Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Open-Audit Voting

2,372 views

Published on

My open-audit voting talk given at Université Catholique de Louvain, on Feb 3rd, 2009.

Published in: Technology
  • Be the first to comment

Open-Audit Voting

  1. 1. Open-Audit Voting How to let anyone verify an election Ben Adida Harvard University Université Catholique de Louvain 3 February 2009 Saturday, February 14, 2009
  2. 2. The Point of An Election Saturday, February 14, 2009
  3. 3. The Point of An Election “The People have spoken.... the bastards!” Dick Tuck 1966 Concession Speech Saturday, February 14, 2009
  4. 4. The Point of An Election “The People have spoken.... the bastards!” Dick Tuck 1966 Concession Speech Provide enough evidence to convince the loser. Saturday, February 14, 2009
  5. 5. Saturday, February 14, 2009
  6. 6. quot;That's for me and a button to know.quot; Joe, the plumber. Saturday, February 14, 2009
  7. 7. 5 Saturday, February 14, 2009
  8. 8. 5 Saturday, February 14, 2009
  9. 9. 5 Saturday, February 14, 2009
  10. 10. 5 Saturday, February 14, 2009
  11. 11. 5 Saturday, February 14, 2009
  12. 12. 5 Saturday, February 14, 2009
  13. 13. 5 Saturday, February 14, 2009
  14. 14. 6 Saturday, February 14, 2009
  15. 15. 6 Saturday, February 14, 2009
  16. 16. “When I finally saw the results of our tests, I thought I was going to throw up.” Secretary of State of Ohio, two weeks before 2008 US Presidential Elections Saturday, February 14, 2009
  17. 17. Fashionable Voting http://www.cs.uiowa.edu/~jones/voting/pictures/8 Saturday, February 14, 2009
  18. 18. Fashionable Voting http://www.cs.uiowa.edu/~jones/voting/pictures/8 Saturday, February 14, 2009
  19. 19. Fashionable Voting http://www.cs.uiowa.edu/~jones/voting/pictures/8 Saturday, February 14, 2009
  20. 20. Fashionable Voting http://www.cs.uiowa.edu/~jones/voting/pictures/8 Saturday, February 14, 2009
  21. 21. Fashionable Voting http://www.cs.uiowa.edu/~jones/voting/pictures/8 Saturday, February 14, 2009
  22. 22. Fashionable Voting http://www.cs.uiowa.edu/~jones/voting/pictures/8 Saturday, February 14, 2009
  23. 23. Fashionable Voting http://www.cs.uiowa.edu/~jones/voting/pictures/8 Saturday, February 14, 2009
  24. 24. Fashionable Voting 9 Saturday, February 14, 2009
  25. 25. Fashionable Voting 9 Saturday, February 14, 2009
  26. 26. Voting is a fundamentally difficult problem. 10 Saturday, February 14, 2009
  27. 27. Wooten got the news from his wife, Roxanne, who went to City Hall on Wednesday to see the election results. quot;She saw my name with zero votes by it. She came home and asked me if I had voted for myself or not.quot; 11 Saturday, February 14, 2009
  28. 28. 12 Saturday, February 14, 2009
  29. 29. 14 12 12 Saturday, February 14, 2009
  30. 30. 14 12 1 person, 1 vote 12 Saturday, February 14, 2009
  31. 31. Enforced Privacy to ensure each voter votes in his/her own interest 13 Saturday, February 14, 2009
  32. 32. http://www.cs.uiowa.edu/~jones/voting/pictures/ 14 Saturday, February 14, 2009
  33. 33. 1892 - Australian Ballot http://www.cs.uiowa.edu/~jones/voting/pictures/ 15 Saturday, February 14, 2009
  34. 34. The Ballot Handoff McCain Alice the Voter 16 Saturday, February 14, 2009
  35. 35. The Ballot Handoff McCain Alice the Voter 16 Saturday, February 14, 2009
  36. 36. The Ballot Handoff McCain Alice the Voter 16 Saturday, February 14, 2009
  37. 37. The Ballot Handoff McCain Alice the Voter 16 Saturday, February 14, 2009
  38. 38. The Ballot Handoff McCain Obama Obama Obama McCain McCain McCain Alice the Voter 16 Saturday, February 14, 2009
  39. 39. The Ballot Handoff McCain Obama Obama Obama McCain McCain McCain Alice the Voter Black Box 16 Saturday, February 14, 2009
  40. 40. Saturday, February 14, 2009
  41. 41. Saturday, February 14, 2009
  42. 42. Chain of Custody 19 Saturday, February 14, 2009
  43. 43. Chain of Custody 1 /* * source * code */ if (... Vendor 19 Saturday, February 14, 2009
  44. 44. Chain of Custody 1 /* * source * code Voting */ 2 Machine if (... Vendor 19 Saturday, February 14, 2009
