1. Open-Audit Voting
How to let anyone
verify an election
Ben Adida
Harvard University
Université Catholique de Louvain
3 February 2009
Saturday, February 14, 2009
4. The Point of An Election
“The People have spoken....
the bastards!”
Dick Tuck
1966 Concession Speech
Provide enough evidence
to convince the loser.
16. “When I finally saw
the results of our tests,
I thought I was going to throw up.”
Secretary of State of Ohio,
two weeks before 2008 US Presidential Elections
17. Fashionable Voting
http://www.cs.uiowa.edu/~jones/voting/pictures/8
26. Voting is a
fundamentally
difficult problem.
27. Wooten got the news from his wife, Roxanne,
who went to City Hall on Wednesday
to see the election results.
“She saw my name with zero votes by it.
She came home and asked me if
I had voted for myself or not.”
50. Chain of Custody
[Diagram: numbered steps in the chain of custody: 1. Vendor (source code), 2. Voting Machine, 3. Polling Location, 4. Alice, 5. Ballot Box Collection, 6. Results. Labeled “Black Box”.]
51. The Cost of Secrecy
56. But Secrecy is Important.
Secret Ballot implemented in Chile in 1958.
“the secrecy of the ballot [...] has
first-order implications for resource
allocation, political outcomes, and social efficiency.”
[BalandRobinson 2004]
58. Computers have
obscured the process.
What about
computer science?
59. Cryptography
solving problems
that initially appear to have
conflicting requirements.
62. Public-Key Encryption
public key
enc(cc number)
Customer
64. Secret Ballot vs.
Verifiability
Voting System
convince
Alice
Carl the Coercer
[Chaum81], [Benaloh85], [PIK93], [BenalohTuinstra92], [SK94], [Neff2001], [FS2001],
[Chaum2004], [Neff2004], [Ryan2004], [Chaum2005]
Punchscan, Scantegrity I & II, Civitas, ThreeBallot, Prêt-à-Voter, Scratch & Vote, ...
68. Public Ballots
Bulletin Board
Alice: Obama
Bob: McCain
Carol: Obama
Tally
Obama....2
McCain....1
71. Encrypted Public Ballots
Bulletin Board
Alice: Rice
Bob: Clinton
Carol: Rice
Tally
Obama....2
McCain....1
Alice verifies her vote
Everyone verifies the tally
85. “And there are cryptographic
techniques that can be used to
achieve software independence so
that even if there's a bug in the
software, you'll detect if there's a
problem. But those are not ready
for prime time in my opinion.”
Avi Rubin, 7/9/2008
86. “But with cryptography, you’re just
moving the black box. Few people really
understand it or trust it.”
California Sec. of State, 7/30/2008
(paraphrased)
87. Simplify
Low-Coercion Elections
Web-based
92. Technical Concepts
- Probabilistic Encryption & Threshold Decryption.
posting ciphertexts safely on a bulletin board
- Homomorphic Tallying.
no write-ins, proofs of correct plaintext
- Benaloh Challenge.
cast or audit, authenticate only upon cast
- In-Browser Encryption.
plaintext only in user’s browser
98. Public-Key Encryption
Keypair consists of a public key pk and a secret key sk.
"Obama" -> Enc_pk -> 8b5637
"McCain" -> Enc_pk -> c5de34
"Obama" -> Enc_pk -> a4b395
104. Threshold Decryption
Secret key is shared amongst multiple parties:
all (or at least a quorum) need to cooperate to decrypt.
8b5637 -> Dec_sk1 -> b739cb
8b5637 -> Dec_sk2 -> 261ad7
8b5637 -> Dec_sk3 -> 7231bc
8b5637 -> Dec_sk4 -> 8239ba
b739cb, 261ad7, 7231bc, 8239ba -> "Obama"
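The two ideas on the Public-Key Encryption and Threshold Decryption slides, as an added example (not code from the talk or from Helios): encrypting the same vote twice gives different ciphertexts, and four trustees each publish a partial decryption that opens the ballot only when all are combined. The toy group, the candidate codes and every function name are assumptions made for illustration, and this is the all-trustees case rather than a quorum scheme.

```python
import secrets

# Toy group (assumption, far too small for real use): P = 2Q + 1 with P, Q prime,
# and G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4
CANDIDATES = {1: "Obama", 2: "McCain"}   # constructed numeric codes for the choices

def trustee_keygen():
    """One trustee's secret share sk_i and the public value g^sk_i."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def joint_public_key(public_values):
    """pk = product of g^sk_i = g^(sk_1 + ... + sk_n); no one ever holds the sum."""
    pk = 1
    for h in public_values:
        pk = pk * h % P
    return pk

def encrypt(pk, m, r=None):
    """Probabilistic: a fresh r per call, so equal votes give unequal ciphertexts."""
    r = r if r is not None else secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P

def partial_decrypt(sk_i, ciphertext):
    """What one trustee publishes for a ciphertext (a, b): the value a^sk_i."""
    return pow(ciphertext[0], sk_i, P)

def combine(ciphertext, partials):
    """Strip every trustee's factor from b; the vote shows only if all took part."""
    b = ciphertext[1]
    for d in partials:
        b = b * pow(d, -1, P) % P
    # b should now be g^m; the choice set is tiny, so just try each code.
    return next((name for m, name in CANDIDATES.items() if pow(G, m, P) == b), None)

def demo():
    trustees = [trustee_keygen() for _ in range(4)]        # sk1..sk4 as on the slide
    pk = joint_public_key([h for _, h in trustees])
    ballot = encrypt(pk, 1)                                # an encrypted "Obama"
    partials = [partial_decrypt(sk, ballot) for sk, _ in trustees]
    return combine(ballot, partials), combine(ballot, partials[:3])
```
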
105. Homomorphic
Tallying
109. Homomorphic Property
If Enc(m1) × Enc(m2) = Enc(m1 + m2)
then we can simply
add votes “under cover” of encryption!
First: r’th residuosity [Benaloh85]
Also: Paillier Cryptosystem [P99]
110. Homomorphic Tally
[Figure: each ballot is a row of four-digit counters with a single 0001 in the block of the chosen option: 0001 0000 0000 0000, 0000 0001 0000 0000, 0000 0000 0001 0000, 0000 0000 0000 0001. Labels on the slide: Vote for None, Vote for Adam, Vote for Bob, Vote for Charlie, Vote for David, Vote for Obama, Vote for McCain. Sample Tally values shown: 0003 0001 0008 0002; 0004 0006 0005.]
[B+2001, P1999]
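The homomorphic property and the packed-counter ballots of the two slides above, worked through with the Paillier cryptosystem as an added example (not code from the talk or from Helios). The key built from two Mersenne primes, the option order and all function names are assumptions made for illustration.

```python
import math, secrets

# Toy Paillier key from two known Mersenne primes (assumption; not a secure size).
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # private: lcm(P-1, Q-1)
MU = pow(LAM, -1, N)                                # private; valid for g = N + 1

OPTIONS = ["Adam", "Bob", "Charlie", "David"]       # assumed left-to-right order
WIDTH = 10**4                                       # four digits per counter

def encode(choice):
    """Ballot as a packed integer: 0001 in the chosen option's block, 0000 elsewhere."""
    return WIDTH ** (len(OPTIONS) - 1 - OPTIONS.index(choice))

def encrypt(m):
    """Enc(m) = (1 + N)^m * r^N mod N^2 with fresh random r coprime to N."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:
            return pow(N + 1, m, N2) * pow(r, N, N2) % N2

def decrypt(c):
    """m = L(c^LAM mod N^2) * MU mod N, where L(x) = (x - 1) // N."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def homomorphic_tally(ciphertexts):
    """Enc(m1) * Enc(m2) = Enc(m1 + m2): multiplying ciphertexts adds the ballots.
    Nothing here checks that each plaintext is a valid one-hot ballot, which is
    why the slides pair this with proofs of correct plaintext."""
    product = 1
    for c in ciphertexts:
        product = product * c % N2
    return product

def unpack(total):
    """Split the decrypted sum into one counter per option."""
    counts = []
    for _ in OPTIONS:
        total, counter = divmod(total, WIDTH)
        counts.append(counter)
    return dict(zip(OPTIONS, reversed(counts)))

def run_election(choices):
    board = [encrypt(encode(c)) for c in choices]   # only ciphertexts are posted
    return unpack(decrypt(homomorphic_tally(board)))  # one decryption, of the sum
```

Only the product of all ciphertexts is ever decrypted, so no individual ballot is opened; each counter holds up to 9999 votes before it would carry into its neighbour.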
111. Benaloh
Casting Protocol
126. [Diagram: Benaloh casting protocol. Alice enters “Obama” and receives an Encrypted Ballot, then chooses “AUDIT” or “CAST”. “AUDIT” yields the Decrypted Ballot; the Encrypted Ballot and the Decrypted Ballot go to VERIFICATION. “CAST” yields a Signed Encrypted Ballot, which also appears at VERIFICATION. Image source: http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg]
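The cast-or-audit step in the diagram above, as an added example (not code from the talk or from Helios): the device must commit to the encrypted ballot before it learns whether it will be audited, and an audit reveals the randomness so that any independent program can re-encrypt and compare. The toy ElGamal group, the fixed election key, the `BallotDevice` class and its `wrong_choice` parameter are assumptions made for illustration.

```python
import hashlib, secrets

# Toy ElGamal group and key (assumptions; far too small for real use).
P, Q, G = 2039, 1019, 4
PK = pow(G, 777, P)                  # election public key from a constructed secret
CODES = {"Obama": 1, "McCain": 2}    # constructed numeric codes for the choices

def encrypt(choice, r):
    """Exponential ElGamal with explicit randomness r, so it can be recomputed."""
    return pow(G, r, P), pow(G, CODES[choice], P) * pow(PK, r, P) % P

def fingerprint(ciphertext):
    """Short hash of the encrypted ballot that the voter keeps as a receipt."""
    return hashlib.sha256(repr(ciphertext).encode()).hexdigest()[:16]

class BallotDevice:
    """The untrusted encrypting device; wrong_choice models a faulty one."""
    def __init__(self, wrong_choice=None):
        self.wrong_choice = wrong_choice

    def prepare(self, choice):
        """Encrypt and commit BEFORE learning whether the voter will audit or cast."""
        self.shown, self.r = choice, secrets.randbelow(Q - 1) + 1
        self.ciphertext = encrypt(self.wrong_choice or choice, self.r)
        return fingerprint(self.ciphertext)

    def audit(self):
        """AUDIT: open the ballot. It is spoiled and must never be cast."""
        return self.ciphertext, self.shown, self.r

    def cast(self):
        """CAST: discard the randomness; only now does the voter authenticate."""
        self.r = None
        return self.ciphertext

def verify_audit(receipt, ciphertext, choice, r):
    """Any independent program can run this: re-encrypt and compare."""
    return fingerprint(ciphertext) == receipt and encrypt(choice, r) == ciphertext
```

Because the device cannot tell in advance which ballots will be audited, one that encrypts something other than what it displays fails `verify_audit` whenever the voter happens to choose AUDIT.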
133. LiveConnect
var p = new java.math.BigInteger("13",10);
var p = lc_applet.newBigInteger("13",10);
var GEN = new java.security.SecureRandom();
var GEN = lc_applet.newSecureRandom();
145. Helios System Details
- Python & JavaScript logic & crypto
- Free/Open-Source stack
- Deployed on Google App Engine
- Deployed on Apache/Python/PostgreSQL
at UCL!
- Customizable
authentication, look-and-feel, translations
151. Is Open-Audit Voting Too
Difficult to Understand?
- It’s more difficult than counting paper ballots.
- Simplicity hides a lack of auditability: how can you
trust that a ballot box was not tampered with?
- With open-audit, anyone can learn the math and
write their own program.
- If there’s fraud, there’s evidence!
All you need is one person to point it out.
152. Questions?
Ben Adida
ben@adida.net
Harvard University
Université Catholique de Louvain
3 February 2009
Editor's Notes
REALLY easy to verify
“The County Election” by George Caleb Bingham
We choose secrecy. The secrecy implemented here is *very* good.
TAKE YOUR TIME WITH THIS!
explain all details of every step
We give up on audit-ability and transparency
INSIST on EVERYONE!!!!
CHANGE VALERIE TO ALICE
AN OPPORTUNITY --> no observable process for online elections.