comp3441 lecture 11: votingmeyden/3441/w11.pdf · not just history some recent news: i (oct 6,...

COMP3441 Lecture 11: Voting

Ron van der Meyden

(University of New South WalesSydney, Australia)

May 27, 2013

R. van der Meyden COMP3441 Lecture 11: Voting

Overview

I Voting Requirements

I Some vote manipulation history

I Vote Counting Schemes

I Paper Secret Ballots

I Voting Machines

I Voting Protocols

I Attacks on Voting Protocols


Voting

A process whereby the preferences of a group of people(nation, state, electorate, party, organisation, shareholders) arecombined to make a decision on some matter, e.g.,

I Election: Which of a set of candidates is to represent theelectorate in parliament?

I Referendum: Should Australia become a republic or not?

I Approval: Should the CEO be remunerated asrecommended by the Board?


Voting reflects multiple security engineering concerns

I Protecting an ideal system behaviour against deliberateattempts to perturb it

I Multiple interacting parties with differing interests: voters,election authorities, parties/candidates up for election

I Very high value asset: e.g., control of society & its assets,ability to make the rules

I High levels of mistrust, much history offraud/manipulation attempts


Electoral Fraud/Manipulation Techniques

I Electoral Roll falsification (e.g., register dead people,babies)

I Multiple Voting

I Ballot Box Stealing

I Ballot Stuffing

I Vote Buying

I Voter Coercion

I Coercion of Electoral Officials


Ballot Stuffing


Gerry-Mandering

Cartoon from Boston Centinel, 1812, of an electoral districtconstructed to favour party of Mass. Governor Elbridge Gerry

Not unknown in Australia:http://en.wikipedia.org/wiki/Bjelkemander


Not just history

Some recent news:

I (Oct 6, 2011) Bulgarian Nicola Yanakiev charged withvote-buying: possesses records of 100+ votes at EUR 50per vote

I (Sep 22, 2011) 65% of the voters on the roll inBalochistan (Pakistan) are fake

I (Sep 22, 2011) Taiwan prosecutors investigate claims ofvote-buying by legislator who holds barbecue party forvoters.

I (Sep 20, 2011) Kentucky county official sentenced to 1year gaol for buying votes for his own reelection.


A more subtle variant?

(Oct 2, 2011) New York mayor Bloomberg in court caseagainst John Hagerty.

Bloomberg paid Hagerty $1M to provide “ballot security”.......a contentious practice that proponents claim ensurescorrectness of the vote, but is argued to actually be intendedto “intimidate minority voters by posting armed poll watchers”

(Hagerty used the money to buy a house instead!)


Vote Counting Rules

Many different approaches in use!

When a vote is a choice of a single candidate:

I First past the post: candidate with the highest number ofvotes wins

I Multiple round:I Runoff: top two candidates progress to second roundI exhaustive ballot: in each round, candidate with the

least votes drops out


Preferential voting: a vote is a ranking of candidates

I Instant runoff: candidate with least 1st preferenceseliminated, votes redistributed to second preference etc(until someone over 50%) (Australian Parliament)

I Single transferable vote (for electing multiple candidates):(fractional or random) excess votes for candidates thathave reached quota are redistributed according topreferences, then votes of lowest rank candidate areredistributed (Australian Senate)

I Copeland’s method: order candidates by the number ofpairwise victories, minus the number of pairwise defeats

I Many others...

These can yield diverse outcomes for the final decision,particularly in close races


Voting System Security Requirements

Given a voting Rule R , even in the face of determined attacks,the system should satisfy

I Integrity: the outcome of the vote = R applied to the setof votes that the voters intended to cast⇒ integrity at each step:

intention → official record of vote → final count

I Verifiability: breaches of integrity can be detected

I Voter Privacy/Anonymity: It is not possible for anotherparty to determine how a particular voter voted.

I Receipt-Freedom: a voter cannot prove to another thatthey cast a particular vote.


