Ben Hosp, Nils Janson, Phillipe Moore, John Rowe, Rahul Simha, Jonathan Stanton, Poorvi Vora {bhosp, simha, jstanton, Dept. of Computer Science George Washington University
Integrity during ballot casting: paper receipts Challenge: allow the voter to keep a record of her vote so –she can determine that it has been counted correctly, yet –not prove how she voted This record on paper, so “computer” problems will not destroy the record
CVV* can do this, with, from the voter’s POV A voting system that will “just work” The only additional effort required of the voter is to pull a lever up or down arbitrarily. Caveat: a non-negligible percentage of voters or their representatives must make the effort to check their ballot receipts. * Based on a method by David Chaum
Election Goals Integrity – Correct vote count. Anonymity – I can’t tell how you voted. Involuntary Privacy – You can’t prove to me how you voted. Voter Verifiability – You, the voter, can verify the first two goals. Public Verifiability – Anyone can verify the first three goals. Robustness – If something goes wrong it can be detected and fixed
CVV Assumes A set of n independent trustees, all of whom do not collude (can be made k of n) –Collusion can violate privacy without being detected –Collusion cannot violate integrity without detection All n trustees are functional (can be made k of n) –A nonfunctional trustee (or > k nonfunctional trustees) can cause a denial of service attack
CVV Assumes A not necessarily trustworthy polling machine –Cannot violate count integrity –Can violate privacy (sees ballot) No collusion between authentication process and polling machine –Collusion can lead to ballot stuffing Sufficiently large number of receipts checked – by voter or authorized third party –Requires process
poster
CVV is A prototype implementation of Chaum’s voter-verifiable voting system Using commonly available, low-cost hardware and OS platforms
Stage 2 Demo 1: walk-through
The Voting Process Ballot Casting The voter uses the voting booth machine to generate some image: her vote. The booth prints out two layers –which are random by themselves, –but when overlaid, display the image.
Layer generation The layers are generated using two strings of random numbers –Each created by adding trustee shares –Each of size half of the number of image pixels –One for the top layer, other for bottom –Laid in staggered form on the two layers R R R R R R R R R R R R R RR R
Layer generation Other half pixels on each layer are such that the overlay is the correct vote = Other vote:
Different types of receipts Optical (additive) overlay: Chaum Many other symbols by Jeroen van de Graf
The Voting Process Receipt Choice The voter chooses one layer for her receipt. –Some other “stuff” is printed on the chosen layer. –The unchosen layer is destroyed. –The chosen layer is stored or transmitted It can be shown that the machine can cheat in only one of the two receipts if the overlay represents the vote.
The Voting Process Receipt Checking Receipts at counting station can all be checked, by a third party, for correctness. A voter can check her own receipt has reached the counting station or have it checked by a third party. Automated checking that a hard copy matches an image at counting station not yet implemented by CVV. Visual checking possible.
Cheating machine caught with probability half If the machine has cheated on a vote which has the check performed –it will be detected with non-negligible probability (one-half?) –this does not depend on the hardness of any problem using any computational model, but –on the randomness of the voter choice Does not depend on voter trust of poll worker checks
The Complete Ballot The receipt/vote has the following fields: –The vote ID –The encrypted image. –Information for trustees required to decrypt the top layer. the bottom layer –A signature of the vote ID info required by non-trustee to recreate above for chosen layer, but not unchosen one used to check commitments. –A signature of the whole ballot to prevent false claims of uncounted votes { { PrechoicePrechoice PostchoicePostchoice
The Complete Ballot The information on the ballot –Can be used by anyone to verify that the ballot was correctly constructed, but –Cannot be used to decrypt the ballot except by appropriate combination of trustees.
The Vote-Decryption Process – similar to a regular MIX Random pixels were generated using a different seed for each trustee for top and bottom The seed of the chosen layer made available on the receipt for checking The other seed made available in nested encrypted form for the trustees to generate random part of unchosen layer
The Vote-Decryption Process Each trustee: –for each ballot: extracts his seed incrementally regenerates the random numbers on the other layer adds his share to the ballot –shuffles all the ballots –passes on the ballots to the next trustee
Receipt Decryption R R R R R RR R = The other vote would have looked like
The Auditor The first trustee is asked to reveal, to the public, a random half of his shuffle. The next trustee reveals the other half. And so forth –no ballot can be completely traced through the shuffles.
The Auditor Each trustee provides –A correspondence between input and output images –A seed value Such that –the encryption of the seed with his public key gives the encrypted information –the difference between the output and input images of the revealed half of their shuffle was generated using the seed Cheating trustee caught with probability half for every vote cheated on
Reduce “negative aspects” of voter verification by Participation by major political interests public interest organizations as: –Trustees –Third party working on behalf of voter to Check that receipt is on website Check that receipt was correctly generated (For this, need them to actively obtain receipts) –Witnesses of trustee decryption process and audit
Reduce “negative aspects” of voter verification by - II Process that includes encouraging voter verification when fraud detected or alleged: –If a voter claims his vote not counted, encourage enough voters to check their votes to determine extent of fraud/error –If a displayed receipt does not check, check receipts in that precinct to determine extent of fraud/error
Current status of CVV Prototype implemented in Java Currently supports low-end ink jet printing Plan –Open source release –User-friendly ballots –Pre-packaged election tool kit for third-party elections (e.g. student elections). Those interested please contact us. –Construction of various other primitives for plug and play
More Next Steps Performance and Robustness Testing and Enhancements Trials in local and school elections –for education and –to test usefulness and acceptance of scheme With Political Science and Public Affairs Faculty Determine if there is a difference in acceptance along group lines: –Political parties –Age –Race –Ability (among handicapped; Braille overlay methods can be developed)
References and Acknowledgements David Chaum David Chaum, “Secret-Ballot Receipts: True Voter- Verifiable Elections”, IEEE Security and Privacy, January-February 2004 (Vol. 2, No. 1) Poorvi Vora, “David Chaum’s Voter Verification using Encrypted Paper Receipts”, Also on DIMACS website linked from talk abstract
Extras
1.Voter votes. Obtains an encrypted receipt that even she cannot decrypt outside polling booth only all n trustees can decrypt it this can be modified to k of n trustees. We will describe later how she can be sure the polling machine did not cheat 2.Voter checks for receipt on public website. If it is there, her vote has reached the counting station CVV - How it works based on Chaum voter-verifiable voting system
CVV - How it works 4.Possessor (voter or third party or anyone if receipt on website) can check if receipt is correctly generated. 5.All votes at counting station are serially (partially) decrypted and shuffled by trustees (version of MIX) 6.Final, unencrypted, shuffled votes are counted. Conditional count announced. 7.Trustee decryption and shuffle is audited. Final count announced, election certified.