Kickoff Meeting E-Voting Seminar An Introduction to Cryptographic Voting Systems Andreas Steffen Hochschule für Technik Rapperswil andreas.steffen@hsr.ch A. Steffen, 27.02.2012, Kickoff.pptx 1
Cryptographic Voting Systems Summary: Due to repeated failures and detected vulnerabilities in both electro-mechanical and electronic voting machines, voters have somehow lost faith that the outcome of a poll always represents the true will of the electorate. Even more uncertain is electronic voting over the Internet which is potentially prone to coercion and vote-selling (this doesn t seem to be an issue in Switzerland). Manual counting of paper ballots is not really an option in the 21 st century and is not free from tampering either. Modern cryptographic voting systems allow true end-to-end verification of the complete voting process by any individual voter, without sacrificing secrecy and privacy. A. Steffen, 27.02.2012, Kickoff.pptx 2
E-Voting in my home town Schlieren Hidden PIN Internet-based voting does not have to be more secure as voting per snail mail Justice Department of the Canton of Zurich A. Steffen, 27.02.2012, Kickoff.pptx 3
[In]Security Features??? Protection from Man-in-the-Middle attacks A. Steffen, 27.02.2012, Kickoff.pptx 4
E-Voting Website A. Steffen, 27.02.2012, Kickoff.pptx 5
Voter Login A. Steffen, 27.02.2012, Kickoff.pptx 6
Ballot (PHP Form) A. Steffen, 27.02.2012, Kickoff.pptx 7
E-Voting in my home town Schlieren PIN A. Steffen, 27.02.2012, Kickoff.pptx 8
Voter Authentication A. Steffen, 27.02.2012, Kickoff.pptx 9
Transmission Receipt A. Steffen, 27.02.2012, Kickoff.pptx 10
Conclusion So what? You are not allowed to know. The exact transaction processing is kept secret due to security reasons Justice Department of the Canton of Zurich A. Steffen, 27.02.2012, Kickoff.pptx 11
Traditional Chain-of-Custody Security Sealing Software Verification Tallying Verification by proxy only Source: Ben Adida, Ph.D. Thesis 2006 A. Steffen, 27.02.2012, Kickoff.pptx 12
Desirable: End-to-End Verification by Voter Secrecy? Privacy? Source: Ben Adida, Ph.D. Thesis 2006 A. Steffen, 27.02.2012, Kickoff.pptx 13
End-to-End Auditable Voting System (E2E) Any voter can verify that his or her ballot is included unmodified in a collection of ballots. Any voter (and typically any independent party additionally) can verify [with high probability] that the collection of ballots produces the correct final tally. No voter can demonstrate how he or she voted to any third party (thus preventing vote-selling and coercion). Source: Wikipedia A. Steffen, 27.02.2012, Kickoff.pptx 14
Solution: Cryptographic Voting Systems Mixnet A B C Threshold Decryption A B C ElGamal / Paillier Tamper-Proof Bulletin Board Homomorphic Tallying Source: Ben Adida, Ph.D. Thesis 2006 A. Steffen, 27.02.2012, Kickoff.pptx 15
Proposed E2E Systems Punchscan by David Chaum. Prêt à Voter by Peter Ryan. Scratch & Vote by Ben Adida and Ron Rivest. ThreeBallot by Ron Rivest (paper-based without cryptography) Scantegrity II by David Chaum, Ron Rivest, Peter Ryan et al. (add-on to optical scan voting systems using Invisible Ink) Helios by Ben Adida (www.heliosvoting.org/) Selectio Helvetica by BFH (www.baloti.ch) Primevote by MSE graduates Christoph Galliker and Halm Reusser (www.smartprimes.ch) A. Steffen, 27.02.2012, Kickoff.pptx 16
Conclusion Modern Cryptographic Voting Systems allow true end-to-end verification of the whole voting process by anyone while maintaining a very high level of secrecy. Due to the advanced mathematical principles they are based on, Cryptographic Voting Systems are not easy to understand and are therefore not readily accepted by authorities and the electorate. But let s give Cryptographic Voting Systems a chance! They can give democracy a new meaning in the 21 st century! A. Steffen, 27.02.2012, Kickoff.pptx 17
E-Voting Literature and Simulators http://security.hsr.ch/msevote/ Collection of MSE E-Voting seminar papers E-Voting Simulator based on the Paillier Cryptosystem E-Voting Simulator on the Damgard-Jurik Cryptosystem Generalized Paillier, reduces to Paillier Cryptosystem with s = 1 Threshold Decryption with Distributed Keys issued by Trusted Dealer Assume generator g = n+1 ( = 1, = 1) The Paillier Cryptosystem, presented at the BFH E-Voting seminar A. Steffen, 27.02.2012, Kickoff.pptx 18
E-Voting Seminar Project Verifiable E-Voting System for Shareholder Meetings. Example: Novartis AG with 2 745 623 000 shares Item 1: Approval of the Annual Report and Financial Statements yes / no / abstention (32 bit field per option) Voter 1 Voter 2 Voter 3 Voter 4 Voter 5 Voter 6 Voter 7 Voter 8 Voter 9 Voter 10 Total 550 000 010 shares 500 000 010 shares 400 000 010 shares 350 000 010 shares 300 000 010 shares 150 000 010 shares 100 000 010 shares 50 000 010 shares 50 000 010 shares 50 000 010 shares 2 500 000 100 shares A. Steffen, 27.02.2012, Kickoff.pptx 19
E-Voting Seminar Project Tasks keysize, N, T Threshold Key Generation by Trusted Dealer 1 protected channel Partial Private Key i=1, Partial N, Private T, d, n Key i=n, N, T, d, n Paillier Cryptosystem keysize = 1536 bits V=10, N=5, T=3 Public Key n, g=n+1 Ballot Encrypt. 2 and ZKP by Voter v Encrypted Ballot v=1, Encrypted c, a[], Ballot e[], z[] v=v, c, a[], e[], z[] Partial Decrypt. by Trustee i Encrypted Tally ct ZKP Check 3 Weighted Tallying Shareholder Registry v[], w[] 4 Partiallly Decr. Tally i=1, Partial N, Private T, pt, n Key i=n, N, T, pt, n Threshold Decryption Decrypted Tally yes, no, abstention 5 A. Steffen, 27.02.2012, Kickoff.pptx 20
Conditions Goal: Restrict effort spent on project to 90 working hours (3 ECTS) Programming or scripting language: Arbitrary Program code without whistles and bells! No GUI required, may be a command line program. I/O Format: JSON Big numbers encoded as hexadecimal strings {"v":1,"c":"2fe698..daf57e"} Details of interface specification to be settled among tasks Deliverables: Commented program code and final test run data Slides of final presentation A. Steffen, 27.02.2012, Kickoff.pptx 21