Scratch & Vote: Self-Contained Paper-Based Cryptographic Voting

Transcription

1 Scratch & Vote: Self-Contained Paper-Based Cryptographic Voting Ben Adida Ronald L. Rivest 30 October 2006

2

3 The Next Harvard Pres!

4 Chain of Custody

5 Chain of Custody /* * source * code */ 1 if (... Vendor

6 Chain of Custody Voting Machine 2 /* * source * code */ if (... 1 Vendor

7 Chain of Custody Polling Location 3 Voting Machine 2 /* * source * code */ if (... 1 Vendor

8 Chain of Custody Polling Location 4 3 Voting Machine 2 /* * source * code */ if (... 1 Vendor Alice

9 Chain of Custody Polling Location 4 3 Voting Machine 2 /* * source * code */ if (... 1 Vendor Alice

10 Chain of Custody Polling Location 4 3 Voting Machine 2 /* * source * code */ if (... 1 Vendor Alice 5 Ballot Box Collection

11 Chain of Custody Polling Location 4 3 Voting Machine 2 /* * source * code */ if (... 1 Vendor Alice Results Ballot Box Collection

12 Chain of Custody Alice Polling Location 4 3 Voting Machine VVPAT 2 /* * source * code */ if (... 1 Vendor Results Ballot Box Collection

13 End-to-End

14 End-to-End Voting Machine /* * source * code */ if (... Vendor Polling Location

15 End-to-End Voting Machine /* * source * code */ if (... Vendor Polling Location Ballot Box / Bulletin Board Alice

16 End-to-End Voting Machine /* * source * code */ if (... Vendor Polling Location Ballot Box / Bulletin Board Results... Alice

17 End-to-End Voting Machine /* * source * code */ if (... Vendor Polling Location Ballot Box / Bulletin Board Results... Alice 1 Receipt

18 End-to-End Voting Machine /* * source * code */ if (... Vendor Polling Location Ballot Box / Bulletin Board Results... Alice 1 2 Receipt

19 Cryptographic End-to-End Voting Voting Machine /* * source * code */ if (... Vendor Polling Location Ballot Box / Bulletin Board Results... Alice 1 2 Receipt

20 Cryptographic Open-Audit End-to-End Voting Voting Machine /* * source * code */ if (... Vendor Polling Location Ballot Box / Bulletin Board Results... Alice 1 2 Receipt

21 Properties of OAV (1) Alice verifies her vote. (2) Everyone verifies tallying. (3) Alice cannot be coerced by Eve.

22 A Bulletin Board Bulletin Board Bridget: Clinton Carol: Rice

23 A Bulletin Board Bulletin Board Bridget: Clinton Carol: Rice Alice

24 A Bulletin Board Bulletin Board Alice: Rice Bridget: Clinton Carol: Rice Alice

25 A Bulletin Board Bulletin Board Alice: Rice Bridget: Clinton Carol: Rice Tally Rice...2 Clinton...1 Alice

26 An Encrypted Bulletin Board Bulletin Board Alice: Rice Bridget: Clinton Carol: Rice Tally Rice...2 Clinton...1 Alice

27 Verification Ballot Data Flow

28 Alice Bridget encryption Encrypted Votes Verification Ballot Data Flow

29 Alice Bridget encryption Encrypted Votes Verification Ballot Data Flow

30 Alice Bridget encryption Encrypted Votes anonymization Verification Ballot Data Flow

31 decryption Alice Bridget encryption Encrypted Votes anonymization Verification Ballot Data Flow

32 decryption Alice Bridget encryption Encrypted Votes anonymization Tally Results Verification Ballot Data Flow

33 decryption Alice Bridget encryption Encrypted Votes anonymization Tally Registration Database Results Verification Ballot Data Flow

34 The Need for Simple

35 The Need for Simple Too complicated = disenfranchisement. voter experience needs to be almost as simple as it is today

36 The Need for Simple Too complicated = disenfranchisement. voter experience needs to be almost as simple as it is today Intuitive enough for officials to adopt

37 The Need for Simple Too complicated = disenfranchisement. voter experience needs to be almost as simple as it is today Intuitive enough for officials to adopt But... let s not expect everyone to understand everything.

38 Continuing the Simplicity Trend Chaum s Punchscan Ryan s Prêt-à-Voter Benaloh s simple cryptographic voting

39 Scratch-and-Vote Experience

40 Charlie Adam Bob Bob DavidCharlie David Adam 1. Receive two ballots.

41 Charlie Adam Bob David Charlie Adam Bob David r 1 r 2 r 3 r 4 2. Choose one randomly for auditing by scratch-off.

42 Bob Charlie David Adam 3. Vote.

43 arlie Bob David Adam Adam Bob Charlie David Charlie Bob Adam David Bob Charlie David Adam 4. Tear & Discard left half of ballot.

44 5. Tear & Discard scratch-off. Scan & take home

45 Tallying

46 Bulletin Board Alice Bridget Carol

47 PARAMETERS #1 - Adam #2 - Bob #3 - Charlie #4 - David M=28, Key = pk Bob Charlie David E pk (2 28 ; r 1 ) E pk (2 56 ; r 2 ) E pk (2 84 ; r 3 ) E pk (2 0 ; r 4 ) Adam H(pk) r 1 r 2 r 3 r 4

48 Homomorphic Tallying Vote for Adam Vote for Bob Vote for Charlie Vote for David Sample Tally [B+2001, P1999]

49 Proof of Ballot (NIZK)

50 Proof of Ballot (NIZK) Malicious Voter submits: Enc(1000)

51 Proof of Ballot (NIZK) Malicious Voter submits: Enc(1000) in S&V, ciphertexts are picked ahead of time

52 Proof of Ballot (NIZK) Malicious Voter submits: Enc(1000) in S&V, ciphertexts are picked ahead of time but... what if election officials collude with a voter to throw the election with a bad ballot?

53 Proof of Ballot (NIZK) Malicious Voter submits: Enc(1000) in S&V, ciphertexts are picked ahead of time but... what if election officials collude with a voter to throw the election with a bad ballot? election officials must prepare proofs of correct ballot form ahead of time, on bulletin board (~80K per full ballot).

54 Practical Considerations 5 questions, 5 options per question. Ballot Verification: less than a second. Barcode Encoding: PDF417 open standard. Barcode Size: 10 square inches of barcode for a full sheet visual ballot. Proof Time: ~3 seconds per ballot.

55 Limitations Write-in Votes: not supported Take-Home Receipt: not currently legal

56 Scratch & Vote Personal Verification: scratch and verify Open-Audit: anyone can verify the tally Incoercible: voting booth & encryption Simple: common & cheap tech, process is close to current voting.

57 Questions?