Electronic Voting Ronald L. Rivest MIT CSAIL Norway June 14, 2004.

Slides:



Advertisements
Similar presentations
Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.
Advertisements

Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.
Electronic Voting Systems
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Can voters check that their e-vote is cast as they intended and properly included in an accurate count? Vanessa Teague University of Melbourne
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.
On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark.
Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
A method for electronic voting with Coercion-free receipt David J. Reynolds (unaffiliated)
Self-Enforcing E-Voting (SEEV) Feng Hao Newcastle University, UK CryptoForma’13, Egham.
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
Reusable Anonymous Return Channels
Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)
Josh Benaloh Senior Cryptographer Microsoft Research.
© VoteHere, Inc. All rights reserved. November 2004 VHTi Data Demonstration Andrew Berg Director, Engineering.
17-803/ ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS / Electronic Voting Session 8: The 2004 Election Michael I. Shamos,
10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.
Ben Hosp, Nils Janson, Phillipe Moore, John Rowe, Rahul Simha, Jonathan Stanton, Poorvi Vora {bhosp, simha, jstanton, Dept. of Computer.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Kickoff Meeting „E-Voting Seminar“
Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Recent Developments in Voting System Standards Ronald L. Rivest Frontiers in Electronic Elections (Milan) September 15, 2005.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
UMBC Protocol Meeting 10/01/03 Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04) Paul Syverson NRL Markus Jakobsson Ari.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Ballot Processing Systems February, 2005 Submission to OASIS EML TC and True Vote Maryland by David RR Webber.
How Elections Should Really Be Run Josh Benaloh Senior Cryptographer Microsoft Research.
Civitas Toward a Secure Voting System AFRL Information Management Workshop October 22, 2010 Michael Clarkson Cornell University.
Cryptographic Voting Protocols: A Systems Perspective By Chris Karlof, Naveen Sastry, and David Wagner University of California, Berkely Proceedings of.
Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena.
Perspectives on “End-to-End” Voting Systems Ronald L. Rivest MIT CSAIL NIST E2E Workshop George Washington University October 13, 2009 Ballot Bob Ballot.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms David Chaum CACM Vol. 24 No. 2 February 1981 Presented by: Adam Lee 1/24/2006 David.
Optimistic Mixing for Exit-Polls Philippe Golle, Stanford Sheng Zhong, Yale Dan Boneh, Stanford Markus Jakobsson, RSA Labs Ari Juels, RSA Labs.
Digital Democracy: A look at Voting Machines Presented by Justin Dugger April 2003.
Masked Ballot Voting for Receipt-Free Online Elections Sam Heinith, David Humphrey, and Maggie Watkins.
6. Esoteric Protocols secure elections and multi-party computation Kim Hyoung-Shick.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.
Basic Cryptography 1. What is cryptography? Cryptography is a mathematical method of protecting information –Cryptography is part of, but not equal to,
Andreas Steffen, , LinuxTag2009.ppt 1 LinuxTag 2009 Berlin Verifiable E-Voting with Open Source Prof. Dr. Andreas Steffen Hochschule für Technik.
A remote voting system based on Prêt à Voter coded by David Lundin Johannes Clos.
The Paillier Cryptosystem
Privacy and Anonymity Using Mix Networks* Slides borrowed from Philippe Golle, Markus Jacobson.
Electronic Voting R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity.
WHY THE vvpat has failed
A Brief Introduction to Mix Networks Ari Juels RSA Laboratories © 2001, RSA Security Inc.
Almost Entirely Correct Mixing With Applications to Voting Philippe Golle Dan Boneh Stanford University.
Cryptographic Shuffles Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA.
Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.
Ronald L. Rivest MIT NASEM Future of Voting Meeting June 12, 2017
Perspectives on “End-to-End” Voting Systems
ThreeBallot, VAV, and Twin
Some slides borrowed from Philippe Golle, Markus Jacobson
Secure and Insecure Mixing
ISI Day – 20th Anniversary
Some Thoughts on Electronic Voting
Some Thoughts on Electronic Voting
Some Thoughts on Electronic Voting
Ronald L. Rivest MIT ShafiFest January 13, 2019
Presentation transcript:

Electronic Voting Ronald L. Rivest MIT CSAIL Norway June 14, 2004

Outline u PK Cryptography – very short history u Introduction to Voting u Voting using mix-nets u Randomized Partial Checking (Jakobsson/Juels/Rivest USENIX ‘02) u Pedagogic variant of Chaum’s proposal

PK Cryptography short history u 1976 – Diffie&Hellman New Directions in Cryptography: proposed DH key agreement and PKC u 1977 – RSA PK scheme proposed u 1980’s – Academic crypto blossoms; 1000’s of papers published (e.g El Gamal PKC; 1985 Zero Knowledge GMR; …) u 1990’s World Wide Web (SSH; e-commerce begins); academic research continues to blossom (e.g Cramer-Shoup PKC) u 2000’s – ?? Crypto applied to voting ??

