Security, Privacy, and Electronic Voting

Security, Privacy, and ElectronicVoting

Bridging the Gap between Theory andImplementation

Michael Ginzburg & Kris Kampshoff

Security, Privacy, and Electronic Voting – p.1/34

Outline

� Background and Motivation� Problems with Current Voting Systems� Diebold AccuVote-TS� Requirements for a Secure Voting System� The Secrecy/Auditability Conundrum� Ingredients for a Secure System� “Bulletin Board” Election� Homomorphic ElGamal Encryption� Threshold Decryption� Conclusions


Background and Motivation

� In 2000, the US presidential election was hotly contested,which led to widespread deployment of electronic votingsystems in 2004.� Most of these systems were DRE (Direct Recording Electronic)systems, which leave no paper trail.� Problems with one DRE system in particular (DieboldAccuVote-TS) were discovered and widely reported in 2003.� Many irregularities with DRE machines were reported in 2004.� Our Motivation: Point out the known flaws in existing systems,and examine proposed theoretical systems to see ifimplementation is feasible� Eventual goal: Make voting a painless, secure, and publiclyverifiable process


Diebold AccuVote-TS: Background

�� AccuVote-TS is a complete DRE system (hardware andsoftware):� Using an intelligent Voter Card as the voter interface, the

AccuVote-TS permits voters to view and cast their votes bytouching target areas on an electronically generated ballot.Each unit provides a direct-entry computerized votingapplication that automatically records and storesappropriate ballot information and results. At the end of thevoting period, the system can print precinct totals to beincluded as part of the permanent record and modem[sic]the results to a host computer via TeleResults.� This system was used in 213 counties in 9 states (fortunately,

not in Ohio or Florida) for the 2004 elections.


Diebold AccuVote-TS: Source Code Leak

� AccuVote-TS is not the only DRE system that was used in2004, but it is the system we know the most about.� AccuVote-TS source code was publicly available from acompletely open and insecure FTP site until some time inJanuary 2003.� While Diebold claims to have made significant changes toAccuVote-TS, the state of the source code at the time of theleak casts serious doubts on the security of the system.� Incorrect use of smartcards� Incorrect use or complete absense of cryptography


AccuVote-TS: Highlights

� Avi Rubin, et al. published a devestating critique ofAccuVote-TS after analyzing the source code.� General problems: incorrect use of smartcards andincorrect/absent cryptography.� No cryptography is performed by the smartcards – ever!� This makes ‘homebrew’ smartcards a reality. Attackers

could perform the same actions as an election administrator.� Where cryptography is used, it is woefully inadequate.�

#define DESKEY ((des_key*) ‘‘F2654hD4‘‘)� Single DES is used in CBC mode with a 0 IV to store ballotdata and votes.


AccuVote-TS: Summary

� It is not clear whether or not the leaked source code accuratelyrepresents the final system put in place by Diebold for the 2004election.� Diebold officials released a rebuttal to Rubin’s paper, but itinadequately addressed many of the concerns, and belied acomplete lack of understanding of security issues.� Rubin: “Cryptography, when used at all, is used

incorrectly.”� Diebold: “ This statement is based on the presumption thatthere is a single correct means of using cryptography.”� However, even if significant improvements were made, the

glaring errors present in the leaked code cast great doubt on thesecurity of the final system.


Requirements for a Voting System

� A voting system, electronic or otherwise, must successfullydeal with these problems:� Ballot Modification� Disenfranchisement� Loss of Privacy� Multiple Votes� Vote Commoditization/Voter Coercion� These problems can be generalized into twosomewhat-contradictory requirements: Secrecy andAuditability.


Secrecy/Auditability Conundrum

� Ballot secrecy: Only the voter may know which vote he or shecast.� Ballot auditability: Any interested party should be able to checkunambiguously that the published election result corresponds tothe ballots cast by legitimate voters.


Theoretical Approaches

� All voting systems, electronic or otherwise, require ballotsecrecy and ballot auditability. If these two issues are satisfied,most of the security concerns mentioned previously arealleviated.� However, secrecy and auditability are difficult to achieve at thesame time.� Common themes among the theoretical voting papers wesurveyed are: homomorphic encryption, threshold decryption,and a “bulletin board” metaphor for the collection and auditingof votes.� Here, we will focus on one scheme described in two papers bySchoenmakers, Cramer, and Gennaro, which makes use ofthese three concepts.



� It is impossible to achieve both goals if only a single trustedentity is used

�

Voter Vote

�

Alice Yes 1Bob No 0Carol Yes 1Diane No 0Total 2

� Entity

�

learns all of the voters’ votes.



� We need to distribute the responsibilities of tallying to protectprivacy

�

Voter Vote

��

Alice Yes �1287 +1288Bob No +1999 �1999Carol Yes +1770 �1769Diane No �1334 +1334Total +1148 �1146

� �� and

� � learn none of the voters’ votes, unless they collude.� We need to have a large enough number of talliers so that votersmay trust at least some of them not to collude.