Verifiability

I Individual: a voter can verify that their vote has beencounted as cast

I Public: anyone can verify that the votes cast have beencounted correctly

I End-to-end: all steps of the process can be verified(possibly through a mix of public-private checks)


Voter Privacy/Anonymity

Defining this precisely requires some care:

Example: an election with three voters (Alice, Bob, Carol)each placing one vote for two candidates Yvonne and Ziggy.

Outcome: Ziggy wins by three votes to none. How did Alicevote?

Careful statement: Let V = {v1 . . . vn} be the n voters and letB = {b1, . . . , bn} be their n votes as cast. Based on thepublicly available evidence from the voting process, every pairof injective functions f , g : V → B should be equally likely asan association between the voters and the votes.


Receipt Freedom

A vote buyer/coercer would like to get evidence that theperson whose vote they sought to buy/coerce voted as theywished.

A scheme is receipt free if the voter does not receive anyevidence that can be used to prove to another party how theyvoted.

Problem: This conflicts with voter verifiabilty, where receiptshelp a voter to check that their vote has been included in thecount.


Example: Australia Paper Ballot Process

I Authentication process for registration/address changesto electoral roll

I proof of IDI personal reference

I Voting at multiple locations, no authentication of voters

I Line struck through name of voter on electoral roll beforeissuing ballot paper

I Voter marks ballot paper in pencil in private voting booth

I Voter places ballot paper in ballot box

I Ballot boxes opened and counted, observed by scrutineersfrom parties to election


Example: Australia Paper Ballot Process

Security largely based on physical security and audit

E.g., protections against multiple voting, as self or others

I Integrity of electoral roll verified through comparison withother data sources, door-knocks by Electoral Commissionand political parties

I Copies of electoral roll from different voting boothscompared to detect multiple votes

I Electoral Commission/police investigation of multiplevotes

I Election invalidated if the extent of multiple voting isenough to have changed outcome


Do Australian Paper Ballots satisfy the properties?

I Vote Integrity: yes, subject to physical security, verifiedchain of custody of ballot boxes

I Verifiability:I individual verifiability: not directly (no receipt received)I public verifiability: yes, security of ballots and count

verified by scrutineers

I Voter anonymity: yes, ballot marked in private, notlinkable to voter

I Receipt Freedom: no direct receipt, but, particularlysenate elections


Italian Attack

I Used by mafia in Italian elections

I Ordering on low ranked candidates used to encode aunique identifier of the voter

I Allows coercer/vote buyer to verify that vote by aparticular voter is as instructed

I Led to abandonment of preferential voting in Italy

I (on the plus side, a voter can use it to verify their vote, ifballots are published!)

Australian Senate Ballot papers have a very large number ofcandidates, so are susceptible: e.g.,http://en.wikipedia.org/wiki/Candidates_of_the_

Australian_federal_election,_2010#New_South_

Wales_2


http://en.wikipedia.org/wiki/Candidates_of_the_Australian_federal_election,_2010#New_South_Wales_2



Another form of receipt: photographic image of ballot paper(e.g., with mobile phone)

Coerced voter can defeat coercion by revising their vote afterphotographing


Chain voting attack

1. Coercer obtains a single blank ballot paper

2. fills it according to their preference

3. gives to a coerced voter, with instructions to cast this astheir vote and return with a fresh blank ballot

4. go to step 2


Voting machine technology

Particularly in US, public demands for fast counts has lead toadoption of voting machinesFederal Votes managed at State government level, largediversity of technologies:

I paper

I punched card

I optical card

I direct recording electronic voting machines


Attacks on Voting Machines

I Voter Privacy attack on Dutch Nedap voting machineshttp://www.youtube.com/watch?v=B05wPomCjEY

I Princeton Virus attack on Diebold machinehttp://www.youtube.com/watch?v=kDEBMp6uwdc

I Man in the Middle hardware attack on Diebold VotingMachineshttp://www.youtube.com/watch?v=DMw2dn6K1oI

