1) Cryptography can reconcile voting secrecy and auditing by enabling a new voting paradigm of secrecy and auditability through techniques like encrypted ballots on a public bulletin board. 2) End-to-end verifiable voting allows voters like Alice to independently verify that their votes were correctly cast and counted in the final results through a public bulletin board and verification of the election paper trail and results. 3) Cryptography creates trust between competitors in voting by allowing independent third-party auditing of election results through techniques like public verifiable encrypted ballots.

1. Cryptography
and Voting
Ben Adida
Harvard University
EVT & WOTE
August 11th, 2009
Montreal, Canada

2. “If you think
cryptography
is the solution
to your problem....
2

3. ... then you
don’t understand
cryptography...
3

4. ... then you
don’t understand
cryptography...
... and you don’t
understand your
problem.”
-Peter, Butler, Bruce
3

5. Yet, cryptography solves
problems that initially
appear to be impossible.
4

6. There is a
potential paradigm shift.
A means of
election verification
far more powerful
than other methods.
5

7. Three Points
1. Voting is a unique trust problem.
2. Cryptography is not just about secrets,
it creates trust between competitors,
it democratizes the auditing process.
3. Open-Audit Voting
is closing in on practicality.
6

8. 1.
Voting is a unique
trust problem.
7

9. “Swing Vote”
terrible movie.
hilarious ending.
8

10. Wooten got the news from his wife, Roxanne,
who went to City Hall on Wednesday
to see the election results.
"She saw my name with zero votes by it.
She came home and asked me if
I had voted for myself or not."
9

11. 10

12. 11

13. Bad Analogies
Dan Wallach’s great rump session talk.
More than that
ATMs and planes are vulnerable
(they are, but that’s not the point)
It’s that voting is much harder.
12

14. Bad Analogies
Adversaries
➡ pilots vs. passengers (airline is on your side, I think.)
➡ banking privacy is only voluntary:
you are not the enemy.
Failure Detection & Recover
➡ plane crashes & statements vs. 2% election fraud
➡ Full banking receipts vs. destroying election evidence
Imagine
➡ a bank where you never get a receipt.
➡ an airline where the pilot is working against you.
13

15. Ballot secrecy
conflicts with auditing,
cryptography
can reconcile them.
14

16. http://www.cs.uiowa.edu/~jones/voting/pictures/ 15

17. 16

18. /* 1
* source
* code
*/
if (...
Vendor
16

19. /* 1
* source
* code
Voting 2 */
Machine
if (...
Vendor
16

20. /* 1
* source
* code
Polling Voting */
3 2
Location Machine
if (...
Vendor
16

21. /* 1
* source
* code
Polling Voting */
3 2
Location Machine
if (...
Vendor
4
Alice
16

22. /* 1
* source
* code
Polling Voting */
3 2
Location Machine
if (...
Vendor
4
Alice
16

23. /* 1
* source
* code
Polling Voting */
3 2
Location Machine
if (...
Vendor
4
Alice
5
Ballot Box Collection
16

24. /* 1
* source
* code
Polling Voting */
3 2
Location Machine
if (...
Vendor
4
Alice
Results
5 6 .....
Ballot Box Collection
16

25. /* 1
* source
* code
Polling Voting */
3 2
Location Machine
if (...
Vendor
4
Alice
Results
5 6 .....
Ballot Box Collection
Black Box
16

26. Chain of Custody

27. Chain of Custody

28. Chain of Custody

29. Chain of Custody

30. Chain of Custody

31. Initially,
cryptographers
re-created
physical processes
in the digital arena.
18

32. Then, a realization:
cryptography enables a
new voting paradigm
Secrecy + Auditability.
19

33. 20

34. Public Ballots
Bulletin Board
Bob:
McCain
Carol:
Obama
21

35. Public Ballots
Bulletin Board
Bob:
McCain
Carol:
Obama
Alice
21

36. Public Ballots
Bulletin Board
Alice: Bob:
Obama McCain
Carol:
Obama
Alice
21

37. Public Ballots
Bulletin Board
Alice: Bob:
Obama McCain
Carol:
Obama
Tally
Obama....2
McCain....
Alice
1
21

38. Encrypted Public Ballots
Bulletin Board
Alice: Bob:
Rice Clinton
Carol:
Rice
Tally
Obama....2
McCain....
Alice
1
22

39. Encrypted Public Ballots
Bulletin Board
Alice: Bob:
Rice Clinton
Carol:
Ali Rice
ce
ver Tally
ifies
he
rv Obama....2
ote
McCain....
Alice
1
22

40. Encrypted Public Ballots
Bulletin Board
Alice: Bob:
Rice Clinton
Carol:
Ali
ce Rice ta lly
e
hTally
ver
ifi ifie st
es
he ne ver
rv ve ryo Obama....2
ote E
McCain....
Alice
1
22

