Add to collection(s) Add to saved
  1. Arts & Humanities
  2. Philosophy

>> Josh Benaloh: Good afternoon, it’s a pleasure to welcome... Peter is a professor at the University of Luxembourg, the...

advertisement

>> Josh Benaloh: Good afternoon, it’s a pleasure to welcome Peter Ryan today.

Peter is a professor at the University of Luxembourg, the one and only

University of Luxembourg.

>> Peter Ryan: Yes.

>> Josh Benaloh: He has done many things in security and especially is the principal designer and innovator of the Pret a Voter system and now systems of various kinds which he will, as soon as he gets his microphone reset, have an opportunity to start talking about.

>> Peter Ryan: Okay, so many thanks to Josh for the invitation to come and speak here. It’s a pleasure and an honor. So, yeah for a good eight years now I have been working on this Pret a Voter scheme and it has evolved quite a bit in the face of differing requirements, perception of new threats, perception of realization of new cryptographic primitives and so on.

So what I thought I would try and do today is give a very high level view of well the scheme and some of the indications of how it has evolved. And the different pressures and so on. So the evolutions of the species as it were.

Okay so the point of what I plan to present is first of all I just quickly I just described the problem we are trying to address here. I guess many

[indiscernible] you won’t learn anything there. But then I will give a very high level view of Pret a Voter and then some indications of how all the designers evolved over time. And then I will start talking about a couple of the more recent things.

So Pret a Voter is a pony station supervised scheme I should say. A few years back I ventured rather nervously into the area of internet voting with a scheme called Pretty Good Democracy which was in fact developed with

Vanessa Teague. And then most recently the scheme, with a variance of Pret a

Voter which incorporates some of the ideas of Pretty Good Democracy so we get a version called Pret a Voter with confirmation codes. I will talk about the advantages and possible disadvantages of that. So that’s the outline, roughly.

So I just thought that should just --. People almost inveritably, particularly this side of the Atlantic, ask me, “Well, what does the name mean, why”? Well if you speak French literally it’s ready to vote. Yes, ready to vote. But, of course, it throws back to the phrase, the French phrase, Pret a Portier which is ready to wear off the peg I guess. And the idea as actually triggered, I was just riding a bus in London and a saw a

Pret a Manager, you know sandwich store which some of you may have come across. And of course people keep telling me it’s a lousy name in the US and

I know, but I like it.

Okay, so what is the problem with what sort of a bunch of us in this field have been trying to address? Well of course there is an ancient problem that basically goes back to the origins of democracy. There is actually evidence that the Greeks were aware of. The people would try and undermine elections and that there are actually archaeological artifacts that indicate they tried to transfer trust from people into kind of devices, machines.

So really what we are trying to do is make sure the outcome of an election is demonstrably true; demonstrably to everyone. And in a way which sort of cannot be questioned, in particular by the losers. But at the same time of

course we have to guarantee, in most elections at any rate, that all ballots remain private. And of course what makes this problem I guess rather kind of unique in say the field of computer science is that unlike, you know if we are just computing an algorithm or something we really don’t have any objective way of saying what the correct answer is. By definition of the ballot privacy there is sort of no God’s eye view of what the correct answer should be.

And the important point to stress here I guess is that we want to achieve all this in a way which sort of minimizes the amount of trust we have to place sort of anywhere in officials, software, hardware, etc, etc. So that’s the challenge we are trying to address. And well, sort of clearly conventional systems sort of achieve some of this, but involve typically quite a lot of trust in the officials and so forth.

So, to talk about trust; I have been dying to write a paper for a long time with this title: How many Diebold technicians does it take to change an election? So, as you in the US know, sort of a major problem which I guess has been improving a little bit, but it was a big problem I guess 2,000ish.

>>: It has improved in the sense that Diebold no longer exists.

>> Peter Ryan: So people are at best --. Well historically we were expected to trust in the officials conducting the election. More recently, particularly in the US where we sort of have touch screen DRE machines the voters, the elector, are sort of required to trust the suppliers of the code and so forth. And perhaps it certifies in some sense. And what is really scandalous in my mind, and I don’t think anyone here will dispute it, in some cases where people are asked to trust in code which is essentially kept secret, which no experts are allowed to examine or only under strict NDAs or if that. And that really is a totally unacceptable situation. And of course we see places in the world, we have all seen many pictures like this, where people clearly did not trust the handling or the outcome of an election.

So I guess you all sort of know this kind of stuff. I think these figures are about right. They may be a little bit dated now. A very significant chunk of the US electors have been voting on touch screen machines, which until recently you would have to trust purely the code in incited. More recently we VVPAT or voter-verified paper audit trails, but how much that helps is debatable.

Okay so that’s particularly in the US the background. And of course there are similar problems elsewhere in the world. So what basically cryptographers and security folks have been trying to do is, if you like, take a new approach. And the design philosophy behind this approach and I think this is a quote at the top which I attribute to you, but a nice slogan verifies the election of the system. Well I like this phrase because I feel that 74 property like integrity like to guarantee that’s it’s fulfilled by sort of monitoring auditing and so forth is the way to do it. Not by trying to verify thousands of lines of code and trying to assure you that the verified code is actually what is running on every machine on the day, etc, etc. That sort of assurance is extremely fragile on my view.

