Secret-Ballot Receipts
True Voter-Verifiable Elections
David Chaum
Main Points
•
•
•
•
WOTE I and Standardization workshop
(Focus on polling-place elections)
Don’t have to trust computers with integrity
Four system examples
–
–
–
–
•
•
•
•
Janken
High-registration printing
Subtractive light
Additive light
Mixing with bitmaps and its audit
Provisional voting & adjudication
Comparison of current proposals
(Paper instruments can be modified before recount)
OUTLINE
• Introduction
•
•
•
•
WOTE and WEST
Polling-place election background
Receipt system introduction
Educational example receipt system
• Three example receipt systems
• Comparison with non-receipt systems
• Comments on Standardization
Secret-Ballot Technology
Paradigms (core of elections)
A&R
• Manual counting of objects in container
• Mechanical counting of human interaction
A&R
• Electronic counting of objects in container
Same
basis
A
Same
basis
A
A&R
A
• Electronic counting of human interaction
(some with printed record!)
• “Computers voting”
• Something new: “People Voting”
Vote-counting mechanisms
Hand count
Mechanical counter
Electronic counter
Multiple-trustee Crypto
“Computers Voting”
Known Systems: Mix-Net, Homomorphic, Blind-signed Voting
Encrypted Votes
Plaintext Votes
(different order)
Alan Newberger • Andrew Neff • Ari Renvall • Arnaud Sahuguet • Arto Salomaa • Atsushi Fujioka • Baraani-Dastjerdi • Ben
Davenport • Berry Schoenmakers • Birgit Pfitzmann • Brandon William DuRette • C. C. Tai • C. Lei • Choonsik Park • Chungchieh Shan • Colin Boyd • Fumiaki Miura • G. Poupard • H. Imai • H. Nurmi • Holger Petersen • J. M. Fischer •J. Borrell • J. K.
Jan • J. Pieprzyk • J. Rif • J. Stern • Jason Woodard • Joe Kilian • Jong-Hyeon Lee • Josh Cohen/Benaloh • Kaoru Kurosawa •
Kazue Sako • Kazuo Ohta • Kazutomo Itoh • Kenneth R. Iversen • L. Chen • L. Santean • Lorrie Faith Cranor • M. Burminster
• M. Merritt • M. Waidner • Mark A. Herschberg • Markus Michels • Masayuki Abe • Matthew Franklin • Michael Ben-Or •
Michael Ian Shamos • Michael J. Radwin • Miyako Ohkubo • Moti Young • N. Lynch • Nathan Linial • V. Niemi • P.A. Fouque •
Patrick Horster • Q. He • R. DeMillo • R. H. Lin • R. Safavi-Naini • Rafail Ostrovsky • Ron K. Cytron • Ronald Cramer • Steve
Chien • Steven Myers • T. Asano • T. Matsumoto • Tatsuaki Okamoto • V. Niemi • W. Juang • Y. Afek • Y. Matias • Z. Su
“Secret Ballot” Principle
• Definition—Voter must not be be able
to convince others of how he or she
voted (a kind of “involuntary privacy”)
• Rationale —To prevent “Improper
Influence,” such as vote selling and
various kinds of coercion
“Unconditional Integrity”
• Definition—Even infinite computing
power should not allow incorrect tally
(except with negligible probability) –
privacy may have to be computational…
• Rationale—Integrity should take priority
over privacy (since changing outcome
allows privacy rules to be changed!)
OUTLINE
• Introduction
•
•
•
•
WOTE and WEST
Polling-place election background
Receipt system introduction
Educational example receipt system
• Three example receipt systems
• Comparison with non-receipt systems
• Comments on Standardization
Two truisms are false
1. Receipts including who you voted for
violate the “Secret Ballot” principle.
Not if they are readable in the voting booth
but unreadable once taken outside.
2. The computers used to vote and to
tally the votes must be trusted with the
correctness of the tally.
Not if copies of encrypted votes on voters’
receipts can be posted along with proofs
of corectness for the tally process.
First True “Voter-Verifiable”
Election System
Voters can directly verify that their
votes are included in the tally
without
needing to trust any procedures,
computers, or cryptography used by
those conducting the election
The new scheme presented is
of practical interest
•
Integrity is much higher but less costly
– Reduced need for physical security, audit,
observing, testing, etc.
•
Robustness is much higher but less costly
– Receipts sufficient to count the votes
•
Hardware cost may even be lower
– “Ordinary” hardware costs less than “special”
– Though, printer/viewer has additional cost
•
Example system parts will be demoed
OUTLINE
• Introduction
•
•
•
•
WOTE and WEST
Polling-place election background
Receipt system introduction
Educational example receipt system
• Three example receipt systems
• Comparison with non-receipt systems
• Comments on Standardization
Rules of Janken
 Each of two people
chooses one hand
symbol and shows it at
the same time
 Winner is determined
by arrows (same
symbol requires retry)
Audience participation packets
• Each bag has all three
hand symbols divided
into two envelopes
(randomly for each bag)
• The sealed white
envelope has one
symbol inside (shown
transparent); the claspfastened manila has two
Voting instructions
1. Unseal the plastic bag and remove the manila
envelope (leave the white one in the bag).
