Citizen Verified Voting

Ben Hosp, Nils Janson, Phillipe Moore, John Rowe, Rahul Simha,
Jonathan Stanton, Poorvi Vora
{bhosp, simha, jstanton, poorvi}@gwu.edu
Dept. of Computer Science
George Washington University
Integrity during ballot casting: paper receipts
Challenge: allow the voter to keep a record of her vote so
– she can determine that it has been counted correctly, yet
– not prove how she voted
This record is on paper, so “computer” problems will not destroy it.
CVV* can do this with, from the voter’s POV:
• A voting system that will “just work”
• The only additional effort required of the voter is to pull a lever up or down arbitrarily.
• Caveat: a non-negligible percentage of voters or their representatives must make the effort to check their ballot receipts.
* Based on a method by David Chaum
Election Goals
• Integrity – Correct vote count.
• Anonymity – I can’t tell how you voted.
• Involuntary Privacy – You can’t prove to me how you voted.
• Voter Verifiability – You, the voter, can verify the first two goals.
• Public Verifiability – Anyone can verify the first three goals.
• Robustness – If something goes wrong it can be detected and fixed.
CVV Assumes
• A set of n independent trustees, all of whom do not collude (can be made k of n)
– Collusion can violate privacy without being detected
– Collusion cannot violate integrity without detection
• All n trustees are functional (can be made k of n)
– A nonfunctional trustee (or > k nonfunctional trustees) can cause a denial of service attack
CVV Assumes
• A not necessarily trustworthy polling machine
– Cannot violate count integrity
– Can violate privacy (sees ballot)
• No collusion between authentication process and polling machine
– Collusion can lead to ballot stuffing
• Sufficiently large number of receipts checked – by voter or authorized third party
– Requires process
CVV is
• A prototype implementation of Chaum’s voter-verifiable voting system
• Using commonly available, low-cost hardware and OS platforms
Stage 2
• Demo 1: walk-through
The Voting Process
Ballot Casting
• The voter uses the voting booth machine to generate some image: her vote.
• The booth prints out two layers
– which are random by themselves,
– but when overlaid, display the image.
Layer generation
The layers are generated using two strings of random numbers
– Each created by adding trustee shares
– Each of size half of the number of image pixels
– One for the top layer, the other for the bottom
– Laid in staggered form on the two layers
[Figure: the random pixels R of the two strings laid in staggered form on the top and bottom layers]
Layer generation
• The other half of the pixels on each layer are such that the overlay is the correct vote
[Figure: overlay of the two layers showing the vote; “Other vote:” shows the overlay that a different vote would produce]
Different types of receipts
• Optical (additive) overlay: Chaum
• Many other symbols by Jeroen van de Graaf
The Voting Process
Receipt Choice
• The voter chooses one layer for her receipt.
– Some other “stuff” is printed on the chosen layer.
– The unchosen layer is destroyed.
– The chosen layer is stored or transmitted.
• It can be shown that the machine can cheat in only one of the two receipts if the overlay represents the vote.
The Voting Process
Receipt Checking
• Receipts at the counting station can all be checked, by a third party, for correctness.
• A voter can check that her own receipt has reached the counting station, or have it checked by a third party.
• Automated checking that a hard copy matches an image at the counting station is not yet implemented by CVV. Visual checking is possible.
Cheating machine caught with probability half
If the machine has cheated on a vote which has the check performed
– it will be detected with non-negligible probability (one-half?)
– this does not depend on the hardness of any problem using any computational model, but
– on the randomness of the voter choice
Does not depend on voter trust of poll worker checks
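The layer construction, the voter’s receipt choice and the one-half detection bound of the preceding slides, as an added worked example that is not part of the original slides or of the CVV prototype. It uses a toy model the slides do not specify: pixels are bits, the optical overlay is XOR, every image bit is printed on a pixel pair (top layer random on the even pixel, bottom layer random on the odd one), and a layer’s random half is expanded from a seed with Python’s random module in place of the sum of trustee shares. The functions make_layers, overlay, check_receipt, tally, cast_ballot and catch_rate are the example’s own names.

```python
"""Added example (not CVV's or Chaum's code): two-layer receipts in a toy XOR
model, the random receipt choice, and the check that catches a cheating booth
with probability one half.  All modelling choices below are assumptions."""
import random
from typing import List, Optional, Tuple


def share(seed: bytes, n_bits: int) -> List[int]:
    """Deterministic pseudo-random bits regenerated from a seed (stand-in for
    the sum of trustee shares)."""
    r = random.Random(seed)
    return [r.getrandbits(1) for _ in range(n_bits)]


def make_layers(image: List[int], seed_top: bytes, seed_bottom: bytes,
                cheat_to: Optional[List[int]] = None) -> Tuple[List[int], List[int]]:
    """Print the two layers for `image` (one bit per pixel pair).  Half of each
    layer is seed-derived randomness; the other half is fixed so the overlay
    shows `image`.  With `cheat_to`, the booth keeps the overlay honest but
    alters the bottom layer's random half so that a tally taken from a TOP
    receipt decodes to `cheat_to`: only one layer can be made inconsistent."""
    m = len(image)
    r_top = share(seed_top, m)
    r_bottom = share(seed_bottom, m)
    if cheat_to is not None:
        r_bottom = [r_bottom[j] ^ image[j] ^ cheat_to[j] for j in range(m)]
    top, bottom = [0] * (2 * m), [0] * (2 * m)
    for j in range(m):
        top[2 * j] = r_top[j]                    # top: random on even pixels
        bottom[2 * j] = r_top[j] ^ image[j]      # bottom: determined there
        bottom[2 * j + 1] = r_bottom[j]          # bottom: random on odd pixels
        top[2 * j + 1] = r_bottom[j] ^ image[j]  # top: determined there
    return top, bottom


def overlay(top: List[int], bottom: List[int]) -> List[int]:
    """What the voter sees in the booth when the two layers are laid together."""
    return [a ^ b for a, b in zip(top, bottom)]


def check_receipt(layer: List[int], which: str, seed: bytes) -> bool:
    """With the receipt and the seed revealed for the chosen layer, anyone can
    regenerate that layer's random half and compare it with what was printed."""
    start = 0 if which == "top" else 1
    return layer[start::2] == share(seed, len(layer) // 2)


def tally(layer: List[int], which: str, other_seed: bytes) -> List[int]:
    """What the trustees recover: the chosen layer's determined half XOR the
    regenerated random half of the destroyed layer."""
    m = len(layer) // 2
    other = share(other_seed, m)
    if which == "top":
        return [layer[2 * j + 1] ^ other[j] for j in range(m)]
    return [layer[2 * j] ^ other[j] for j in range(m)]


def cast_ballot(image: List[int], rng: random.Random,
                cheat_to: Optional[List[int]] = None) -> Tuple[bool, List[int]]:
    """One booth session: print layers, the voter confirms the overlay, then
    picks a receipt layer at random.  Returns (receipt_checks_out, recorded_vote)."""
    seed_top = rng.getrandbits(128).to_bytes(16, "big")
    seed_bottom = rng.getrandbits(128).to_bytes(16, "big")
    top, bottom = make_layers(image, seed_top, seed_bottom, cheat_to)
    # the overlay shows the voter's vote whether or not the booth cheats
    assert overlay(top, bottom) == [image[i // 2] for i in range(2 * len(image))]
    if rng.random() < 0.5:
        return check_receipt(top, "top", seed_top), tally(top, "top", seed_bottom)
    return check_receipt(bottom, "bottom", seed_bottom), tally(bottom, "bottom", seed_top)


def catch_rate(image: List[int], cheat_to: Optional[List[int]],
               trials: int, seed: int) -> float:
    """Fraction of sessions in which the receipt check fails.  Near one half
    for a cheating booth, exactly zero for an honest one."""
    rng = random.Random(seed)
    failed = sum(not cast_ballot(image, rng, cheat_to)[0] for _ in range(trials))
    return failed / trials
```

The point the simulation makes is the one on the slide: the booth can only make one layer inconsistent with its committed randomness while keeping the overlay honest, so the check fails exactly when the voter happens to keep the tampered layer, and no computational assumption is involved.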
The Complete Ballot
The receipt/vote has the following fields:
Pre-choice:
– The vote ID
– The encrypted image.
– Information for trustees required to decrypt the top layer.
– Information for trustees required to decrypt the bottom layer.
– A signature of the vote ID
Post-choice:
– Info required by a non-trustee to recreate the above for the chosen layer, but not the unchosen one; used to check commitments.
– A signature of the whole ballot to prevent false claims of uncounted votes
The Complete Ballot
The information on the ballot
– Can be used by anyone to verify that
the ballot was correctly constructed,
but
– Cannot be used to decrypt the ballot
except by appropriate combination of
trustees.
The Vote-Decryption Process – similar to a regular MIX
• Random pixels were generated using a different seed for each trustee for top and bottom
• The seed of the chosen layer is made available on the receipt for checking
• The other seed is made available in nested encrypted form for the trustees to generate the random part of the unchosen layer
The Vote-Decryption Process
Each trustee:
– for each ballot:
  • extracts his seed
  • incrementally regenerates the random numbers on the other layer
  • adds his share to the ballot
– shuffles all the ballots
– passes on the ballots to the next trustee
Receipt Decryption
[Figure: the random pixels R of the destroyed layer are regenerated and combined with the receipt; “The other vote would have looked like” shows the result for the alternative vote]
The Auditor
• The first trustee is asked to reveal, to the public, a random half of his shuffle.
• The next trustee reveals the other half.
• And so forth
– no ballot can be completely traced through the shuffles.
The Auditor
• Each trustee provides
– A correspondence between input and output images
– A seed value
Such that
– the encryption of the seed with his public key gives the encrypted information
– the difference between the output and input images of the revealed half of their shuffle was generated using the seed
• Cheating trustee caught with probability half for every vote cheated on
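The decryption MIX and the half-revealing audit of the preceding slides, as an added worked example that is not CVV’s or Chaum’s code. Its simplifications are assumptions the slides do not state: the encrypted image is the vote bits XORed with one pseudo-random share per trustee; shares are regenerated from per-ballot, per-trustee seeds with Python’s random module; the nested public-key encryption of a seed is stood in for by publishing its SHA-256 hash as a commitment, with the seed itself kept in the ballot record; and two trustees are audited with complementary halves. The function names (make_ballots, mix_stage, reveal_links, audit_stage, run_election, catch_rate) are the example’s own.

```python
"""Added example (not CVV's or Chaum's code): a toy trustee MIX with the
random-half audit.  All modelling choices below are assumptions."""
import hashlib
import random
from typing import Dict, List, Optional, Tuple


def share(seed: bytes, n_bits: int) -> List[int]:
    """Deterministic pseudo-random bits regenerated from a seed."""
    r = random.Random(seed)
    return [r.getrandbits(1) for _ in range(n_bits)]


def commit(seed: bytes) -> str:
    """Public commitment to a seed (stand-in for its encryption to the trustee)."""
    return hashlib.sha256(seed).hexdigest()


def xor(a: List[int], b: List[int]) -> List[int]:
    return [x ^ y for x, y in zip(a, b)]


def make_ballots(votes: List[List[int]], n_trustees: int, rng: random.Random) -> List[Dict]:
    """Counting-station input: each vote image masked with every trustee's share,
    the per-trustee seeds, and the commitments published next to the vote ID."""
    ballots = []
    for vid, v in enumerate(votes):
        seeds = [rng.getrandbits(128).to_bytes(16, "big") for _ in range(n_trustees)]
        img = v
        for s in seeds:
            img = xor(img, share(s, len(v)))
        ballots.append({"id": vid, "img": img, "seeds": seeds,
                        "commits": [commit(s) for s in seeds]})
    return ballots


def mix_stage(ballots: List[Dict], i: int, rng: random.Random,
              tamper: Optional[int] = None) -> Tuple[List[Dict], Dict]:
    """Trustee i strips his share from every ballot and shuffles.  With `tamper`
    set he also flips every bit of the ballot at that input position (the
    cheating trustee of the slides).  Returns the outputs and an audit transcript."""
    stripped = []
    for b in ballots:
        out = dict(b)
        out["img"] = xor(b["img"], share(b["seeds"][i], len(b["img"])))
        stripped.append(out)
    if tamper is not None:
        stripped[tamper]["img"] = [1 - x for x in stripped[tamper]["img"]]
    perm = list(range(len(ballots)))
    rng.shuffle(perm)                          # perm[out_pos] = in_pos
    outputs = [stripped[perm[o]] for o in range(len(perm))]
    return outputs, {"trustee": i, "inputs": ballots, "outputs": outputs, "perm": perm}


def reveal_links(tr: Dict, out_positions=None, in_positions=None) -> List[Tuple[int, int]]:
    """The trustee's revealed (input, output) correspondences for one half of
    his shuffle, named either by output positions or by input positions."""
    perm = tr["perm"]
    if out_positions is not None:
        return [(perm[o], o) for o in out_positions]
    inv = {perm[o]: o for o in range(len(perm))}
    return [(p, inv[p]) for p in in_positions]


def audit_stage(tr: Dict, links, published: Dict[int, List[str]]) -> bool:
    """Anyone can check each revealed link: the seed matches the published
    commitment, and output = input XOR share(seed)."""
    i = tr["trustee"]
    for in_pos, out_pos in links:
        inp, out = tr["inputs"][in_pos], tr["outputs"][out_pos]
        seed = inp["seeds"][i]
        if commit(seed) != published[inp["id"]][i]:
            return False
        if out["img"] != xor(inp["img"], share(seed, len(inp["img"]))):
            return False
    return True


def run_with_rng(votes, rng: random.Random, cheat: bool) -> Tuple[bool, list]:
    """Two-trustee mix, audit with complementary halves, final tally."""
    ballots = make_ballots(votes, 2, rng)
    published = {b["id"]: b["commits"] for b in ballots}
    out1, t1 = mix_stage(ballots, 0, rng, tamper=0 if cheat else None)
    out2, t2 = mix_stage(out1, 1, rng)
    n = len(votes)
    half = rng.sample(range(n), n // 2)        # random half of trustee 1's outputs
    other = [p for p in range(n) if p not in half]   # trustee 2 opens the rest
    ok = (audit_stage(t1, reveal_links(t1, out_positions=half), published)
          and audit_stage(t2, reveal_links(t2, in_positions=other), published))
    return ok, sorted(tuple(b["img"]) for b in out2)


def run_election(votes: List[List[int]], seed: int, cheat: bool = False):
    """Returns (audit_passed, sorted plaintext votes) for one seeded run."""
    return run_with_rng(votes, random.Random(seed), cheat)


def catch_rate(votes: List[List[int]], trials: int, seed: int) -> float:
    """Fraction of cheating runs the audit catches; should be near one half."""
    rng = random.Random(seed)
    return sum(not run_with_rng(votes, rng, True)[0] for _ in range(trials)) / trials
```

Because trustee 1 opens links into a random half of his output positions and trustee 2 opens links out of the complementary half of his input positions, every ballot has exactly one of its two links published, so none is traced end to end; a trustee who alters a ballot is exposed exactly when that ballot’s link is among the opened half.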
Reduce “negative aspects” of voter verification by
Participation by major political interests and public interest organizations as:
– Trustees
– Third party working on behalf of the voter to
  • Check that the receipt is on the website
  • Check that the receipt was correctly generated (for this, they need to actively obtain receipts)
– Witnesses of the trustee decryption process and audit
Reduce “negative aspects” of voter verification by - II
Process that includes encouraging voter verification when fraud is detected or alleged:
– If a voter claims his vote was not counted, encourage enough voters to check their votes to determine the extent of fraud/error
– If a displayed receipt does not check, check receipts in that precinct to determine the extent of fraud/error
Current status of CVV
• Prototype implemented in Java
• Currently supports low-end ink jet printing
• Plan
– Open source release
– User-friendly ballots
– Pre-packaged election tool kit for third-party elections (e.g. student elections). Those interested please contact us.
– Construction of various other primitives for plug and play
More Next Steps
• Performance and Robustness Testing and Enhancements
• Trials in local and school elections
– for education and
– to test usefulness and acceptance of the scheme
• With Political Science and Public Affairs Faculty: determine if there is a difference in acceptance along group lines:
– Political parties
– Age
– Race
– Ability (among handicapped; Braille overlay methods can be developed)
References and Acknowledgements
• David Chaum
• David Chaum, “Secret-Ballot Receipts: True Voter-Verifiable Elections”, IEEE Security and Privacy, January-February 2004 (Vol. 2, No. 1)
• Poorvi Vora, “David Chaum’s Voter Verification using Encrypted Paper Receipts”, www.seas.gwu.edu/~poorvi/Chaum/chaum.pdf
Also on DIMACS website linked from talk abstract
Extras
CVV - How it works
based on Chaum voter-verifiable voting system
1. Voter votes. Obtains an encrypted receipt that even she cannot decrypt outside the polling booth
• only all n trustees can decrypt it
• this can be modified to k of n trustees.
We will describe later how she can be sure the polling machine did not cheat
2. Voter checks for receipt on public website. If it is there, her vote has reached the counting station
CVV - How it works
4. Possessor (voter or third party, or anyone if the receipt is on the website) can check if the receipt is correctly generated.
5. All votes at the counting station are serially (partially) decrypted and shuffled by trustees (version of MIX)
6. Final, unencrypted, shuffled votes are counted. Conditional count announced.
7. Trustee decryption and shuffle is audited. Final count announced, election certified.