Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 1 Beyond Prêt à Voter Peter Y A Ryan

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 2 Credits With thanks to: –David Chaum –Michael Clarkson –James Heather –Michael Jackson –Thea Peacock –Brian Randell –Ron Rivest –Steve Schneider –and many others….

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 3 Outline Outline of Prêt à Voter “Classic” Prêt à Voter with re-encryption mixes Vulnerabilities and counter-measures Open questions and future work

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 4 The Requirements Key requirements/desiderata (informal and incomplete): –Integrity/accuracy. –Ballot secrecy. –Voter verifiability: the voter should be able to confirm that their vote is accurately included in the count and prove to a 3 rd party if it is not (whilst not revealing their vote). –Minimal dependence on (trust in) system components. –Availability. –No early results. –Public confidence. –Usability –…….

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 5 Assumptions For the purposes of the talk I will make many sweeping assumptions, e.g.,: –An accurate electoral register is maintained. –Mechanisms are in place to ensure that voters can be properly authenticated. –Mechanisms are in place to prevent double voting. –Existence of a secure Web Bulletin Board. –Etc. Note: Supervised rather than remote.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 6 Voter-verifiability in a nutshell Voters are provided with an encrypted “receipt” and are able to verify the decryption in the booth. Copies of the receipts are posted to a web bulletin board. Voters can verify that their (encrypted) receipt is correctly posted. Tellers perform a robust anonymising mix on the batch of posted receipts, revealing the decrypted votes at the end. Checks are performed at each stage to catch any attempt to decouple the encryption on the receipt from the decryption performed by the tellers.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 7 Uses pre-prepared ballot forms that encode the vote in familiar form (an  against the chosen candidate). The candidate list is (independently) randomised for each ballot form. Information allowing the candidate list to be reconstructed is buried cryptographically in an “onion” on each form. An excess number of forms are generated to allow for random auditing, before, during and after the election.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 8 Example (single candidate choice) Each ballot form has a unique, secret, random seed s For each form, a permutation of the candidate list is computed as a publicly known function of this seed. The seed information is buried cryptographically using public keys of a number of tellers in an “onion” printed on the form. The seed can only be extracted by the collective actions of tellers, or suitable subset if a threshold scheme is used.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 9 Typical Ballot Sheet Epicurus Democritus Aristotle Socrates Plato $rJ9*mn4R&8

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 10 Voter marks their choice Epicurus Democritus  Aristotle Socrates Plato $rJ9*mn4R&8

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 11 Voter’s Ballot Receipt  $rJ9*mn4R&8

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 12 Voter casts her vote Once the voter has made their choice, the LH strip is detached and discarded. RH strip constitutes the receipt which is fed into a device that reads the information on the right hand strip. The device will transmit a digital copy of the receipt (the RH strip) to a central server, as a pair (r, Onion), for posting to the web bulletin board. The RH strip is returned to Anne (digitally signed and franked). Here r (  Z v ) is the index value that encodes the position of the .

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 13 Remarks Note that the receipt reveals nothing about the vote. The onion carries the crypto seed, encrypted with the teller’s public keys, that (a subset of) the tellers use to reconstruct the permutation of the candidate list. Without all of these secret keys (or an appropriate subset) the candidate list cannot be reconstructed and hence the vote value cannot be recovered. Vote is not directly encrypted, rather the frame of reference, i.e., the candidate list, is randomised and information defining the frame is encrypted. A VVPAT style mechanism can be incorporated. The voter choice must be made in isolation. Casting an encrypted ballot can be done in the presence of an official, i.e., does have to be in isolation.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 14 Anonymisation and tabulation Once the election has closed and all receipts have been posted to the WBB, a set of tellers perform a robust anonymising mix on the receipts: –Receipts are decrypted by stages and undergo multiple secret shuffles. Intermediate stages are also posted to the WBB for audit. –Tellers transform the “r” index value. The final “r” values that emerge from the mix give the raw vote value in the canonical basis. –Any link between the original receipts and the decrypted values will be lost.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 15 Seeds and offsets Suppose that we have k tellers. Each teller has two public key pairs. For each ballot form 2k random germs are generated: g i,  Z N (some modest size N, e.g., 2 32 ) The seed value is taken to be the sequence of these germ g values: Seed:= g 0, g 1, g 2, g 3, ….....g 2k-1 These germs are now crypto hashed and taken modulo v: d i := hash(g i ) (mod v) i= 0,1,2,……,2k-1 And the candidate list offset  is given by the sum modulo v of these:  :=  i=0 2k-1 d i (mod v)

