1 / 41

Beyond Pr ê t à Voter

Beyond Pr ê t à Voter. Peter Y A Ryan. Credits. With thanks to: David Chaum Michael Clarkson James Heather Michael Jackson Thea Peacock Brian Randell Ron Rivest Steve Schneider and many others…. Outline. Outline of Pr ê t à Voter “Classic”

heaton
Télécharger la présentation

Beyond Pr ê t à Voter

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Beyond Prêt à Voter Peter Y A Ryan P Y A Ryan Prêt à Voter

  2. Credits • With thanks to: • David Chaum • Michael Clarkson • James Heather • Michael Jackson • Thea Peacock • Brian Randell • Ron Rivest • Steve Schneider • and many others…. P Y A Ryan Prêt à Voter

  3. Outline • Outline of Prêt à Voter “Classic” • Prêt à Voter with re-encryption mixes • Vulnerabilities and counter-measures • Open questions and future work P Y A Ryan Prêt à Voter

  4. The Requirements • Key requirements/desiderata (informal and incomplete): • Integrity/accuracy. • Ballot secrecy. • Voter verifiability: the voter should be able to confirm that their vote is accurately included in the count and prove to a 3rd party if it is not (whilst not revealing their vote). • Minimal dependence on (trust in) system components. • Availability. • No early results. • Public confidence. • Usability • ……. P Y A Ryan Prêt à Voter

  5. Assumptions • For the purposes of the talk I will make many sweeping assumptions, e.g.,: • An accurate electoral register is maintained. • Mechanisms are in place to ensure that voters can be properly authenticated. • Mechanisms are in place to prevent double voting. • Existence of a secure Web Bulletin Board. • Etc. • Note: Supervised rather than remote. P Y A Ryan Prêt à Voter

  6. Voter-verifiability in a nutshell • Voters are provided with an encrypted “receipt” and are able to verify the decryption in the booth. • Copies of the receipts are posted to a web bulletin board. Voters can verify that their (encrypted) receipt is correctly posted. • Tellers perform a robust anonymising mix on the batch of posted receipts, revealing the decrypted votes at the end. • Checks are performed at each stage to catch any attempt to decouple the encryption on the receipt from the decryption performed by the tellers. P Y A Ryan Prêt à Voter

  7. Prêt à Voter • Uses pre-prepared ballot forms that encode the vote in familiar form (an  against the chosen candidate). • The candidate list is (independently) randomised for each ballot form. • Information allowing the candidate list to be reconstructed is buried cryptographically in an “onion” on each form. • An excess number of forms are generated to allow for random auditing, before, during and after the election. P Y A Ryan Prêt à Voter

  8. Example (single candidate choice) • Each ballot form has a unique, secret, random seed s • For each form, a permutation of the candidate listis computed as a publicly known function of this seed. • The seed information is buried cryptographically using public keys of a number of tellers in an “onion” printed on the form. • The seed can only be extracted by the collective actions of tellers, or suitable subset if a threshold scheme is used. P Y A Ryan Prêt à Voter

  9. Typical Ballot Sheet P Y A Ryan Prêt à Voter

  10. Voter marks their choice P Y A Ryan Prêt à Voter

  11. Voter’s Ballot Receipt P Y A Ryan Prêt à Voter

  12. Voter casts her vote • Once the voter has made their choice, the LH strip is detached and discarded. • RH strip constitutes the receipt which is fed into a device that reads the information on the right hand strip. • The device will transmit a digital copy of the receipt (the RH strip) to a central server, as a pair (r, Onion), for posting to the web bulletin board. • The RH strip is returned to Anne (digitally signed and franked). • Here r (Zv ) is the index value that encodes the position of the . P Y A Ryan Prêt à Voter

  13. Remarks • Note that the receipt reveals nothing about the vote. • The onion carries the crypto seed, encrypted with the teller’s public keys, that (a subset of) the tellers use to reconstruct the permutation of the candidate list. • Without all of these secret keys (or an appropriate subset) the candidate list cannot be reconstructed and hence the vote value cannot be recovered. • Vote is not directly encrypted, rather the frame of reference, i.e., the candidate list, is randomised and information defining the frame is encrypted. • A VVPAT style mechanism can be incorporated. • The voter choice must be made in isolation. • Casting an encrypted ballot can be done in the presence of an official, i.e., does have to be in isolation. P Y A Ryan Prêt à Voter

