Electronic Voting System Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin Dan S. Wallach IEEE Symp. On Security and Privacy 2004 VoteHere System Analysis, Philip Edward Varner’s thesis Advances in Cryptographic Voting Systems, Ben Adida MIT Ph.D. Disseration 9/2006

EVS 10/11/2006 chow2 Diebold System Analysis Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin Dan S. Wallach IEEE Symp. On Security and Privacy 2004 Present a security analysis of the source code of a paper less electronic voting system (Diebold). Present a security analysis of the source code of a paper less electronic voting system (Diebold). Show this voting system far below even the most minimal security standards applicable in other context. (strong words) Problems include: unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. They demonstrate that Voter can cast unlimited votes without being detected Insider Attacks: Modify the votes Violate voter privacy by matching vote with voters. Better solution: EVS with “voter-verifiable audit trail” (print a paper ballot that can be read and verified by voters. Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin Dan S. Wallach IEEE Symp. On Security and Privacy 2004 Present a security analysis of the source code of a paper less electronic voting system (Diebold). Present a security analysis of the source code of a paper less electronic voting system (Diebold). Show this voting system far below even the most minimal security standards applicable in other context. (strong words) Problems include: unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. They demonstrate that Voter can cast unlimited votes without being detected Insider Attacks: Modify the votes Violate voter privacy by matching vote with voters. Better solution: EVS with “voter-verifiable audit trail” (print a paper ballot that can be read and verified by voters.

EVS 10/11/2006 chow3 VoteHere System Analysis Philip Edward Varner’s thesis. Some companies claimed online voting technical problems are solved, only political/sociological ones remained. Analyze VoteHere system, include attrack tree analysis/attacker models; abuse cases Philip Edward Varner’s thesis. Some companies claimed online voting technical problems are solved, only political/sociological ones remained. Analyze VoteHere system, include attrack tree analysis/attacker models; abuse cases

EVS 10/11/2006 chow4 Related Literature Public Key Cryptography Homomorphic Encryption Homomorphic Encryption Zero Knowledge ProofsZero Knowledge Proofs (Shamir How to share a Secret, CACM 79 paper). Zero Knowledge Proofs Cryptographic Voting Protocol Public Key Cryptography Homomorphic Encryption Homomorphic Encryption Zero Knowledge ProofsZero Knowledge Proofs (Shamir How to share a Secret, CACM 79 paper). Zero Knowledge Proofs Cryptographic Voting Protocol

EVS 10/11/2006 chow5 FOO92 Voting Scheme Requirements of a secure election: Completeness: All voters are counted correctly. Soundness: A dishonest voter cannot disrupt voting Privacy: All votes must be secret Unreusability: no voter can vote twice Eligibility: no one who isn’t allowed to vote can vote Fairness: nothing must affect the voting (DDoS?) Verifiability: no one can falsify the result of voting. Validator and Counter Requirements of a secure election: Completeness: All voters are counted correctly. Soundness: A dishonest voter cannot disrupt voting Privacy: All votes must be secret Unreusability: no voter can vote twice Eligibility: no one who isn’t allowed to vote can vote Fairness: nothing must affect the voting (DDoS?) Verifiability: no one can falsify the result of voting. Validator and Counter

EVS 10/11/2006 chow6 EAS College Voting System Can we trust EAS IT? For some non-critical, non-sensitive voting, vote integrity/convenient can be enforced with just EAS IT. Can we trust 3 rd party server(s) to issue the votes, authenticate voters, and collect votes? Possibility of using campus IT servers, or other EAS lab servers. Should we separate voter authentication system (VAS) with vote counting system (VCS)? How to ensure the VAS does not talk to VCS? Assume open source, how to ensure code is not tempered during the voting period? Can we trust EAS IT? For some non-critical, non-sensitive voting, vote integrity/convenient can be enforced with just EAS IT. Can we trust 3 rd party server(s) to issue the votes, authenticate voters, and collect votes? Possibility of using campus IT servers, or other EAS lab servers. Should we separate voter authentication system (VAS) with vote counting system (VCS)? How to ensure the VAS does not talk to VCS? Assume open source, how to ensure code is not tempered during the voting period?

