Challenges and Advances in E-voting Systems: Technical and Socio-technical Aspects
Peter Y. A. Ryan, Lorenzo Strigini


Outline
- The problem
- Voter-verifiability
- Overview of Prêt à Voter
- Resilience and socio-technical aspects
- Conclusions
- Future work (in ReSIST)

The Problem
- Highly adversarial: the system trying to cheat voters, voters trying to cheat the system, coercers trying to influence voters, voters trying to fool coercers, etc.
- The Ancient Greeks experimented with primitive technological solutions to try to shift trust from people (officials) to mechanical devices.
- In the US, technological devices for voting have been used for over a century: e.g., lever machines since 1887, punch cards, optical scan, touch screen, etc., prompted by the high incidence of fraud with paper ballots!
- All have problems; see "Steal this Vote", Andrew Gumbel.

The Computer Ate My Vote
- In the 2004 US presidential election, ~30% of the electorate used DRE (touch-screen) devices.
- Aside from "thank you for your vote for Kerry, have a nice day", what assurance do they have that their vote will be accurately counted?
- What do you do if the vote recording and counting process is called into question?
- Need to trust the (proprietary) software.
- The Voter Verifiable Paper Audit Trail (VVPAT) and the Mercuri method have been proposed.
- But paper trails are not infallible either.
- Nedap machines in the Netherlands, etc.

Florida 2000

The challenge
- Digital voting technologies hold out the promise of accessible and efficient democracy.
- We want high assurance that all votes are accurately recorded and counted, whilst maintaining ballot secrecy.
- The challenge is to reconcile these two conflicting requirements whilst minimising, ideally eliminating, dependence on the components of the scheme (devices, tellers, software, hardware, officials, etc.).
- The scheme needs to be usable and sufficiently understandable to be widely trusted.

Technical Requirements
Elections should be free and fair. Typical key requirements:
- (Unconditional) integrity: the count accurately reflects the votes cast.
- Ballot secrecy: the way a voter cast their vote should be known only to the voter.
- Voter verifiability: the voter should be able to confirm that their vote is accurately included in the count, and to prove to a third party if it is not (without having to reveal their vote).
- Universal verifiability: anyone should be able to verify the count.
- Availability: all eligible voters should be able to cast their vote without let or hindrance throughout the voting period.
- Ease of use, public understanding and trust, cost effectiveness, scalability, etc.

Assumptions
For the purposes of the talk we make many sweeping assumptions, e.g.:
- An accurate electoral register is maintained and available.
- Mechanisms are in place to ensure that voters can be properly authenticated.
- Existence of a secure Web Bulletin Board.
- Cryptographic algorithms are sufficiently secure.
- Etc.

Voter-verifiability in a nutshell
- Voters can confirm that their vote is accurately included in the count, but cannot prove to a third party how they voted.
- Voters are provided with an encrypted receipt.
- Copies of the receipts are posted to a secure Web Bulletin Board.
- Voters can verify that their (encrypted) receipt is correctly posted.
- A (universally) verifiable, anonymising tabulation is performed on the posted receipts.
- Checks (random audits) are performed at each stage to detect any attempt to corrupt the encryption or the decryption of the receipts.
- The guarantees of integrity do not depend on correct behaviour of software, hardware, officials, etc.

Voting with commuting diagrams
(Figure: a commuting diagram. Votes are encrypted (E) into Receipts, which are posted to the Web Bulletin Board; an anonymising Mix turns Receipts into Receipts*, which are decrypted (D = E^-1) into Votes*. The "Magic" arrow runs directly from Votes to Votes*: the diagram commutes, so the decrypted, mixed output must be exactly a permutation of the votes cast.)

Prêt à Voter
- The key innovation of Prêt à Voter is to encode the vote by randomising the candidate order.
- The voter experience is simple and familiar.
- Votes are not directly encrypted; only the frame of reference in which the votes are encoded is. Hence:
  - The vote recording device does not get to learn the vote.
  - No need for ZK proofs of correct encryption of votes, but the onus of proof shifts to showing the well-formedness of the ballot forms.
  - Avoids subliminal, kleptographic and side channels.
- Prior work: Chaum, Benaloh, Neff.

Typical Ballot Sheet
(The candidate order on each form is independently randomised. The left-hand half lists the candidates; the right-hand half carries the boxes and, at the bottom, the encrypted value that encodes the order.)

  Obelix     |
  Asterix    |
  Idefix     |
  Panoramix  |
  Geriatrix  |
             | $rj9*mn4r&8

Voter marks their choice

  Obelix     |
  Asterix    |
  Idefix     | X
  Panoramix  |
  Geriatrix  |
             | $rj9*mn4r&8

Voter's Ballot Receipt
(The receipt is the right-hand half only: it records the position of the mark and the encrypted order, not the candidate names.)

             |
             |
             | X
             |
             |
  Cast-valid | $rj9*mn4r&8
  449034729948

After the voting phase
- Once the election is closed, digital copies of the receipts are posted to the Web Bulletin Board (WBB).
- Voters can visit the WBB and confirm that their receipt appears correctly.
- Additionally, checks could be performed by independent entities between the (encrypted) paper audit trail and the posted receipts.
- A verifiable, anonymising tabulation is performed, with all intermediate stages posted to the WBB.

(Figure: the posted receipts, in Batch 1, Batch 2 and Batch 3, pass through Teller 1 and Teller 1'.)
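The ballot-form encoding, receipt and anonymising tabulation of the preceding slides (Prêt à Voter ballot sheet, receipt, and tabulation by a chain of tellers), together with the random audit of ballot forms that the "onus of proof" remark refers to, as an added example. It is not the authors' code nor any Prêt à Voter implementation. It follows the original cyclic-shift construction: each teller holds a seed inside a layered "onion", the printed candidate order is the canonical list shifted by the sum of the seeds' partial shifts, and each teller peels one layer, adds its partial shift to the marked row and shuffles its batch. Two assumptions are made so that it runs with the Python standard library only: each teller's public-key layer is stood in for by a symmetric keystream under a per-teller secret key (real Prêt à Voter uses public-key onions, and the enhanced variants use re-encryption mixes), and the candidate names and votes are constructed sample data.

```python
"""Toy Prêt à Voter pipeline: randomised-order ballot forms, receipts that carry
only the marked row and the onion, an anonymising teller chain, and the random
audit of ballot forms.  Added example, not the authors' code.
ASSUMPTION: a teller's public-key layer is modelled by a symmetric keystream
under a per-teller secret key, so the example runs with the standard library."""
import hashlib
import secrets

CANDIDATES = ["Obelix", "Asterix", "Idefix", "Panoramix", "Geriatrix"]  # constructed
N = len(CANDIDATES)
SEED_LEN = 16
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: toy stand-in for one teller's public-key layer."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def layer_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def layer_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def seed_shift(seed: bytes) -> int:
    """Each teller's seed contributes a partial cyclic shift of the candidate list."""
    return int.from_bytes(hashlib.sha256(seed).digest()[:4], "big") % N


def make_ballot(teller_keys):
    """Return (printed candidate order, onion).  The printed order is CANDIDATES
    shifted by the sum of the seeds' partial shifts; the onion wraps the seeds,
    outermost layer belonging to teller 0, so no single teller learns the shift."""
    seeds = [secrets.token_bytes(SEED_LEN) for _ in teller_keys]
    shift = sum(seed_shift(s) for s in seeds) % N
    onion = b""
    for key, seed in reversed(list(zip(teller_keys, seeds))):
        onion = layer_encrypt(key, seed + onion)
    return CANDIDATES[shift:] + CANDIDATES[:shift], onion


def cast_vote(order, onion, candidate):
    """The receipt is the right-hand half of the form: the marked row and the
    onion.  Without the shift, the row number says nothing about the vote."""
    return order.index(candidate), onion


def teller_pass(key: bytes, batch):
    """One teller: peel its layer from every onion, add its partial shift to the
    row index, and shuffle so that input and output rows cannot be linked."""
    out = []
    for index, onion in batch:
        inner = layer_decrypt(key, onion)
        seed, rest = inner[:SEED_LEN], inner[SEED_LEN:]
        out.append(((index + seed_shift(seed)) % N, rest))
    secrets.SystemRandom().shuffle(out)
    return out


def tabulate(teller_keys, receipts):
    """Run the receipts through every teller; the surviving index is the
    candidate's position in the canonical (unshifted) list."""
    batch = list(receipts)
    for key in teller_keys:
        batch = teller_pass(key, batch)
    tally = {c: 0 for c in CANDIDATES}
    for index, rest in batch:
        if rest != b"":
            raise ValueError("onion not fully peeled: wrong number of tellers")
        tally[CANDIDATES[index]] += 1
    return tally


def audit_ballot(teller_keys, order, onion) -> bool:
    """Random audit of a ballot form (an audited form is spoiled, not voted on):
    open the onion and check that the printed order is the one the seeds
    dictate.  A printer that prints a different order than the onion encodes
    would silently redirect votes; this check is what catches it."""
    batch = [(0, onion)]
    for key in teller_keys:
        batch = teller_pass(key, batch)
    shift, rest = batch[0]
    return rest == b"" and order == CANDIDATES[shift:] + CANDIDATES[:shift]


if __name__ == "__main__":
    keys = [secrets.token_bytes(32) for _ in range(3)]  # one secret per teller
    form, onion = make_ballot(keys)
    print("audited form well-formed:", audit_ballot(keys, form, onion))
    votes = ["Idefix", "Asterix", "Idefix"]  # constructed sample votes
    print(tabulate(keys, [cast_vote(*make_ballot(keys), v) for v in votes]))
```

Each teller pass is what would be posted to the WBB as an intermediate stage; because every pass shuffles, the link between a voter's receipt and a decrypted vote is broken as long as at least one teller keeps its permutation secret. The audit checks only well-formedness of forms, which is exactly the proof obligation the slide says replaces per-vote ZK proofs of correct encryption.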

Auditing the tellers
(Figure: Teller 1 and Teller 1'.)

Enhancements
- Vulnerability analysis.
- Randomising encryption and re-encryption mixes.
- Distributed generation of encrypted ballots.
- On-demand decryption and printing of ballot forms.
- (A variant of) the Adida/Rivest off-line audit mechanism.
- Coercion-resistant remote variants (with Cornell).
- Crypto-free, scratch card version.

Resilience aspects
- Cryptography-supported voter-verifiability promises much more integrity and privacy than paper systems.
- Run-time monitoring reduces the need for special, heavily verified machinery.
- But there is more to a voting system: error/attack detection does not make error/attack tolerance.
- Recovery is delegated to the human part of the system.

ICT fault tolerance in the election system
(Figure: Ballots from voting booths enter the Ballot processing system, which produces the Vote count; Adversaries mount Attacks on it; the Outputs from error checks become Triggers to external recovery/compensation mechanisms, e.g., recounts, prosecutions, re-run of the election.)

Effects of strong error detection
- Election corruption is made more difficult.
- But detected errors are expensive, so error recovery (automated and human) is important.
- Better coverage may shift attackers' preference, e.g. from attempting undetected vote corruption to simply sinking the election.
- Good integrity and privacy, but availability issues: e.g. DDoS attacks on bulletin boards?
- Increased requirements for the ICT support to be robust/resilient.

Wider socio-technical aspects
- The attacker's target might become simply the reputation of the election system.
- Implications cross the boundary between what can be designed (hardware, procedures) and political management.
- So, a range of issues:
  - from user-friendliness and the HCI of voting machines
  - to the choice of algorithms that the public will be able to trust
  - to ensuring that enough parties do perform the checks that anyone may perform
  - to ensuring correct perception of the trustworthiness of each specific election

Conclusions
We have presented a technical problem, some solutions:
- Maximal transparency (consistent with ballot secrecy).
- Accuracy independent of software, hardware, etc.
- High assurance of detection of corruption.
- Verify the election, not the system!
and open issues.

Conclusions (cont.)
- E-voting is a ReSIST problem par excellence:
  - large distributed system, complex dependability requirements, evolving threats
  - must work well the first time around, every time, implying a need for resilience
  - ICT entwined with users and their reactions

Future work
- Further enhancements (simplifications!?)
- Further analysis of the resilience of the system
- Investigate recovery mechanisms and strategies
- Investigate socio-technical aspects
- Investigate public understanding and trust
- Basis for a ReSIST case study