So we want to base the assurance of the accuracy of the outcome, the integrity, purely on the basis of transparency, auditability, verifiability, what ever you want to call it. Okay. Yeah, I will skip that bullet.

Okay so to be clear, that doesn’t mean we should completely skip any notions of systems verifications and there are other aspects where it is still important to do that. So we still need to guarantee that they system will run smoothly during the election. We still need to guarantee secrecy which you can guarantee by monitoring, although not an enforceable property in

French [indiscernible] terminology.

But so the crucial point and the one I will be focusing on today is that assurance of the integrity should not depend on the correctness of the code.

It should depend on auditing and transparency. And I guess that’s a way of rephrasing the notion of software independence.

Okay so key requirements I sort of labeled this. I will go through a lot of them. I won’t go into too much detail. There is a lot of [indiscernible] behind these. Lots of people have been coming up with precise mathematical formulations of these notions. They turn out to be extraordinary subtle, but when you get to things like this that could be a whole lecture in itself. So

I labeled.

So clearly the high level property is the integrity. As we say we want to be sure the announced result is correct. It correctly reflects the legitimately coast ballots. We need to guarantee ballot secrecy at the same time and typically with these more sophisticated schemes we also have to guarantee more sort of advanced properties that can be paraphrased roughly that there should be no voter to produce a prove to a third party i.e. some sort of coercion, how they vote and that’s obviously to try and prevent coercion and vote [indiscernible].

And of course there are lots of other properties we also require, but we will skip over those rather quickly, for today anyway.

Okay. So what is often called E2E verifiability or I guess sometimes fully auditable, I guess that’s the same various phrase. There are various phrases here. I will stick to E2E verifiability. So the basic idea is that we should try and provide a voter some way of assuring them it accurately reaches the final tally. But we have to do this in a way that doesn’t reveal to any third party how they voted. And you can see this is a pretty good trick if you can pull it off. People have been struggling with this for decades I guess.

So what typically happens in order to realize this concept is that voters get some sort of receipt at the time they cast their vote. Okay you will see illustrated on how that’s done in Pret a Voter, but obviously other systems use receipts via somewhat different mechanisms. And so that receipt has in hidden form an encrypted/encoded in some way the representation of their vote. But in a way the third parties who don’t hold suitable cryptographic keys or whatever cannot extract it.

Okay and so the idea typically then is that all of these receipts should be posted to some sort of secure web bulletin board. Quite how you realize this concept is another issue as well which we will not get into today. And so voters or perhaps proxies can go to this and check that their receipt appears correctly there and then there is some kind of universal online tabulation process that goes on afterwards. And again, I won’t use a very established cryptographic technique which I won’t go into the details of today.

So at a very high level, sort of 1500 foot level is that the phrase you use in the US? That’s kind of what we are trying to achieve here. Okay, so to introduce Pret a Voter very quickly then.

So the key idea is actually very simple. So in fact voters use a rather, well certainly to say UK voters for example, a rather familiar looking paper ballot form. But what makes it different from the way it would normally happen in say, the UK, is that on each ballot the candidate list is independently randomized. Okay. And there is some representation either written on the form itself or probably more likely the encryption will be committed to a web bulletin board and there will be a sort of pointer to that printed on the ballot form. There is a representation of that candidate order which is later used for tabulation.

Okay so the idea is a typical ballot form might look like this. Okay so there is a list of the candidates in a sort of standard way, at least for the

UK voter and it guess it’s similar in the US, although it would be a more complex looking ballot. There is a lot more real estate spread across it.

But typically UK ballots do sort of contain maybe tops about 10 candidates in a race, so it’s sort of --.

Okay so if you picked up another one at random you would see a different ordering of these candidates okay. And there is some kind of probably pointer to a cryptographic commitment on the web bulletin board on the bottom right hand side. Okay well I will go through a slide or two, but basically the idea is in the booth the voter marks their choice; so Panaromix in this case in the usual way. And in someway in the booth they destroy the left hand part.

So that’s key note. You can do fun stuff in key note. And so that leaves what is now constitutes the receipt. So, well I will come onto the properties of it in a second. So the voting ceremony typically would be the voter would come in, perhaps pre-register in some way. You know show their –

-, would authenticate themselves. They would be given, sealed in an envelope for example, because obviously you need to keep this candidate order secret from officials and so forth. Really the voter should be the only person who sees this candidate order. It is given to them. They go to the booth --.

Yes?

>>: As a mater of technicality, how do you actually destroy the left hand part so it’s destroyed? A flame isn’t really practical. Plunging it in water would work, but people usually tear it in two parts, maybe in four

[indiscernible].

>> Peter Ryan: Well, I mean we will have a perforation or something down the middle. So hopefully that will at least separate the two parts correctly.

How you actually destroy it, and I think the process of destroying it is not so much the issue. It’s how you enforce that it does get destroyed and that’s somewhat delicate.

>>: But shredders are often used in practice.

>> Peter Ryan: A shredder would essentially do it.

>>: [indiscernible].

>> Peter Ryan: Actually in some sense you don’t need so much to destroy it.