Outline u PK Cryptography – very short history u Introduction to Voting u Voting using mix-nets u Randomized Partial Checking (Jakobsson/Juels/Rivest USENIX ‘02) u Pedagogic variant of Chaum’s proposal

Voting tech is in transition… u Voting tech follows technology: Stones  Paper  Levers  Punch cards  Op-scan  Computers(??) u Punch cards “out” after Nov. ’00 u DRE’s (touch-screen) require VVPAT (voter-verified paper audit trail) in Cal. u Is technology ready for electronic (paperless) voting?

Voting is a hard problem u Voter Registration - each eligible voter votes at most once u Voter Privacy – no one can tell how any voter voted, even if voter wants it; no “receipt” for voter u Integrity – votes can’t be changed, added, or deleted; tally is accurate. u Availability – voting system is available for use when needed u Ease of Use – esp. for disabled

Voting is important u Cornerstone of our (any!) democracy u Voting security is clearly an aspect of national security. u “Those who vote determine nothing; those who count the votes determine everything.” -- Joseph Stalin

Are DRE’s trustworthy? u Diebold fiascoes..?? u Intrinsic difficulty of designing and securing complex systems u Many units (100,000’s) in field, used occasionally, and managed by the semi-trained u Certification process is “riddled with problems” (NYT editorial 5/30/04)

Voter-Verified Paper Audit Trails? u Rebecca Mercuri: Voting machine should produce “paper audit trail” that voter can inspect and approve. u VVPAT is “official ballot” in case of dispute or recounts. u David Dill (Stanford CS Prof.) initiated on-line petition that ultimately resulted in California requiring VVPAT’s on many DRE’s.

VVPAT’s controversial… u Still need to guard printed ballots. u Two-step voting procedure may be awkward for some voters (e.g. disabled). u Doesn’t catch all problems (e.g. candidate missing from slate) u Malicious voters can cause DOS by casting suspicion on voting machine u Not “end-to-end” security: –Helps ensure votes “cast as intended” –Doesn’t help ensure votes “counted as cast”.

Outline u PK Cryptography – very short history u Introduction to Voting u Voting using mix-nets u Randomized Partial Checking (Jakobsson/Juels/Rivest USENIX ‘02) u Pedagogic variant of Chaum’s proposal

Can cryptography help? u Yes – using “mix-nets” (Chaum) and “voter-verified secret ballots” (Chaum; Neff) u Official ballot is electronic not paper. u Ballot is encrypted version of choices. u Ballots posted on public bulletin board. u Voter gets paper “receipt” so she can: –Ensure that her ballot is properly posted –Detect voting machine error or fraud

Voting using mix-nets u E: encrypt choices  ballot (done at each voting machine) u S 1 …S k : mix-servers provide anonymity (secretly permute and re-encrypt) u D: decrypt ballots (trustees threshold decrypt) ES2S2 DS1S1 SkSk Posted on bulletin board (Plaintext choices) Plaintext choices

Voter needs evidence u That her vote is “cast as intended”: u That her ballot is indeed encryption of her choices, and what her ballot is. This is extremely challenging, since She can’t compute much herself She can’t take away anything that would allow her to prove how she voted u So: she takes away evidence that allows her (as she exits polling site) to detect whether cheating occurred, and receipt to prove what her ballot is.

Everyone needs evidence u That votes are “counted as cast”: u That mix-servers (“mixes”) properly permute and re-encrypt ballots. This is challenging, since Mixes can not reveal the permutation they applied to ballots u That trustees properly decrypt the permuted ballots This is relatively straightforward, using known techniques.

Outline u PK Cryptography – very short history u Introduction to Voting u Voting using mix-nets u Randomized Partial Checking (Jakobsson/Juels/Rivest USENIX ‘02) u Pedagogic variant of Chaum’s proposal

Robust mixes u Provide proof (or at least strong evidence) of their correct operation. u Anyone can check proof. u Even if all mixes are corrupt and collude, it is infeasible for them to produce such proof (universally verifiable). u Proof does not reveal input / output correspondence! Proof or evidence

Practical Robust Mixes u Jakobsson “Flash Mix” (PODC ‘99) u Mitomo and Kurosawa (Asiacrypt ‘00) u Desmedt and Kurosawa (EC ‘00) u Neff (ACM CCS ‘01) u Furukawa-Sako (Crypto ‘01) u Golle (ACM CCS ‘02) u Golle, Zhong, Boneh, Jakobsson, Juels (Asiacrypt ‘02) u …

“Randomized Partial Checking Mix u Conceptually very simple u Very efficient u Works with any cryptosystem u Aimed at voting u Force each mix to reveal and prove half of its input-output correspondences u No complete path from input to output revealed; voter’s anonymity preserved within set of at least ½ the voters.