41. End-to-End Verification

42. End-to-End Verification
/*
* source
* code
Voting */
Machine
if (...
Vendor
Polling
Location

43. End-to-End Verification
/*
* source
* code
Voting */
Machine
if (...
Vendor
Ballot Box /
Polling Bulletin Board
Location
Alice

44. End-to-End Verification
/*
* source
* code
Voting */
Machine
if (...
Vendor
Ballot Box / Results
Polling Bulletin Board
Location .....
Alice

45. End-to-End Verification
/*
* source
* code
Voting */
Machine
if (...
Vendor
Ballot Box / Results
Polling Bulletin Board
Location .....
1
Alice
Receipt

46. End-to-End Verification
/*
* source
* code
Voting */
Machine
if (...
Vendor
Ballot Box / Results
Polling Bulletin Board
Location .....
1 2
Alice
Receipt

47. Democratizing Audits
Each voter is responsible for checking
their receipt (no one else can.)
Anyone, a voter or a public org,
can audit the tally and
verify the list of cast ballots.
Thus, OPEN-AUDIT Voting.
24

48. 2.
Cryptography is
not just about secrets,
creates trust between
competitors.
25

49. NO!
Increased transparency
when some data
must remain secret.
26

50. So, yes, we encrypt,
and then we operate on the
encrypted data in public, so
everyone can see.
In particular, because the vote
is encrypted, it can remain
labeled with voter’s name.
27

51. “Randomized” Encryption
28

52. “Randomized” Encryption
Keypair consists of a public key pk and a secret key sk .
28

53. “Randomized” Encryption
Keypair consists of a public key pk and a secret key sk .
"Obama" Enc pk 8b5637
28

54. “Randomized” Encryption
Keypair consists of a public key pk and a secret key sk .
"Obama" Enc pk 8b5637
"McCain" Enc pk c5de34
28

55. “Randomized” Encryption
Keypair consists of a public key pk and a secret key sk .
"Obama" Enc pk 8b5637
"McCain" Enc pk c5de34
"Obama" Enc pk a4b395
28

56. Threshold Decryption
Secret key is shared amongst multiple parties:
all (or at least a quorum) need to cooperate to decrypt.
8b5637
29

57. Threshold Decryption
Secret key is shared amongst multiple parties:
all (or at least a quorum) need to cooperate to decrypt.
Dec sk1 b739cb
8b5637
29

58. Threshold Decryption
Secret key is shared amongst multiple parties:
all (or at least a quorum) need to cooperate to decrypt.
Dec sk1 b739cb
Dec sk2 261ad7
8b5637
29

59. Threshold Decryption
Secret key is shared amongst multiple parties:
all (or at least a quorum) need to cooperate to decrypt.
Dec sk1 b739cb
Dec sk2 261ad7
8b5637
Dec sk3 7231bc
29

60. Threshold Decryption
Secret key is shared amongst multiple parties:
all (or at least a quorum) need to cooperate to decrypt.
Dec sk1 b739cb
Dec sk2 261ad7
8b5637
Dec sk3 7231bc
Dec sk4 8239ba
29

61. Threshold Decryption
Secret key is shared amongst multiple parties:
all (or at least a quorum) need to cooperate to decrypt.
Dec sk1 b739cb
Dec sk2 261ad7
8b5637 "Obama"
Dec sk3 7231bc
Dec sk4 8239ba
29

62. Homomorphic
Encryption
30

63. Homomorphic
Encryption
Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 )
30

64. Homomorphic
Encryption
Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 )
30

65. Homomorphic
Encryption
Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 )
g m1
×g m2
= g m 1 +m 2
30

66. Homomorphic
Encryption
Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 )
g m1
×g m2
= g m 1 +m 2
then we can simply
add “under cover” of encryption!
30

67. Mixnets
c = Encpk1 (Encpk2 (Encpk3 (m)))
Each mix server “unwraps”
a layer of this encryption onion.
31

68. Proving certain details while
keeping others secret.
Proving a ciphertext
encodes a given message
without revealing
its random factor.
32

69. Zero-Knowledge Proof
33

70. Zero-Knowledge Proof
President:
President:
Mickey Mouse
President:
Mickey Mouse
President:
Mickey Mouse
President:
Mickey Mouse
President:
Mickey Mouse
Vote For:
Mickey Mouse
Obama
Vote For:
Obama
33

71. Zero-Knowledge Proof
President:
President:
Mickey Mouse
President:
Mickey Mouse
President:
Mickey Mouse
President:
Mickey Mouse
President:
Mickey Mouse
Vote For:
Mickey Mouse
Obama
Vote For:
Obama
This last envelope
likely contains “Obama”
33

72. Zero-Knowledge Proof
President: President:
President:
Mickey Mouse President:
Mickey Mouse
President:
Mickey Mouse President:
Mickey Mouse
President:
Mickey Mouse President:
Mickey Mouse
President:
Mickey Mouse President:
Mickey Mouse
President:
Mickey Mouse President:
Mickey Mouse
Vote For:
Mickey Mouse Vote For:
Mickey Mouse
Obama McCain
Paul
Open envelopes don’t prove
anything after the fact.
34

