Socio-technical Trade-offs in
Cryptographic Voting Schemes
Peter Y A Ryan
University of Newcastle
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
1
Introduction
• Designing dependable, trustworthy e-voting systems is
vastly challenging:
– Want high-assurance of accuracy whilst maintaining ballot
secrecy.
– Minimal trust in components, officials, suppliers etc.
– Ideally, trust should ultimately rest on the electorate themselves.
– Must be useable and understandable by the electorate at large.
• Probably impossible to achieve all of these
simultaneously, hence trade-offs need to be investigated
and evaluated.
• Tension between making the system as simple as
possible for voters (“vote and go”) on the one hand and
ensuring that trust rests ultimately on the voters.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
2
Outline
• Overview of Prêt à Voter “Classic”.
• Outline of some vulnerabilities with Prêt à
Voter “Classic”.
• Enhancements to counter these
vulnerabilities.
• Trade-offs.
• Conclusions.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
3
Typical Prêt à Voter “Classic” Ballot
Sheet
Epicurus
Democritus
Aristotle
Socrates
Plato
$rJ9*mn4R&8
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
4
Voter marks their choice
Epicurus
Democritus

Aristotle
Socrates
Plato
$rJ9*mn4R&8
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
5
Voter’s Ballot Receipt

$rJ9*mn4R&8
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
6
Remarks
• Order of candidates is randomised for each ballot form,
hence the receipt reveals nothing about the vote.
• Vote is not directly encrypted, rather the frame of
reference, i.e., the candidate list, is randomised and
information defining the frame is encrypted.
• Voter does not need to communicate their vote to the
device.
• Vote casting (of the receipt) could be in the presence of
an official.
• Signatures (digital and physical?) could be applied.
• A paper audit trail mechanism could be incorporated
(similar to VVPAT but recording encrypted receipts).
• Works for ranked, approval, STV etc.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
7
Tabulation
• All cast receipts are posted to a secure
Web Bulletin Board (WBB). A sort of
“virtual sport’s hall”.
• A set of “tellers” now perform an
anonymising mix/decryption on the posted
receipts.
• Outputs of each phase of the mix are also
posted to the WBB.
• Final column shows decrypted votes.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
8
What can go wrong…
• For the accuracy requirement:
– Ballot forms may be incorrectly constructed,
leading to incorrect encoding of the vote.
– Ballot receipts could be corrupted before they
are entered in the tabulation process.
– Tellers may perform the mix/decryption
incorrectly.
• In this talk I will concentrate on the first of
these.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
9
Auditing ballot forms
• “Authority” generates and prints a large number of ballot
forms.
• Random audits before, during and after the election
period by independent authorities (and possibly the
voters themselves).
• To check the construction of the ballot forms the values
on the form, onion and candidate ordering, can be
reconstructed if the seed value is revealed.
• Use the tellers in an on-demand mode to reveal the
secret seed value buried in the onion. Avoids problems
with storing and selectively revealing seeds.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
10
Advantages of Prêt à Voter
• Voter experience simple and familiar.
• No need for voters to have personal keys or computing
devices.
• Ballot form commitments and checks made before
election opens  neater recovery strategies.
• Votes are not directly encrypted, just the frame of
reference in which votes encoded. Hence:
– The vote recording device doesn’t get to learn the vote.
– No need for ZK proofs of correctly formed encrypted receipts or
cut-and-choose protocols. (but onus of proof shifts to the wellformedness of the ballot forms).
– Avoids subliminal channels, side channels and social
engineering attacks.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
11
Vulnerabilities
• Need to trust “The Authority” (for secrecy).
• Need to trust the auditors (absence of collusion).
• Need to protect ballot form information (chain of
custody).
• Chain voting.
• Enforcing the destruction of LH strips.
• Need to constrain the WBB audits, i.e., reveal
only L or R links.
• Separation of teller modes, i.e., ensure that each
ballot form is processed only once.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
12
Distributed creation of ballot forms
• We would like to set things up so only the voters
gets to see the onion/candidate list association.
No single entity knows or controls the entropy.
• On-demand printing of ballot forms.
• This can be achieved with a “pre-mix” that
mirrors the tabulation mixes of PàV Classic.
• Mixing is done under an extra layer of encryption
that can be stripped off at the last moment.
• Can be adapted for remote variants.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
13
Distributed generation of (ElGamal)
onions
• An initial clerk generates a set of pairs of onions. Each
pair has the same initial plaintext seed s:
((x, Rx.s), (y, T y.s))
• These pairs are put through a set of re-encryption
anonymising mixes:
((x, Rx.s), (y, T y. s))
• i.e. a re-encryption and injection of fresh entropy to the
seed value s.
• After a number of mixes:
((x…, R x…. s…)), (y…, T y…. s…))
• These pairs can now be distributed in this form. The
candidate list is hidden in this form. These could be
randomly audited at this stage.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
14
Revealing the ballot form
• The booth device can then decrypt the LH onion to give
the candidate permutation :
(, (y…, T y…. s…))
• Can be adapted to remote versions (use the Cornell
protocol to convert the LH onion to be encrypted under
the voter Vi’s PK.
((x…, Vi x…. s…)), (y…, T y…. s…))
• A similar construction is possible original RSA onions.