What you need to do is destroy the association between the two. So actually in some sense destroying it is not so much the issue. And arguably, there may be some context where it actually would make sense maybe to actually leave them lying there. I will come to that perhaps later on if we have --.

But enforcing the separation of those two parts is delicate and that’s something which maybe we will talk more about later.

Okay, so he goes into the booth, or she goes into the booth, marks, detaches and somehow destroys, or at least discards the left hand side. And then can come out of the booth and goes back to the officials and has the information on this scanned and posted to the web bulletin board. And then they will get some kind of copy which should presumably be validated in some way. There are some delicate issues there too which we are starting to touch on yesterday. Perhaps framed in some way and possibly digitally signed to try and sort of guarantee its authenticity, make it hard to counterfeit. Again there is quite a lot of delicate issues there too which maybe we will get into in discussion. And basically they can now take this copy away and later they can visit, use it to visit the web bulletin board or possibly they might sort of give it to help “voter helper” organizations to do it on their behalf or something.

And well potentially we can also keep additional copies of these things because they are already now in encrypted form. There is potential for keeping various additional copies, which would seem not to do any harm and to keep multiple copies of these things.

Okay, so as indicated previously these things get posted. Voters or proxies can visit and check that they all appear correctly. And then once we have reached the end of a certain phase and hearing that any disputes have been suitably resolved we can then go into the tabulation.

Okay, so this could be using anonymising mix followed by decryption in a verified fashion there are standard techniques for doing that; or possibly with homomorphic tabulation. You just merge them all together into one big ciphertext exploiting the sort of algebraic homomorphic properties and then you decrypt that and that somehow allows you to extract the total in one decryption shot. So you don’t have to decrypt the individual ballots in that case, which is the way that the anonymity of the ballots privacy is guaranteed there.

Okay. And I won’t go too much into all the details, but essentially all these steps are basically three phases that you have to guarantee happen correctly. So you can see from the correctness from the encoding of your votes what you have to do is guarantee that the ballots you are given are well formed; in the sense that the information buried in the ciphertext correctly matches the order shown on the ballot form. And we can do that essentially by various forms of random audit and again I will talk a little bit about some of the options, the procedures and the kind of audits we can do to guarantee that.

Then we need to try and guarantee that all the legitimately cast receipts get into the tabulation. So that’s basically by this sort of checking on the web bulletin process that I kind of indicated. In essence again there are some subtleties I am glossing over. And then you have to guarantee that all of these encrypted ballots are correctly decrypted in some sense and the output counted up.

So the three phases you have to guarantee that everything is done correctly in each of those phases. If all those are correct you have got to sort of indirection which should, if a voter checks that their receipt is correctly on the bulletin board they should get a guarantee via the sort of indirection that their vote automatically gets correctly counted. But in a way because it goes via this encryption they cannot show how they voted to a third party.

Does that sort of make sense? Roughly there are sort of three key legs of this argument.

Okay, so a few quick remarks about this. Some of them will probably be apparent to you immediately, but there are a few which are more subtle, which

I was telling Josh, weren’t actually sort of designed in at the beginning. I only realized them a bit later. And they are actually interesting properties.

Well first of all, which should be apparent but if you don’t have the keys to decrypt the cryptographic values you cannot interpret what this cross represents in terms of a candidate in a vote. The vote experience is fairly familiar and the additional checks are of course optional so the basic casting of a vote is pretty much the same as you would do it in the UK anyway. And here we get into the sort of rather more subtle properties which are kind of a spin-off of the design.

One very nice feature is that, you will notice, at no point does a voter actually have to communicate that choice to a device, right. If you contrast that with say a DRE or quite a lot of the even cryptographic schemes the voter has to tell the device how they want to vote. And well either that is just directly cast supposedly or some kind of encryption of it is generated or multiple encryptions or whatever.

But in any case the device learns how the voter wants to vote and we potentially have sort of side channels, leakage. The way it’s done in Pret a

Voter because all the encryption is done in advance you can see we sidestep those kinds of threats, which is kind of neat.

And another interesting point is that, sorry remark that your correctness of your receipt rests on the correctness of your ballot. And so we can offer say the opportunities to say voters or to independent auditors to audit, check the construction of randomly chosen ballots. And this auditing process is particularly clean from both the privacy point of view because obviously at this point no vote has been cast. It hasn’t even necessarily been associated with a voter.

So the auditing process here poses no threat to the privacy of the vote which is in contrast with some other sort of cryptographic systems. And resolving who’s guilty, if you like, is clear cut here as well. Right, it’s simply an issue of whether the ballot is well formed or not and that’s a clear cut issue. If it’s not than clearly whatever device created that ballot is cheating.

So this is in contrast with some other schemes. The device produces an encryption, the voter opts to audit it using, and you know, a challenge style option. So it’s opened up and the candidate is reeled and then maybe the voter says, “Well that’s not the candidate I want being put on the screen”.

And then you have the difficulty, you are not entirely sure who is telling the truth here.

So in that sense it’s kind of quite clear cut. Which I think is nice. And you can see that it potentially can handle a quite nicely richer voting system like ranked, instant run-off, approval, etc.

Okay so verification I probably need to keep going fairly quickly. I think I have given indication of these things already. So I think we can probably skip --. Yeah, I pretty much said those bullets. Okay, so let’s carry on.