  45. 45. Chain of Custody 1 /* * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 19 Saturday, February 14, 2009
  46. 46. Chain of Custody 1 /* * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice 19 Saturday, February 14, 2009
  47. 47. Chain of Custody 1 /* * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice 19 Saturday, February 14, 2009
  48. 48. Chain of Custody 1 /* * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice 5 Ballot Box Collection 19 Saturday, February 14, 2009
  49. 49. Chain of Custody 1 /* * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice Results 5 6 ..... Ballot Box Collection 19 Saturday, February 14, 2009
  50. 50. Chain of Custody 1 /* * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice Results 5 6 ..... Ballot Box Collection Black Box 19 Saturday, February 14, 2009
  51. 51. The Cost of Secrecy Saturday, February 14, 2009
  52. 52. The Cost of Secrecy Saturday, February 14, 2009
  53. 53. The Cost of Secrecy Saturday, February 14, 2009
  54. 54. The Cost of Secrecy Saturday, February 14, 2009
  55. 55. The Cost of Secrecy Saturday, February 14, 2009
  56. 56. But Secrecy is Important. Secret Ballot implemented in Chile in 1958. “the secrecy of the ballot [...] has first-order implications for resource allocation, political outcomes, and social efficiency.” [BalandRobinson 2004] Saturday, February 14, 2009
  57. 57. Computers have obscured the process. 22 Saturday, February 14, 2009
  58. 58. Computers have obscured the process. What about computer science? 22 Saturday, February 14, 2009
  59. 59. Cryptography solving problems that initially appear to have conflicting requirements. 23 Saturday, February 14, 2009
  60. 60. Public-Key Encryption Customer 24 Saturday, February 14, 2009
  61. 61. Public-Key Encryption public key Customer 24 Saturday, February 14, 2009
  62. 62. Public-Key Encryption public key enc(cc number) Customer 24 Saturday, February 14, 2009
  63. 63. Secret Ballot vs. Verifiability Voting System convince Alice Carl the Coercer 25 Saturday, February 14, 2009
  64. 64. Secret Ballot vs. Verifiability Voting System convince Alice Carl the Coercer [Chaum81], [Benaloh85], [PIK93], [BenalohTuinstra92], [SK94], [Neff2001], [FS2001], [Chaum2004], [Neff2004], [Ryan2004], [Chaum2005] Punchscan, Scantegrity I & II, Civitas, ThreeBallot, Prêt-à-Voter, Scratch & Vote, ... 25 Saturday, February 14, 2009
  65. 65. Public Ballots Bulletin Board Bob: McCain Carol: Obama 26 Saturday, February 14, 2009
  66. 66. Public Ballots Bulletin Board Bob: McCain Carol: Obama Alice 26 Saturday, February 14, 2009
  67. 67. Public Ballots Bulletin Board Alice: Bob: Obama McCain Carol: Obama Alice 26 Saturday, February 14, 2009
  68. 68. Public Ballots Bulletin Board Alice: Bob: Obama McCain Carol: Obama Tally Obama....2 McCain....1 Alice 26 Saturday, February 14, 2009
  69. 69. Encrypted Public Ballots Bulletin Board Alice: Bob: Rice Clinton Carol: Rice Tally Obama....2 McCain....1 Alice 27 Saturday, February 14, 2009
  70. 70. Encrypted Public Ballots Bulletin Board Alice: Bob: Rice Clinton Carol: Ali Rice ce ver Tally i fies he rv Obama....2 ote McCain....1 Alice 27 Saturday, February 14, 2009
  71. 71. Encrypted Public Ballots Bulletin Board Alice: Bob: Rice Clinton Carol: lly Ali ta Rice ce e thTally ver es rifi i fies e ve he n ryo rv ve Obama....2 E ote McCain....1 Alice 27 Saturday, February 14, 2009
  72. 72. End-to-End Verification Saturday, February 14, 2009
  73. 73. End-to-End Verification /* * source * code Voting */ Machine if (... Vendor Polling Location Saturday, February 14, 2009
  74. 74. End-to-End Verification /* * source * code Voting */ Machine if (... Vendor Ballot Box / Bulletin Board Polling Location Alice Saturday, February 14, 2009
  75. 75. End-to-End Verification /* * source * code Voting */ Machine if (... Vendor Results Ballot Box / Bulletin Board Polling ..... Location Alice Saturday, February 14, 2009
  76. 76. End-to-End Verification /* * source * code Voting */ Machine if (... Vendor Results Ballot Box / Bulletin Board Polling ..... Location 1 Alice Receipt Saturday, February 14, 2009