2. Open the clasp and look inside the manila
envelope without showing its content to anyone.
3. To vote “Yes” take the winning hand symbol out;
to vote “No” take the other symbol out.
4. Place the hand symbol you’ve chosen in the bag
facing out so its easy to see from outside.
5. Leave the bag in the hat at the front of the room.
Counting Rules
• Each bag is counted as a “Yes” vote if the
symbol in its sealed envelope wins over that
revealed by the slip facing out of the bag.
• Bags are counted as “No” when the symbol in
the white envelope loses to that displayed.
• (All sealed envelopes must be opened,
whether bag voted or not.)
Your vote was encrypted
(neat thing #1)
•
•
•
•
Everyone could see the symbol you chose
Symbol encodes your vote
Still, only you know how you voted!
You have just used an “encrypted vote”
The dealer could not cheat
(neat thing #2)
• Each bag has two envelopes with correct
number of slips—easy to see
• No duplications per bag
– Within envelope (voter sees)
– Across envelopes (at count—depends on vote)
• Distribution of “hands” uniform
– Each hand should appear in sealed envelopes
the same number of times
“Bulletin Board Voting”—
Beyond the “room voting” model
• “Not what they do, just what they post”
• Applies to real polling place elections
• Booths are watched to ensure the desired
degree of ballot secrecy
OUTLINE
• Introduction
• Example receipt systems
1. High-registration systems
2. Subtractive optical systems
3. Additive optical systems
• Overview of properties/mechanisms
• Comparison with non-receipt systems
• Comments on Standardization
Per election
Per voter
Summary of Overall Process
1. Machine accepts votes from voter
2. Machine prints receipt and lets voter see it
3. Voter randomly chooses a pattern to be
printed that will hide the info on the receipt
4. The pattern is printed as background on the
receipt, which is then provided to the voter
5. Receipts—as taken by voters—are published
6. Outcome is determined only from published
receipts and its correctness is proven to any
interested party through posted data
High-resolution system
The letter “e”
The cleartext backgrounds trick
Subtractive
System
(related to Naor Shamir Visual Cryptography)
Top
Layer:
Bottom
Layer:
Both
Layers
Overlaid:
Part-Transparent
Opaque
Laminated
Top Layer
Bottom Layer
IEEE Security & Pivacy Jan/Feb 2004 or www.voterverifiable.com
Additive System
Newsweek, March 29, 2004 print edition “The Future of Digital Voting” by Steven Levy
Example two-stripe symbology
Example three-stripe symbology
After the polls close
Receipt
Batch
Intermediate
Batch
Tally
Batch
receipt
image
ballot
image
1,000,000
receipt
image
ballot image
1,000,001
receipt
image
1,625,962
ballot
image
Trustee
Transform
Trustee
Transform
Trustee
Transform
Batches successively published on the web once polls close
After the polls close
Receipt
Batch
Intermediate
Batch
Tally
Batch
receipt
image
ballot
image
1,000,000
receipt
image
ballot image
1,000,001
receipt
image
1,625,962
ballot
image
Trustee
Transform
Trustee
Transform
Trustee
Transform
Then a randomly chosen half of the transformations are “opened”
Introducing the properties
(proofs in the paper
at www.voterverifiable.com)
Properties [1 of 4]
• If your receipt is properly posted, you
can be sure that your vote is included
in the final tally [see also property 3]
• If your receipt is not properly posted,
you should be able to demonstrate
this (because it should have
document security attributes
including a digital signature)
Properties [2 of 4]
• No matter how incorrectly a system
operates, there are only two ways it can
change a correctly-posted ballot without
being detected:
– printing text from a guessed pattern and
hoping that the voter chooses that pattern;
or
– incorrectly performing a step among the tally
process steps and hoping that this step is
not among the half selected for audit.
Properties [3 of 4]
Changing n ballots means:
• Chance that no cheating is
detected is at most 1/2n
• Chance of getting caught cheating
is at least 1–1/2n
Properties [4 of 4]
• Your receipt cannot be decrypted by
anyone, or otherwise linked to your
vote [more later], except by
decrypting with (or breaking)
sufficiently many secret keys (of
which each trustee has its own).