I Panel Tampering Attack on Sequoia Voting Machine (Sep2011)http://www.youtube.com/watch?v=6ClrHPShljM


http://www.youtube.com/watch?v=B05wPomCjEY

http://www.youtube.com/watch?v=kDEBMp6uwdc

http://www.youtube.com/watch?v=DMw2dn6K1oI

http://www.youtube.com/watch?v=6ClrHPShljM

Responses

Demands by researchers that

I voting machines print a paper audit record that is verifiedby the voter

I software and hardware designs be open sourced to allowfor evaluation

Software used in ACT Government elections is open source:http://www.elections.act.gov.au/elections_and_

voting/electronic_voting_and_counting

Allowed ANU researchers to find a bug in counting softwarethat could have altered the outcome of an election.


http://www.elections.act.gov.au/elections_and_voting/electronic_voting_and_counting

http://www.elections.act.gov.au/elections_and_voting/electronic_voting_and_counting

Chaum Mixnets

An approach to combining voter verifiability, voter anonymityand integrity:

I ballot paper is encrypted so that it does not reveal thevote (anonymity), voter receives a copy

I encrypted ballots are posted on a website, so voter cancheck their vote is included (voter verifiability)


I encrypted votes are randomly shuffled by a sequence oftrustees as part of the decryption process, but the shuffleremains a secret (maintaining anonymity)

I the shuffle can be audited for correctness (with highprobability) (public verifiability) without revealing theconnection between encrypted and decrypted votes.(maintaining anonymity)


Decryption Mixnets

In decryption mixnets, each trustee T publishes a public key Kand retains a secret key K−1

Inputs to trustee are messages Ci = {ri ,Mi}K , where

I ri is random padding

I Mi is a message

Trustee decrypts, retains ri , shuffles the Mi and publishes theshuffle

Several levels of trustees with public keys K1, . . .Kn gives anonion:

{r1, {r2, {r3, . . .}Kn . . .}K2}K1


Randomized Partial Checking

To verify that a trustee has correctly decrypted and shuffled(and not interfered with the votes):

I Independent auditor randomly selects half of themessages Ci

I Trustee required to reveal the message mapping Ci → Mj

and pad riI auditor verifies that {ri ,Mj}K = Ci

After two trustee phases, with in-edge audited iff out-edge notaudited, randomized Partial Checking verification reduces theset of possible sources for each output value to 1/2 of theinputs.


Repeat to further reduce attacker knowledge ...


Useability

For this idea to be practically useable by (cryptographicallynaive) voters, the crypto aspects need to be turned intosomething they can understand.

Several approaches:

I Chaum: visual cryptography

I Ryan et al: (Pret a Voter) randomized ordering ofcandidates on ballot.


Visual Cryptography

Invented by Shamir and Naor in 1994:

Plaintext (could be image) is spread across a number oftransparencies, when overlaid this reconstructs the (essenceof) the original

A demo:http://leemon.com/crypto/VisualCrypto.html


http://leemon.com/crypto/VisualCrypto.html

In Chaum’s voting application

I one (randomly chosen) sheet (with random unique ID) iskept as voter receipt, and a copy is cast (the otherdiscarded)

I Voter verifies vote on bulletin board by overlaying withrecorded vote to check identity


Pret a Voter

Abbot

Gillard

Brown

Rudd

Tenzin Gyatso X

Stalin

2G789KK3e5


I Ballot has candidates in random order

I Ballot identifier is onion encryption of candidate order +nonces

I Voter receives copy of right half as receipt, verifies this isposted on bulletin board

I mixnet operations use nonces to shuffle candidate orderon ballots cast, while maintaining correspondence


Security Properties

Privacy:

I Ballot as cast/posted on bulletin board does not identifyvoter or their vote

I mixnet, even after audit, (very probably) does not linkballot cast to final decrypted version

Breaching privacy would require

I Linking voter to ballot ID (e.g. steal/coerce receipt)

I Breach/corruption of sufficient trustees to form a chainto final unencrypted ballot


Integrity & Verifiability

Voter Verifiability using receipts

Trustee audit gives probabilistic guarantee on chain todecrypted

Count can be publicly verified from publication of decryptedballots


Receipt Freedom

Lack of linking of receipt and unecrypted ballot means receiptis not useful to coercer.

