Helios - Real-World Open-Audit Voting

4,659 views

Published on

Helios and the recent UCL election presented at the electronic voting workshop in Israel, Tel Aviv University, May 2009.

Published in: Technology, News & Politics
1 Comment
1 Like
Statistics
Notes
  • exceptional demonstration..convinced me to have a hardlook at my company model..amazing
    Sharika
    http://winkhealth.com http://financewink.com
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
4,659
On SlideShare
0
From Embeds
0
Number of Embeds
52
Actions
Shares
0
Downloads
55
Comments
1
Likes
1
Embeds 0
No embeds

No notes for slide

Helios - Real-World Open-Audit Voting

  1. 1. Helios real-world open-audit voting Ben Adida Harvard University Workshop on Electronic Voting Tel Aviv University 18 May 2009
  2. 2. http://www.cs.uiowa.edu/~jones/voting/pictures/ 2
  3. 3. Who counts the votes?
  4. 4. http://www.cs.uiowa.edu/~jones/voting/pictures/ 4
  5. 5. Democratizing the Tallying Process + secrecy
  6. 6. Public Ballots Bulletin Board Bob: McCain Carol: Obama 6
  7. 7. Public Ballots Bulletin Board Bob: McCain Carol: Obama Alice 6
  8. 8. Public Ballots Bulletin Board Alice: Bob: Obama McCain Carol: Obama Alice 6
  9. 9. Public Ballots Bulletin Board Alice: Bob: Obama McCain Carol: Obama Tally Obama....2 McCain....1 Alice 6
  10. 10. Encrypted Public Ballots Bulletin Board Alice: Bob: Rice Clinton Carol: Rice Tally Obama....2 McCain....1 Alice 7
  11. 11. Encrypted Public Ballots Bulletin Board Alice: Bob: Rice Clinton Carol: Ali Rice ce ver Tally ifie s he rv Obama....2 ote McCain....1 Alice 7
  12. 12. Encrypted Public Ballots Bulletin Board Alice: Bob: Rice Clinton Carol: Ali ce Rice ta lly ver e thTally ifie rifies s he ne ve rv ver yo Obama....2 ote E McCain....1 Alice 7
  13. 13. How can we verify operations on encrypted data? Mathematical Proofs. 8
  14. 14. Zero-Knowledge Proof President: President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse Vote For: Mickey Mouse Obama Vote For: Obama 9
  15. 15. Zero-Knowledge Proof President: President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse Vote For: Mickey Mouse Obama Vote For: Obama 9
  16. 16. Zero-Knowledge Proof President: President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse Vote For: Mickey Mouse Obama Vote For: Obama This last envelope likely contains “Obama” 9
  17. 17. Zero-Knowledge Proof President: President: President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse Vote For: Mickey Mouse Vote For: Mickey Mouse Obama McCain Paul Open envelopes don’t prove anything after the fact. 10
  18. 18. “And there are cryptographic techniques that can be used to achieve software independence so that even if there's a bug in the software, you'll detect if there's a problem. But those are not ready for prime time in my opinion.” Avi Rubin, 7/9/2008
  19. 19. “But with cryptography, you’re just moving the black box. Few people really understand it or trust it.” Debra Bowen California Sec. of State, 7/30/2008 (paraphrased)
  20. 20. Where to Start?
  21. 21. Most Open-Audit schemes Complex voting process In-person voting Few can experience it
  22. 22. Helios Simplify Low-coercion elections Web-based: all can experience
  23. 23. “Low-Coercion?” - A more appropriate term might be “stratified coercion” - If the voting public is a subset of the population, there may be inherent limits to coercion. - e.g. university voting - e.g. EFCA in the US
  24. 24. Technical Concepts
  25. 25. Technical Concepts - Probabilistic Encryption & Threshold Decryption. posting ciphertexts safely on a bulletin board
  26. 26. Technical Concepts - Probabilistic Encryption & Threshold Decryption. posting ciphertexts safely on a bulletin board - Homomorphic Tallying. no write-ins, proofs of correct plaintext
  27. 27. Technical Concepts - Probabilistic Encryption & Threshold Decryption. posting ciphertexts safely on a bulletin board - Homomorphic Tallying. no write-ins, proofs of correct plaintext - Benaloh Challenge. cast or audit, authenticate only upon cast
  28. 28. Technical Concepts - Probabilistic Encryption & Threshold Decryption. posting ciphertexts safely on a bulletin board - Homomorphic Tallying. no write-ins, proofs of correct plaintext - Benaloh Challenge. cast or audit, authenticate only upon cast - In-Browser Encryption. plaintext only in user’s browser
  29. 29. Probabilistic Encryption & Threshold Decryption
  30. 30. Public-Key Encryption
  31. 31. Public-Key Encryption Keypair consists of a public key pk and a secret key sk.
  32. 32. Public-Key Encryption Keypair consists of a public key pk and a secret key sk. quot;Obamaquot; Enc pk 8b5637
  33. 33. Public-Key Encryption Keypair consists of a public key pk and a secret key sk. quot;Obamaquot; Enc pk 8b5637 quot;McCainquot; Enc pk c5de34
  34. 34. Public-Key Encryption Keypair consists of a public key pk and a secret key sk. quot;Obamaquot; Enc pk 8b5637 quot;McCainquot; Enc pk c5de34 quot;Obamaquot; Enc pk a4b395
  35. 35. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. 8b5637
