Helios - Real-World Open-Audit Voting

Helios and the recent UCL election presented at the electronic voting workshop in Israel, Tel Aviv University, May 2009.

Published in: Technology, News & Politics

  1. Helios: real-world open-audit voting. Ben Adida, Harvard University. Workshop on Electronic Voting, Tel Aviv University, 18 May 2009
  2. http://www.cs.uiowa.edu/~jones/voting/pictures/
  3. Who counts the votes?
  4. http://www.cs.uiowa.edu/~jones/voting/pictures/
  5. Democratizing the Tallying Process + secrecy
  6-9. Public Ballots. Bulletin Board: Alice: Obama; Bob: McCain; Carol: Obama. Tally: Obama 2, McCain 1.
  10-12. Encrypted Public Ballots. Bulletin Board: Alice: Rice; Bob: Clinton; Carol: Rice. Tally: Obama 2, McCain 1. Alice verifies her vote. Everyone verifies the tally.
  13. How can we verify operations on encrypted data? Mathematical Proofs.
  14-16. Zero-Knowledge Proof. [Figure: envelopes labelled “President: Mickey Mouse” and “Vote For: Obama”.] This last envelope likely contains “Obama”
  17. Zero-Knowledge Proof. [Figure: envelopes labelled “President: Mickey Mouse”; “Vote For:” labels Obama, McCain, Paul.] Open envelopes don’t prove anything after the fact.
  18. “And there are cryptographic techniques that can be used to achieve software independence so that even if there's a bug in the software, you'll detect if there's a problem. But those are not ready for prime time in my opinion.” Avi Rubin, 7/9/2008
  19. “But with cryptography, you’re just moving the black box. Few people really understand it or trust it.” Debra Bowen, California Sec. of State, 7/30/2008 (paraphrased)
  20. Where to Start?
  21. Most Open-Audit schemes: Complex voting process. In-person voting. Few can experience it.
  22. Helios: Simplify. Low-coercion elections. Web-based: all can experience.
  23. “Low-Coercion?” - A more appropriate term might be “stratified coercion” - If the voting public is a subset of the population, there may be inherent limits to coercion. - e.g. university voting - e.g. EFCA in the US
  24-28. Technical Concepts - Probabilistic Encryption & Threshold Decryption: posting ciphertexts safely on a bulletin board - Homomorphic Tallying: no write-ins, proofs of correct plaintext - Benaloh Challenge: cast or audit, authenticate only upon cast - In-Browser Encryption: plaintext only in user’s browser
  29. Probabilistic Encryption & Threshold Decryption
  30-34. Public-Key Encryption. Keypair consists of a public key pk and a secret key sk. "Obama" → Enc pk → 8b5637; "McCain" → Enc pk → c5de34; "Obama" → Enc pk → a4b395
  35-40. Threshold Decryption. Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Ciphertext 8b5637; Dec sk1: b739cb; Dec sk2: 261ad7; Dec sk3: 7231bc; Dec sk4: 8239ba; result: "Obama"
  41. Homomorphic Tallying
  42-45. Homomorphic Property: Enc(m1) × Enc(m2) = Enc(m1 + m2); then we can simply add votes “under cover” of encryption! First: r’th residuosity [Benaloh85]. Also: Paillier Cryptosystem [P99].
  46. Homomorphic Tally. [Figure: “Vote for” labels None, Adam, Bob, Obama, McCain, Charlie, David; vote encodings 0001 0000 0000 0000, 0000 0001 0000 0000, 0000 0000 0001 0000, 0000 0000 0000 0001; 0003 0001 0008 0002 0004 0006 0005.] Sample Tally [B+2001, P1999]
  47. Benaloh Casting Protocol
  48-62. [Diagram built up over these slides] "Obama" → Encrypted Ballot → Alice. "AUDIT": Decrypted Ballot; VERIFICATION of Encrypted Ballot against Decrypted Ballot. "CAST": Signed Encrypted Ballot. Image: http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  63-68. Helios System Details - Python & JavaScript logic & crypto - Free/Open-Source stack - Deployed on Google App Engine - Deployed on Apache/Python/PostgreSQL - Customizable authentication, look-and-feel, translations
  69. So, does it work? - Université catholique de Louvain - 25,000 eligible voters - University president election - Helios 2.0, optimized - customized for UCL (French, improved UI)
  73. [Figure: number of votes per hour and total number of votes against time (h), for Day 1 and Day 2, 1st round and 2nd round]
  77. Most Interesting Lesson: spurious claims are easily countered
  78. brief demo
  79. Questions? ben_adida@harvard.edu http://heliosvoting.org/
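
The "Homomorphic Property" and "Benaloh Casting Protocol" slides can be made concrete with the following added example, which is not Helios code and not from the talk: a toy Paillier tally (Paillier is one of the two schemes the slide cites) with one packed counter per candidate, plus the cast-or-audit check. Assumptions: the key, the candidate list and the 4-digit counter width are constructed here; a single party holds the secret key instead of threshold-sharing it, and the proofs of correct plaintext are left out.

```python
# Added illustration (not Helios code): toy Paillier tally with a cast-or-audit check.
import math
import secrets

# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # secret key (one holder here)
MU = pow(LAM, -1, N)

CANDIDATES = ["Obama", "McCain", "None"]   # constructed ballot
BASE = 10**4                               # one 4-digit counter field per candidate

def encode(choice):
    """Pack a vote as a 1 in the chosen candidate's counter field."""
    return BASE ** CANDIDATES.index(choice)

def fresh_randomness():
    """Random r coprime to N; this is what makes encryption probabilistic."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r

def encrypt(m, r):
    """Paillier with g = N + 1: Enc(m; r) = (1 + m*N) * r^N mod N^2."""
    return (1 + m * N) % N2 * pow(r, N, N2) % N2

def decrypt(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

def add(c1, c2):
    """Homomorphic property: Enc(m1) * Enc(m2) = Enc(m1 + m2)."""
    return c1 * c2 % N2

def audit(ciphertext, revealed_choice, revealed_r):
    """Benaloh challenge: re-encrypt the opened ballot and compare.
    An audited ballot is discarded; only an unopened one is cast."""
    return encrypt(encode(revealed_choice), revealed_r) == ciphertext

def tally(board):
    """Multiply every posted ciphertext, decrypt once, unpack the counters."""
    total = 1                      # 1 = Enc(0; r=1), the neutral element for add()
    for c in board:
        total = add(total, c)
    packed = decrypt(total)
    return {name: packed // BASE**i % BASE for i, name in enumerate(CANDIDATES)}

def demo():
    board = [encrypt(encode(v), fresh_randomness())
             for v in ["Obama", "McCain", "Obama"]]
    return tally(board)

if __name__ == "__main__":
    print(demo())
```

Only the product of the ciphertexts is ever decrypted, so individual ballots on the bulletin board stay sealed; the audit check works because the randomness, once revealed, pins the ciphertext to exactly one plaintext.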