Okay, so I wanted to say a little bit about how the system has evolved. So I am not going to go into a sort of great deal of detail here, but these bullets indicate some of the sort of key development steps, or branching steps if you like in the evolution. So the first version of Pret a Voter, I should have perhaps said earlier, that I was inspired in this by an earlier schemed [indiscernible] which used Visio crypto to do the encoding. So I was very much inspired by that and Pret a Voter was a large attempt to sort of simplify both conceptually and technologically the procedures there.

So [indiscernible] original scheme used decryption mixes, which actually have some quite nice features from our point of views and technical features. It allowed us to very neatly deal with full permutations of the candidates. So if you set it up right basically as the thing goes through the decryption mix you can basically unfold various permutations which were applied in the construction of the ballot. You apply the inverse permutations in the opposite order.

So basically you can take, say a vector of rankings as it’s fed through the mix the vector is transformed in a sort of contravariant way, if that’s the word, I always get the two confused: variant and contravariant. So what pops out at the end is in fact the ballot with the ranking represented in economical standard order, which is kind of nice. So in the process you lose any information about what the original permutations were.

So that was a nice feature, but it causes a whole bunch of down sides to decryptions as some of you are aware, right. They are sort of very inflexible, fragile. As the size of the encryption grows the more mixes you go through, and so on and so forth; so later variances moved to re-encryption mixes, which I guess some of you are probably familiar with. These in many ways are much more elegant, much more flexible; re-encryptions can be done by devices or servers that don’t know any secret keys in contrast to decryption mixes. So basically you can have sort of as many as you want. You can switch them in and out and so on and so forth. So there are a lot of nice features of re-encryption mixes. They are much more robust, flexible and so forth.

The flaw is that when there is no obvious way to reproduce this rather neat trick that I described for decryption mixes, to sort of drag the ranking vector or whatever because the re-encryption mix basically doesn’t extract any plain text information as the thing goes through. So the earlier variance just used cyclic shifts. So you can just use exploit the homomorphic to easily handle cyclic shifts and that’s good enough for just plurality votes; just using a single candidate, at least from a privacy point of view. We then got a bit worried that from an integrity point of view this was still a bit doggy because you can see even though a cyclic shift is enough to conceal the choice, if an addressee is somehow able to manipulate some ballots in an undetectable way he knows precisely what shift to apply to transform a certain candidate to another.

Okay, so cyclic shifts are sort of fragile. So the next thing is we actually went on with Vanessa, we went onto a Florentine square based permutations if that rings a bell, so sort of affine permutations which kind of counters that. But it’s still not sort of rick enough to handle, and if you want to handle ranked voting or something than clearly it’s still not enough to conceal the information.

So the most recent variance do go onto handle full permutations, but the trouble is that as far as we have been able to determine so far the only way you can actually do that is if you have got N candidates you have basically got N encryptions, one for each candidate. And that allows you in a fairly straight forward way to handle full permutations. What I would really like to find, and if you like a little challenge for people, is if you recall the original scheme had a single encryption to represent the full permutation, there is no way that the permutation algebra, and permutation algebra seems to mesh with simple homomorphic properties.

>>: [indiscernible].

>> Peter Ryan: Well somehow, we --. The ideal would be to have a representation of the ballot which just has say a single ciphertext which encodes the whole permutation and be able to feed this through a mix; so mimicking the rather nice property that we had up there for example. We can do it naively, but things come out at the end with still the information about original permutation preserved, which we don’t want to do. Okay. So there is an interesting challenge here. And I don’t know how to do that.

That would be the sort of next step along that second bullet if we could do it.

So, another thing that we developed in later versions and this was, well partly to counter the issue that as I described originally, the sum authority that generates all the ballots and encryptions and so on. If that is corrupt or leaks than of course you have problems. So it seems to, well that’s one issue. And another issue is as people pointed out cryptographic style attacks. Like where if you have a single device generating say the randomness of an encryption, if there is a trojan horse there they can actually exploit subliminal channels to leak information to the outside.

So we looked at ways to try and counter both of those issues and I guess the neatest is to have a distributed generation process. So there is a bunch of entities that collaborate to generate the encryptions and so forth in such a way that no single entity knows or can control the final values. So you counter those kinds of issues. So that was a further development.

Another thing that we worked on is the possibility of print on demand ballots. Okay. The way I have described it so far the implication was that all these ballots are generated in advance. Perhaps some of them pre-ordered them in advance and so forth. That has nice properties, but on the other hand then you have to worry about chain of custody issues with this batch of ballots.

So arguably you might be better of rather than printing them in bulk in advance to print them, you know, on demand, perhaps even in the booth, right there with the voter. So if you do this rather nicely it sort of strongly guarantees that the voter is the only person who sees the candidate order, assuming it is properly destroyed and so forth.

But then of course you get into issues that in a sense you start getting into the standard issues with other schemes that you have to worry about, the trustworthiness of the printing device, or the decryption device in the booth, so you start having to do random audits, Benaloh challenges, cut-andchoose and so forth. But, anyway, we have constructions which can handle print on demand. They are quite nice. Sort of using paired onions kind of notions; an onion which can be decrypted by the device in the booth and then another one which is decrypted by the tellers later during tabulation. So there are some quite nice constructions there. So let’s see how are we doing? Yes I have got another 20 or 25 minutes or so, okay.

