Can voters check that their e-vote is cast as they intended and properly included in an accurate count? Vanessa Teague University of Melbourne

Presentation transcript:

Can voters check that their e-vote is cast as they intended and properly included in an accurate count?
Vanessa Teague, University of Melbourne
CIS department seminar, March '14

Why verifiable voting? What's wrong with this picture?
[Figure: voters' PCs send encrypted votes (labelled RSA) to an Electoral Commission server that holds the decryption key and announces the election outcome.]

The challenge
- Vote privacy is relatively easy: use standard crypto and a completely trusted decryption & counting system
- Verifiability is relatively easy if you don't care about privacy: just make all the votes public
- The challenge is to do both: verifiably accurate results that preserve privacy

Electronic election verification
- Each voter can check that their vote matches their intention, even if the computer they're using is compromised
- Everyone can check that the votes were properly handled after casting
Not in this talk:
- Details about privacy
- Verifying the counting software, e.g. Rajeev Goré's work on EVACS
- Other important requirements: usability, robustness, security from outside attack, ...

Outline
On the Internet:
- NSW (Everyone Counts)
- Norway (Gjøsteen, Scytl)
- Helios (Adida, de Marneffe, Pereira et al.)
In the polling place:
- VEC verifiable system based on prêt à voter
- Electronic ballot markers (WA, Tas, proposed NSW)

iVote (NSW) 2011
- Voters log in again later to query the system and see if they get the right "verification" number back
[Figure: voters receiving verification numbers Verif1, Verif2, Verif3]

iVote 2015
- A new version is proposed for the 2015 NSW state election
- Voter sends vote to server using plain SSL/TLS again
- Each voter checks their vote (unencrypted) with an "auditor"
- But don't worry, the auditor can't possibly tell who you are just by looking at your IP address
- Auditor promises to check that they all go properly into the count
- See draft design at 003/125454/iVote_Strategy_for_SGE_2015_amd_1.pdf

iVote (proposed NSW) 2015: plaintext vote check with auditor
[Figure: voter, Electoral Commission and Auditor connected over TLS]


Norway
- A partially-verifiable Internet voting scheme
- Used in recent Norwegian local & parliamentary elections
- Openly-available source code with public docs & papers
- Uses the Norwegian government electronic ID scheme
- Implemented by Scytl

Example 3: Norway
- Each voter gets a "code sheet" by snail mail; everyone's code sheet is different
- Voter's PC encrypts the party name and sends it to the server
- Authorities SMS the party code to the voter's mobile phone
- A corrupt PC can't lie about your vote undetectably, unless it learns the codes
[Figure: sample code sheet listing the parties Red, Green, Chequered, Fuzzy, Cross, Yellow with their codes]

Norway: an admirable process
- Public consultation, open source code, academic review, honesty about problems
- Still some gaps in the protocol, but at least they know what they are
- And some bugs in the implementation, but there's a process for finding and fixing them
- The open process allows for a scientific discussion based on facts & careful analysis


Helios
- An "end-to-end verifiable" Internet voting scheme by Adida, de Marneffe, Pereira
- Source code and docs at heliosvoting.org
- Used by the IACR in their board elections
- Each voter can verify that their vote is cast as they intended and properly included in the count
- Anyone can verify that all the included votes are properly decrypted and tallied

One-page reminder about public key crypto
- The receiver generates two keys: a public key e (for encrypting) and a private key d (for decrypting)
- She publicises the public key e; people use this for encrypting messages
- They also include some randomness r: ciphertext C = Enc_e(msg, r)
- She keeps the private key d secret and uses this for decrypting messages

Helios: cast-as-intended verification
- You don't trust your PC to encrypt the right thing, but you do trust your PC for privacy
- Ask your PC to produce lots of (different) encrypted votes; it doesn't know which one you're going to use
- Photograph them, print them, or send them to other devices
- Ask your PC to 'open' all but one of them, i.e. to tell you the randomness r it used for encrypting
- Get the other devices to check the encryption was right: they just recompute Enc_e(msg, r)
- Cast the one you didn't open, so your privacy is preserved
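The cast-as-intended check on this slide (a Benaloh challenge), as an added example that is not code from the original talk or from Helios: a simulated voter PC produces several exponential-ElGamal encryptions of the vote, the voter has all but one opened and checked on a second device, and the unopened one is cast. The toy group parameters, candidate names and the UntrustedPC/audit helpers are constructed for this illustration.

```python
import secrets

# Toy safe-prime group, constructed for this example (real systems use ~2048-bit
# groups): p = 2q + 1 and g generates the order-q subgroup.
P, Q, G = 1019, 509, 4
CANDIDATES = ["Red", "Green", "Chequered", "Fuzzy", "Cross"]

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def keygen():
    d = rand_exp()                 # private key d
    return d, pow(G, d, P)         # public key e = g^d

def encode(choice):
    # Exponential ElGamal: candidate i becomes g^i so it lies in the subgroup.
    return pow(G, CANDIDATES.index(choice), P)

def encrypt(e, msg, r):
    # Enc_e(msg, r) = (g^r, msg * e^r) with voter-side randomness r.
    return (pow(G, r, P), msg * pow(e, r, P) % P)

def decrypt(d, ct):
    c1, c2 = ct
    return c2 * pow(pow(c1, d, P), -1, P) % P

class UntrustedPC:
    """The voter's PC: trusted for privacy, not for encrypting the right thing.
    A cheating PC must substitute every copy, since it cannot predict which one
    the voter will keep; cheating on a subset is caught with probability (n-1)/n."""
    def __init__(self, e, cheat=False):
        self.e, self.cheat, self._r = e, cheat, {}

    def encrypt_vote(self, choice, count):
        cts = []
        for i in range(count):
            self._r[i] = rand_exp()
            msg = encode("Red") if self.cheat else encode(choice)
            cts.append(encrypt(self.e, msg, self._r[i]))
        return cts

    def open(self, i):             # 'open' copy i by revealing its randomness r
        return self._r[i]

def audit(e, ct, choice, r):
    """Run on a separate device: recompute Enc_e(msg, r) and compare."""
    return encrypt(e, encode(choice), r) == ct

def benaloh_challenge(pc, choice, count=4):
    """Returns the ciphertext to cast, or None if the PC was caught cheating."""
    cts = pc.encrypt_vote(choice, count)
    keep = secrets.randbelow(count)    # unpredictable to the PC
    for i in range(count):
        if i != keep and not audit(pc.e, cts[i], choice, pc.open(i)):
            return None
    return cts[keep]                   # its r stays secret, so privacy is preserved
```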

So why not use Helios for Aus government elections?
- Difficulty of the cast-as-intended protocol: voters need to understand it to get it right
- Extension to STV ballots with 97 people
- Computational scalability

Internet voting: summary
- There is no end-to-end verifiable Internet voting scheme that's usable for ordinary voters and adaptable to Australian-style preferential elections
- And we haven't even talked about authenticating the voters or preserving privacy

Outline
On the Internet:
- NSW (Everyone Counts)
- Norway (Gjøsteen, Scytl)
- Helios (Adida, de Marneffe, Pereira et al.)
In the polling place:
- Vic verifiable system based on prêt à voter: voting; checking from home that your vote is there; verifying shuffling and decryption; privacy
- Electronic ballot markers (WA, Tas, proposed NSW)

The Victorian Electoral Commission's polling-place voting system
- I've done a lot of work on this project, but am not representing the VEC's official position in any way
- Based on the prêt à voter end-to-end verifiable voting scheme (Ryan, Schneider, Chaum)
- Implemented by a team at U Surrey (Culnane, Heather, Schneider), with some help from the VEC (Burton)
- This scheme is end-to-end verifiable, except that the point where its output is joined in with the rest of the ballots is observable only by scrutineers

Victoria polling-place 2014 cont'd
- Each voter gets a human-readable printout to check
- The printout is transformed into an encrypted receipt
- The voter gets evidence that this is the vote they intended, without being able to prove to others how they voted
- Voter takes their encrypted receipt home and checks that it's in the accepted list
- The accepted list is shuffled & decrypted with a mathematical proof of correctness, which anyone can check
- Source code at

Prêt à Voter
- Uses pre-prepared paper ballot forms that encode the vote in familiar form
- The candidate list is randomised for each ballot form
- Information defining the candidate list is encrypted in an "onion" value printed on each ballot form
- Actually, we print a serial number that points to the encrypted values in a public table
[Figure: sample ballot form listing Red, Green, Chequered, Fuzzy, Cross with onion value $rJ9*mn4R&8]

Ballot auditing
- Each voter can challenge as many ballots as they like and get a proof that the onion matches the candidate list
- Then don't use that ballot: vote on an unchallenged one
- So you can't prove how you voted
[Figure: challenged ballot form listing Red, Green, Chequered, Fuzzy, Cross with onion value $rJ9*mn4R&8]

Voting
- Fill in the boxes as usual; use a computer to help
- Check its printout against the candidate list
- Shred the candidate list
- Computer uploads the vote (same info as on the printout)
- Take the printout home; it doesn't reveal the vote
[Figure: ballot form with candidate list Red, Green, Chequered, Fuzzy, Cross, and the detached printout showing only the marks and the onion value $rJ9*mn4R&8]
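The ballot-form, audit and voting steps of the last three slides, as an added example that is not taken from the vVote implementation: the onion is an ElGamal encryption of the ballot's randomised candidate order, a challenged ballot is checked by recomputing its onion from the revealed randomness, and the receipt is only the marked position plus the onion. The toy group, the single-choice ballot and printing the onion directly (rather than a serial number into a public table) are simplifications made for this illustration.

```python
import itertools
import secrets

# Toy safe-prime group, constructed for this example: p = 2q + 1, g of order q.
P, Q, G = 1019, 509, 4
CANDIDATES = ["Red", "Green", "Chequered", "Fuzzy", "Cross"]
ORDERS = list(itertools.permutations(range(len(CANDIDATES))))  # 120 possible orders

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def encrypt(e, msg, r):
    return (pow(G, r, P), msg * pow(e, r, P) % P)

def decrypt(d, ct):
    c1, c2 = ct
    return c2 * pow(pow(c1, d, P), -1, P) % P

def order_index(order):
    return ORDERS.index(tuple(CANDIDATES.index(c) for c in order))

def make_ballot(e):
    """Authority prints a randomised candidate list and its 'onion', an encryption
    of the index of that order; the randomness r is kept by the authority."""
    idx, r = secrets.randbelow(len(ORDERS)), rand_exp()
    order = [CANDIDATES[i] for i in ORDERS[idx]]
    return {"order": order, "onion": encrypt(e, pow(G, idx, P), r), "r": r}

def audit_ballot(e, ballot):
    """Challenge: the authority reveals r and the voter recomputes the onion from
    the printed list. A ballot that has been audited is discarded, not voted on."""
    expected = encrypt(e, pow(G, order_index(ballot["order"]), P), ballot["r"])
    return expected == ballot["onion"]

def vote(ballot, choice):
    """Mark the box next to the chosen name, shred the candidate list, keep the
    receipt. (position, onion) says nothing about the choice without the key."""
    return {"position": ballot["order"].index(choice), "onion": ballot["onion"]}

def tally_one(d, receipt):
    """Key holder decrypts the onion, recovers the order and reads off the mark."""
    m = decrypt(d, receipt["onion"])
    idx = next(i for i in range(len(ORDERS)) if pow(G, i, P) == m)  # tiny discrete log
    return CANDIDATES[ORDERS[idx][receipt["position"]]]
```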


Checking from home that your vote is there
- There's a public website listing all the receipts
- More precisely, there's a "bulletin board", which is a public website augmented with some evidence that everyone sees the same data
- Find yours


Verifying shuffling and decryption
- Now we have a list of encrypted votes on a public website
- Encrypted, and linked to voters' identities, because each voter still holds their receipt
- We want to shuffle the votes (to break the link with voter ID), decrypt the votes, and prove that this was done correctly

What’s public-key cryptography? The receiver generates two keys: a public key e (for encrypting), and a private key d (for decrypting) She publicises the public key e People use this for encrypting messages They also include some randomness She keeps the private key d secret She uses this for decrypting messages

Picture of public-key cryptography
[Figure: Sender encrypts with the public key and Receiver decrypts with the private key (labelled RSA)]

Re-randomising encryption
- Without knowing the secret key, re-do the randomness used in the encryption
- The message stays the same, but the new encryption can't be linked to the old one

Randomised partial checking
- By Jakobsson, Juels & Rivest; significant improvements by Wikström
- We can't (completely) prevent a hacker from breaking in to all the computers and changing the votes, but
- We can check the process thoroughly enough to be confident that, if the checks succeed, then the system produced the right output with very high probability

Randomised partial checking
- A pair of mix servers shuffle and rerandomise
- Choose randomly to prove the link to the start or to the end
[Figure: two mix servers in sequence; for each ciphertext in the middle column, either its incoming or its outgoing link is revealed]
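Re-randomisation and the randomised partial checking idea from the last two slides, as an added example that is not code from the talk or from vVote: two mix servers each shuffle and re-randomise a list of ElGamal ciphertexts, and for every ciphertext in the middle list a coin decides whether the first server opens its incoming link or the second server opens its outgoing link. In a real system the coins come from a public random source; here they are passed in so a check can be replayed. The toy group, the MixServer class and the setup() election are constructed for this illustration.

```python
import secrets

# Toy safe-prime group, constructed for this example: p = 2q + 1, g of order q.
P, Q, G = 1019, 509, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def encrypt(e, msg, r):
    return (pow(G, r, P), msg * pow(e, r, P) % P)

def rerandomise(e, ct, s):
    # Multiply by Enc_e(1, s): same plaintext, but the new pair cannot be linked
    # to the old one without knowing s (or the private key).
    c1, c2 = ct
    return (c1 * pow(G, s, P) % P, c2 * pow(e, s, P) % P)

class MixServer:
    """Shuffles and re-randomises, remembering its secrets so it can later open
    a single link when challenged."""
    def __init__(self, e):
        self.e = e
    def mix(self, cts):
        self.perm = list(range(len(cts)))
        secrets.SystemRandom().shuffle(self.perm)   # output j came from input perm[j]
        self.rs = [rand_exp() for _ in cts]
        return [rerandomise(self.e, cts[i], self.rs[j]) for j, i in enumerate(self.perm)]
    def link_into(self, j):        # open the link ending at output j
        return self.perm[j], self.rs[j]
    def link_out_of(self, i):      # open the link starting at input i
        j = self.perm.index(i)
        return j, self.rs[j]

def rpc_verify(e, l0, l1, l2, m1, m2, coins):
    """Check m1 (l0 -> l1) and m2 (l1 -> l2). For middle ciphertext k, coins[k]
    True opens its left link, False its right link, never both, so no vote is
    traced from l0 to l2. A substituted ciphertext is caught with probability 1/2."""
    seen_in, seen_out = set(), set()
    for k, left in enumerate(coins):
        if left:
            i, r = m1.link_into(k)
            if i in seen_in or rerandomise(e, l0[i], r) != l1[k]:
                return False
            seen_in.add(i)
        else:
            j, s = m2.link_out_of(k)
            if j in seen_out or rerandomise(e, l1[k], s) != l2[j]:
                return False
            seen_out.add(j)
    return True

def setup(n=6):
    # Constructed election: one key, n votes for three 'candidates', two mixes.
    d = rand_exp()
    e = pow(G, d, P)
    l0 = [encrypt(e, pow(G, i % 3, P), rand_exp()) for i in range(n)]
    m1, m2 = MixServer(e), MixServer(e)
    l1 = m1.mix(l0)
    l2 = m2.mix(l1)
    return e, l0, l1, l2, m1, m2
```

Passing all-False coins opens only the second server's links, which is how the tampered-output case is caught deterministically; with all-True coins the same tampering goes unnoticed, which is exactly the 1/2-per-position guarantee the slides describe.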

Provable decryption step
- Trust me, this can be done
- Using Chaum-Pedersen proofs of dlog equality, showing proper decryption of an El Gamal ciphertext given the El Gamal public key
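The provable decryption step, as an added example not drawn from the talk or the vVote code: the key holder publishes D = c1^d together with a Chaum-Pedersen proof that log_g(e) equals log_c1(D), made non-interactive with a Fiat-Shamir hash so anyone reading the bulletin board can verify it. The toy group parameters are constructed for this illustration.

```python
import hashlib
import secrets

# Toy safe-prime group, constructed for this example: p = 2q + 1, g of order q.
P, Q, G = 1019, 509, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def encrypt(e, msg, r):
    return (pow(G, r, P), msg * pow(e, r, P) % P)

def challenge(*values):
    # Fiat-Shamir: derive the challenge from everything the verifier will see,
    # so the proof can be published and checked by anyone after the fact.
    h = hashlib.sha256(",".join(map(str, values)).encode()).digest()
    return int.from_bytes(h, "big") % (Q - 1) + 1     # in [1, q-1]

def prove_decryption(d, e, ct):
    """Key holder publishes D = c1^d, the plaintext, and a Chaum-Pedersen proof
    that log_g(e) == log_c1(D), i.e. the same d was used, without revealing d."""
    c1, c2 = ct
    D = pow(c1, d, P)
    msg = c2 * pow(D, -1, P) % P
    w = rand_exp()
    a1, a2 = pow(G, w, P), pow(c1, w, P)     # commitments sharing one exponent
    c = challenge(G, e, c1, D, a1, a2)
    z = (w + c * d) % Q
    return msg, (D, a1, a2, z)

def verify_decryption(e, ct, msg, proof):
    """Anyone can run this with only public data: the key e, the ciphertext,
    the claimed plaintext and the proof."""
    c1, c2 = ct
    D, a1, a2, z = proof
    c = challenge(G, e, c1, D, a1, a2)
    same_d_for_key = pow(G, z, P) == a1 * pow(e, c, P) % P
    same_d_for_ct = pow(c1, z, P) == a2 * pow(D, c, P) % P
    return same_d_for_key and same_d_for_ct and msg == c2 * pow(D, -1, P) % P
```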


Privacy
- Whenever you have a computer helping you fill in your vote, that computer is a privacy risk; so is the ballot printer
- There are some clever schemes for verifiable voting that don't tell your computer how you voted, e.g. the "plain" version of prêt à voter in which you fill in the ballot with a pencil
- But none of them work with 30-candidate STV
- This scheme does about the best I can imagine at preserving privacy while providing a usable 30-candidate STV vote

Summary
- This provides a rigorous after-the-fact argument that the answer was right (with high probability)
- To the court we'd say: we worked really hard to make sure the software was correct, and we worked really hard to make the computers secure
- But even if these were not perfect, the voters & the public could check the integrity of the data directly, the scrutineers can reconcile that with the rest of the count, and they would have detected a manipulation with high probability

Feedback
- If you'd like to write your own proof checker, verifier, signature checker, etc, for vVote, please come and talk to me
- If you think you've found a bug, please come and talk to me
- If you read the supporting materials and you think you've found a bug, please come and talk to me


A human-readable paper record
- So the voter can check directly that their vote is cast as they intended
- Electronic ballot marker: vote on a computer, print your vote, put it in a ballot box
- In use in WA & Tas, proposed in NSW
- Good for voters who need assistance, and also for validity checking for everyone

Conclusion
- Verifiable Internet voting is an unsolved problem
- Verifiable polling-place voting has several sensible solutions
- But there are important details in extending them to Australian voting

So what happens now?
The AEC recently produced a discussion paper on Internet voting:
"7.8 As noted in Part 1, the extent to which it can be guaranteed that votes cast on the internet will not be susceptible to interference of one form or another has been a matter of vigorous dispute. This paper takes no stand on that issue,..."
"7.17 The need for new transparency mechanisms to replace those associated with the paper ballot remains a matter of fundamental importance, and one which will rise in significance in direct proportion to the number of people actually using internet voting. Elaboration of such mechanisms is beyond the scope of this paper."