Bulletin Board Election

� A voting scheme proposed by Cramer, Gennaro, andSchoenmakers. Relies on a “bulletin board” model:� Any parties (including passive observers) can see bulletin

board contents� Each active participant can post messages by appending themessage to their own designated area� Digital signatures are used to verify access to the varioussections of the bulletin board� No party can erase anything from the bulletin board� Broadcast channel such that everybody is able to view whatis posted


Bulletin Board Election: Process

� Phase 1 – Setup� Bulletin board servers are set up. This includes thegeneration and certification of public keys� Deadlines for the various phases of the election aredetermined� List of eligible voters is determined� List of talliers is determined� All of the above info is distributed to all relevant parties (voters,

talliers, election observers, etc.)



� Phase 2 – Registration� Talliers register their public keys with the bulletin board� Eligible voters register their public keys with the bulletinboard� List of talliers and list of voters is ‘frozen’ (digitally signed,contents possibly time-stamped)



� Phase 3 – Voting� Registered voters cast their votes by sending in theirencrypted ballots, which are digitally signed by the voterand verifiable by the public key registered with the voter’ssection on the bulletin board� Election officials freeze the contents of the voters’ sectionson the bulletin board, and accumulate the valid ballots� Talliers produce their sub-tallies� The election officials freeze the contents of the talliers’sections on the bulletin board. The final tally as computedfrom the sub-tallies is also included� The observers read the complete contents of the bulletinboard, and check that all valid ballots are counted, and validsub-tallies correspond to the final tally


Cryptographic Protocols

� How can we guarantee that votes are tallied accurately withoutcompromising voter secrecy?� By using special-purpose cryptographic protocols that rely ontechniques such as verifiable secret sharing andzero-knowledge proofs of knowledge.� Homomorphic encryption:� A public key encryption algorithm

�is called

homomorphic if it satisfies the property��

for any public key� �

and any messages � � and � � . Hence,if we ‘multiply’ two encrypted messages (for the samepublic key), the result is an encryption of the ‘sum’ of theoriginal messages.


Cryptographic Protocols

� The security of the scheme can be chosen to be a cryptosystembased on either the difficulty of the discrete logarithm problemOR the hardness of factoring.� The ElGamal cryptosystem (which relies on the difficulty of thediscrete logarithm problem) will be used for the security of theelection scheme because is has some nice properties that makeit easy to work with.


ElGamal Review

� Review of the ElGamal Cryptosystem:�� is a 1024-bit prime�� is a 160-bit prime satisfying� ��

�� is an element of order�� Each participant in the system generates a key pair by picking arandom number � such that

�� and setting the privatekey equal to � and the public key

� �� . Because of the

hardness of the discrete logarithm problem, no one is able tofind � given only

�

and� .


Using ElGamal

� To encrypt a message � for a recipient with public key�

, onecomputes the ciphertext

� "! # � � $! � $� � , where % is arandom number

�� % � � .� Benefit of ElGamal: since % is random for each encryption, theresult will be different each time (even for the same message).� To decrypt the ciphertext

"! # the recipient will use their

private key �: � � # &� �

.


Homomorphic ElGamal

� The ElGamal cryptosystem can be easily modified to behomomorphic by setting � �� '

for a vote � in( �! � )

. (Thislimits voting to a yes-or-no scheme; more complicated versionsare possible for multi-way voting.)� Multiplying

� �! # � � � $*! � $* � � '* by �! # � � � $+! � $ + � � ' +

, we get �! # � �� ! # � � � � �! # � � # � �� $* , $ +! � $* , $ + � � ' * , '+ ,

which is an ElGamal encryption of� '* , '+

.


Simplified Overview of the Voting Scheme

� The two main stages for an election are as follows:1. Voting: Each voter

-/. submits a ballot of the form� .! # . � � $0! � $0 � � '0

, where � . 1 ( �! � )is the desired

vote and

�

is the (shared) public key of the talliers (more onthis later).

2. Tallying: The product of all submitted ballots,

. � 2� 3 0 $0! � 3 0 $0 � � 3 0 '0 4, is computed. The talliers

jointly decrypt the product, which yields the sum of thevotes, . � . , as the desired tally.� How is voter privacy ensured? Because no entity is ever in

possession of the decryption (private) key 5 that corresponds tothe talliers’ public key

�. The tally of the votes is decrypted

using a threshold cryptosystem.


Threshold Cryptosystem

� Purpose: to share a private key among a set of entities such thatmessages can only be decrypted when a substantial set ofentities cooperate.� The main protocols of such a system are:� a key generation protocol to generate the private key jointly

by the receivers, and� a decryption protocol to jointly decrypt a ciphertext withoutexplicitly reconstructing the private key.


Threshold Cryptosystem

� The result of the key generation protocol is that each tallier

687

will possess a share 5 7 1 9;: of a secret 5. The talliers arecommitted to these shares as the values

� 7 �� <= are madepublic.� The shares 5 7 are chosen such that the secret 5 can bereconstructed from any set

>

of

?shares:

(1) 5 � 7@ A 5 7 B 7DC A, where

B 7DC A � .@ AFE G 7 H .. E 7

� The public key

� �� <

is broadcast to all participants in thesystem; however, no single participant ever learns the secret 5.