RPC illustrated u Mixes are paired (S 1,S 2 ), (S 3,S 4 ), etc. u For each ballot B between elements of a pair (e.g. (S 1,S 2 )), produce “challenge bit” b from hash of all bulletin board contents u If b = 0, first server must reveal where B came from and prove it by revealing keys/randomness. u If b = 1, second server must reveal where B goes and prove it by revealing keys/randomness. ES2S2 DS1S1 SkSk

Security theorem u An adversary who queries random oracle (  hash function) at most q times will have a chance of at most q 2 -t of producing a bulletin board transcript that passes public verification yet where the vote count has been altered by t votes.

Outline u PK Cryptography – very short history u Introduction to Voting u Voting using mix-nets u Randomized Partial Checking (Jakobsson/Juels/Rivest USENIX ‘02) u Pedagogic variant of Chaum’s proposal

A pedagogical variant of Chaum’s voting proposal u Used in my class this spring as introductory example, before going into details of Chaum’s and Neff’s schemes. u Captures many significant features, but not all; some problems/concerns not well handled. u Intended to be simpler to explain and understand than full versions. u Related to Jakobsson/Juels/Rivest RPC mix- net scheme. u Main ideas (e.g. cut and choose) already present in Chaum’s scheme.

Pedagogical variant (overview) u Voting machine produces ballot that is encryption of voter’s choices. u Ballot is posted on bulletin board as “official cast ballot” (electronic). u Voter given receipt copy of ballot. u Voter given evidence that ballot correctly encodes his intended choices. u Ciphertexts “mixed” for anonymity. u Ciphertexts decrypted and counted (threshold decryption by trustees).

Pedagogical variant (details) u Voter V i prepares choices B i u Machine prints and signs B i, C i, D i, r i, s i and gives them to voter. C i is encryption of B i (randomization r i ) D i is re-encryption of C i (randomization s i ) u If voter doesn’t like B i, she starts over. u Voter destroys either r i or s i, and keeps the other information as evidence (paper). u Voting machine signs and posts (V i, D i,”final”), and gives (paper) receipt copy to voter. u Final D i ’s mixed up (mixnet), decrypted, and counted.

Pedagogical variant (details) BiBi CiCi DiDi riri sisi u El-Gamal encryption and re-encryption: C i = (g r i, B i *y r i ), D i = (g r i +s i,B i *y r i +s i ) u Voter keeps only one link as evidence (similar to Jakobsson/Juels/Rivest, or Chaum) u Any attempt by voting machine to cheat will be detected with probability ½. u Voter can check evidence on exit. u Signed B i ’s are easy to get…

Pedagogical variant (details) BiBi CiCi DiDi riri u El-Gamal encryption and re-encryption: C i = (g r i, B i *y r i ), D i = (g r i +s i,B i *y r i +s i ) u Voter keeps only one link as evidence (similar to Jakobsson/Juels/Rivest, or Chaum) u Any attempt by voting machine to cheat will be detected with probability ½. u Voter can check evidence on exit. u Signed B i ’s are easy to get…

Pedagogical variant (details) BiBi CiCi DiDi sisi u El-Gamal encryption and re-encryption: C i = (g r i, B i *y r i ), D i = (g r i +s i,B i *y r i +s i ) u Voter keeps only one link as evidence (similar to Jakobsson/Juels/Rivest, or Chaum) u Any attempt by voting machine to cheat will be detected with probability ½. u Voter can check evidence on exit. u Signed B i ’s are easy to get…

Variant with “visual crypto” u Naor/Shamir: can do “xor” visually: += = = = = = = = 0

Variant with visual crypto u Print B i ’ and B i ’’ on transparencies u Visually verify B i ’ + B i ’’ = B i u Keeps D’ i, D’’ i, and either (B’ i,r’ i ) or (B’’ i,r’’ i ) B’ i D’ i r’ i B’’ i D’’ i r’’ i BiBi +

Variant with visual crypto u Print B i ’ and B i ’’ on transparencies u Visually verify B i ’ + B i ’’ = B i u Keeps D’ i, D’’ i, and either (B’ i,r’ i ) or (B’’ i,r’’ i ) B’ i D’ i r’ i D’’ i

Variant with visual crypto u Print B i ’ and B i ’’ on transparencies u Visually verify B i ’ + B i ’’ = B i u Keeps D’ i, D’’ i, and either (B’ i,r’ i ) or (B’’ i,r’’ i ) D’ i B’’ i D’’ i r’’ i

Variant with visual crypto u Any attempt by voting machine to cheat will result in detection with probability ½.

Pedagogical variant (summary) u Schemes such as these (Chaum / Neff) provide an interesting degree of “end-to-end” security: from voter’s intentions to final tally. u Paper is used, but not to record official ballots or for recounts, but as commitments so fraud and error can be detected.

Conclusions u Voting technology is in a state of transition to electronics. u It seems possible to have electronic voting without: trusting machines for integrity using paper ballots for recounts revealing how any voter votes u How can we do all of this well?

(The End)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.