• ElGamal construction is suitable for re-encryption mixes
during the tabulation/anonymising mix.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
15
On-demand printing
• We can minimise chain voting and chain of
custody problems by arranging the print ballot
forms at the last moment, i.e., in the booth.
• Note subtle distinction between creating and
printing.
• Use fresh, additional sources of entropy, e.g.,
fibres in the paper, the voters themselves etc.
• The problem now is that we can’t pre-audit precommitted forms.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
16
Post-auditing
• A possible solution is to re-introduce cutand-choose element to the protocol along
with post-auditing.
• Note: Chaum’s original scheme suggested
devices available at the polling station to
check receipts. Probably retain this, in
particular to check digital signatures and to
spot problems early, but additionally
perform checks on WBB posted data.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
17
2 sided ballot forms
Thales
Plato
Plato
Thales
Socrates
Socrates
7y6G
&9j5
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
H56
$Mz
18
Vote selection
• Forms can be printed in the booth.
• Voter makes an arbitrary choice as to
which side to use.
• They mark their cross (or ranking etc)
against the candidate of choice as before.
• The other side is left blank.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
19
Vote selection
Plato
Thales
Plato
X
Thales
Socrates
Socrates
7y6G
&9j5
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
H56
$Mz
20
Receipts
Plato
X
Thales
Socrates
7y6G
&9j5
NeSC Edinburgh
27 Feb 2006
H56
$Mz
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
21
Discussion
• The unused side can now be checked for wellformedness (at the time of casting and later in the WBB).
• This avoids some of the vulnerabilities of PaV Classic
but at the cost of re-introducing the social engineering
Chaum/Neff vulnerabilities noted by Karlof et al.
• Note: still no need for the voter to communicate their
vote to the device, hence no subliminal/side channels
etc.
• Also counters klepographic attacks.
• Note: symmetry between the two sides!
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
22
Post-auditing
• Receipts could be checked again on exit
from the polling stations.
• In addition, all the info would be posted to
the WBB. The slip, unused side could be
checked for well-formedness.
• Seeds revealed for the unused sides.
• Need mechanisms to prevent leakage of
seeds for used sides, e.g., authorisation
code on LHS?
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
23
Discussion
• This solution avoids a lot of the
vulnerabilities of Classic, e.g., no need to
trust the auditing authorities, but makes
the protocol a little more complex for the
voter. And may re-introduce the possibility
of “social-engineering” attacks.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
24
“assisting the voter”
• We could envisage a device to help the
voter mark the form and destroy the LHS.
• But then we need to trust this to cheat in
some, e.g., scanning the candidate list
before destruction.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
25
Conclusion
• Ideally we would like the trust to rest
ultimately with the electorate.
• This seems to be impossible without
involving the voters in the verification
process.
• Compromisers and trade-offs are
inevitable.
• Verify the election not the system.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
26
Future work
• On the current model:
–
–
–
–
–
–
Determine exact requirements.
Formal analysis and proofs.
Construct threat and trust models.
Investigate error handling and recovery strategies.
Develop a full, socio-technical systems analysis.
Develop prototypes and run trials, e.g., e-voting
games!
– Investigate public understanding, acceptance and
trust.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
36
Future work
• Beyond the current scheme:
– Finalise remote, coercion resistant version
(using “capabilities”).
– Re-encryption mixes.
– Establish minimal assumptions.
– Alternative sources of seed entropy: Voters,
optical fibres in the paper, quantum…?
– Alternative robust mixes, e.g., ZK shuffle
proofs.
– Quantum variants.
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
37
References
•
•
•
•
•
•
•
•
•
•
•
David Chaum, Secret-Ballot receipts: True Voter-Verifiable Elections, IEEE Security and Privacy
Journal, 2(1): 38-47, Jan/Feb 2004.
J W Bryans & P Y A Ryan “A Dependability Analysis of the Chaum Voting Scheme”, Newcastle
Tech Report CS-TR-809, 2003.
J W Bryans & P Y A Ryan, “Security and Trust in a Voter-verifiable Election Scheme”, FAST 2003.
P Y A Ryan & J W Bryans “A Simplified Version of the Chaum Voting Scheme”, Newcastle TR
2004
P Y A Ryan, Towards a Dependability Case for the Chaum Voting Scheme, DIMACS June 2004.
P Y A Ryan, “E-voting”, presentation to the Caltech/MIT workshop on voting technology, MIT
Boston 1-2 October 2004.
P Y A Ryan, “A Variant of the Chaum Voter-verifiable Election scheme”, WITS, 10-11 January
2005 Long Beach Ca.
D Chaum, P Y A Ryan, S A Schneider, “A Practical, Voter-Verifiable Election Scheme”, Newcastle
TR 880 December 2004, Proceedings ESORICS 2005, LNCS 3679.
B Randell, P Y A Ryan, “Trust and Voting Technology”, NCL CS Tech Report 911, June 2005, to
appear IEEE Security and Privacy Magazine.
P Y A Ryan, T Peacock, “Prêt à Voter, A Systems Perspective”, NCL CS Tech Report 929,
September 2005, submitted to IEEE Security and Privacy Symposium 2006.
Clarkson and Myers, “Coercion-resistant Remote Voting using Decryption Mixes”, at FEE 2005.
http://www.win.tue.nl/~berry/fee2005/
NeSC Edinburgh
27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
38