Decrypting the Ballots

� To decrypt a ciphertext

�! I � � J! � J� � withoutreconstructing the secret 5, the talliers execute the followingprotocol:� Each tallier

67 broadcasts K 7 � � <= and proves inzero-knowledge that log L � 7 � log � K 7 .� Let

>

denote any subset of

?authorities who passed the

zero-knowledge proof. By raising � to both sides ofequation (1), it follows that the plaintext can be recovered as� � I & 7@ A K M=ON P7 .

� Step 2 assures that the decryption is correct and successful evenif up to Q � ?

talliers are malicious or simply fail to execute theprotocol.


Encryption and Proof of Validity of Ballot

� Too big to fit on slide!� The resulting proof of validity requires only a few modularexponentiations.


Proof of knowledge for log R S T log U S

�

Prover VerifierV �! I � � J! � J W

K 1YX 9 :� "! # [Z � \! � \ ! #^]Z _ _ 1[X 9 :

%Z K �a` _ % ] � $ � � b

� $ � # I b

� In order to make the protocols non-interactive, the verifier willbe implemented using either a trusted source of random bits(i.e. a beacon) or using the Fiat-Shamir heuristic, whichrequires a hash function.


Decrypting the Ballots

� Using the threshold cryptosystem outlined above, the mainsteps of the bulletin board voting protocol are now:� Voter

-. posts a ballot

� .! I . to the bulletin board(accompanied by a non-interactive proof of validity)� When the deadline is reached, the proofs of validity arechecked by the talliers and the productc ! d � e.gf � � .! e.gf � I . is formed� Finally, the talliers jointly execute the decryption protocol(outlined above) for

c ! d to obtain the value of� d &c <

. (A non-interactive proof of knowledge is usedin Step 1 of the decryption protocol)


Final Tally

� As a result, we get � h i

, where

6

is equal to the differencebetween the number of yes-votes and no-votes, � j � � 6� � j

(where

j

is the total number of voters). Hence,6 � log k

which is, in general, considered hard to compute because of thediscrete logarithm problem.� But

6

must be computed, as it is the final tally of the votes!What to do?� The value of

6

can easily be determined by iterativelygenerating

h E e! hE e , �! hE e , �!l l l until is found. While thiswould normally be considered a naive brute-force approach tosolving a discrete logarithm, here it makes sense because

j

(thenumber of voters) is relatively small.


Extension to Multi-way Elections

� Many elections require choosing between more than just twochoices.� There are multiple ways to solve this problem. One way(described below) keeps the size of the ballots constant, whileincreasing the size of the ballot’s proof of validity).� To get an election for a 1-out-of-

�choice, take

�

(independently generated) generators

h .! �m nm �

, andaccumulate the votes for each option separately.� The proof of ballot validity of a ballot

�! I now boilsdown to a proof of knowledge ofjpo� L � � j o� q I & h � sr � � � r jpo� L � � j o� q I & h .This automatically guarantees that the voter cannot vote formore than one option at a time, since the voter can onlygenerate this proof of validity for at most one generator

h . .Security, Privacy, and Electronic Voting – p.30/34

Extension to Multi-way Elections 2

� Computing the final tally is generally more complicated.� After decryption by the authorities, a number is obtainedthat represents the final tally, � h i*� � � � h iut , where the

6 . ’sform the result of the election.� Since

6 . v �

and

.gf � 6 . � j

, computation of the

6 . ’s isfeasible for reasonable values of

jand

�.


Major Achievements

Three major achievmeents of the scheme:� 1) The work required of the voter is minimal.� 2) The protocol, as well as the time and communicationcomplexity for each voter, is independent of Q (the number ofauthorities/talliers).� 3) The new scheme can easily be extended using techniques for“proactive” threshold cryptosystems to leave the system (andits keys) in place for a really long time without fearing that thesecret key gets compromised.


Problems with This Scheme

� Every participant requires a public-private key pair. Thisincludes the servers running a bulletin board, the talliers, andmost importantly, every single voter. The logistics ofgenerating/distributing key pairs for every voter in a secure androbust manner would be a nightmare.� Asymmetric cryptography (ElGamal) is more expensivecomputationally than the symmetric-key protocols being usedin current systems. This may not scale well to large elections.� Due to its use of electronic “receipts” (the encrypted anddigitally signed vote posted to the voter’s section of the bulletinboard), a third-party could force a voter to use a particularchoice for % for the encryption of the ballot. If this is done, thethird-party would then be able to coerce the voter to vote in aparticular way.


Conclusions

� Some current implementations of electronic voting systems aresimply not secure enough to trust for something as important asour electoral process.� On the other hand, the current theoretical systems we haveexamined, while provably secure, may have problems withlogistics and matters of scale.


Security, Privacy, and Electronic Voting

Documents

Transcript of Security, Privacy, and Electronic Voting