  14. Anonymisation and tabulation • Once the election has closed and all receipts have been posted to the WBB, a set of tellers perform a robust anonymising mix on the receipts: • Receipts are decrypted by stages and undergo multiple secret shuffles. Intermediate stages are also posted to the WBB for audit. • Tellers transform the “r” index value. The final “r” values that emerge from the mix give the raw vote value in the canonical basis. • Any link between the original receipts and the decrypted values will be lost. P Y A Ryan Prêt à Voter

  15. Seeds and offsets • Suppose that we have k tellers. Each teller has two public key pairs. For each ballot form 2k random germs are generated: gi,ZN (some modest size N, e.g., 232) • The seed value is taken to be the sequence of these germ gvalues: Seed:= g0,g1,g2,g3, ….....g2k-1 • These germs are now crypto hashed and taken modulo v: di := hash(gi) (mod v) i= 0,1,2,……,2k-1 • And the candidate list offset  is given by the sum modulo v of these:  :=  i=02k-1di (mod v) P Y A Ryan Prêt à Voter

  16. Onion construction • The germs are buried in the 2k layers of the onion: • D0 is a random value, unique to each ballot form. Then: Di+1 := {gi ,Di,}PKTi, , i= 0,…., 2k-1 Onion := D2k • Thus: Onion := {g2k-1 ,{g2k-1 ,{…..,{g2,{g1,{g0, D0 }PKT_0 }PKT_1 }PKT_2…..}PKT_2k-2 }PKT_2k-2 }PKT_2k-1 P Y A Ryan Prêt à Voter

  17. Batch 1 Batch 2 Batch 3 Teller 1 Teller 1' P Y A Ryan Prêt à Voter

  18. What can go wrong… • For the accuracy requirement: • Ballot forms may be incorrectly constructed, leading to incorrect decryption of the vote • Ballot receipts could be corrupted before they are entered in the tabulation process. • Tellers may perform the decryption incorrectly. • We now discuss the counter-measures to these threats. P Y A Ryan Prêt à Voter

  19. Checking the ballot forms • We need to check that the seed buried in the onion does correspond to the candidate permutation shown on the ballot form. • Checks can be performed by auditors and the voters to catch such corruption: • Random audits of ballot forms performed before, during and after the election period by the Electoral Reform Soc etc. • Voters could also be invited to perform similar checks on randomly selected “dummy” forms. For example, voters could be invited to randomly select a pair of forms, one to check, one to cast their vote. P Y A Ryan Prêt à Voter

  20. Auditing ballot forms • To check the construction of the ballot forms the values on the form, onion and candidate ordering, can be reconstructed if the seed value is revealed. • One of the innovations of Prêt à Voter is to use the tellers in an on-demand mode to reveal the secret seed value buried in the onion. Avoids problems with storing and selectively revealing seeds. • Note, for this checking process, the tellers are used in an on-demand basis before and during the election-quite different to the batch mode for the anonymising mix after the election has closed. P Y A Ryan Prêt à Voter

  21. Ballot form checking modes • In fact, this oracle teller mode suggests several ways for voters to check the well-formedness of ballot forms: • Simple, single dummy vote • Multiple or ranked dummy vote • Given the onion value, the tellers return the candidate ordering • Note: vulnerable to authority/tellers collusion attacks. • The auditor checks are the more rigorous: not vulnerable to authority/teller collusions. P Y A Ryan Prêt à Voter

  22. Recording and transmission • To check that receipts are accurately recorded and input into the mix: • Voters can visit the WBB and check that their receipt appears correctly recorded. • Voter checks can be supplemented by independent audit authorities checking the WBB against the VVPAT style record of ballot receipts (also useful to recount and recovery). P Y A Ryan Prêt à Voter

  23. Auditing the tellers • Partial Random Checking of the teller transformations: auditor randomly selects half the of the links to be revealed and checked, but in such a way as not to reveal any links across the two transformations performed by the teller. • Go down middle WBB column for each teller and randomly assign ► or ◄ to each pair. • For a ►(◄), the tellers reveal the outgoing (incoming) link along with the associated re-encryption randomisation values. • Note: because no complete paths across a given teller’s pair of mixes are revealed by the audit process, we can audit the tellers independently. P Y A Ryan Prêt à Voter

  24. Auditing the tellers Teller 1 Teller 1' P Y A Ryan Prêt à Voter

  25. Advantages of Prêt à Voter • Voter experience simple and familiar. • Ballot form commitments and checks made before election opens  neater recovery strategies. • The vote recording device doesn’t get to learn the vote. • Votes are not directly encrypted, just the frame of reference. • Highly flexible. • Adaptable to remote voting (see talk by Michael Clarkson). P Y A Ryan Prêt à Voter

