Towards a Dependability Case for the Chaum Voting Scheme

Peter Y A Ryan
University of Newcastle
With Jeremy Bryans, Bev Littlewood, Lorenzo
Strigini, Peter Ayton,….
26 May 2004
DIMACS
P Y A Ryan
Dependability of the Chaum Scheme
Background
• Security strand of DIRC project: Dependability
Interdisciplinary Research Collaboration (dirc.org.uk).
• Design and evaluation of computer-based systems for
dependability.
• Socio-technical approach.
• E-voting, and the Chaum scheme in particular, is a nice
example of such a system with secrecy and integrity
requirements.
• Full dependability case will need to encompass the
surrounding socio-technical system and detail the
assumptions etc.
Design Philosophy
• Many e-voting schemes call for heavy trust in
the technical components, with little or no
monitoring.
• The Chaum scheme by contrast shifts the
dependence away from the technical
components to the vigilance of the users: voters,
officials, auditors etc.
• The probability of undetected corruption of votes
is negligible.
• Dependability by the people for the people.
Socio-technical aspects
• Consequently, the surrounding system, procedures and
behaviour of humans are critical.
• Error handling and recovery strategies need to be
carefully designed and evaluated.
• Hence, need to examine the socio-technical failure
modes and counter-measures.
• Errors need to be diagnosed and thresholds for
triggering the recovery strategies established.
• Careful trade-off needed between:
– Aborting elections too easily.
– Allowing the possibility of significant, undetected corruption.
Chaum
• Key ingredient: provide an encrypted ballot
receipt that allows the voter to check that their
vote is included in the tally whilst not revealing
the vote.
• The challenge is to provide high assurance that
the ballot will be decrypted correctly.
• Uses a cut and choose protocol plus a robust
anonymising mix.
• Shows that, up to certain probabilistic and
computational limits, voter-verifiability and ballot
secrecy can be simultaneously achieved.
Chaum in a nutshell
• Vote encoded in two parts, each separately (pseudo-)
random noise.
• Voter gets choice between the components and gets to
run well-formedness checks on retained part.
• Booth passes a copy of the receipt along with nested
decryption information (“Russian dolls”) to a series of
tellers.
• Tellers perform an anonymising mix on the batch of
receipts, stripping off layers of encryption at each stage.
• Random audits performed on the tellers.
• In principle: if all checks are performed assiduously, the
chance of p votes being corrupted undetected falls off as
1/2^p.
Anne casts a vote
• Anne registers and logs on in the booth.
• Anne makes her voting choice.
• Anne’s choice is represented by matching symbols on two
layers/strips.
• If Anne now confirms the choice, the booth prints the
encrypted “Russian dolls”.
• Assuming that these cryptographic commitments match, Anne
signals “okay” and is now invited to choose to retain either the upper
or lower strip.
• “To retain” and the appropriate seed information is now printed on
the chosen part. “To destroy” on the reject strip.
• She leaves the booth, surrenders the strip and witnesses its
destruction and runs a well-formedness check on the retained part.
• Finally she should check that her ballot is correctly posted on the
web.
Socio-technical vulnerabilities
• Booth prints incorrect vote and voter fails to
notice.
• Voter choice between layers/strips is highly
predictable or coercible.
• Small proportion of voters perform the checks.
• Voters tend to fail to notify erroneous checks.
• Notifications are not properly diagnosed,
collated and/or acted upon.
• Voter may flag false errors. Note: this is not
verifiable by a 3rd party.
“Are you sure that you want to
destroy the lower layer?”
• It is essential that the booth not be able to predict or coerce
the voter’s choice of layer/strip.
• But ~80% of people asked to “randomly” choose heads
or tails choose heads.
• Correlation with second choice also high.
• What proportion of voters would notice if the booth “lied”
about their choice?
• Should a second try be allowed if voter flags error? Or
even a third? Might be voter error.
• Putting all these together could result in a highly
predictable or coercible choice and so weaken the
scheme.
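Added example (not part of the original slides): a simplified Python model of how a predictable layer choice and a low checking rate erode the 1/2^p bound quoted earlier. The per-ballot model and the parameter names `predict` and `check_rate` are assumptions made for illustration; it generalises the slides' ideal case (`predict` = 0.5, every voter checks).

```python
import math
import random

def undetected_prob(p, predict=0.5, check_rate=1.0):
    """Chance that p corrupted ballots all escape detection.

    Assumed model: a corrupted ballot is caught only if the voter retains
    the layer the booth did not anticipate AND runs the well-formedness check.
    predict    = probability the booth anticipates the retained layer
    check_rate = fraction of voters who actually perform the check
    """
    per_ballot_escape = 1.0 - check_rate * (1.0 - predict)
    return per_ballot_escape ** p

def ballots_needed_for_detection(target, predict=0.5, check_rate=1.0):
    """Smallest p at which the detection probability reaches `target`."""
    escape = 1.0 - check_rate * (1.0 - predict)
    if escape >= 1.0:
        return None          # no ballot is ever caught under these settings
    if escape <= 0.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(escape))

def simulate(p, predict, check_rate, trials=20000, seed=1):
    """Monte Carlo cross-check of undetected_prob under the same model."""
    rng = random.Random(seed)
    escaped = 0
    for _ in range(trials):
        caught = any(
            rng.random() >= predict and rng.random() < check_rate
            for _ in range(p)
        )
        escaped += not caught
    return escaped / trials

if __name__ == "__main__":
    # Constructed scenarios: ideal case, the ~80% "heads" bias from the
    # slide above, and the same bias with only 10% of voters checking.
    for predict, check_rate in [(0.5, 1.0), (0.8, 1.0), (0.8, 0.1)]:
        n = ballots_needed_for_detection(0.999, predict, check_rate)
        print(f"predict={predict} check_rate={check_rate}: "
              f"P(10 undetected)={undetected_prob(10, predict, check_rate):.4f}, "
              f"ballots for 99.9% detection={n}")
```

Under this model the number of corrupted ballots that can pass before detection becomes near-certain grows quickly as either parameter degrades, which is the quantity an alert threshold has to be set against.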
Counter-measures
• Aid voter’s randomness, e.g., coin in a perspex
cylinder.
• Use a different, e.g. mechanical, technique to
mark the layer or strip for destruction.
• Perform well-formedness checks (tricky without
compromising vote secrecy) immediately after
first error report by voter to help detect corrupt
booth.
• Establish suitable error diagnosis and recovery
strategies.
Teller errors
• Similarly need to define error-handling and
recovery strategies for the teller audits.
• E.g., set thresholds for alerts: need to
counter “under the radar” collusion attacks
by tellers.
Public Trust
• Not enough for the system to be dependable: it
must also be seen to be dependable.
• The scheme is complex and difficult to
understand.
• To what extent could “the average voter”
understand the scheme and believe the claims?
• To what extent would assurances of experts
suffice?
• How easy would it be to undermine public
confidence (e.g., “Andrey’s attack”)?
Trials
• Plan to perform a number of trials at DIRC sites.
• Possible questions to address:
– Do people understand the procedures and checks okay?
– Do they understand the encoding of the vote (especially if we use the
Prêt à Voter version)?
– How diligent are they in performing the various checks, reporting
problems?
– Do they understand what they are supposed to do when an error occurs
(e.g., a check fails)?
– How easily can they be fooled or coerced about their choice of
layer/strip?
– To what extent do they understand the rationale behind the checks?
– To what extent do they need to understand the rationale in order to
perform the checks with reasonable diligence?
– To what extent would they trust the scheme (as compared to pen and
paper, DRE etc?) (for accuracy and for privacy)?
– Do they regard the voter verification as a valuable feature?
Conclusions
• The Chaum scheme minimises dependence on technical
components.
• For the accuracy requirement, no trust (dependence)
need be placed in the components.
• The checks mean that an election can be verified as
opposed to the election system.
• Technical (mathematical) core appears robust.
• The surrounding socio-technical mechanisms (error
handling, recovery strategies, thresholds,…) need to be
carefully designed and evaluated.
• Public understanding and trust is likely to be an obstacle
to uptake.
Future work
• Formal analysis of the scheme (and variants).
• Construct full risk analysis/dependability case:
– Elucidation of the goals and requirements; technical, social,
political, legal, economic…
– Investigate social threats.
– Specify and evaluate error handling and recovery strategies.
– Conduct full risk analysis.
• To what extent are fairness and absence of bias
achieved?
• Investigate how public trust could be established,
maintained (undermined).
• Investigate mental models.
• Conduct trials.
Further information
• www.dirc.org.uk
• Various Newcastle tech reports:
– CS-TR-809 (gives full details of the original scheme)
– “A simplified version of the Chaum e-voting scheme”
(presents a pedagogic, simplified version)
– FAST 2003
• E-voting Workshop at DSN, Florence end June
2004.