EVS 10/11/2006 chow7 VotingVoting Ancient Greece: any politician got 6000 male landowner votes was exiled for 10 years! 13 th century Medieval Venice introduce approval voting (thumb up/down) US 1 st election were viva-voce: voters sworn in and called out their preferences. Early 1800s paper ballots were introduced/generally produced (pre-printed) by political parties, called “party tickets” 1858 Australia introduced secret ballot, printed by state, distributed to eligible voters, voted in isolated booth. Ancient Greece: any politician got 6000 male landowner votes was exiled for 10 years! 13 th century Medieval Venice introduce approval voting (thumb up/down) US 1 st election were viva-voce: voters sworn in and called out their preferences. Early 1800s paper ballots were introduced/generally produced (pre-printed) by political parties, called “party tickets” 1858 Australia introduced secret ballot, printed by state, distributed to eligible voters, voted in isolated booth.

EVS 10/11/2006 chow8 DRE: Direct Recording by Electronic PC type equipment running special purpose voting software. Lack tamper-proof audit-trail. Bugs or malicious code may produce erroneous results/undetected. VVPAT: Mercuri 1992 proposed Voter-Verified Paper Audit Trail. Print out a receipt visible to the voter behind the glass (not taken with voter!); voter gets to confirm or cancel her vote. VVPAT first time significant used in US: 11/2006 with 5 states expected to implement it. page 3 PC type equipment running special purpose voting software. Lack tamper-proof audit-trail. Bugs or malicious code may produce erroneous results/undetected. VVPAT: Mercuri 1992 proposed Voter-Verified Paper Audit Trail. Print out a receipt visible to the voter behind the glass (not taken with voter!); voter gets to confirm or cancel her vote. VVPAT first time significant used in US: 11/2006 with 5 states expected to implement it. page 3

EVS 10/11/2006 chow9 What Makes Voting So Hard? Verifiability vs. Secrecy Alice/Adrienne: two voter Carl, a coercer wishes to influence Alice to vote Red. How to let Alice obtain enough info to personally verify her vote was indeed recorded as Blue; but not so much info that she could convince Carl (selling vote). No incentive for Carl to pay for votes. Adversarial model for Airplane/ATM are less demanding than for a federal election. Verifiability vs. Secrecy Alice/Adrienne: two voter Carl, a coercer wishes to influence Alice to vote Red. How to let Alice obtain enough info to personally verify her vote was indeed recorded as Blue; but not so much info that she could convince Carl (selling vote). No incentive for Carl to pay for votes. Adversarial model for Airplane/ATM are less demanding than for a federal election.

EVS 10/11/2006 chow10 Failure Detection/Recovery Process Those for Banks/Airplane failure are well understood. It is not clear failures in election can always be detected. Recovery often expensive or even impossible. Those for Banks/Airplane failure are well understood. It is not clear failures in election can always be detected. Recovery often expensive or even impossible.

EVS 10/11/2006 chow11 IncentiveIncentive Influencing the outcome of a federal US election worth a lot of money presidential campaign budget reaches $1B. Influencing the outcome of a federal US election worth a lot of money presidential campaign budget reaches $1B.

EVS 10/11/2006 chow12 End-to-End Voting Figure 1-3: End-to-End Voting - only two checkpoints are required.   The receipt obtained from a voter’s interaction with the voting machine is compared against the bulletin board and checked by the voter for correctness.   (2) Any observer checks that only eligible voters cast ballots and that all tallying actions displayed on the bulletin board are valid. Figure 1-3: End-to-End Voting - only two checkpoints are required.   The receipt obtained from a voter’s interaction with the voting machine is compared against the bulletin board and checked by the voter for correctness.   (2) Any observer checks that only eligible voters cast ballots and that all tallying actions displayed on the bulletin board are valid.

EVS 10/11/2006 chow13 End-to-End Verifiability (E2EV) Rather than completely auditing a voting machine’s code and Rather than completely auditing a voting machine’s code and ensuring that the voting machine is truly running the code in question, end-to-end voting verification checks the voting machine’s output only. Rather than maintain a strict chain-of-custody record of all ballot boxes, end-to-end voting checks tally correctness using mathematical proofs. Thus, the physical chain of custody is replaced by a mathematical proof of end-to-end behavior. Instead of verifying the voting equipment, end-to- end voting verifies the voting results. Rather than completely auditing a voting machine’s code and Rather than completely auditing a voting machine’s code and ensuring that the voting machine is truly running the code in question, end-to-end voting verification checks the voting machine’s output only. Rather than maintain a strict chain-of-custody record of all ballot boxes, end-to-end voting checks tally correctness using mathematical proofs. Thus, the physical chain of custody is replaced by a mathematical proof of end-to-end behavior. Instead of verifying the voting equipment, end-to- end voting verifies the voting results.