73. Electronic Experience
Voter interacts with a voting
machine
Voting Machine
Alice
Obtains a freshly printed receipt
that displays the encrypted ballot
Encrypted Vote
Takes the receipt home and uses it
as a tracking number.
Receipts posted for public tally.
35

74. Paper Experience
David
Adam
Bob
Charlie
David _______
Adam _______
Bob _______ Pre-print paper ballots with some
indirection betw candidate and choice
Charlie _______
_______
8c3sw
_______
_______
_______
8c3sw
Break the indirection (tear, detach)
Adam - x
8c3sw
for effective encryption
Bob - q
Charlie - r
David - m Take receipt home and use it
Adam - x
Bob - q
8c3sw
as tracking number.
Charlie - r
q
q
David - m
r
r m
m x
x
8c3sw
Receipts posted for public tally.
q r m x
36

75. 3.
Cryptography-based Voting
(Open-Audit Voting)
is closing in on practicality.
37

76. Benaloh Casting
38

77. Benaloh Casting
Alice
38

78. Benaloh Casting
"Obama"
Alice
38

79. Benaloh Casting
"Obama"
Encrypted
Ballot
Alice
38

80. Benaloh Casting
"Obama"
Encrypted
Ballot
Alice
Alice
38

81. Benaloh Casting
"Obama"
Encrypted
Ballot
Alice
"AUDIT"
Alice
38

82. Benaloh Casting
"Obama"
Encrypted
Ballot
Alice
"AUDIT"
Decrypted
Ballot
Alice
38

83. Benaloh Casting
"Obama"
Encrypted
Ballot
Alice
"AUDIT"
Decrypted
Ballot
Alice
Encrypted Decrypted
Ballot Ballot
VERIFICATION
38

84. Benaloh Casting
"Obama"
Encrypted
Ballot
Alice
"AUDIT"
Decrypted
Ballot
Alice
Encrypted Decrypted
Ballot Ballot
VERIFICATION
38

85. Benaloh Casting
"Obama"
Encrypted
Ballot
Alice
"AUDIT"
Decrypted
Ballot
Alice
Encrypted Decrypted
Ballot Ballot
VERIFICATION
38

86. Benaloh Casting
"Obama"
Encrypted
Ballot
Alice
"AUDIT"
Decrypted
Ballot
Alice Alice
Encrypted Decrypted
Ballot Ballot
VERIFICATION
38

87. Benaloh Casting
"Obama"
Encrypted
Ballot
Alice
"AUDIT" "CAST"
Decrypted
Ballot
Alice Alice
Encrypted Decrypted
Ballot Ballot
VERIFICATION
38

88. Benaloh Casting
"Obama"
Encrypted
Ballot
Alice
"AUDIT" "CAST"
Decrypted Signed
Ballot Encrypted
Ballot
Alice Alice
Encrypted Decrypted
Ballot Ballot
VERIFICATION
38

89. Benaloh Casting
"Obama"
Encrypted
Ballot
Alice
"AUDIT" "CAST"
Decrypted Signed
Ballot Encrypted
Ballot
Alice Alice
Encrypted Decrypted
Ballot Ballot
VERIFICATION
Alice
38

90. Benaloh Casting
"Obama"
Encrypted
Ballot
Alice
"AUDIT" "CAST"
Decrypted Signed
Ballot Encrypted
Ballot
Alice Alice
Encrypted Decrypted
Ballot Ballot
Signed
Encrypted
Ballot
VERIFICATION
Alice
38

91. Many more great ideas
Neff ’s MarkPledge
➡ high-assurance, human-verifiable, proofs of correct encryption
Scantegrity
➡ closely mirrors opscan voting
ThreeBallot by Rivest
➡ teaching the concept of open-audit without deep crypto
STV: Ramchen, Teague, Benaloh & Moran.
➡ handling complex election styles
Prêt-à-Voter by Ryan et al.
➡ elegant, simple, paper-based
39

92. Deployments!
UCL (25,000 voters)
Scantegrity @ Takoma Park
SCV
40

93. Three Points
1. Voting is a unique trust problem.
2. Cryptography is not just about secrets,
it creates trust between competitors,
it democratizes the auditing process.
3. Open-Audit Voting
is closing in on practicality.
41

94. My Fear:
computerization of
voting is inevitable.
without open-audit,
the situation is grim.
42

95. My Hope:
proofs for auditing
partially-secret
processes will soon be
as common as public-
key crypto is now.
43

96. Challenge:
Ed Felten: “you have no voter privacy, deal with it.”
44

97. Challenge:
Ed Felten: “you have no voter privacy, deal with it.”
44

98. Questions?
45