So further possibilities which have been explored, although not really I guess implemented or exploited yet. So one idea was to in addition to the copies of the receipts that voters walk away with is that they are to keep locally some kind of verified encrypted paper audit trail I called it. Okay, so some local paper record of all the encrypted receipts that have been cast.

And this would be a way of sort of backing up these kind of distributed records held in a distributed fashion by the voters. And various independent entities could in principal go to this and check the consistency with the web bulletin board and so forth. Okay, let me, yes, not dwell too much on that.

Another possibility which I started thinking about later is, so this is all very well, but it is still an encrypted paper audit trail so for people who are sort of worried about the cryptographic aspect of this they may not really find that this gives them much sort of additional assurance. One possibility is to create in addition to the encrypted receipt some kind of human readable receipt. And there are some tricks that we suggested for Pret a Voter in order, as a side effect to generate a plain text version of the receipt which could be cast separately and kept as a paper audit trail as well. Again there are sort of issues there which Josh and I just discussed a little bit.

Okay, so I think that sort of quickly went through some of the key designs, steps, or branches in the evolution. Let me just talk a little bit about some of these key design decisions which have emerged from all this.

So I mentioned the need to audit the ballots in some way. And there are various possibilities which are brought to mind here. And the most natural one to certainly a sort of security person is if you really want to place the trust of the system on the voters themselves is to give the voters the option to randomly choose perhaps as many ballots as they want and audit them and so forth. That feels nice in principal, but of course it complicates the life of the voters and whether that’s really the way to go is not clear.

So the other extreme is just to put the onus of this on independent auditors, or you could do a mix and match of those. And there are various decisions here. How exactly do you do the audit procedure? Again there are various options. We could use Benaloh challenges. We could use some sort of cutand-choose. So one option at one point that I came up with which I sort of quite liked, but nobody else seems to particularly like is to have two sided ballot forms. You have a Pret a Voter form on each side and you actually have three columns. And so basically the voter has to randomly choose one side and, well if they vote with that side conventionally and they destroy the left hand part, but that leaves a complete sort of virgin ballot form on the other side, which can be routinely audited.

That has an advantage that it sort of keeps track of how many ballots each voter has. Because one of the issues is if you allow, even I guess even with

Benaloh challenges or cut-and-choose is that you have got voters running around with multiple ballots. You have to be careful that this does not allow them to cast multiple votes.

So there is a bunch of possibilities here. I have already mentioned preprinted verses print-on-demand. Another issue is are you better off using homomorphic mix verses mix tabulations and anonymizing mixes? That’s again not entirely clear to me. It depends a little bit, well to some extent the complexity of the kind of counting process you are doing. Another interesting one is whether we should go for everlasting privacy.

Okay. Pret a Voter as I have described it here is obviously using public key encryption so in the long-term that may well be broken 10 to 20 years hence.

Is that a serious issue from the point of view of voters? And people have come up with suggestions of ways that you can have unconditional privacy.

Typically that’s sacrifices unconditional integrity in some sense. Well we won’t go too much into detail here.

So in principal we could get everlasting privacy, but there is bound to be some sort of trade off here. So again that’s something we have to decide.

Another sort of interesting option I touched on verified encrypted paper audit trails. So I guess I will mention this in threats, but one of the issues that I think could well be a concern with verified schemes is sort of psychological attacks. Okay. So some addressee puts out some campaign saying, “You know, these guys claim that your vote is protected by this encryption, but we can break this encryption”, or “there is an easier way than just reading how you voted”.

And even if this is a complete crock if enough voters believe this they will potentially be coerced. So how do we deal with that? Well one option could be to just take this VEPAT to the extreme that in fact we don’t let the voters walk away with their own receipts. So this is the verified encrypted paper audit trail a few slides back, okay.

So in principal we could just keep, you know, well curated VEPAT of the receipts and use that to check against the web bulletin board and place

[indiscernible] of this kind of checking on independent auditors and the curation of this. So the voters would no longer walk away with their own receipts and that might mitigate some of these psychological threats. But of course it takes the voters out of the loop in terms of the amount of, to the extent of which they can contribute to the assurance.

So there’s a bunch of things we have been thinking about. I would actually be interested in people’s feedback for those of you that are in the room.

Okay. So very quickly, some vulnerabilities that have worried us. I mean how seriously you should you take these in comparison to other kind of coercion threats is of course interesting. So chain voting is one and that’s a well known attack with even conventional voting systems, but it becomes potentially even worse for verified schemes. So should I quickly say does everyone know what chain voting is? Well I will just quickly say, I think we probably have time.

So the idea is that say we have got a conventional voting system, the UK for example. A coercer manages to smuggle out a blank form, ballot. He marks it

up the way he wants and then intercepts a voter as they arrive. He hands this marked up ballot to them and says cast this and come out with another blank one. Okay. And in theory in the UK ballots are a sort of controlled resource. A voter is only supposed to get one, be handed one, and they are to be seen to cast one in the ballot. So that means that if they come out and give the coercer a blank one that it’s very strong evidence that they cast the marked up one. And of course you can iterate this as much as you want.