  77. 77. End-to-End Verification /* * source * code Voting */ Machine if (... Vendor Results Ballot Box / Bulletin Board Polling ..... Location 1 2 Alice Receipt Saturday, February 14, 2009
  78. 78. How can we verify operations on encrypted data? Mathematical Proofs. 29 Saturday, February 14, 2009
  79. 79. Zero-Knowledge Proof 30 Saturday, February 14, 2009
  80. 80. Zero-Knowledge Proof President: President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse Vote For: Mickey Mouse Obama Vote For: Obama 30 Saturday, February 14, 2009
  81. 81. Zero-Knowledge Proof President: President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse Vote For: Mickey Mouse Obama Vote For: Obama 30 Saturday, February 14, 2009
  82. 82. Zero-Knowledge Proof President: President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse Vote For: Mickey Mouse Obama Vote For: Obama This last envelope likely contains “Obama” 30 Saturday, February 14, 2009
  83. 83. Zero-Knowledge Proof President: President: President: President: Mickey Mouse Mickey Mouse President: President: Mickey Mouse Mickey Mouse President: President: Mickey Mouse Mickey Mouse President: President: Mickey Mouse Mickey Mouse President: President: Mickey Mouse Mickey Mouse Vote For: Vote For: Mickey Mouse Mickey Mouse McCain Obama Paul Open envelopes don’t prove anything after the fact. 31 Saturday, February 14, 2009
  84. 84. Helios Saturday, February 14, 2009
  85. 85. “And there are cryptographic techniques that can be used to achieve software independence so that even if there's a bug in the software, you'll detect if there's a problem. But those are not ready for prime time in my opinion.” Avi Rubin, 7/9/2008 Saturday, February 14, 2009
  86. 86. “But with cryptography, you’re just moving the black box. Few people really understand it or trust it.” California Sec. of State, 7/30/2008 (paraphrased) Saturday, February 14, 2009
  87. 87. Simplify Low-Coercion Elections Web-based Saturday, February 14, 2009
  88. 88. Technical Concepts Saturday, February 14, 2009
  89. 89. Technical Concepts - Probabilistic Encryption & Threshold Decryption. posting ciphertexts safely on a bulletin board Saturday, February 14, 2009
  90. 90. Technical Concepts - Probabilistic Encryption & Threshold Decryption. posting ciphertexts safely on a bulletin board - Homomorphic Tallying. no write-ins, proofs of correct plaintext Saturday, February 14, 2009
  91. 91. Technical Concepts - Probabilistic Encryption & Threshold Decryption. posting ciphertexts safely on a bulletin board - Homomorphic Tallying. no write-ins, proofs of correct plaintext - Benaloh Challenge. cast or audit, authenticate only upon cast Saturday, February 14, 2009
  92. 92. Technical Concepts - Probabilistic Encryption & Threshold Decryption. posting ciphertexts safely on a bulletin board - Homomorphic Tallying. no write-ins, proofs of correct plaintext - Benaloh Challenge. cast or audit, authenticate only upon cast - In-Browser Encryption. plaintext only in user’s browser Saturday, February 14, 2009
  93. 93. Probabilistic Encryption & Threshold Decryption Saturday, February 14, 2009
  94. 94. Public-Key Encryption Saturday, February 14, 2009
  95. 95. Public-Key Encryption Keypair consists of a public key pk and a secret key sk . Saturday, February 14, 2009
  96. 96. Public-Key Encryption Keypair consists of a public key pk and a secret key sk . Enc pk quot;Obamaquot; 8b5637 Saturday, February 14, 2009
  97. 97. Public-Key Encryption Keypair consists of a public key pk and a secret key sk . Enc pk quot;Obamaquot; 8b5637 Enc pk quot;McCainquot; c5de34 Saturday, February 14, 2009
  98. 98. Public-Key Encryption Keypair consists of a public key pk and a secret key sk . Enc pk quot;Obamaquot; 8b5637 Enc pk quot;McCainquot; c5de34 Enc pk quot;Obamaquot; a4b395 Saturday, February 14, 2009
  99. 99. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. 8b5637 Saturday, February 14, 2009