EVS 10/11/2006 chow14 Advantage of E2EV One need not be privileged to verify the election Any one can check the inputs/outputs against the mathematical proofs. Cryptography makes end-to-end voting verification possible. Encryption  provide ballot secrecy Zero-knowledge proofs  provide public auditing of the tallying process One need not be privileged to verify the election Any one can check the inputs/outputs against the mathematical proofs. Cryptography makes end-to-end voting verification possible. Encryption  provide ballot secrecy Zero-knowledge proofs  provide public auditing of the tallying process

EVS 10/11/2006 chow15 Bulletin Board of Votes Cryptographic voting protocols revolve around a central, digital bulletin board. All messages posted to the bulletin board are authenticated. Any data written to the bulletin board cannot be erased or tampered with. Can be attacked by DDoS but there are known solutions. Name and ID# of voters are posted in plaintext  eligibilty Voter’s name+encrypt(voter’s ballot) posted  no observer can tell what the voter chose. Cryptographic voting protocols revolve around a central, digital bulletin board. All messages posted to the bulletin board are authenticated. Any data written to the bulletin board cannot be erased or tampered with. Can be attacked by DDoS but there are known solutions. Name and ID# of voters are posted in plaintext  eligibilty Voter’s name+encrypt(voter’s ballot) posted  no observer can tell what the voter chose.

EVS 10/11/2006 chow16 Casting and Tallying Processes Casting process let Alice prepare her encrypted vote and cast it to the bulletin board. Tally process aggregates the encrypted votes and produce a decrypted tally, with proofs of correctness of this process posted to the bulletin board for all observers to see. Classical voting scheme performs complete/blind hand-off (drop in a box). Here cryptographic voting performs a controlled hand-off: Individual can trace vote’s entry into the system. Any observer can verify the processing of these encrypted votes into an aggregated, decrypted tally. Casting process let Alice prepare her encrypted vote and cast it to the bulletin board. Tally process aggregates the encrypted votes and produce a decrypted tally, with proofs of correctness of this process posted to the bulletin board for all observers to see. Classical voting scheme performs complete/blind hand-off (drop in a box). Here cryptographic voting performs a controlled hand-off: Individual can trace vote’s entry into the system. Any observer can verify the processing of these encrypted votes into an aggregated, decrypted tally.

EVS 10/11/2006 chow17 Cryptographic Voting

EVS 10/11/2006 chow18 Secret Voter Receipt To avoid vote selling/coercing, all current cryptographic voting schemes require that voters physically appear at a private, controlled polling location: it is the only known way to establish a truly private interaction that prevents voter coercion. Zero Knowledge Proof Neff’s MarkPlege

EVS 10/11/2006 chow19 Tallying the Ballots The secret key for decryption is shared among a number of election officials. Two major techniques:  Homomorphic encryption: aggregation under the covers of encryption; only aggregate tally needs decryption.  Digital version of “shaking the ballot box”: shuffled/scrambled multiple times by multiple parties, dissociated from voter ID, then decrypted The secret key for decryption is shared among a number of election officials. Two major techniques:  Homomorphic encryption: aggregation under the covers of encryption; only aggregate tally needs decryption.  Digital version of “shaking the ballot box”: shuffled/scrambled multiple times by multiple parties, dissociated from voter ID, then decrypted

EVS 10/11/2006 chow20 Randomize Threshold Public-Key Encryption All cryptographic voting systems use All cryptographic voting systems use randomized threshold public-key encryption. The public-key property ensures that anyone can encrypt using a public key. The threshold- decryption property ensures that only a quorum of the trustees (more than the “threshold”), each with his own share of the secret key, can decrypt.  Shamir’s how to share a secret. In addition, using randomized encryption, a single plaintext, e.g. Blue, can be encrypted in many possible ways, depending on the choice of a randomization value selected at encryption time.  avoid cipher attack All cryptographic voting systems use All cryptographic voting systems use randomized threshold public-key encryption. The public-key property ensures that anyone can encrypt using a public key. The threshold- decryption property ensures that only a quorum of the trustees (more than the “threshold”), each with his own share of the secret key, can decrypt.  Shamir’s how to share a secret. In addition, using randomized encryption, a single plaintext, e.g. Blue, can be encrypted in many possible ways, depending on the choice of a randomization value selected at encryption time.  avoid cipher attack