And this is potentially even worse in a verified scheme because of course you have these identifiers on the ballots and they are posted later to the web bulletin board so the coercer can actually check the marked up one that they gave the voters fetch up from the bulletin board. So that’s kind of tricky.

Though we have some mitigations I am not sure we have got any [indiscernible] entirely satisfactory. And tricks like covering the unique identifier with a scratch strip which shouldn’t be removed until appointed casting in the presence of officials is one trick that we have thought about. And how feasible scratch strips are I don’t know.

Italian attacks would, yes, I guess that’s somewhat related. If you have got a complicated ballot with say lots of candidates and ranked voting you can actually see that there are [indiscernible] possibilities. A coercer can essentially construct a unique identifier. You know say vote for this candidate in the first place and then a particular unique pattern lower down, which will with high probability identify their ballot. So again, that’ something, well that’s not special to Pret a Voter this is common to I guess most of these schemes.

The randomization attack is perhaps worth mentioning very quickly here because this is a particularly nasty one actually for Pret a Voter I think; a particularly subtle one. And it’s actually interesting because a lot of the standard definitions of coercion resistance actually miss this property which is actually interesting. So the idea here is that the coercer actually says,

“You must come out with a receipt with a cross in the first position or whatever, some designated position”. And in the absence of some other sort of counter measure that essentially randomizes the voters vote.

Okay. So in this case the coercer clearly doesn’t learn how the voter has voted so you are not violating any kind of privacy property, but nonetheless you are influencing by randomizing their vote. So that’s an interesting property and particularly interesting to see how a lot of the standard definitions fail to capture that one.

Well we sort of touched on this one. I think I doubt we have too much time to talk about it too much. Psychological attacks I have also mentioned. So let’s try and crack on.

So I should quickly mention some other sort of competing schemes; Scantegrity

II which is a new scheme due to Chaum. I would really hope to say a few words about these, but I don’t think I really have time. In Israel they have recently developed the Wombat system which is actually somewhat similar in spirit I think to STARVote, kind of. Well yes, there are some important differences I know, yeah okay. [indiscernible]. A while back came up with a

CRYPTO_free scheme which attempts to give verifiability without actually using encryption. Again I don’t have time to go through that. Yeah I had better crack on.

Okay. So let me quickly towards the end try and introduce the key ideas of

Pretty Good Democracy and Pret a Voter with code voting, with confirmation codes. So first of all let’s mention code voting, which as far as I am aware goes back to Chaum in about 2001. So this is designed for internet voting okay. And the idea is sort of very simple; you distribute code sheets through some supposedly secure channel like mail to the voters. So these are in some sense sort of private code books okay. They are random codes against the candidates.

So in order to vote, let’s see that’s the next slide. Well this might be a sort of typical one, okay. So these are all sort of essentially random codes. To vote the voter logs on, maybe authenticates themselves, provides to the vote server their serial number and the vote code of their candidate of choice. And in principal they should get back the appropriate, let’s sort of skip back, the appropriate Ack code corresponding to that candidate.

Okay. So that’s kind of nice. You can see it side steps quite a lot of the insecurities of the internet. The Ack codes give some useful purpose in the sense that it presumably partly authenticates the server you are talking to.

It gives you some confirmation that the correct code reached that server, but beyond that you have no idea how that code is going to be interpreted, encountered. So it’s not end-to-end verifiable.

So the point of Pretty Good Democracy was just to pick up on that idea and try and add some verifiability ingredients. So there are basically two key ideas here. One is rather than allow the vote server to know all these codes, you know have a database of them, these codes are secret shared in some way, but amongst a set of trustees. All right. And also for receiptfreeness we suggest using a single Ack code per code sheet. And that has some implications which we might have time to touch on.

So one of these code sheets, a PGD code sheet might look a bit like this.

Notice now there is only sort of one column of codes, okay and a single unique confirmation code at the bottom. Okay so the basic idea without going through the details is again the voter logs on, the client perhaps generates an encrypted --. They supply the appropriate vote code the machine, it would generate some suitable encryption under the public key of these trustees, along with a zero proof of knowledge of that code for technical reasons.

And basically a threshold set of the trustees should perform PET tests against pre-posted encryptions on the web bulletin board. Okay. And if the voter has submitted a valid code for that code sheet one of these PET tests should test out. Okay, so that will be flagged on the web bulletin board.

And they will then collectively reveal through some kind of threshold encryption the appropriate acknowledgment code.

Okay. So the point of this is that, well basically assuming that knowledge of these codes hasn’t somehow leaked out, if the voter gets the correct Ack code back that should give them a strong guarantee that a threshold set of trustees have collaborated to correctly register their vote. And basically we can have Pret a Voter like mechanisms to ensure that this is correctly sort of decrypted interpreted later and counted. That’s the rough gist very quickly. Does that sort of make sense? That level?

So again, I probably have to crack on a little bit. So on the web bulletin board we might have an encryption, will be say Rose for each code ballot in this case. So a serial number, and then we have pairs, we have an encryption

of the appropriate code along with a candidate and these are all permuted in some way; separately permuted in fact in a Pret a Voter like fashion for each ballot.