  100. 100. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb 8b5637 Saturday, February 14, 2009
  101. 101. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637 Saturday, February 14, 2009
  102. 102. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637 Dec sk3 7231bc Saturday, February 14, 2009
  103. 103. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637 Dec sk3 7231bc Dec sk4 8239ba Saturday, February 14, 2009
  104. 104. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637 quot;Obamaquot; Dec sk3 7231bc Dec sk4 8239ba Saturday, February 14, 2009
  105. 105. Homomorphic Tallying Saturday, February 14, 2009
  106. 106. Homomorphic Property First: r’th residuosity [Benaloh85] Also: Paillier Cryptosystem [P99] 41 Saturday, February 14, 2009
  107. 107. Homomorphic Property Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 ) First: r’th residuosity [Benaloh85] Also: Paillier Cryptosystem [P99] 41 Saturday, February 14, 2009
  108. 108. Homomorphic Property Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 ) First: r’th residuosity [Benaloh85] Also: Paillier Cryptosystem [P99] 41 Saturday, February 14, 2009
  109. 109. Homomorphic Property Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 ) then we can simply add votes “under cover” of encryption! First: r’th residuosity [Benaloh85] Also: Paillier Cryptosystem [P99] 41 Saturday, February 14, 2009
  110. 110. Homomorphic Tally Vote for None Adam 0001 0000 0000 0000 Vote for Vote for Vote for Bob Obama 0000 0001 0000 0000 Vote for McCain 0000 0000 0001 0000 Vote for Charlie 0000 0000 0000 0001 Vote for David 0003 0001 0008 0002 0004 0006 0005 Sample Tally [B+2001, P1999] 42 Saturday, February 14, 2009
  111. 111. Benaloh Casting Protocol Saturday, February 14, 2009
  112. 112. http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg Saturday, February 14, 2009
  113. 113. Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg Saturday, February 14, 2009
  114. 114. quot;Obamaquot; Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg Saturday, February 14, 2009
  115. 115. quot;Obamaquot; Encrypted Ballot Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg Saturday, February 14, 2009
  116. 116. quot;Obamaquot; Encrypted Ballot Alice Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg Saturday, February 14, 2009
  117. 117. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg Saturday, February 14, 2009
  118. 118. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; Decrypted Ballot Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg Saturday, February 14, 2009
  119. 119. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; Decrypted Ballot Alice Encrypted Decrypted Ballot Ballot VERIFICATION http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg Saturday, February 14, 2009
  120. 120. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; Decrypted Ballot Alice Encrypted Decrypted Ballot Ballot VERIFICATION http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg Saturday, February 14, 2009
  121. 121. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; Decrypted Ballot Alice Encrypted Decrypted Ballot Ballot VERIFICATION http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg Saturday, February 14, 2009
  122. 122. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; Decrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg Saturday, February 14, 2009
  123. 123. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; quot;CASTquot; Decrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg Saturday, February 14, 2009
  124. 124. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; quot;CASTquot; Decrypted Signed Ballot Encrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg Saturday, February 14, 2009
  125. 125. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; quot;CASTquot; Decrypted Signed Ballot Encrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg Saturday, February 14, 2009