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 16 Onion construction The germs are buried in the 2k layers of the onion: D 0 is a random value, unique to each ballot form. Then: D i+1 := {g i,D i, } PKTi,, i= 0,…., 2k-1 Onion := D 2k Thus: Onion := {g 2k-1,{g 2k-1,{…..,{g 2,{g 1,{g 0, D 0 } PKT_0 } PKT_1 } PKT_2 …..} PKT_2k-2 } PKT_2k-2 } PKT_2k-1

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 17 Candidate permutations Suppose that we have k tellers. Each teller has two public key pairs. For each ballot form 2k random germs are generated: g i,  Z N (some modest size N, e.g., 2 16 ) The seed value is taken to be the sequence of these germ g values: Seed:= g 0,, g 1, g 2,. g 3, ….....g 2k-1,. These germs are used as keys for a random permutation function f gi And the candidate list permutation  is computed as:  :=  i=0 2k-1 f gi

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 18 Teller transformations Transformations on the ballot pairs: On each ballot pair (r i, D i ), the teller performs the transformation: (r i, D i )  (r i-1, D i-1 ) Where r i-1 = f gi -1 (r i ) and D i-1 = second({D i } SKTi ) Recall: {D i } SKTi-1 = g i-1,D i-1 and

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 19 Teller 1Teller 1' Batch 1Batch 2Batch 3

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 20 What can go wrong… For the accuracy requirement: –Ballot forms may be incorrectly constructed, leading to incorrect decryption of the vote –Ballot receipts could be corrupted before they are entered in the tabulation process. –Tellers may perform the decryption incorrectly. We now discuss the counter-measures to these threats.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 21 Checking the ballot forms We need to check that the seed buried in the onion does correspond to the candidate permutation shown on the ballot form. Checks can be performed by auditors and the voters to catch such corruption: –Random audits of ballot forms performed before, during and after the election period by the Electoral Reform Soc etc. –Voters could also be invited to perform similar checks on randomly selected “dummy” forms. For example, voters could be invited to randomly select a pair of forms, one to check, one to cast their vote.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 22 Auditing ballot forms To check the construction of the ballot forms the values on the form, onion and candidate ordering, can be reconstructed if the seed value is revealed. One of the innovations of Prêt à Voter is to use the tellers in an on-demand mode to reveal the secret seed value buried in the onion. Avoids problems with storing and selectively revealing seeds. Note, for this checking process, the tellers are used in an on-demand basis before and during the election-quite different to the batch mode for the anonymising mix after the election has closed.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 23 Ballot form checking modes In fact, this oracle teller mode suggests several ways for voters to check the well-formedness of ballot forms: 1.Simple, single dummy vote 2.Multiple or ranked dummy vote 3.Given the onion value, the tellers return the candidate ordering Note: vulnerable to authority/tellers collusion attacks. The auditor checks are the more rigorous: not vulnerable to authority/teller collusions.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 24 Recording and transmission To check that receipts are accurately recorded and input into the mix: Voters can visit the WBB and check that their receipt appears correctly recorded. Voter checks can be supplemented by independent audit authorities checking the WBB against the VVPAT style record of ballot receipts (also useful to recount and recovery).

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 25 Auditing the tellers Partial Random Checking of the teller transformations: auditor randomly selects half the of the links to be revealed and checked, but in such a way as not to reveal any links across the two transformations performed by the teller. Go down middle WBB column for each teller and randomly assign ► or ◄ to each pair. For a ►(◄), the tellers reveal the outgoing (incoming) link along with the associated re-encryption randomisation values. Note: because no complete paths across a given teller’s pair of mixes are revealed by the audit process, we can audit the tellers independently.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 26 Auditing the tellers Teller 1Teller 1'

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 27 Advantages of Prêt à Voter Voter experience simple and familiar. Ballot form commitments and checks made before election opens  neater recovery strategies. The vote recording device doesn’t get to learn the vote. Votes are not directly encrypted, just the frame of reference. Highly flexible. Adaptable to remote voting (see talk by Michael Clarkson).

