Socio-technical Trade-offs in Cryptographic Voting Schemes Peter Y A Ryan University of Newcastle NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 1 Introduction • Designing dependable, trustworthy e-voting systems is vastly challenging: – Want high-assurance of accuracy whilst maintaining ballot secrecy. – Minimal trust in components, officials, suppliers etc. – Ideally, trust should ultimately rest on the electorate themselves. – Must be useable and understandable by the electorate at large. • Probably impossible to achieve all of these simultaneously, hence trade-offs need to be investigated and evaluated. • Tension between making the system as simple as possible for voters (“vote and go”) on the one hand and ensuring that trust rests ultimately on the voters. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 2 Outline • Overview of Prêt à Voter “Classic”. • Outline of some vulnerabilities with Prêt à Voter “Classic”. • Enhancements to counter these vulnerabilities. • Trade-offs. • Conclusions. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 3 Typical Prêt à Voter “Classic” Ballot Sheet Epicurus Democritus Aristotle Socrates Plato $rJ9*mn4R&8 NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 4 Voter marks their choice Epicurus Democritus Aristotle Socrates Plato $rJ9*mn4R&8 NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 5 Voter’s Ballot Receipt $rJ9*mn4R&8 NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 6 Remarks • Order of candidates is randomised for each ballot form, hence the receipt reveals nothing about the vote. • Vote is not directly encrypted, rather the frame of reference, i.e., the candidate list, is randomised and information defining the frame is encrypted. • Voter does not need to communicate their vote to the device. • Vote casting (of the receipt) could be in the presence of an official. • Signatures (digital and physical?) could be applied. • A paper audit trail mechanism could be incorporated (similar to VVPAT but recording encrypted receipts). • Works for ranked, approval, STV etc. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 7 Tabulation • All cast receipts are posted to a secure Web Bulletin Board (WBB). A sort of “virtual sport’s hall”. • A set of “tellers” now perform an anonymising mix/decryption on the posted receipts. • Outputs of each phase of the mix are also posted to the WBB. • Final column shows decrypted votes. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 8 What can go wrong… • For the accuracy requirement: – Ballot forms may be incorrectly constructed, leading to incorrect encoding of the vote. – Ballot receipts could be corrupted before they are entered in the tabulation process. – Tellers may perform the mix/decryption incorrectly. • In this talk I will concentrate on the first of these. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 9 Auditing ballot forms • “Authority” generates and prints a large number of ballot forms. • Random audits before, during and after the election period by independent authorities (and possibly the voters themselves). • To check the construction of the ballot forms the values on the form, onion and candidate ordering, can be reconstructed if the seed value is revealed. • Use the tellers in an on-demand mode to reveal the secret seed value buried in the onion. Avoids problems with storing and selectively revealing seeds. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 10 Advantages of Prêt à Voter • Voter experience simple and familiar. • No need for voters to have personal keys or computing devices. • Ballot form commitments and checks made before election opens neater recovery strategies. • Votes are not directly encrypted, just the frame of reference in which votes encoded. Hence: – The vote recording device doesn’t get to learn the vote. – No need for ZK proofs of correctly formed encrypted receipts or cut-and-choose protocols. (but onus of proof shifts to the wellformedness of the ballot forms). – Avoids subliminal channels, side channels and social engineering attacks. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 11 Vulnerabilities • Need to trust “The Authority” (for secrecy). • Need to trust the auditors (absence of collusion). • Need to protect ballot form information (chain of custody). • Chain voting. • Enforcing the destruction of LH strips. • Need to constrain the WBB audits, i.e., reveal only L or R links. • Separation of teller modes, i.e., ensure that each ballot form is processed only once. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 12 Distributed creation of ballot forms • We would like to set things up so only the voters gets to see the onion/candidate list association. No single entity knows or controls the entropy. • On-demand printing of ballot forms. • This can be achieved with a “pre-mix” that mirrors the tabulation mixes of PàV Classic. • Mixing is done under an extra layer of encryption that can be stripped off at the last moment. • Can be adapted for remote variants. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 13 Distributed generation of (ElGamal) onions • An initial clerk generates a set of pairs of onions. Each pair has the same initial plaintext seed s: ((x, Rx.s), (y, T y.s)) • These pairs are put through a set of re-encryption anonymising mixes: ((x, Rx.s), (y, T y. s)) • i.e. a re-encryption and injection of fresh entropy to the seed value s. • After a number of mixes: ((x…, R x…. s…)), (y…, T y…. s…)) • These pairs can now be distributed in this form. The candidate list is hidden in this form. These could be randomly audited at this stage. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 14 Revealing the ballot form • The booth device can then decrypt the LH onion to give the candidate permutation : (, (y…, T y…. s…)) • Can be adapted to remote versions (use the Cornell protocol to convert the LH onion to be encrypted under the voter Vi’s PK. ((x…, Vi x…. s…)), (y…, T y…. s…)) • A similar construction is possible original RSA onions. • ElGamal construction is suitable for re-encryption mixes during the tabulation/anonymising mix. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 15 On-demand printing • We can minimise chain voting and chain of custody problems by arranging the print ballot forms at the last moment, i.e., in the booth. • Note subtle distinction between creating and printing. • Use fresh, additional sources of entropy, e.g., fibres in the paper, the voters themselves etc. • The problem now is that we can’t pre-audit precommitted forms. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 16 Post-auditing • A possible solution is to re-introduce cutand-choose element to the protocol along with post-auditing. • Note: Chaum’s original scheme suggested devices available at the polling station to check receipts. Probably retain this, in particular to check digital signatures and to spot problems early, but additionally perform checks on WBB posted data. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 17 2 sided ballot forms Thales Plato Plato Thales Socrates Socrates 7y6G &9j5 NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes H56 $Mz 18 Vote selection • Forms can be printed in the booth. • Voter makes an arbitrary choice as to which side to use. • They mark their cross (or ranking etc) against the candidate of choice as before. • The other side is left blank. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 19 Vote selection Plato Thales Plato X Thales Socrates Socrates 7y6G &9j5 NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes H56 $Mz 20 Receipts Plato X Thales Socrates 7y6G &9j5 NeSC Edinburgh 27 Feb 2006 H56 $Mz P Y A Ryan Socio-technical trade-offs in Voting Schemes 21 Discussion • The unused side can now be checked for wellformedness (at the time of casting and later in the WBB). • This avoids some of the vulnerabilities of PaV Classic but at the cost of re-introducing the social engineering Chaum/Neff vulnerabilities noted by Karlof et al. • Note: still no need for the voter to communicate their vote to the device, hence no subliminal/side channels etc. • Also counters klepographic attacks. • Note: symmetry between the two sides! NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 22 Post-auditing • Receipts could be checked again on exit from the polling stations. • In addition, all the info would be posted to the WBB. The slip, unused side could be checked for well-formedness. • Seeds revealed for the unused sides. • Need mechanisms to prevent leakage of seeds for used sides, e.g., authorisation code on LHS? NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 23 Discussion • This solution avoids a lot of the vulnerabilities of Classic, e.g., no need to trust the auditing authorities, but makes the protocol a little more complex for the voter. And may re-introduce the possibility of “social-engineering” attacks. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 24 “assisting the voter” • We could envisage a device to help the voter mark the form and destroy the LHS. • But then we need to trust this to cheat in some, e.g., scanning the candidate list before destruction. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 25 Conclusion • Ideally we would like the trust to rest ultimately with the electorate. • This seems to be impossible without involving the voters in the verification process. • Compromisers and trade-offs are inevitable. • Verify the election not the system. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 26 Future work • On the current model: – – – – – – Determine exact requirements. Formal analysis and proofs. Construct threat and trust models. Investigate error handling and recovery strategies. Develop a full, socio-technical systems analysis. Develop prototypes and run trials, e.g., e-voting games! – Investigate public understanding, acceptance and trust. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 36 Future work • Beyond the current scheme: – Finalise remote, coercion resistant version (using “capabilities”). – Re-encryption mixes. – Establish minimal assumptions. – Alternative sources of seed entropy: Voters, optical fibres in the paper, quantum…? – Alternative robust mixes, e.g., ZK shuffle proofs. – Quantum variants. NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 37 References • • • • • • • • • • • David Chaum, Secret-Ballot receipts: True Voter-Verifiable Elections, IEEE Security and Privacy Journal, 2(1): 38-47, Jan/Feb 2004. J W Bryans & P Y A Ryan “A Dependability Analysis of the Chaum Voting Scheme”, Newcastle Tech Report CS-TR-809, 2003. J W Bryans & P Y A Ryan, “Security and Trust in a Voter-verifiable Election Scheme”, FAST 2003. P Y A Ryan & J W Bryans “A Simplified Version of the Chaum Voting Scheme”, Newcastle TR 2004 P Y A Ryan, Towards a Dependability Case for the Chaum Voting Scheme, DIMACS June 2004. P Y A Ryan, “E-voting”, presentation to the Caltech/MIT workshop on voting technology, MIT Boston 1-2 October 2004. P Y A Ryan, “A Variant of the Chaum Voter-verifiable Election scheme”, WITS, 10-11 January 2005 Long Beach Ca. D Chaum, P Y A Ryan, S A Schneider, “A Practical, Voter-Verifiable Election Scheme”, Newcastle TR 880 December 2004, Proceedings ESORICS 2005, LNCS 3679. B Randell, P Y A Ryan, “Trust and Voting Technology”, NCL CS Tech Report 911, June 2005, to appear IEEE Security and Privacy Magazine. P Y A Ryan, T Peacock, “Prêt à Voter, A Systems Perspective”, NCL CS Tech Report 929, September 2005, submitted to IEEE Security and Privacy Symposium 2006. Clarkson and Myers, “Coercion-resistant Remote Voting using Decryption Mixes”, at FEE 2005. http://www.win.tue.nl/~berry/fee2005/ NeSC Edinburgh 27 Feb 2006 P Y A Ryan Socio-technical trade-offs in Voting Schemes 38