  26. Enhancements • Re-encryption mixes • Distributed generation of ballot forms. • Concealment of onion/candidate list associations. • Separation of teller modes. P Y A Ryan Prêt à Voter

  27. Re-encryption mixes • Prêt à Voter Classic uses Chaumian (decryption) mixes. • Alternatives: • re-encryption mixes. • Homomorphism schemes etc.. • Advantages of re-encryption: • Tellers inject fresh entropy at each stage, hence onion size doesn’t grow with number of tellers and germ size. • Less dependence on availability of tellers: a faulty mix teller can just be binned and replaced. • Full mixing over the El Gamal group. • Clean separation of mixing and decryption stages. • Mixes and audits can be rerun afresh. • Downsides: • Need shuffle commitments. • Tricky to mesh with Prêt à Voter. P Y A Ryan Prêt à Voter

  28. Re-encryption mixes • Prêt à Voter’s rather special representation of the vote in the receipts makes it tricky to mesh with re-encryption mixes. Some possible approaches: • Leave r terms unchanged through the mixes. • Follow re-encryption mixes with Chaumian decryption mixes. • Absorb the r into the onion value • transform both r and D terms leaving vote value invariant – but seems to necessitate malleable encryption. • Add teller transforms to the index values, storing the entropy in an extra (pre-generated and audited) “onion” value. • Primitive for which only orbits of the local permutation group can be generated (“slightly malleable”). • Use zero-knowledge/crypto-homomorphism mixes-but looses the conceptual simplicity of the PRC approach (and linear scaling behaviour). P Y A Ryan Prêt à Voter

  29. Discussion • Option 1: allows the adversary to partition the mix according the index value, but might be okay where the number of voters vastly exceeds the number of ballot options. • Option 2: again the re-encryption mix can be partitioned. Might be a reasonable compromise. • Options 3 and 4: seems to work nicely but appears to necessitate malleable encryption for the terms that move through the mix. Not clear whether this introduces vulnerabilities not countered by the mix audits. • Option 5: speculative. • Option 6: promising, but seems to loose the conceptual simplicity of the PRC approach, and perhaps the linear scaling properties. P Y A Ryan Prêt à Voter

  30. El Gamal encryption • El Gamal encryption: • let  be a generator of cyclic group Zp*, p a large prime. Choose k (2kp-2) and let  = k (mod p). • p,  and  made public, k kept secret. • (Randomised encryption) of m in {0, …, p-1}: (x, x.m) =: (y1, y2) • Re-encryption: (x+y, x+y.m) • Note: same as directly encrypting m with x+y. • Decryption: m = y2 /y1k P Y A Ryan Prêt à Voter

  31. Option 3 • Let d be the ballot seed. Encrypt -d in the El Gamal pair to form the onion. (x, x. -d) =: (y1, y2) • Where d (mod ) can be taken as the offset. • A receipt pair can be transformed to: (r, x, x. -d)  (x, x. r-d) • This can be put through a conventional re-encryption mix and the final decryption yields the vote value directly. • Fine for cyclic shifts of the candidate list, needs elaboration for full permutations. P Y A Ryan Prêt à Voter

  32. Prêt à Voter Vulnerabilities • Chain voting. • Authority knowledge of ballot form information. • Destruction of LH strips. • Separation of teller modes. P Y A Ryan Prêt à Voter

  33. Chain Voting • Effective against many conventional voting systems: • Coercer smuggles a blank ballot form out of the polling station and marks it with their preferred candidate. • They intercept a voter entering the polling station, hand them the marked up form and tell them that if they emerge from the station with a fresh, unmarked form they will be rewarded. • Return to step 1. P Y A Ryan Prêt à Voter

  34. Counter-measures • In a system like the UK system in which voters are given a ballot form when they register and are them observed to cast the form in the ballot box, this can be quite effective: if the voter emerges with a fresh, blank form it is a strong indication that they cast the coercer’s marked form. • For a conventional system, a possible counter-measure is to use a system along the lines of the French system: ballot forms are not controlled, only their casting. Ballot forms are freely available at the polling station. Voters register at the moment that they cast their vote, in an envelope. P Y A Ryan Prêt à Voter