  36. 36. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb 8b5637
  37. 37. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637
  38. 38. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637 Dec sk3 7231bc
  39. 39. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637 Dec sk3 7231bc Dec sk4 8239ba
  40. 40. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637 quot;Obamaquot; Dec sk3 7231bc Dec sk4 8239ba
  41. 41. Homomorphic Tallying
  42. 42. Homomorphic Property First: r’th residuosity [Benaloh85] Also: Paillier Cryptosystem [P99] 22
  43. 43. Homomorphic Property Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 ) First: r’th residuosity [Benaloh85] Also: Paillier Cryptosystem [P99] 22
  44. 44. Homomorphic Property Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 ) First: r’th residuosity [Benaloh85] Also: Paillier Cryptosystem [P99] 22
  45. 45. Homomorphic Property Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 ) then we can simply add votes “under cover” of encryption! First: r’th residuosity [Benaloh85] Also: Paillier Cryptosystem [P99] 22
  46. 46. Homomorphic Tally Vote for None Adam 0001 0000 0000 0000 Vote for Vote for Vote for Bob 0000 0001 0000 0000 Obama Vote for McCain 0000 0000 0001 0000 Vote for Charlie 0000 0000 0000 0001 Vote for David 0003 0001 0008 0002 0004 0006 0005 Sample Tally [B+2001, P1999] 23
  47. 47. Benaloh Casting Protocol
  48. 48. http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  49. 49. Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  50. 50. quot;Obamaquot; Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  51. 51. quot;Obamaquot; Encrypted Ballot Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  52. 52. quot;Obamaquot; Encrypted Ballot Alice Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  53. 53. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  54. 54. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; Decrypted Ballot Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  55. 55. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; Decrypted Ballot Alice Encrypted Decrypted Ballot Ballot VERIFICATION http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  56. 56. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; Decrypted Ballot Alice Encrypted Decrypted Ballot Ballot VERIFICATION http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  57. 57. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; Decrypted Ballot Alice Encrypted Decrypted Ballot Ballot VERIFICATION http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  58. 58. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; Decrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  59. 59. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; quot;CASTquot; Decrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  60. 60. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; quot;CASTquot; Decrypted Signed Ballot Encrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  61. 61. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; quot;CASTquot; Decrypted Signed Ballot Encrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  62. 62. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; quot;CASTquot; Decrypted Signed Ballot Encrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot Signed Encrypted Ballot VERIFICATION Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
  63. 63. Helios System Details
  64. 64. Helios System Details - Python & JavaScript logic & crypto
  65. 65. Helios System Details - Python & JavaScript logic & crypto - Free/Open-Source stack
  66. 66. Helios System Details - Python & JavaScript logic & crypto - Free/Open-Source stack - Deployed on Google App Engine
  67. 67. Helios System Details - Python & JavaScript logic & crypto - Free/Open-Source stack - Deployed on Google App Engine - Deployed on Apache/Python/PostgreSQL
  68. 68. Helios System Details - Python & JavaScript logic & crypto - Free/Open-Source stack - Deployed on Google App Engine - Deployed on Apache/Python/PostgreSQL - Customizable authentication, look-and-feel, translations
  69. 69. So, does it work? - Université catholique de Louvain - 25,000 eligible voters - University president election - Helios 2.0, optimized - customized for UCL (French, improved UI)
  70. 70. 28
  71. 71. 29
  72. 72. 30
  73. 73. 500 500 1st round 1st round 2nd round 2nd round 400 DAY 1 400 DAY 2 Number of votes per hour Number of votes per hour 300 300 200 200 100 100 0 0 0 2 4 6 8 10 12 14 16 18 20 22 0 2 4 6 8 10 12 14 16 18 20 22 Time [h] Time [h] 4000 4000 3500 3500 3000 3000 Total number of votes Total number of votes 2500 2500 2000 2000 1500 1500 1000 1000 DAY 1 1st round DAY 2 1st round 2nd round 2nd round 500 500 0 0 0 2 4 6 8 10 12 14 16 18 20 22 0 2 4 6 8 10 12 14 16 18 20 22 Time [h] Time [h] 31
  74. 74. 32
  75. 75. 32
  76. 76. 32
  77. 77. Most Interesting Lesson: spurious claims are easily countered
  78. 78. brief demo
  79. 79. Questions? ben_adida@harvard.edu http://heliosvoting.org/

×