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 28 Enhancements Re-encryption mixes Distributed generation of ballot forms. Concealment of onion/candidate list associations. Separation of teller modes.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 29 Re-encryption mixes Prêt à Voter Classic uses Chaumian (decryption) mixes. Alternatives: –re-encryption mixes. –Homomorphism schemes etc.. Advantages of re-encryption: –Tellers inject fresh entropy at each stage, hence onion size doesn’t grow with number of tellers and germ size. –Less dependence on availability of tellers: a faulty mix teller can just be binned and replaced. –Full mixing over the El Gamal group. –Clean separation of mixing and decryption stages. –Mixes and audits can be rerun afresh. Downsides: –Need shuffle commitments. –Tricky to mesh with Prêt à Voter.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 30 Re-encryption mixes Prêt à Voter’s rather special representation of the vote in the receipts makes it tricky to mesh with re- encryption mixes. Some possible approaches: 1.Leave r terms unchanged through the mixes. 2.Follow re-encryption mixes with Chaumian decryption mixes. 3.Absorb the r into the onion value 4.transform both r and D terms leaving vote value invariant – but seems to necessitate malleable encryption. 5.Add teller transforms to the index values, storing the entropy in an extra (pre-generated and audited) “onion” value. 6.Primitive for which only orbits of the local permutation group can be generated (“slightly malleable”). 7.Use zero-knowledge/crypto-homomorphism mixes-but looses the conceptual simplicity of the PRC approach (and linear scaling behaviour).

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 31 Discussion Option 1: allows the adversary to partition the mix according the index value, but might be okay where the number of voters vastly exceeds the number of ballot options. Option 2: again the re-encryption mix can be partitioned. Might be a reasonable compromise. Options 3 and 4: seems to work nicely but appears to necessitate malleable encryption for the terms that move through the mix. Not clear whether this introduces vulnerabilities not countered by the mix audits. Option 5: speculative. Option 6: promising, but seems to loose the conceptual simplicity of the PRC approach, and perhaps the linear scaling properties.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 32 El Gamal encryption El Gamal encryption: let  be a generator of cyclic group Z p *, p a large prime. Choose k (2  k  p-2) and let  =  k (mod p). p,  and  made public, k kept secret. (Randomised encryption) of m in {0, …, p-1}: (  x,  x.m) =: (y 1, y 2 ) Re-encryption: (  x+y,  x+y.m) Note: same as directly encrypting m with x+y. Decryption: m = y 2 /y 1 k