  35. Chain voting and Prêt à Voter • Particularly virulent with WBB systems. Conventional counter-measure fails. • Countermeasures: • Note: • Voters don’t need sight of the onion value in order to make their selection. • casting an encrypted ballot can be in the presence of a voting official. • Hence: • Conceal the onion under a scratch strip. • Official checks scratch strip is intact at time of casting. • Also need to check that form used to cast corresponds to the forms given to the voter when they register. • Handling ballot forms in sealed envelopes also helps. P Y A Ryan Prêt à Voter

  36. Authority knowledge • Entities that create and handle the ballot forms must be trusted to keep onion/candidate lists secret. • Countermeasures: • Create pairs on “entangled” onions. Conceal one under a scratch card or cryptographically and perform a pre-mix. • Have a further entity translate the exposed onions into candidate lists. • Random audit the resulting forms. • Cast encrypted receipts in presence of an official and reveal the onion value at this point. • Further possibilities: • “Mirror”, robust pre-mix on entangled onions (run Plaintext Equivalence Tests (PET) the entangled onion pairs and PRC the mix) • Just in time candidate lists. • Just in time onions. • Multiple entangled onions (independently reveal candidate lists for n-1) • Plenty of possibilities, some adaptable to remote contexts. P Y A Ryan Prêt à Voter

  37. Destruction of LH strips • Procedural: officials oversee destruction of LH strips. • Mechanical: device that automatically strips off the LH strip and discards it. • Decoy strips: plentiful supply of alternative LH strips provided in the booth. • Scratch strips: onion under the strip (in 2D bar code?) candidate list overprinted: revealing the onion destroys the list. • Disc ballots!? Ballot “forms” take the form of a pair of discs sealed together. After selection they are separated. Axial symmetry ensures that the original configuration is lost. • Quantum!? Ballot “forms” using entangled q-bits. Measurement to reveal candidate lists collapses the wave functions. P Y A Ryan Prêt à Voter

  38. Confusion of tellers modes • Essential that any onion can be processed at most once. • Allow on-demand teller mode only during the pre-election phase. Ensure that all audited ballot as destroyed. • Procedural/Mechanical: any processed form is invalidated to prevent reuse. • Cryptographic, e.g., authentication codes that are destroyed when the onion is used. • Just in time candidate lists: revealed only at the time that the voter makes their selection. P Y A Ryan Prêt à Voter

  39. Future work • On the current model: • Determine exact requirements. • Formal analysis and proofs. • Construct threat and trust models. • Investigate error handling and recovery strategies. • Develop a full, socio-technical systems analysis. • Develop prototypes and run trials, e.g., e-voting games! • Investigate public understanding and trust. P Y A Ryan Prêt à Voter

  40. Future work • Beyond the current scheme: • Alternative sources of seed entropy: Voters, optical fibres in the paper,…? • Protocols for on-demand/distributed generation and checking of ballot forms, e.g., authenticated onion establishment. • (Threshold) schemes to thwart collusion attacks on checking modes. • Alternative robust mixes. • Adaptation to remote voting (Cornell work). P Y A Ryan Prêt à Voter

  41. References • David Chaum, Secret-Ballot receipts: True Voter-Verifiable Elections, IEEE Security and Privacy Journal, 2(1): 38-47, Jan/Feb 2004. • J W Bryans & P Y A Ryan “A Dependability Analysis of the Chaum Voting Scheme”, Newcastle Tech Report CS-TR-809, 2003. • J W Bryans & P Y A Ryan, “Security and Trust in a Voter-verifiable Election Scheme”, FAST 2003. • P Y A Ryan & J W Bryans “A Simplified Version of the Chaum Voting Scheme”, Newcastle TR 2004 • P Y A Ryan, Towards a Dependability Case for the Chaum Voting Scheme, DIMACS June 2004. • P Y A Ryan, “E-voting”, presentation to the Caltech/MIT workshop on voting technology, MIT Boston 1-2 October 2004. • P Y A Ryan, “A Variant of the Chaum Voter-verifiable Election scheme”, WITS, 10-11 January 2005 Long Beach Ca. • D Chaum, P Y A Ryan, S A Schneider, “A Practical, Voter-Verifiable Election Scheme”, Newcastle TR 880 December 2004, Proceedings ESORICS 2005, LNCS 3679. • B Randell, P Y A Ryan, “Trust and Voting Technology”, NCL CS Tech Report 911, June 2005. • P Y A Ryan, T Peacock, “Prêt à Voter, A Systems Perspective”, NCL CS Tech Report 929, September 2005. P Y A Ryan Prêt à Voter

More Related