Ben Hosp, Nils Janson, Phillipe Moore, John Rowe, Rahul Simha, Jonathan Stanton, Poorvi Vora
{bhosp, simha, jstanton, poorvi}@gwu.edu
Dept. of Computer Science
George Washington University
Integrity during ballot casting: paper receipts
Challenge: allow the voter to keep a record of her vote so that
– she can determine that it has been counted correctly, yet
– not prove how she voted
This record is on paper, so “computer” problems will not destroy it.
CVV* can do this with, from the voter’s POV:
– A voting system that will “just work”
– The only additional effort required of the voter is to pull a lever up or down arbitrarily.
Caveat: a non-negligible percentage of voters or their representatives must make the effort to check their ballot receipts.
* Based on a method by David Chaum
Election Goals
Integrity – Correct vote count.
Anonymity – I can’t tell how you voted.
Involuntary Privacy – You can’t prove to me how you voted.
Voter Verifiability – You, the voter, can verify the first two goals.
Public Verifiability – Anyone can verify the first three goals.
Robustness – If something goes wrong it can be detected and fixed.
CVV Assumes
A set of n independent trustees, all of whom do not collude (can be made k of n)
– Collusion can violate privacy without being detected
– Collusion cannot violate integrity without detection
All n trustees are functional (can be made k of n)
– A nonfunctional trustee (or > k nonfunctional trustees) can cause a denial of service attack
CVV Assumes
A not necessarily trustworthy polling machine
– Cannot violate count integrity
– Can violate privacy (sees ballot)
No collusion between authentication process and polling machine
– Collusion can lead to ballot stuffing
Sufficiently large number of receipts checked – by voter or authorized third party
– Requires process
CVV is
A prototype implementation of Chaum’s voter-verifiable voting system
Using commonly available, low-cost hardware and OS platforms
Stage 2
Demo 1: walk-through
The Voting Process: Ballot Casting
The voter uses the voting booth machine to generate some image: her vote.
The booth prints out two layers
– which are random by themselves,
– but when overlaid, display the image.
Layer generation
The layers are generated using two strings of random numbers
– Each created by adding trustee shares
– Each of size half of the number of image pixels
– One for the top layer, the other for the bottom
– Laid in staggered form on the two layers
[Figure: the random pixels (R) of each string laid out in staggered positions on the two layers]
Layer generation
Other half pixels on each layer are such that the overlay is the correct vote
[Figure: top layer + bottom layer = vote image]
Other vote: [figure]
Different types of receipts
Optical (additive) overlay: Chaum
Many other symbols by Jeroen van de Graaf
The Voting Process: Receipt Choice
The voter chooses one layer for her receipt.
– Some other “stuff” is printed on the chosen layer.
– The unchosen layer is destroyed.
– The chosen layer is stored or transmitted.
It can be shown that the machine can cheat in only one of the two receipts if the overlay represents the vote.
The Voting Process: Receipt Checking
Receipts at counting station can all be checked, by a third party, for correctness.
A voter can check her own receipt has reached the counting station or have it checked by a third party.
Automated checking that a hard copy matches an image at the counting station is not yet implemented in CVV; visual checking is possible.
Cheating machine caught with probability half
If the machine has cheated on a vote which has the check performed
– it will be detected with non-negligible probability (one-half?)
– this does not depend on the hardness of any problem using any computational model, but
– on the randomness of the voter choice
Does not depend on voter trust of poll worker checks
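Worked example, added here and not CVV’s own code: the staggered two-layer construction from the layer-generation slides, the public check of a kept receipt layer, trustee-side decryption from the other seed, and a dishonest booth whose forgery is exposed exactly when the voter keeps the bottom layer (the “can cheat in only one of the two receipts” claim). Assumptions: the optical overlay is modelled as per-pixel XOR, a vote image is a flat list of bits, and SHAKE-256 stands in for the trustee-share random strings.

```python
import hashlib

def rand_bits(seed: bytes, n: int) -> list:
    """n pseudorandom bits from a seed (SHAKE-256 here; the real system sums trustee shares)."""
    raw = hashlib.shake_256(seed).digest((n + 7) // 8)
    return [(raw[i // 8] >> (i % 8)) & 1 for i in range(n)]

def make_layers(image, top_seed, bot_seed):
    """Staggered layout: even pixels are random on the top layer, odd pixels on the bottom;
    the remaining pixel of each pair is set so that top XOR bottom equals the vote image."""
    n = len(image)
    r_top, r_bot = rand_bits(top_seed, (n + 1) // 2), rand_bits(bot_seed, n // 2)
    top, bot = [0] * n, [0] * n
    for i, px in enumerate(image):
        if i % 2 == 0:
            top[i] = r_top[i // 2]; bot[i] = top[i] ^ px
        else:
            bot[i] = r_bot[i // 2]; top[i] = bot[i] ^ px
    return top, bot

def overlay(top, bot): return [a ^ b for a, b in zip(top, bot)]  # what the voter sees in the booth

def random_positions(which, n):
    return range(0 if which == "top" else 1, n, 2)

def check_receipt(layer, which, seed):
    """Public check of a kept layer: its random half must equal the bits regenerated from the revealed seed."""
    pos = random_positions(which, len(layer))
    return [layer[i] for i in pos] == rand_bits(seed, len(pos))

def decrypt(layer, which, other_seed):
    """Trustee side: regenerate the destroyed layer's random half and recover the vote at those pixels
    (the kept layer's own random pixels carry no vote information, so they decode to None)."""
    pos = random_positions("bot" if which == "top" else "top", len(layer))
    r_other = rand_bits(other_seed, len(pos))
    out = [None] * len(layer)
    for k, i in enumerate(pos):
        out[i] = layer[i] ^ r_other[k]
    return out

def cheating_layers(shown, intended, top_seed, bot_seed):
    """A dishonest booth: the overlay still shows `shown`, but the top layer's non-random pixels are forged
    so trustees decrypt `intended`; keeping the overlay consistent pushes the bottom layer's random half
    off its seed, so the fraud is exposed exactly when the voter keeps the bottom layer."""
    top, bot = make_layers(shown, top_seed, bot_seed)
    r_bot = rand_bits(bot_seed, len(shown) // 2)
    for k, i in enumerate(random_positions("bot", len(shown))):
        top[i] = r_bot[k] ^ intended[i]
        bot[i] = top[i] ^ shown[i]
    return top, bot
```

The chosen layer alone decodes only half the pixels, which is why the ballot image must stay readable at half resolution.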
The Complete Ballot
The receipt/vote has the following fields:
– The vote ID
– The encrypted image
– Information for trustees required to decrypt the top layer and the bottom layer
– A signature of the vote ID and the info required by a non-trustee to recreate the above for the chosen layer, but not the unchosen one; used to check commitments
– A signature of the whole ballot to prevent false claims of uncounted votes
[Figure: braces mark which fields are “Pre choice” and which are “Post choice”]
The Complete Ballot
The information on the ballot
– Can be used by anyone to verify that the ballot was correctly constructed, but
– Cannot be used to decrypt the ballot except by an appropriate combination of trustees.
The Vote-Decryption Process – similar to a regular MIX
Random pixels were generated using a different seed for each trustee for top and bottom
The seed of the chosen layer made available on the receipt for checking
The other seed made available in nested encrypted form for the trustees to generate random part of unchosen layer
The Vote-Decryption Process
Each trustee:
– for each ballot:
  extracts his seed
  incrementally regenerates the random numbers on the other layer
  adds his share to the ballot
– shuffles all the ballots
– passes on the ballots to the next trustee
Receipt Decryption
[Figure: the chosen layer’s random pixels (R) combined with the regenerated pixels = vote image]
The other vote would have looked like: [figure]
The Auditor
The first trustee is asked to reveal, to the public, a random half of his shuffle.
The next trustee reveals the other half.
And so forth – no ballot can be completely traced through the shuffles.
The Auditor
Each trustee provides
– A correspondence between input and output images
– A seed value
Such that
– the encryption of the seed with his public key gives the encrypted information
– the difference between the output and input images of the revealed half of their shuffle was generated using the seed
Cheating trustee caught with probability half for every vote cheated on
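Added example, not part of the slides or of CVV: a two-trustee MIX with the revealed-half audit described on the Auditor slides, including a trustee that tampers with one ballot so the probability-one-half detection can be observed. Assumptions: XOR masks stand in for the trustee shares, SHAKE-256 for the per-ballot random numbers, and the trustee seeds ride along with the ballot in the clear instead of in nested public-key encryption, so the seed-commitment check is not modelled.

```python
import hashlib, random

def mask_bits(seed, n):  # pseudorandom bits regenerated from a seed (SHAKE-256 stands in for the real generator)
    raw = hashlib.shake_256(seed).digest((n + 7) // 8)
    return [(raw[i // 8] >> (i % 8)) & 1 for i in range(n)]

def strip(bits, seed):  # XOR is self-inverse: the same step adds a trustee's share and removes it
    return [x ^ m for x, m in zip(bits, mask_bits(seed, len(bits)))]
def encrypt_ballot(image, seeds):
    # Counting-station input: the vote masked with every trustee's share. The seeds ride along in the
    # clear here; the real ballot nests them so that only the right trustee can extract his own.
    bits = list(image)
    for s in seeds:
        bits = strip(bits, s)
    return {"bits": bits, "seeds": list(seeds)}

class Trustee:
    def __init__(self, index, shuffle_seed, cheat_on=None):
        self.index, self.rng, self.cheat_on = index, random.Random(shuffle_seed), cheat_on
    def process(self, ballots):  # extract own seed, remove own share, shuffle
        n = len(ballots)
        self.perm = list(range(n)); self.rng.shuffle(self.perm)  # input j -> output perm[j]
        self.inp, self.out = ballots, [None] * n
        for j, b in enumerate(ballots):
            bits = strip(b["bits"], b["seeds"][self.index])
            if j == self.cheat_on:  # a dishonest trustee silently flips a pixel of one ballot
                bits[0] ^= 1
            self.out[self.perm[j]] = {"bits": bits, "seeds": b["seeds"]}
        return self.out
    def reveal(self, positions):  # for challenged inputs only: (input index, output index, seed used)
        return [(j, self.perm[j], self.inp[j]["seeds"][self.index]) for j in positions]

def run_mix(trustees, ballots):
    for t in trustees:
        ballots = t.process(ballots)
    return [b["bits"] for b in ballots]

def link_ok(t, j, out_pos, seed):  # auditor: output minus input must be exactly the mask from the seed
    return t.out[out_pos]["bits"] == strip(t.inp[j]["bits"], seed)

def audit(trustees, n, challenge_seed):
    # Trustee 1 opens a random half of its links; each later trustee opens the links of the ballots the
    # previous one kept closed, so every link is checked with probability 1/2 and none is traced end to end.
    challenge = set(random.Random(challenge_seed).sample(range(n), n // 2))
    for t in trustees:
        opened = t.reveal(sorted(challenge))
        if not all(link_ok(t, j, o, s) for j, o, s in opened):
            return False
        challenge = set(range(n)) - {o for _, o, _ in opened}
    return True
```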
Reduce “negative aspects” of voter verification by
Participation by major political interests and public interest organizations as:
– Trustees
– Third party working on behalf of voter to
  Check that receipt is on website
  Check that receipt was correctly generated
  (For this, need them to actively obtain receipts)
– Witnesses of trustee decryption process and audit
Reduce “negative aspects” of voter verification by - II
Process that includes encouraging voter verification when fraud detected or alleged:
– If a voter claims his vote not counted, encourage enough voters to check their votes to determine extent of fraud/error
– If a displayed receipt does not check, check receipts in that precinct to determine extent of fraud/error
Current status of CVV
Prototype implemented in Java
Currently supports low-end ink jet printing
Plan
– Open source release
– User-friendly ballots
– Pre-packaged election tool kit for third-party elections (e.g. student elections). Those interested please contact us.
– Construction of various other primitives for plug and play
More Next Steps
Performance and Robustness Testing and Enhancements
Trials in local and school elections
– for education and
– to test usefulness and acceptance of scheme
With Political Science and Public Affairs Faculty
Determine if there is a difference in acceptance along group lines:
– Political parties
– Age
– Race
– Ability (among handicapped; Braille overlay methods can be developed)
References and Acknowledgements
David Chaum
David Chaum, “Secret-Ballot Receipts: True Voter-Verifiable Elections”, IEEE Security and Privacy, January-February 2004 (Vol. 2, No. 1)
Poorvi Vora, “David Chaum’s Voter Verification using Encrypted Paper Receipts”, www.seas.gwu.edu/~poorvi/Chaum/chaum.pdf
Also on DIMACS website linked from talk abstract
Extras
1. Voter votes. Obtains an encrypted receipt that even she cannot decrypt outside polling booth
• only all n trustees can decrypt it
• this can be modified to k of n trustees.
We will describe later how she can be sure the polling machine did not cheat
2. Voter checks for receipt on public website. If it is there, her vote has reached the counting station
CVV - How it works (based on Chaum voter-verifiable voting system)
4. Possessor (voter or third party or anyone if receipt on website) can check if receipt is correctly generated.
5. All votes at counting station are serially (partially) decrypted and shuffled by trustees (version of MIX)
6. Final, unencrypted, shuffled votes are counted. Conditional count announced.
7. Trustee decryption and shuffle is audited. Final count announced, election certified.