Two mixes per trustee
Batch 2 n – 1
Batch 2n
Trustee n
Batch 2 n + 1
Trustee n
Links opened afterwards
(inspired by Jakobsson, Juels, & Rivest)
Batch 2 n – 1
Trustee n
Batch 2 n
Batch 2 n + 1
Trustee n
A Mix Network as a Black Box
1
message 2
2
message 3
3
Mix network
4
message 1
message 4
Basic Three Mix Cascade
Trustee A
Trustee B
z y x
Trustee C
Processing the Bitmaps
Trustee
z1y1x1
m1z1y1x1
z2y2x2
m2z2y2x2
z3y3x3
m3z3y3x3
Trustee
z2y2
x2
m2z2y2
x1
z3y3
x3
y2
m3z3y3 y3
z1y1
m1z1y1
y1
Trustee
z2 z2
m2z2
m2
z1
m1z1 z1
m3
z3
m3z3
z3
m1
OUTLINE
• Introduction
• Example receipt systems
• Comparison with non-receipt systems
– Four classes of non-receipt systems
– Table of properties: Integrity, Privacy, Secrecy,
Robustness and Costs
– Additional features/properties
• Comments on Standardization
VoteMeter & PrinterFace
• State-Level controls
(including version #s)
• Better blind voter
integrity
• Open interface
standard
• See VoteMeter.com
Current
touchscreen
DRE
Vote
meter
Cleartext
voterverifiable
trail
Separate
entering &
casting
stations
Encrypted
voterverifiable
receipts
1. Integrity (tallied as cast with
transparency, the basis of voter
confidence)
Poor
Better (all
electronic)
Better
(punch card
like)
Better
(precinct
scan like)
Excellent
(provable)
1.1 need to trust system provider
yes
partly
partly
partly
no need
1.2 need to assume no provider
collusion
n/a
yes
n/a
yes
no need
1.3 need recount of ballot artifact
n/a
n/a
yes
yes
no need
1.4 voter verifiable end-to-end
no
no
no
no
yes
1.5 protections for audio voting
no
partly
n/a
partly
n/a
2. Privacy (Secrecy Part I: voter
protected from being linked to
vote by system)
Fair
Poor
Fair
Poor
Good
2.1 trust additional machine
providers
no
required
no
required
no
2.2 privacy of provisional votes
no
no
no
no
yes
3. Ballot secrecy (Secrecy Part II:
voter protected from improper
influence schemes)
OK
OK
Unacceptable
Unacceptable
OK
3.1 allows voter to “sign” ballot
artifact
n/a
n/a
yes
yes
no
Attributes
System
Class
4. Robustness (against failures
and Denial-Of-Service attacks)
Poor
Good
(electronic)
Good
(paper)
Good
(paper)
Excellent
4.1 equipment problems survived
limited
failure
failure of
one
failure
failure of two
loss of all
4.2 unattributable discrepancies
(D.O.S)
yes
partly
yes
yes
no
5. Operational cost
Low
Low plus
High
High
Medium
5.1 consumables cost
none
seals
blank paper
blank paper
blank paper
5.2 procedure complexity
low (with
legal
exposure)
low (statelevel
review/
audit)
high (with
manual
recount)
high (with
manual
recount)
medium
(with web
publishing)
5.3 secured storage and transport
costs
high
high minus
very high
very high
low
6. Cost Option I: as appliance
(dedicated integrated device)
High
High plus
Higher
Highest
Highest
6.1 hardware manufacturing cost
high
high plus
(extra PDA
per station)
higher (extra
printer &
display &
box)
higher
(second
station per
precinct)
higher
(extra
printer /
viewer )
6.2 one-time software
complexity/cost
high
high plus
separate
slightly higher
higher (two
stations)
highest
(crypto and
web)
6.3 upgrade, maintenance costs
(reduced if interchangeable parts
with open interfaces)
high
lower (two
separate
parts)
higher (paper
handling,
possibly
separate)
lower
(separate part
per precinct)
higher
(paper
handling,
possibly
separate)
7. Cost Option II: open platform
(standard PC’s, printers, touch
monitors)—but not all suitable
Low—
probably
unsuitable
Low plus
(PDA)—
probably
unsuitable
Low plus
(printer)—
probably
unsuitable
Medium—
probably
unsuitable
Medium—
probably
suitable
7.1 cost (including
upgrade/maintenance)
low
low plus
(PDA)
low plus
(printer &
display)
medium
(precinct
scan)
medium
(printer /
viewer)
7.2 suitability in terms of integrity,
secrecy and robustness
maybe
(weak
integrity &
robustness)
maybe
(weak plus
integrity &
privacy)
maybe (weak
integrity)
maybe (weak
integrity and
privacy)
yes (full
integrity)
Other aspects for comparsion
1.
2.
3.
4.
Adjudicating which ballots to count
Reliably capturing voter intent
Preventing Ballot-style fraud
Creating/repairing voter confidence
OUTLINE
•
•
•
•
Introduction
Example receipt systems
Comparison with non-receipt systems
Comments on Standardization
Standardization thoughts
• Clearly defined technical rating system for
multiple attributes
– At least include measureable/clear functional
attributes (e.g., main rows of chart: integrity,
privacy, reliability costs…)
– Minimums should be the only involvement of
political processes in the standardization
• Role of Federal Government?—“Provable”
systems could change everything!
Conclusion