Towards a Dependability Case for the Chaum Voting Scheme
Peter Y A Ryan, University of Newcastle
With Jeremy Bryans, Bev Littlewood, Lorenzo Strigini, Peter Ayton, ….
26 May 2004 DIMACS P Y A Ryan Dependability of the Chaum Scheme 1

Background
• Security strand of the DIRC project: Dependability Interdisciplinary Research Collaboration (dirc.org.uk).
• Design and evaluation of computer-based systems for dependability.
• Socio-technical approach.
• E-voting, and the Chaum scheme in particular, is a nice example of such a system with secrecy and integrity requirements.
• A full dependability case will need to encompass the surrounding socio-technical system and detail the assumptions etc.

Design Philosophy
• Many e-voting schemes call for heavy trust in the technical components, with little or no monitoring.
• The Chaum scheme by contrast shifts the dependence away from the technical components to the vigilance of the users: voters, officials, auditors etc.
• The probability of undetected corruption of votes is negligible, provided the checks are actually performed.
• Dependability by the people for the people.

Socio-technical aspects
• Consequently, the surrounding system, procedures and behaviour of humans are critical.
• Error handling and recovery strategies need to be carefully designed and evaluated.
• Hence, need to examine the socio-technical failure modes and counter-measures.
• Errors need to be diagnosed, and thresholds for triggering the recovery strategies established.
• Careful trade-off needed between:
– aborting elections too easily;
– allowing the possibility of significant, undetected corruption.

Chaum
• Key ingredient: provide an encrypted ballot receipt that allows the voter to check that their vote is included in the tally whilst not revealing the vote.
• The challenge is to provide high assurance that the ballot will be decrypted correctly.
• Uses a cut-and-choose protocol plus a robust anonymising mix.
• Shows that, up to certain probabilistic and computational limits, voter-verifiability and ballot secrecy can be simultaneously achieved.

Chaum in a nutshell
• Vote encoded in two parts, each separately (pseudo-)random noise.
• Voter gets a choice between the components and gets to run well-formedness checks on the retained part.
• Booth passes a copy of the receipt along with nested decryption information ("Russian dolls") to a series of tellers.
• Tellers perform an anonymising mix on the batch of receipts, stripping off a layer of encryption at each stage.
• Random audits performed on the tellers.
• In principle: if all checks are performed assiduously, the chance of p votes being corrupted undetected falls off as 1/2^p.

Anne casts a vote
• Anne registers and logs on in the booth.
• Anne makes her voting choice.
• Anne's choice is represented by matching symbols on two layers/strips.
• If Anne now confirms the choice, the booth prints the encrypted "Russian dolls".
• Assuming that these cryptographic commitments match, Anne signals "okay" and is now invited to choose to retain either the upper or lower strip.
• "To retain" and the appropriate seed information is now printed on the chosen part, "To destroy" on the rejected strip.
• She leaves the booth, surrenders the rejected strip and witnesses its destruction, and runs a well-formedness check on the retained part.
• Finally she should check that her ballot is correctly posted on the web.

Socio-technical vulnerabilities
• Booth prints incorrect vote and voter fails to notice.
• Voter choice between layers/strips is highly predictable or coercible.
• Only a small proportion of voters perform the checks.
• Voters tend to fail to report failed checks.
• Notifications are not properly diagnosed, collated and/or acted upon.
• Voter may flag false errors. Note: a voter's claim of an error is not verifiable by a third party.

"Are you sure that you want to destroy the lower layer?"
• It is essential that the booth not be able to predict or coerce the voter's choice of layer/strip.
• But ~80% of people asked to "randomly" choose heads or tails choose heads.
• Correlation with the second choice is also high.
• What proportion of voters would notice if the booth "lied" about their choice?
• Should a second try be allowed if the voter flags an error? Or even a third? It might be voter error.
• Putting all these together could result in a highly predictable or coercible choice and so weaken the scheme.

Counter-measures
• Aid the voter's randomness, e.g., a coin in a perspex cylinder.
• Use a different, e.g. mechanical, technique to mark the layer or strip for destruction.
• Perform well-formedness checks (tricky without compromising vote secrecy) immediately after the first error report by a voter, to help detect a corrupt booth.
• Establish suitable error diagnosis and recovery strategies.

Teller errors
• Similarly need to define error-handling and recovery strategies for the teller audits.
• E.g., set thresholds for alerts; need to counter "under the radar" collusion attacks by tellers.

Public Trust
• Not enough for the system to be dependable; it must also be seen to be dependable.
• The scheme is complex and difficult to understand.
• To what extent could "the average voter" understand the scheme and believe the claims?
• To what extent would assurances of experts suffice?
• How easy would it be to undermine public confidence (e.g., "Andrey's attack")?

Trials
• Plan to perform a number of trials at DIRC sites.
• Possible questions to address:
– Do people understand the procedures and checks okay?
– Do they understand the encoding of the vote (especially if we use the Prêt à Voter version)?
– How diligent are they in performing the various checks and reporting problems?
– Do they understand what they are supposed to do when an error occurs (e.g., a check fails)?
– How easily can they be fooled or coerced about their choice of layer/strip?
– To what extent do they understand the rationale behind the checks?
– To what extent do they need to understand the rationale in order to perform the checks with reasonable diligence?
– To what extent would they trust the scheme (as compared to pen and paper, DRE etc.), for accuracy and for privacy?
– Do they regard the voter verification as a valuable feature?

Conclusions
• The Chaum scheme minimises dependence on technical components.
• For the accuracy requirement, no trust (dependence) need be placed in the components.
• The checks mean that an election can be verified, as opposed to the election system.
• The technical (mathematical) core appears robust.
• The surrounding socio-technical mechanisms (error handling, recovery strategies, thresholds, …) need to be carefully designed and evaluated.
• Public understanding and trust is likely to be an obstacle to uptake.

Future work
• Formal analysis of the scheme (and variants).
• Construct a full risk analysis/dependability case:
– Elucidation of the goals and requirements: technical, social, political, legal, economic, …
– Investigate social threats.
– Specify and evaluate error handling and recovery strategies.
– Conduct full risk analysis.
• To what extent are fairness and absence of bias achieved?
• Investigate how public trust could be established, maintained (or undermined).
• Investigate mental models.
• Conduct trials.

Further information
• www.dirc.org.uk
• Various Newcastle tech reports:
– CS-TR-809 (gives full details of the original scheme)
– "A simplified version of the Chaum e-voting scheme" (presents a pedagogic, simplified version)
– FAST 2003
• E-voting Workshop at DSN, Florence, end June 2004.
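The figures scattered across the slides (the 1/2^p bound from "Chaum in a nutshell", the ~80% who pick heads, the small proportion of voters who check, and the alert thresholds called for under "Socio-technical aspects" and "Teller errors") can be put together quantitatively. The Python below is an added illustration, not code from the slides or from the DIRC project. Its detection model is a simplification of the cut-and-choose step: a booth that corrupts a ballot must leave at least one layer inconsistent with the printed commitments, and it places the inconsistency on the layer it expects the voter to destroy, so the corruption is caught only if the voter keeps that layer and actually checks it. The 30% check rate, the 1000-voter precinct, the 1% spurious-report rate and the 0.1% tolerance for a false abort are hypothetical assumptions.

```python
"""
Added example (not from the original slides or the DIRC project): how the
1/2^p detection bound of the Chaum scheme degrades when the booth can predict
which layer a voter keeps and only some voters check, and how to set an alert
threshold that separates spurious voter error reports from a corrupt booth.

Model (simplified cut-and-choose): a corrupting booth puts the inconsistency on
the layer it expects to be destroyed; it is caught only if the voter keeps that
layer AND runs the well-formedness check.  All numeric parameters are hypothetical.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class VoterBehaviour:
    check_rate: float     # fraction of voters who check the retained layer and report a failure
    guess_success: float  # probability the booth predicts the voter's layer choice correctly


def per_vote_detection(b: VoterBehaviour) -> float:
    """Probability that a single corrupted ballot is detected."""
    return b.check_rate * (1.0 - b.guess_success)


def undetected_probability(p: int, b: VoterBehaviour) -> float:
    """Probability that p corrupted ballots all escape detection: (1 - d)^p.
    With check_rate=1 and guess_success=0.5 this is the slides' 1/2^p."""
    return (1.0 - per_vote_detection(b)) ** p


def votes_needed_for_confidence(target: float, b: VoterBehaviour):
    """Smallest p such that corrupting p ballots is detected with probability >= target.
    Returns None when detection is impossible (nobody checks, or the choice is fully predictable)."""
    q = 1.0 - per_vote_detection(b)
    if q >= 1.0:
        return None
    p = 1
    while q ** p > 1.0 - target:
        p += 1
    return p


def binomial_tail(n: int, k: int, f: float) -> float:
    """P(X >= k) for X ~ Binomial(n, f), summed in log space so large n does not overflow."""
    if k <= 0:
        return 1.0
    if k > n or f <= 0.0:
        return 0.0
    if f >= 1.0:
        return 1.0
    log_f, log_1mf = math.log(f), math.log1p(-f)
    log_n_fact = math.lgamma(n + 1)
    total = 0.0
    for j in range(k, n + 1):
        log_pmf = (log_n_fact - math.lgamma(j + 1) - math.lgamma(n - j + 1)
                   + j * log_f + (n - j) * log_1mf)
        total += math.exp(log_pmf)
    return total


def alert_threshold(n_voters: int, false_report_rate: float, alpha: float) -> int:
    """Smallest number of error reports k such that, if every voter independently raised
    a spurious report with probability false_report_rate, seeing k or more reports would
    have probability <= alpha.  Below k, treat reports as noise (avoid aborting too easily);
    at or above k, trigger the recovery strategy (re-check the booth, escalate)."""
    k = 0
    while binomial_tail(n_voters, k, false_report_rate) > alpha:
        k += 1
    return k


if __name__ == "__main__":
    ideal = VoterBehaviour(check_rate=1.0, guess_success=0.5)      # everyone checks, fair coin
    realistic = VoterBehaviour(check_rate=0.3, guess_success=0.8)  # hypothetical 30% check; "80% pick heads"
    for name, b in (("ideal", ideal), ("realistic", realistic)):
        print(f"{name}: per-vote detection {per_vote_detection(b):.2f}, "
              f"P(10 corrupted undetected) = {undetected_probability(10, b):.4f}, "
              f"corruptions needed for 99% detection = {votes_needed_for_confidence(0.99, b)}")
    # Hypothetical precinct: 1000 voters, 1% spurious error reports, 0.1% false-abort tolerance.
    print("alert threshold:", alert_threshold(1000, 0.01, 0.001))
```

Under the ideal assumptions an attacker who corrupts 7 ballots is caught with 99% probability; with a predictable layer choice and a 30% check rate the same confidence needs 75 corruptions, which is the quantitative reason behind the coin-in-a-perspex-cylinder and mechanical-marking counter-measures. The threshold function is one concrete form of the trade-off on the "Socio-technical aspects" slide: it fixes the false-abort rate first and then tells the officials how many reports justify invoking the recovery strategy.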