Okay, so in essence what the trustees do is I guess along side this would be posted the encryption of the code, the submitted vote code. They would do a

PET test against each of these and if they find that one checks out as having the same code buried cryptographically inside they flag it and then they decrypt the acknowledgment code. Okay. So that’s the gist of it very quickly. So I need to crack on.

So a crucial point about this which does make both Vanessa and I a bit nervous about this is of course if knowledge of these codes leaks out then the integrity can clearly be undermined. And that, I freely admit, is a serious draw back. So I certainly wouldn’t allocate this for highly critical elections, but maybe for low criticality elections. It is at least an improvement on code voting. I think you will agree yeah?

Okay. I think I had better crack on the other bullets. Okay. Well there are various things we would like to do to improve this which I guess I will skip on. It would obviously be nice to have a better way of --. And we have actually got a very nice distributed construction of these of the stuff on the web bulletin board, but of course the sod of it is that at some point we have to decrypt or extract this, and print it and distribute it. So we have that sort of privacy bottleneck at that point. So if we could side step that it would be nice.

Okay. So let me just then quickly round up, I guess we did start a few minutes late didn’t we? Well, we are actually about --. Okay, so we should finish within the hour.

Okay so let me then finally touch on this sort of newer idea of bringing this pretty good democracy mechanism into Pret a Voter. So we bring it back into the context of supervised polling station voting. Okay so the idea is basically we cast the Pret a Voter ballot in the same way, except we use this mechanism in the background so that the voter ideally should get the correct code verifiable, checkable code immediately at the time that they vote. And of course there are issues of availability online of the threshold sets of trustees, but that’s a mere implementation practicality.

Okay. Oh, and I should point out here that when we do this whereas for the internet scheme in order to guarantee receipt freeness I --. Receipt freeness basically means that the voter shouldn’t be able to construct some sort of proof to present to a third party how they voted. In that context we use a single Ack code, okay, to preserve that. Because if we didn’t, if we had distinct Ack codes, for example, being posted to the web bulleting board any coercer who sees the web bulletin board and the code sheet can obviously deduce what was voted.

But here we can actually, because we have got the Pret a Voter randomization, we can actually reintroduce distinct, I should say, confirmation codes I guess. Okay, so again, skipping over quickly. We have a nice distributer construction of the web bulleting board which I won’t go through. Of course we have to print these things. Let’s --.

So the underlying printing might look like this typically. So again we have a randomized candidate all in the usual fashion. A middle bit where the

voter puts their marks and then we have some confirmation codes in this third column right. So this third column is kind of new. And in practice what I was thinking about was some kind of way of implementing this idea where we actually have the codes that are initially concealed. Say under a scratch strip or with invisible ink or something.

Okay. So the voter gets a thing like this, takes it off to the booth, makes a mark, destroys the left hand part again, and now takes this, and they should be instructed to leave the scratch strips intact up to this point.

Okay, so they take it back again into the election officials. This is scanned and submitted to the web bulletin board. And the idea is that again, this is a set threshold. A set of trustees should register this in the

Pretty Good Democracy fashion and return the appropriate confirmation code.

Okay. And once the code has reached the, there we go, the polling station then the scratch strip, the appropriate scratch strip is scratched off and we hope that the codes will match. And so that gives the voter and observers some sort of stronger assurance that in fact the vote has been already correctly registered on the web bulletin board. And so the idea would be, well I will skip over that, but basically a copy, for example a photo copy, could be made of that which the voter can now walk away with.

Okay. So I don’t think I need to dwell. You can see that if we set this up right it essentially meshes with Pretty Good Democracy. You can use the same mechanisms as Pret a Voter sorry.

Okay. One interesting point is that if you think about it, if you are familiar with Scantegrity II you can see how the something Scantegrity II’ish potentially emerging here. But I guess I had better skip on that.

Okay. So I am pretty much at the end. So hopefully that has given you a very quick skate over the sort of developments, eight years of development of

Pret a Voter. So future work, well we want more rigorous proofs of, you know, the cryptographic core of the scheme against suitably defined properties. Even pinning those properties down, as I say, is delicate in itself. But, we would also like to do a broader analysis of the system which, you know, includes the procedures on the human beings, not just the sort of cryptographic core of the scheme. That’s an interesting challenge too.

We have made a start on it, but I think there is quite a long way to go with that. We want obviously to do more trials, deployments. Some of you are aware we have currently been working with people like Roland in the back, with folks in Victoria State in Australia to look at adapting it for use there. I am personally a little nervous about this. It seems like we have jumped into the deep end because they have phenomenally complicated voting system there. And well it’s not entirely clear that Pret a Voter is in fact the most suitable to try there, but you know that’s another discussion point.

We will certainly look at everlasting privacy and talking to [indiscernible] and people in [indiscernible]. This is actually probably fairly straight forward to do; to just put in everlasting privacy back end onto Pret a Voter.

There are lots of issues. I mean everybody who writes a paper in this topic says, “We assume the existence of a secure web bulletin board”. To my knowledge nobody has really looked seriously about how we actually implement that. Maybe you know of something, but. There have been a few attempts, but

I don’t think any of them really quite achieve it.

It may be that Auditorium constitutes a useful, at least building block, in that. And just a little joke to show I like names I would love to come up with a quantum version of this whole thing and call it Pret a Teleporter.