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 33 Option 3 Let d be the ballot seed. Encrypt  -d in the El Gamal pair to form the onion. (  x,  x.  -d ) =: (y 1, y 2 ) Where d (mod ) can be taken as the offset. A receipt pair can be transformed to: (r,  x,  x.  -d )  (  x,  x.  r-d ) This can be put through a conventional re- encryption mix and the final decryption yields the vote value directly. Fine for cyclic shifts of the candidate list, needs elaboration for full permutations.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 34 Prêt à Voter Vulnerabilities Chain voting. Authority knowledge of ballot form information. Destruction of LH strips. Separation of teller modes.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 35 Chain Voting Effective against many conventional voting systems: 1.Coercer smuggles a blank ballot form out of the polling station and marks it with their preferred candidate. 2.They intercept a voter entering the polling station, hand them the marked up form and tell them that if they emerge from the station with a fresh, unmarked form they will be rewarded. 3.Return to step 1.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 36 Counter-measures In a system like the UK system in which voters are given a ballot form when they register and are them observed to cast the form in the ballot box, this can be quite effective: if the voter emerges with a fresh, blank form it is a strong indication that they cast the coercer’s marked form. For a conventional system, a possible counter-measure is to use a system along the lines of the French system: ballot forms are not controlled, only their casting. Ballot forms are freely available at the polling station. Voters register at the moment that they cast their vote, in an envelope.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 37 Chain voting and Prêt à Voter Particularly virulent with WBB systems. Conventional counter-measure fails. Countermeasures: –Note: –Voters don’t need sight of the onion value in order to make their selection. –casting an encrypted ballot can be in the presence of a voting official. Hence: –Conceal the onion under a scratch strip. –Official checks scratch strip is intact at time of casting. –Also need to check that form used to cast corresponds to the forms given to the voter when they register. –Handling ballot forms in sealed envelopes also helps.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 38 Authority knowledge Entities that create and handle the ballot forms must be trusted to keep onion/candidate lists secret. Countermeasures: –Create pairs on “entangled” onions. Conceal one under a scratch card or cryptographically and perform a pre-mix. –Have a further entity translate the exposed onions into candidate lists. –Random audit the resulting forms. –Cast encrypted receipts in presence of an official and reveal the onion value at this point. Further possibilities: –“Mirror”, robust pre-mix on entangled onions (run Plaintext Equivalence Tests (PET) the entangled onion pairs and PRC the mix) –Just in time candidate lists. –Just in time onions. –Multiple entangled onions (independently reveal candidate lists for n-1) Plenty of possibilities, some adaptable to remote contexts.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 39 Destruction of LH strips Procedural: officials oversee destruction of LH strips. Mechanical: device that automatically strips off the LH strip and discards it. Decoy strips: plentiful supply of alternative LH strips provided in the booth. Scratch strips: onion under the strip (in 2D bar code?) candidate list overprinted: revealing the onion destroys the list. Disc ballots!? Ballot “forms” take the form of a pair of discs sealed together. After selection they are separated. Axial symmetry ensures that the original configuration is lost. Quantum!? Ballot “forms” using entangled q-bits. Measurement to reveal candidate lists collapses the wave functions.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 40 Confusion of tellers modes Essential that any onion can be processed at most once. –Allow on-demand teller mode only during the pre- election phase. Ensure that all audited ballot as destroyed. –Procedural/Mechanical: any processed form is invalidated to prevent reuse. –Cryptographic, e.g., authentication codes that are destroyed when the onion is used. –Just in time candidate lists: revealed only at the time that the voter makes their selection.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 41 Future work On the current model: –Determine exact requirements. –Formal analysis and proofs. –Construct threat and trust models. –Investigate error handling and recovery strategies. –Develop a full, socio-technical systems analysis. –Develop prototypes and run trials, e.g., e-voting games! –Investigate public understanding and trust.

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 42 Future work Beyond the current scheme: –Alternative sources of seed entropy: Voters, optical fibres in the paper,…? –Protocols for on-demand/distributed generation and checking of ballot forms, e.g., authenticated onion establishment. –(Threshold) schemes to thwart collusion attacks on checking modes. –Alternative robust mixes. –Adaptation to remote voting (Cornell work).

Frontiers of Electronic Elections Milan, 16 September 2005 P Y A Ryan Prêt à Voter 43 References David Chaum, Secret-Ballot receipts: True Voter-Verifiable Elections, IEEE Security and Privacy Journal, 2(1): 38-47, Jan/Feb J W Bryans & P Y A Ryan “A Dependability Analysis of the Chaum Voting Scheme”, Newcastle Tech Report CS-TR-809, J W Bryans & P Y A Ryan, “Security and Trust in a Voter-verifiable Election Scheme”, FAST P Y A Ryan & J W Bryans “A Simplified Version of the Chaum Voting Scheme”, Newcastle TR 2004 P Y A Ryan, Towards a Dependability Case for the Chaum Voting Scheme, DIMACS June P Y A Ryan, “E-voting”, presentation to the Caltech/MIT workshop on voting technology, MIT Boston 1-2 October P Y A Ryan, “A Variant of the Chaum Voter-verifiable Election scheme”, WITS, January 2005 Long Beach Ca. D Chaum, P Y A Ryan, S A Schneider, “A Practical, Voter-Verifiable Election Scheme”, Newcastle TR 880 December 2004, Proceedings ESORICS 2005, LNCS B Randell, P Y A Ryan, “Trust and Voting Technology”, NCL CS Tech Report 911, June P Y A Ryan, T Peacock, “Prêt à Voter, A Systems Perspective”, NCL CS Tech Report 929, September 2005.