Swiss E-Voting Workshop 2010


Swiss E-Voting Workshop 2010
Verifiability in Remote Voting Systems
September 2010
Jordi Puiggali, VP Research & Development, Jordi.Puiggali@scytl.com

Index
- Auditability in e-voting
- Types of verifiability
- Verifiability methods for e-voting
- Conclusions

Auditability in traditional voting
[Diagram: voter, electoral board, observers/auditors and results, all handling tangible physical elements]
- Votes and processes (e.g., counting) are based on tangible elements.
- Audits can be done by voters, observers and independent auditors by human means while the processes are carried out.
- Observers can monitor the behaviour of other observers to detect fraud.

Auditability in postal voting
[Diagram: voter, postal vote, postal service, electoral board, observers/auditors, results]
Auditing the vote delivery process and the storage of votes in the ballot box is difficult if not impossible:
- Voters can only verify the selection they made; they cannot verify that the same vote is received by the electoral board.
- Observers can audit the opening of the votes stored in the ballot box, but they have no access to the vote delivery process and only limited access to the process of storing the postal votes in the ballot box.

Auditability in e-voting
[Diagram: voter, e-vote, e-ballot box, electoral board, e-results and observers/auditors, all within a logical environment]
Votes and processes happen in a logical dimension:
- Audits cannot be done by human means.
- It is difficult to monitor the behaviour of other observers.

Index
- Auditability in e-voting
- Types of verifiability
- Verifiability methods for e-voting
- Conclusions

Types of verifiability: based on who can verify
Individual verifiability
- This verification process is voter-centred: only the voter who casts the vote is able to carry out the verification.
- It focuses on preserving voter privacy and preventing vote selling and coercion.
Universal verifiability
- This verification process is aimed at the public and is therefore not restricted to voters.
- It focuses on auditing the correct behaviour of the election processes, such as vote decryption and counting.
- To preserve voter privacy, universal verifiability must not allow individual votes to be traced back to voters.

Types of verifiability: based on what is verified
Cast as intended
- The main objective is to allow voters to verify that their cast votes really represent their intent.
- This verification is individual (only the voter knows her intent).
Recorded as cast
- The main objective is to confirm that the voter's intent has been properly stored (recorded) in the ballot box.
- This verification is mainly individual (only the voter knows her intent).
Counted as recorded
- The objective is similar to any open audit process in traditional elections: auditors and observers can verify that the votes belong to valid voters and are not manipulated when counted.
- This verification supports individual verification (presence of the voter's vote in the ballot box used for counting) and universal verification (verification of the ballot box opening process).
End-to-end verification = cast as intended + recorded as cast + counted as recorded

Types of verifiability: verifiability and election processes
[Diagram: vote preparation -> vote casting -> vote reception (electoral board) -> vote counting -> results. Cast as intended and recorded as cast are individual verifiability by the voter; counted as recorded is individual plus universal verifiability, carried out by election observers/auditors]

Individual verifiability: cast as intended risks
Postal voting scheme:
- The voter herself puts the ballot with her voting preferences in the envelope.
- Cast as intended verification is inherent to this scheme.
Remote electronic voting scheme:
- Voter preferences are represented as an electronic vote.
- The voter cannot verify by human means whether the electronic vote really represents her intent.
- Encryption and digital signatures prevent manipulation but do not provide verifiability.
[Diagram: voting options -> vote preparation -> e-vote, with malicious software acting on the vote preparation step]

Individual verifiability: recorded as cast risks
Postal voting scheme:
- The vote can be intercepted, deleted or modified while being transported to the counting centre.
- The voter has no means to ensure that the vote received by the election officials contains her intent.
Remote electronic voting scheme:
- The vote can be intercepted, deleted or modified while being sent to the voting platform.
- Encryption and digital signatures prevent manipulation but do not provide verifiability.

Universal verifiability: counted as recorded risks
Postal voting scheme:
- The storage of the postal votes is not easy for auditors to monitor.
- Mainly the counting process can be directly overseen by observers and independent auditors to ensure the integrity of the results.
Remote electronic voting scheme:
- Votes and processes happen in a logical dimension: audits cannot be done by human means.
- Malicious software or intruders could change the values of the received votes or change the behaviour of the counting process to influence the election results.
[Diagram: vote counting -> results, audited by observers/auditors]

Index
- Auditability in e-voting
- Types of verifiability
- Verifiability methods for e-voting
- Conclusions

Verification techniques
- Vote encryption challenge: cast as intended
- Return codes: cast as intended and recorded as cast
- Bulletin board: recorded as cast
- Voting receipts: counted as recorded
- Universally verifiable decryption (homomorphic tally, universally verifiable mixing): counted as recorded

Audit processes in remote e-voting: cast as intended verification, vote encryption challenge
- The vote is encrypted and the application generates an encryption proof (e.g., a hash of the encrypted vote).
- The voter can challenge the application to verify the proper encryption of the vote before casting it:
  - Challenge: the voter asks the application to show the secret random parameters used to encrypt the vote.
  - Verification: the voter uses the random parameters and the encryption proof to verify whether the encrypted vote contains her intent.
  - New encryption: the vote is encrypted again with new random parameters, and a new encryption proof is generated.
- Probabilistic verification.
[Diagram: voting options -> vote preparation -> e-vote; the voter either challenges (verify, extract voting options) or sends the vote]
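The challenge described on this slide, as an added example that is not part of the original presentation or of any Scytl product: the voting application commits to a ciphertext by showing its hash, and a voter who challenges instead of casting receives the randomness and re-encrypts her real intent to compare. Exponential ElGamal over a toy group, a single trustee and the option encoding g^option are assumptions made for the example; a cheating client that encrypts a neighbouring option is caught whenever it is challenged.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this example and far too small for real use:
# p = 2q + 1 is a safe prime and g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Election key pair (assumes a single trustee): private x, public h = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(h, option, r):
    """Exponential ElGamal: the chosen option index is encoded as g^option."""
    return pow(G, r, P), (pow(G, option, P) * pow(h, r, P)) % P

def encryption_proof(ct):
    """The encryption proof shown to the voter: a hash of the encrypted vote."""
    return hashlib.sha256(f"{ct[0]}:{ct[1]}".encode()).hexdigest()

class VotingApp:
    """Voting client. With cheat=True it encrypts a different option than the voter
    picked, i.e. the malicious-software risk the challenge is meant to detect."""

    def __init__(self, h, cheat=False):
        self.h, self.cheat = h, cheat

    def prepare(self, option):
        """Encrypt the vote and commit to it by returning the encryption proof.
        The app must commit before it knows whether the voter casts or challenges."""
        self.option = option
        self.r = secrets.randbelow(Q - 1) + 1
        encoded = option + 1 if self.cheat else option
        self.ct = encrypt(self.h, encoded, self.r)
        return encryption_proof(self.ct)

    def challenge(self):
        """Reveal the randomness behind the committed ciphertext. The revealed vote
        is spoiled, so the app re-encrypts with fresh randomness and a new proof."""
        r, ct = self.r, self.ct
        new_proof = self.prepare(self.option)
        return r, ct, new_proof

def voter_verifies(h, intent, proof, r, ct):
    """Voter (or an independent helper device) re-encrypts her real intent with the
    revealed randomness and checks it against the ciphertext the app committed to."""
    return encrypt(h, intent, r) == ct and encryption_proof(ct) == proof

def run_session(cheat, intent=2):
    """Returns True if the challenge passes (the app encrypted the voter's intent)."""
    _x, h = keygen()
    app = VotingApp(h, cheat=cheat)
    proof = app.prepare(intent)
    r, ct, _new_proof = app.challenge()
    return voter_verifies(h, intent, proof, r, ct)
```

The check is probabilistic in the sense of the slide: a client that cheats only on ballots that are never challenged is not detected, so the deterrent depends on voters (or auditors) challenging often enough.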

Audit processes in remote e-voting: return codes (cast as intended and recorded as cast verification)
- The voter has a Voting Card with a set of voter-unique Return Codes related to the voting options.
- When a vote is cast, the voting platform calculates Return Codes from the received encrypted vote and sends them to the voter.
- The voter uses the Voting Card to verify that the received Return Codes match her selected candidates.
- Usually two approaches:
  - Pre-encrypted ballots: the Voting Card also contains vote casting codes per candidate.
  - Voter-encrypted ballots: the vote is encrypted in the voting terminal (no pre-encrypted codes per candidate).
[Diagram: remote voter -> e-vote -> voting server -> Return Code -> voter checks the Return Code against the Voting Card]

Audit processes in remote e-voting: Bulletin Boards
- Generic tool for verifiability, usually used for recorded as cast verification.
- Public broadcast channel/repository where:
  - Election data (e.g., encrypted votes) is published only by authorized parties.
  - Once published, data cannot be deleted or modified.
- The list of received votes can be published on the Bulletin Board, so voters can verify that their votes have been properly received and stored.
- Sensitive data (e.g., votes linked to voting order or to voter identities) should not be published, for privacy reasons.
[Diagram: voter verifies her e-vote against the list of received votes on the Bulletin Board]

Audit processes in remote e-voting: counted as recorded verification, Voting Receipts
- When a vote is received by the voting platform, a Voting Receipt is generated and sent to the voter.
- Voting Receipts are generated and published at the time of vote counting: voters can verify the presence of their votes during the counting process by checking the list of Voting Receipts.
- Voting Receipts are digitally signed to prevent bogus complaints.
- Usual approaches:
  - Receipts based on random challenges
  - Receipts based on a hash of the encrypted vote
[Diagram: remote voter -> e-vote -> Voting Receipt; at counting, the list of Voting Receipts is published next to the results and the voter verifies her receipt against it]
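The two slides above (Bulletin Board and hash-based Voting Receipts) in code, as an added example not taken from the presentation: receipts are hashes of the encrypted vote, the board chains each published receipt to the previous one so that a deleted or altered entry is detectable by anyone who recomputes the chain, and the voter only needs her own receipt to check presence. The hash-chain construction, the entry format and the sample votes are constructed for this example; the digital signature on receipts that the slide mentions is left out.

```python
import hashlib

def sha(*parts):
    """Hex SHA-256 over the joined parts (constructed helper for this example)."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def receipt_for(encrypted_vote):
    """Receipt of the 'hash of the encrypted vote' kind; reveals nothing about the plaintext."""
    return sha("receipt", encrypted_vote)

class BulletinBoard:
    """Append-only public list. Entries hold only receipts, never voter identities or
    the order in which voters arrived, to respect the privacy caveat on the slide."""

    def __init__(self):
        self.entries = []  # (receipt, chain_hash) with chain_hash = H(previous chain_hash, receipt)

    def publish(self, receipt):
        prev = self.entries[-1][1] if self.entries else "genesis"
        self.entries.append((receipt, sha(prev, receipt)))

def audit_chain(entries):
    """Universal check: anyone can recompute the chain from the published entries.
    Removing or rewriting an entry breaks the link of every entry after it."""
    prev = "genesis"
    for receipt, chain_hash in entries:
        if sha(prev, receipt) != chain_hash:
            return False
        prev = chain_hash
    return True

def voter_check(entries, my_receipt):
    """Individual check: the board is intact and my receipt is on it."""
    return audit_chain(entries) and any(r == my_receipt for r, _ in entries)

def demo():
    """Returns (honest board passes, board with my vote removed passes, its chain audits)."""
    board = BulletinBoard()
    # Constructed sample: hex strings standing in for three received encrypted votes.
    encrypted_votes = ["0a1b2c3d", "4e5f6071", "8293a4b5"]
    my_receipt = receipt_for(encrypted_votes[1])
    for ev in encrypted_votes:
        board.publish(receipt_for(ev))
    # An insider silently drops the second vote but keeps the other published hashes.
    tampered = [entry for entry in board.entries if entry[0] != my_receipt]
    return voter_check(board.entries, my_receipt), voter_check(tampered, my_receipt), audit_chain(tampered)
```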

Audit processes in remote e-voting: counted as recorded verification, universally verifiable decryption
Objective:
- Audit process based on the input and output data of the counting process.
  - Inputs: encrypted votes.
  - Outputs: decrypted votes / decrypted result, plus cryptographic proofs of correct behaviour of the cryptographic processes (e.g., zero-knowledge proofs).
- The audit process must preserve the privacy of voters and the integrity of the election.
- It must not allow encrypted votes to be correlated with decrypted ones.
[Diagram: input (encrypted votes) -> counting process -> outputs (decrypted votes/result, proofs P of correct behaviour) -> verification process]

Audit processes in remote e-voting: homomorphic tally
- The encrypted votes are combined, and the result of this operation is then decrypted.
- The decryption result is the corresponding operation (by the homomorphic property) on the plaintext votes, for instance the number of times each voting option has been selected.
- Verification:
  - Anyone can compute the combination of the encrypted votes.
  - The process generates proofs of correct decryption of the result that can be verified by anyone.
[Diagram: encrypted votes (published) -> aggregation -> encrypted aggregation (published) -> decryption -> results and proofs P (published); verification at each published step]
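The homomorphic tally with a publicly checkable proof of correct decryption, as an added example not taken from the presentation: every voter's encrypted 0/1 vote for one option is published, anyone multiplies the ciphertexts to obtain an encryption of the sum, and the trustee decrypts the sum together with a Chaum-Pedersen proof that the decryption used the key behind the election public key. The toy group, the single trustee and the Fiat-Shamir challenge derivation are assumptions of this example.

```python
import hashlib
import secrets

# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 is a safe prime and g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def encrypt(h, value, r):
    """Exponential ElGamal of value (1 = option selected, 0 = not selected)."""
    return pow(G, r, P), (pow(G, value, P) * pow(h, r, P)) % P

def aggregate(ciphertexts):
    """Anyone can multiply the published ciphertexts: the product encrypts the sum."""
    a = b = 1
    for c1, c2 in ciphertexts:
        a, b = (a * c1) % P, (b * c2) % P
    return a, b

def fiat_shamir(*values):
    """Non-interactive challenge derived from the proof transcript."""
    data = ":".join(str(v) for v in values).encode()
    return int(hashlib.sha256(data).hexdigest(), 16) % Q

def decrypt_with_proof(x, h, agg, max_tally):
    """Trustee publishes d = c1^x, the tally, and a Chaum-Pedersen proof that
    log_g(h) = log_c1(d), i.e. that d was formed with the election private key."""
    c1, c2 = agg
    d = pow(c1, x, P)
    w = secrets.randbelow(Q - 1) + 1
    t1, t2 = pow(G, w, P), pow(c1, w, P)
    e = fiat_shamir(h, c1, d, t1, t2)
    s = (w + e * x) % Q
    g_m = (c2 * pow(d, Q - 1, P)) % P              # c2 / d = g^tally (d has order q)
    tally = next(m for m in range(max_tally + 1) if pow(G, m, P) == g_m)
    return tally, (d, e, s)

def verify_tally(h, agg, tally, proof):
    """Public verification: rebuild the commitments from the response and check the tally.
    Relations checked: g^s = t1 * h^e and c1^s = t2 * d^e, then g^tally = c2 / d."""
    c1, c2 = agg
    d, e, s = proof
    t1 = (pow(G, s, P) * pow(h, Q - e, P)) % P    # h^(q-e) = h^(-e) in the order-q group
    t2 = (pow(c1, s, P) * pow(d, Q - e, P)) % P
    if fiat_shamir(h, c1, d, t1, t2) != e:
        return False
    return pow(G, tally, P) == (c2 * pow(d, Q - 1, P)) % P

def run_election(votes):
    """Returns (tally, honest proof verifies, a shifted tally verifies)."""
    x = secrets.randbelow(Q - 1) + 1
    h = pow(G, x, P)
    cts = [encrypt(h, v, secrets.randbelow(Q - 1) + 1) for v in votes]
    agg = aggregate(cts)
    tally, proof = decrypt_with_proof(x, h, agg, len(votes))
    return tally, verify_tally(h, agg, tally, proof), verify_tally(h, agg, tally + 1, proof)
```

The slide's scalability caveat is visible here: one ciphertext per option per voter, so a race with k options costs k encryptions and k proofs per ballot.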

Audit processes in remote e-voting: universally verifiable mix-nets
- Several nodes shuffle and re-encrypt/decrypt the votes to break the correlation between the original input order and the output order.
- The shuffled and re-encrypted/decrypted votes output by one node are used as the input of the next one.
- The vote contents are obtained (decrypted) at the last node.
- Verification:
  - Each mix-node computes proofs of correct shuffling and correct re-encryption/decryption.
  - All proofs are verifiable by anyone, to detect whether the input and output votes are based on the same original votes (i.e., have not been changed).
[Diagram: encrypted votes -> mix-node (proofs P) -> mix-node (proofs P) -> mix-node (proofs P) -> decryption (proofs P) -> decrypted votes -> results; each stage verified]

Audit processes in remote e-voting: analysis (i)
Vote encryption challenge
- Pros: does not require logistics (e.g., Voting Cards).
- Cons: usability problems (voters need the assistance of mathematical tools to verify); does not provide recorded as cast verification (voting receipts are required to achieve it).
Return codes, pre-encrypted ballots
- Pros: usability (vote verification is done by comparing codes).
- Cons: vote cards can be manipulated to cheat the voter; logistics (requires delivering vote cards to the voters).
Return codes, voter-encrypted ballots
- Pros: usability (vote verification is done by comparing codes); more robust against manipulation of vote cards.
- Cons: logistics (requires delivering vote cards to the voters).
Bulletin Board
- Pros: facilitates the universal verification of the election.
- Cons: could compromise voter privacy in the long term if not properly implemented.

Audit processes in remote e-voting: analysis (ii)
Voting receipts, hash value
- Pros: prevents disclosure of the encrypted/decrypted votes.
- Cons: requires universally verifiable methods to achieve counted as recorded properties.
Voting receipts, challenge value
- Pros: prevents disclosure of the encrypted/decrypted votes; allows verification of the proper decryption of the vote (partial counted as cast verification).
- Cons: requires universally verifiable methods to achieve full counted as recorded properties.
Universally verifiable homomorphic tally
- Pros: fast method for simple (selection only) and small (few candidates) elections.
- Cons: flexibility (does not support write-in candidates and has problems with preferential elections); scalability (the number of encryption operations per voter is proportional to the number of possible voting options).
Universally verifiable mixing
- Pros: flexibility (poses no limitations on the format of the vote); scalability (drastic reduction of cryptographic operations in medium/large elections).
- Cons: slower in small elections (compared with the homomorphic tally).

Index
- Auditability in e-voting
- Types of verifiability
- Verifiability methods for e-voting
- Conclusions

Conclusions
- Remote voting schemes pose verifiability issues:
  - Postal voting: some processes cannot be verified by the voter or by auditors (recorded as cast verification).
  - Remote electronic voting: voting processes are carried out in a logical dimension.
- Individual and universal verification processes need to provide the following properties to be end-to-end verifiable: cast as intended, recorded as cast, counted as recorded.
- Advanced cryptographic techniques focus on achieving these verification properties.
- No single technique achieves all the objectives, so multiple techniques must be combined.
- It is important to analyze and understand the limitations and drawbacks of the techniques before designing a final solution.

Questions
Any questions?