Okay. So we are pretty much at the end. What are some of the issues here?

Well I think it’s fair to say we have quite a few potential candidates now of really trustworthy auditable systems. They exist, but to date very little deployment has happened. They both mainly just exist in the sort of laboratory so far. Why is that? That’s an interesting question. There seems to be quite a lot of resistance to these things. People don’t like the cryptography; they don’t understand the cryptography and so forth. Can we overcome those hurdles? How best do we overcome them? I think these are interesting issues. Well, I will skip that one.

Well I thought I was going to have five minutes to write conclusions, but I didn’t write --. That’s probably pretty much the conclusions. Okay. So I would like to just thank various people who have helped in the evolution of

Pret a Voter. And well the evolution of the subject in general. I should also thank the funding agency in Luxembourg. And I think I can stop there.

Thank you.

>>: [indiscernible] why do you mention independent auditors? Like do they have to be independent? Candidates can conceal elections. So if I run a monarchy; and the monarchy candidates concedes I should be fairly happy. And it’s fairly easy to have the ballots counted by a democrat, or a republican, or monarchies, or the communists all in the same room.

>> Peter Ryan: Oh, so it depends what you mean by --. They don’t have to be independent from parties necessarily? Is that what you are saying?

>>: [indiscernible].

>> Peter Ryan: Yes, sorry. I meant you would have a bunch that would be independent of each other, but they may well be associated with the parties or you know the Woman’s Electoral League or something like this. So they don’t necessarily have to be individually independent from parties, but there will be a bunch of them who would be mutually distrustful is what I was trying to say.

>>: And now that we are nitpicking. Archeology has become remarkably good at continuing documents across a cut, even a straight cut, goes on mistake by some part of archeology. You had better have a 5 mm of extra between the part you throw away and the part you keep.

>> Peter Ryan: Yes, yes. There are forensic sort of issues throughout there if we are not careful. And one of the nice, well potentially nice, counter measures to this issue of well rather than forcing the destruction of the left hand side one possibility is to have lots of decoy left hand sides, sort of lying around. So in that case that’s an alternative way. You don’t so much hide or destroy the information [indiscernible].

>>: To separate the strip and then you return to the voting station and destroy it under control; that maybe doable in a flame.

>> Peter Ryan: There are indeed issues like that, yes. So this decoy strip idea is nice, but if you don’t take care, you know, about this forensic

matching issue than it doesn’t necessarily help you. So yeah, there are issues. There are a whole bunch of issues about how to counter threats of retention of the left hand side.

>>: There were a couple of things that came up for me. One you were talking about Pret a Voter with codes sort of converges with Scantegrity II --.

>> Peter Ryan: Potentially, yes.

>>: And when I was looking at it thinking of the scratch off strip and the burden of giving the scratch off strip to a voter and say don’t scratch. Ooh that’s difficult, but --.

>> Peter Ryan: Don’t scratch the itch, yeah.

>>: But the invisible ink trick could work nicely there because voters don’t normally carry around invisible ink in their pens.

>> Peter Ryan: Yes, okay, that’s true.

>>: Because then with invisible ink perhaps that could be revealed by the appropriate people at the appropriate time. The voter’s wont mess with it because it’s invisible.

>> Peter Ryan: Yeah, that’s a good point. We don’t allow voters to go into the booth with coins in their pockets or --.

>>: Yeah, but they have got thumbnails.

>> Peter Ryan: No, no that’s a good point. Yeah.

>>: Okay.

>> Peter Ryan: Yeah, I mean I could perhaps elaborate on that Scantegrity analogy, but time permitting. But maybe there are other questions before we do that.

>>: Well I have another question that might, that you might have some insight on. And that’s this: one thing that occurs to me that you really want for permutations and for the ballot printing, is we have homomorphic encryption functions where the function is addition, and we have it where the function is multiplication. Would it be useful here if we had one where the basic operation is a permutation and then you homomorphically combine the ciphertext to get a [indiscernible]. Do you have any thoughts as to whether or not that could be done?

>>: [indiscernible].

>>: I am not aware of any at this point.

>>: Nor am I, but.

>> Peter Ryan: Could be a high risk research proposal.

>>: Hopefully not that high risk. It seems like its one idea that there is no reason, no fundamental reason why --. I am not talking about fully homomorphic in multiple operations, one simple operation.

>> Peter Ryan: Yeah, that would be cool. I mean I have wondered about that, but I have --.

>>: [indiscernible].

>>: Yeah, it’s a little painful, but I guess that’s doable. It’s true.

>>: [indiscernible].

>>: I would optimistically think there might be some nice clean way of doing that.

>> Peter Ryan: I would be very happy to talk more about that. I have looked around a bit and have spoken to [indiscernible] on point about this. Well he appointed me [indiscernible] at that point which obviously doesn’t really get you any closer.

>>: There are people who might be good at this sort of thing. And I think we have, in this room maybe some people who will be best [indiscernible].

>> Peter Ryan: Cool. I would be very happy to discuss that further.

>>: Okay, well no further questions? No. Thank you.

Related documents
record records Database Vocabulary It can be useful to collect information.
record records Database Vocabulary It can be useful to collect information.
Download
advertisement