Chain/ Italian attack still possible, as with other paperschemes.


Other Possible Attacks

Count manipulator obtains receipts from exiting voters,

I buys them

I “We are doing vote checking as a public service, wouldyou like us to check your vote?”

can then undetectably alter ballots with these identifiers.


Randomization Attack

Coercer requires coerced voters to vote for candidate at thetop of the paper.

(In effect, a vote for a random candidate.)

Increases influence of other votes.


Three Ballot

A scheme proposed by Ron Rivest that does not requirecryptography:

I Voter receives three copies of ballot paper

I To vote FOR a candidate, mark that candidate TWICE

I To vote AGAINST a candidate, mark that candidateONCE

I No candidate should have 0 or 3 marks

I Checking machine verifies these rules have been followed

I Voter casts all three ballots, and retains a copy of one asa receipt

I Election authority publishes list of names of voters whovoted, and all votes cast


A three-ballot paper

Mother Teresa

Hillary Clinton

Pauline Hanson

Nicole Kidman

Mother Teresa

Hillary Clinton

Pauline Hanson

Nicole Kidman

Mother Teresa

Hillary Clinton

Pauline Hanson

Nicole Kidman

235676879 54634856 94785673


A vote for Nicole Kidman

Mother Teresa

Hillary Clinton

Pauline Hanson

Nicole Kidman

Mother Teresa

Hillary Clinton

Pauline Hanson

Nicole Kidman

Mother Teresa

Hillary Clinton

Pauline Hanson

Nicole Kidman

235676879 54634856 94785673


Another vote for Nicole Kidman

Mother Teresa

Hillary Clinton

Pauline Hanson

Nicole Kidman

Mother Teresa

Hillary Clinton

Pauline Hanson

Nicole Kidman

Mother Teresa

Hillary Clinton

Pauline Hanson

Nicole Kidman

235676879 54634856 94785673


Counting votes

If there are n voters, with k FOR candidate X, and n − kAGAINST candidate X, then X receives

2k + (n − k) = n + k

marks when the ballots are are counted.

So to calculate the number of voters FOR a candidate, justsubtract n.

Remark: Three-ballot does not work for preferential votecounting rules


Security Properties of Three-Ballot

Privacy/Anonymity: Yes, as for paper ballots, provided linkingof voter to ballot identifiers not possible

I Voter randomly chooses ballot paper

I Checking machine/process can be trusted not to dolinking

I voter randomly adds ID number stickers after verification


Integrity & Verifiabilty:

I Public can verify number of ballots is correct (size of listof voters = 3*no. of ballots?)

I Public can check count

I Individual voter can check their receipt counted is as cast.(1/3 chance of detecting ballot modifications by electionauthority)


Receipt Freedom

Every possible marked (single) ballot paper can be constructedas the receipt, while still voting for the chosen candidate.

So the receipt contains no information about a voter voted.

BUT: a variant of the Italian attack is possible:

Three pattern attack: coercer/voter buyer requires the threeballots to be filled with a different unique pattern on each,checks that all three patterns appear on bulletin board.


Other Attacks

Count manipulator obtains receipts from exiting voters,

I buys them

I “We are doing vote checking as a public service, wouldyou like us to check your vote?”

can then undetectably alter ballots with these identifiers.

Chain attack still possible, as with other paper schemes.


Conclusion

These protocols add a level of verifiability to existing paperprocesses, at the cost of increased complexity to voters andelection authorities, and new points of vulnerability to besecured.

No system yet that perfectly addresses all security propertiesand all possible attacks.

An active area of research!


comp3441 lecture 11: votingmeyden/3441/w11.pdf · not just history some recent news: i (oct 6,...

Documents