  126. 126. quot;Obamaquot; Encrypted Ballot Alice quot;AUDITquot; quot;CASTquot; Decrypted Signed Ballot Encrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot Signed Encrypted Ballot VERIFICATION Alice http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg Saturday, February 14, 2009
  127. 127. Web Browser Tricks Saturday, February 14, 2009
  128. 128. Single-Page Web App <a href=“javascript:doStuff();”> next page </a> Saturday, February 14, 2009
  129. 129. LiveConnect Saturday, February 14, 2009
  130. 130. LiveConnect var p = new java.math.BigInteger(“13”,10); Saturday, February 14, 2009
  131. 131. LiveConnect var p = new java.math.BigInteger(“13”,10); var p = lc_applet.newBigInteger(“13”,10); Saturday, February 14, 2009
  132. 132. LiveConnect var p = new java.math.BigInteger(“13”,10); var p = lc_applet.newBigInteger(“13”,10); var GEN = new java.security.SecureRandom(); Saturday, February 14, 2009
  133. 133. LiveConnect var p = new java.math.BigInteger(“13”,10); var p = lc_applet.newBigInteger(“13”,10); var GEN = new java.security.SecureRandom(); var GEN = lc_applet.newSecureRandom(); Saturday, February 14, 2009
  134. 134. Data URIs Saturday, February 14, 2009
  135. 135. Data URIs window.open(“data:text/plain,” + content); Saturday, February 14, 2009
  136. 136. Data URIs window.open(“data:text/plain,” + content); w = window.open(quot;quot;); w.document.open(quot;text/plainquot;); w.document.write(content); w.document.close(); Saturday, February 14, 2009
  137. 137. window.postMessage() Saturday, February 14, 2009
  138. 138. window.postMessage() w = window.open(HELIOS_API_URL); w.postMessage(“election 123”, helios_host); Saturday, February 14, 2009
  139. 139. window.postMessage() w = window.open(HELIOS_API_URL); w.postMessage(“election 123”, helios_host); window.addEventListener(“message”, ...); window.opener.postMessage(election_data); Saturday, February 14, 2009
  140. 140. Helios System Details Saturday, February 14, 2009
  141. 141. Helios System Details - Python & JavaScript logic & crypto Saturday, February 14, 2009
  142. 142. Helios System Details - Python & JavaScript logic & crypto - Free/Open-Source stack Saturday, February 14, 2009
  143. 143. Helios System Details - Python & JavaScript logic & crypto - Free/Open-Source stack - Deployed on Google App Engine Saturday, February 14, 2009
  144. 144. Helios System Details - Python & JavaScript logic & crypto - Free/Open-Source stack - Deployed on Google App Engine - Deployed on Apache/Python/PostgreSQL at UCL! Saturday, February 14, 2009
  145. 145. Helios System Details - Python & JavaScript logic & crypto - Free/Open-Source stack - Deployed on Google App Engine - Deployed on Apache/Python/PostgreSQL at UCL! - Customizable authentication, look-and-feel, translations Saturday, February 14, 2009
  146. 146. Demo Saturday, February 14, 2009
  147. 147. Is Open-Audit Voting Too Difficult to Understand? Saturday, February 14, 2009
  148. 148. Is Open-Audit Voting Too Difficult to Understand? - It’s more difficult than counting paper ballots. Saturday, February 14, 2009
  149. 149. Is Open-Audit Voting Too Difficult to Understand? - It’s more difficult than counting paper ballots. - Simplicity hides a lack of auditability: how can you trust that a ballot box was not tampered with? Saturday, February 14, 2009
  150. 150. Is Open-Audit Voting Too Difficult to Understand? - It’s more difficult than counting paper ballots. - Simplicity hides a lack of auditability: how can you trust that a ballot box was not tampered with? - With open-audit, anyone can learn the math and write their own program. Saturday, February 14, 2009
  151. 151. Is Open-Audit Voting Too Difficult to Understand? - It’s more difficult than counting paper ballots. - Simplicity hides a lack of auditability: how can you trust that a ballot box was not tampered with? - With open-audit, anyone can learn the math and write their own program. - If there’s fraud, there’s evidence! All you need is one person to point it out. Saturday, February 14, 2009
  152. 152. Questions? Ben Adida ben@adida.net Harvard University Université Catholique de Louvain 3 February 2009 53 Saturday, February 14, 2009

×