EVS 10/11/2006 chow21 Tallying under the Covers of Encryption Using a special form of randomized public-key encryption called homomorphic public-key encryption, it is possible to combine two encryptions into a third encryption of a value related to the original two, i.e. the sum. For example, using only the public key, it is possible to take an encryption of x and an encryption of y and obtain an encryption of x + y, all without ever learning x or y or x + y. First proposed by Benaloh, vote are encrypted either 0 (Blue) or 1 (Red) In addition, a zero-knowledge proof is typically required for each submitted vote, in order to ensure that each vote is truly the encryption of 0 or 1, and not, for example, Otherwise, a malicious voter could easily throw off the count by a large amount with a single ballot. Using a special form of randomized public-key encryption called homomorphic public-key encryption, it is possible to combine two encryptions into a third encryption of a value related to the original two, i.e. the sum. For example, using only the public key, it is possible to take an encryption of x and an encryption of y and obtain an encryption of x + y, all without ever learning x or y or x + y. First proposed by Benaloh, vote are encrypted either 0 (Blue) or 1 (Red) In addition, a zero-knowledge proof is typically required for each submitted vote, in order to ensure that each vote is truly the encryption of 0 or 1, and not, for example, Otherwise, a malicious voter could easily throw off the count by a large amount with a single ballot.

EVS 10/11/2006 chow22 Homomorphic public-key encryption The The entire homomorphic operation is publicly verifiable by any observer, who can simply re- compute it on his own using only the public key. Unfortunately, homomorphic voting does not support write-in votes well: the encrypted homomorphic counters must be assigned to candidates before the election begins. The The entire homomorphic operation is publicly verifiable by any observer, who can simply re- compute it on his own using only the public key. Unfortunately, homomorphic voting does not support write-in votes well: the encrypted homomorphic counters must be assigned to candidates before the election begins.

EVS 10/11/2006 chow23 Shaking the Virtual Ballot Box A different form of tallying is achievable using a mixnet, as first described by Chaum [39] In a mixnet, a sequence of mix servers, each one usually operated by a different political party, takes all encrypted votes on the bulletin board, shuffles and rerandomizes them according to an order and a set of randomization values kept secret, and posts the resulting set of ciphertexts back to the bulletin board. The next mix server then performs a similar operation, and so on until the last mix server. Then, all trustees cooperate to decrypt the individual resulting encryptions, which have, by now, been dissociated from their corresponding voter identity. Each mix server must provide a zero-knowledge proof that it performed correct mixing, never removing, introducing, or changing the underlying votes. A different form of tallying is achievable using a mixnet, as first described by Chaum [39] In a mixnet, a sequence of mix servers, each one usually operated by a different political party, takes all encrypted votes on the bulletin board, shuffles and rerandomizes them according to an order and a set of randomization values kept secret, and posts the resulting set of ciphertexts back to the bulletin board. The next mix server then performs a similar operation, and so on until the last mix server. Then, all trustees cooperate to decrypt the individual resulting encryptions, which have, by now, been dissociated from their corresponding voter identity. Each mix server must provide a zero-knowledge proof that it performed correct mixing, never removing, introducing, or changing the underlying votes.

EVS 10/11/2006 chow24 Mixnet vs. Homomorphic Mixnet is more difficult to operate  Mixnet is more difficult to operate  the re- encryption and shuffle processes must be executed on a trusted computing base, keeping the details of the shuffle secret from all others. Two important advantages of Mixnet:   the complete set of ballots is preserved for election auditing   free-form ballots, including write-ins, are supported. Mixnet is more difficult to operate  Mixnet is more difficult to operate  the re- encryption and shuffle processes must be executed on a trusted computing base, keeping the details of the shuffle secret from all others. Two important advantages of Mixnet:   the complete set of ballots is preserved for election auditing   free-form ballots, including write-ins, are supported.