Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony


Page 1

Secret Ballot Receipts:

True Voter Verifiable Elections

Author: David Chaum

Published: IEEE Security & Privacy

Presenter: Adam Anthony

Page 2

Outline

Paper Selection Criteria
Secret Ballot Discussion
Electronic vs. Handwritten Ballots
Summary of Results
Physical Receipt Characteristics
Verifying Votes
Properties of the System
Encoding, Decoding, Tallying Votes
Conclusion

Page 3

Paper Selection

Google Scholar: 25 citations
Published in IEEE Security and Privacy, 2004
David Chaum founded the International Association for Cryptologic Research and has filed 25 separate cryptography-related patents
Referenced directly in Wednesday’s paper
Scored 1,545,673 out of a possible 1,545,674 points on the “Adam Anthony thinks it’s a really neat paper” scale

Page 4

Secret Ballots

Required by free democracies
Basic premise: the voter brings nothing out of the polling place that he didn’t bring in that would provide information as to who he voted for
Buttons, T-shirts, etc. are allowed
A copy of the ballot, or any plaintext ballot material, is not allowed

Page 5

Trust Issues

Handwritten ballots are the “gold standard” of voting
Electronic voting machines are considered insecure

Page 6

Summary of Results

Use visual cryptography to produce a zero-information ballot receipt
Eliminates the need for proprietary “black box” systems
Setup:
A normal computer running openly published, verifiable software
A special receipt printer
The voter may take part of the encrypted receipt with him, which can be used (personally, or by his party’s officials) to verify the correctness of his ballot
Correctness can be verified without revealing who he voted for
Tallying of votes is also quickly verifiable

Page 7

Printer Requirements

The printer is fundamentally a simple cash-register receipt printer
Print heads are positioned to print on both the front and back of a clear polymer tape
The tape is actually two laminated pieces of tape
The bottom inch contains instructions for separating the two layers

Page 8

Receipts, continued

[Slide consists of four receipt photographs only; images not reproduced in the transcript]

Page 9

Encoding a Receipt

Generate one pad of random pixel symbols (white sheet)
The second pad is created by choosing, for each pixel, the symbol that makes the overlay either transparent or opaque (red sheet)
The transparent portions produce the typeset ballot image
Swap every other pixel symbol between the two sheets so that either layer can be chosen as the receipt
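The encoding on this slide, written out as a runnable illustration. This is an added example, not code from Chaum’s paper or from any voting product; the 2x2 subpixel shapes of the two symbols, the constructed 7x7 ballot image and the use of Python’s secrets module are this example’s own assumptions.

```python
"""Two-layer visual-cryptography receipt, following the encoding on slide 9.
Added illustration for this transcript; not code from Chaum's paper or any
voting product.  The 2x2 subpixel shapes of the two symbols, the 7x7 ballot
image and the use of Python's secrets module are assumptions made here."""
import secrets

# A ballot pixel is printed as a 2x2 "pixel symbol" on each layer.  The two
# symbols are complementary: over an identical symbol they leave two subpixels
# clear (a light pixel); over the other symbol they black out all four (dark).
# 1 = opaque subpixel, 0 = clear.
SYMBOL = {0: ((1, 0), (0, 1)), 1: ((0, 1), (1, 0))}

def random_sheet(rows, cols):
    """The 'white' sheet: an independent random symbol for every pixel."""
    return [[secrets.randbelow(2) for _ in range(cols)] for _ in range(rows)]

def complement_sheet(ballot, sheet):
    """The 'red' sheet: for each pixel, the symbol that makes the overlay show
    the ballot.  A pixel is dark exactly when the two symbols differ, so
    red = ballot XOR white (1 = ink in the ballot image)."""
    return [[b ^ s for b, s in zip(br, sr)] for br, sr in zip(ballot, sheet)]

def swap_checkerboard(top, bottom):
    """Swap every other pixel symbol between the layers (in place).  Each layer
    is then half random and half message-bearing, so either can be kept as the
    receipt; the overlay is unchanged because XOR does not care which layer
    holds which symbol."""
    for i, (tr, br) in enumerate(zip(top, bottom)):
        for j in range(len(tr)):
            if (i + j) % 2:
                tr[j], br[j] = br[j], tr[j]
    return top, bottom

def encode_receipt(ballot):
    """Full encoding: returns (top layer, bottom layer) as symbol matrices."""
    white = random_sheet(len(ballot), len(ballot[0]))
    return swap_checkerboard(white, complement_sheet(ballot, white))

def overlay(top, bottom):
    """What the eye sees through both laminated layers: 1 = dark, 0 = light."""
    return [[a ^ b for a, b in zip(tr, br)] for tr, br in zip(top, bottom)]

def consistent_with(kept_layer, candidate_ballot):
    """Zero-information property of a single layer: for ANY candidate ballot
    there is a second layer that overlays the kept one into exactly that
    ballot, so the kept layer alone says nothing about how the vote went."""
    other = complement_sheet(candidate_ballot, kept_layer)
    return overlay(kept_layer, other) == candidate_ballot

def render_layer(sheet):
    """ASCII picture of one layer at subpixel resolution ('#' opaque, '.' clear)."""
    lines = []
    for row in sheet:
        for r in range(2):
            lines.append("".join("#" if SYMBOL[s][r][c] else "." for s in row for c in range(2)))
    return "\n".join(lines)

# Constructed 7x7 ballot image (1 = ink): a box with an X mark inside it.
BALLOT = [[1 if i in (0, 6) or j in (0, 6) or j in (i, 6 - i) else 0
           for j in range(7)] for i in range(7)]

if __name__ == "__main__":
    top, bottom = encode_receipt(BALLOT)
    assert overlay(top, bottom) == BALLOT
    print(render_layer(top), end="\n\n")          # either layer alone looks like noise
    print("\n".join("".join("#" if p else "." for p in row) for row in overlay(top, bottom)))
```

Run it to see one layer printed as noise and the overlay printed as the ballot. consistent_with makes the zero-information claim concrete: given only the layer the voter keeps, a complementary layer exists for every possible ballot, which is exactly why the receipt may leave the polling place.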

Page 10

Verifying Receipts

Handheld scanners can be used to verify ballot consistency outside the polling place

Digital copies of the receipts are sent to the main server

Online: Enter the serial number at the bottom of the receipt and verify the image on record is identical to your own

Eventually, all ballots are decrypted and posted online as well, to verify the count

Page 11

Properties

1. If your receipt is correctly posted, you can be sure (with acceptable probability) that your vote will be included correctly in the tally

2. No one can decode your receipt or otherwise link it to your vote except by breaking the code or decrypting it using all the secret keys, each of which is assigned to a different trustee

3. There are only three ways a system could change a voter’s ballot without direct detection:
   1. Print an incorrect layer, gambling that the voter will choose the other layer
   2. Use the same serial number for two different receipts, hoping the two voters choose the same layer
   3. Perform a tally process step incorrectly, taking the chance that the step will escape selection during the audit

4. Each of the above fraud attempts has a 50/50 chance of succeeding, per ballot

Page 12

Meat, Potatoes, Hold the Vegetables

Where we’ve been:
System hardware specification
Encoding receipts
Verifying receipts
Properties of the system

Where we’re going:
Mathematical model of the voting process
Mathematical model of the tallying process
Proof of system properties

Page 13

About Dolls

The author uses the “Russian doll” analogy to explain the decryption process.
A doll consists of a set of random pads, added together (mod 2)
The largest doll is used to create the “background” sheet
There is a set of private keys, one per trustee, each of which “opens” one layer of the doll. The output of each decryption yields a partially decrypted message, as well as the value of the next (smaller) doll
Several trustees oversee each phase of decryption; basic key-management schemes protect against missing or corrupt trustees

Page 14

Voting Phase

1. The voter supplies a ballot image B

2. The system responds by providing two 4-tuples <L_z, q, D_t, D_b>, one for z = t and one for z = b; this is the data printed on each separate layer

3. The voter visually verifies that L_t ⊕ L_b = B and that q, D_t, D_b are identical on both layers

4. Voter aborts if there is a problem, or selects x = t or b for his choice of the top or bottom layer

Page 15

Voting Phase, cont.

5. The system makes two digital signatures and provides them as a 2-tuple <s_x(q), o_x(L_x, q, D_t, D_b, s_x(q))>

6. The voter (or a designate) performs a consistency check: both signatures must verify, using the agreed public inverses of the system’s private signature functions s_x and o_x, against the unsigned values of the selected 4-tuple as printed on the selected layer; and s_x(q) must correctly determine D_x and the half of the elements of L_x that it should determine

Page 16

Yet more on the voting phase

Remember that each layer contains an equal number of ‘red’ bits (the message) and ‘white’ bits (the sum of the dolls)

Let R_z and W_z be the matrices of red and white bits of layer image L_z

Let h and h' be pseudo-random functions of q

e_i is the public key corresponding to trustee i’s private key d_i

Layer layout (red and white positions alternate in a checkerboard, and the two layers are complementary):

L_t[i, 2j − (i mod 2)] = R_t[i, j]
L_t[i, 2j − ((i + 1) mod 2)] = W_t[i, j]
L_b[i, 2j − ((i + 1) mod 2)] = R_b[i, j]
L_b[i, 2j − (i mod 2)] = W_b[i, j]

The red bits of one layer over the white bits of the other give the half of the ballot image carried by that layer:

R_x ⊕ W_y = B_x   (for y ≠ x)

The white bits of a layer are the XOR (sum mod 2) of its k doll pads:

W_z[i, j] = (d_z,k ⊕ d_z,k−1 ⊕ … ⊕ d_z,1)[i, j]

Pads and dolls are derived from the signature on the serial number:

d'_z,l = h(s_z(q), l)
d_z,l = h'(d'_z,l)
D_z,l = e_l(d'_z,l, D_z,l−1) = e_l(d'_z,l, e_l−1(d'_z,l−1, … e_1(d'_z,1) …))

The final doll, D_z = D_z,k, is the one printed on the receipt

Page 17

Decryption to Plaintext

Input L_x and D_y; refer to them as B_k and D_k

Then for l = k, k−1, …, 1, the trustee holding private key d_l:

Computes d'_l from D_l using the proper private key; D_l−1 = D_l / d'_l (what remains of the doll once d'_l is removed)

Finds d_l using h' (d_l = h'(d'_l))

Computes B_l−1 = B_l ⊕ d_l

B_0 = B_x, the plaintext ballot
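The voting phase of slides 14–16 and the decryption chain of slide 17, carried through end to end in the slides’ notation. This is an added example, not code from the paper or from any deployed system. Assumptions made here: h and h' are instantiated with HMAC-SHA256; the system’s signature s_z(q) and each trustee’s public-key encryption e_l are replaced by keyed-HMAC stand-ins, since the Python standard library has no public-key primitive (in the real scheme the system needs only the trustees’ public keys to build a doll, whereas these stand-ins share a key); there are k = 3 trustees, and the 6x6 ballot image is made up.

```python
"""Voting phase and trustee decryption in the notation of slides 14-17.
Added example for this transcript, not Chaum's code.  Assumptions: h and h'
are HMAC-SHA256; s_z(q) and each trustee's public-key encryption e_l are
keyed-HMAC stand-ins (the standard library has no public-key primitive);
k = 3 trustees; a made-up 6x6 ballot image."""
import hmac
from hashlib import sha256

ROWS, COLS, HALF = 6, 6, 18                      # HALF = pixels in one checkerboard half
SYSTEM_KEY = b"system signing key (stand-in)"    # assumption: stands in for s_z's key
TRUSTEE_KEYS = [b"trustee-1", b"trustee-2", b"trustee-3"]  # assumption: d_1..d_3

def red_positions(z):
    """Slide 16: R_t sits where (i+j) is even, R_b where it is odd.  The white
    positions of a layer are the red positions of the other layer."""
    parity = 0 if z == "t" else 1
    return [(i, j) for i in range(ROWS) for j in range(COLS) if (i + j) % 2 == parity]

def other(z):
    return "b" if z == "t" else "t"

def s(z, q):
    """s_z(q): the system's per-layer signature on serial number q (stand-in)."""
    return hmac.new(SYSTEM_KEY, z.encode() + q, sha256).digest()

def h(sig, l):
    """d'_{z,l} = h(s_z(q), l)"""
    return hmac.new(sig, bytes([l]), sha256).digest()

def h_prime(dp):
    """d_{z,l} = h'(d'_{z,l}): expand d' to HALF pad bits (HALF <= 256 here)."""
    out = sha256(dp).digest()
    return [(out[i // 8] >> (i % 8)) & 1 for i in range(HALF)]

def stream(key, iv, n):
    return b"".join(sha256(key + iv + bytes([c])).digest() for c in range(n // 32 + 1))[:n]

def e(key, dp, inner):
    """Stand-in for e_l(d'_l, D_{l-1}).  Deterministic in its inputs, as the
    public recomputation of D_x from s_x(q) in the audit requires."""
    pt = dp + inner
    iv = hmac.new(key, pt, sha256).digest()
    return iv + bytes(a ^ b for a, b in zip(pt, stream(key, iv, len(pt))))

def d(key, ct):
    """Trustee l's private operation: recover (d'_l, D_{l-1}) from D_l."""
    iv, body = ct[:32], ct[32:]
    pt = bytes(a ^ b for a, b in zip(body, stream(key, iv, len(body))))
    if not hmac.compare_digest(hmac.new(key, pt, sha256).digest(), iv):
        raise ValueError("this doll does not open with this trustee key")
    return pt[:32], pt[32:]

def make_doll(sig):
    """W_z = d_k xor ... xor d_1;  D_z = e_k(d'_k, e_{k-1}(... e_1(d'_1) ...))"""
    W, D = [0] * HALF, b""
    for l, key in enumerate(TRUSTEE_KEYS, 1):
        dp = h(sig, l)
        W = [w ^ b for w, b in zip(W, h_prime(dp))]
        D = e(key, dp, D)
    return W, D

def vote(B, q):
    """Steps 1-2: build both layers.  Layer z carries W_z at its white
    positions and R_z = B_z xor W_other at its red positions."""
    W, D, L = {}, {}, {}
    for z in "tb":
        W[z], D[z] = make_doll(s(z, q))
    for z in "tb":
        L[z] = [[0] * COLS for _ in range(ROWS)]
        for n, (i, j) in enumerate(red_positions(z)):
            L[z][i][j] = B[i][j] ^ W[other(z)][n]
        for n, (i, j) in enumerate(red_positions(other(z))):
            L[z][i][j] = W[z][n]
    return L, q, D

def overlay(L):
    """Step 3: L_t xor L_b must reproduce the ballot image B."""
    return [[a ^ b for a, b in zip(r1, r2)] for r1, r2 in zip(L["t"], L["b"])]

def audit_kept_layer(Lx, x, q, Dx):
    """Step 6: with s_x(q) published, anyone recomputes D_x and the white half
    of L_x and compares both with the printed layer.  The other layer's pad
    stays hidden, so the check reveals nothing about the vote."""
    Wx, Dx_again = make_doll(s(x, q))
    white_ok = all(Lx[i][j] == Wx[n] for n, (i, j) in enumerate(red_positions(other(x))))
    return white_ok and Dx_again == Dx

def tally_decrypt(Lx, x, Dy):
    """Slide 17: B_k = R_x, D_k = D_y.  Trustee k opens the outer doll, then
    trustee k-1, ...; each derives d_l = h'(d'_l) and strips it from B."""
    Bk, Dk = [Lx[i][j] for i, j in red_positions(x)], Dy
    for key in reversed(TRUSTEE_KEYS):
        dp, Dk = d(key, Dk)
        Bk = [b ^ p for b, p in zip(Bk, h_prime(dp))]
    return Bk                                    # B_0 = B_x

def half_image(B, x):
    """B_x: the half of the ballot image that the kept layer x encodes."""
    return [B[i][j] for i, j in red_positions(x)]

# Constructed 6x6 ballot image (1 = ink): an X mark.
BALLOT = [[1 if j in (i, COLS - 1 - i) else 0 for j in range(COLS)] for i in range(ROWS)]
```

vote() builds both layers, audit_kept_layer() is the step-6 check anyone can run once s_x(q) is published, and tally_decrypt() is the trustee chain. The tally recovers B_x, the half of the image the kept layer encodes, and every trustee key is needed because each d_l is protected by one layer of the doll; flipping a single bit in the kept layer’s white half makes audit_kept_layer() fail, which is the detection behind fraud attempt 1 on slide 11.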

Page 18

More important than decryption

[Slide consists of a single figure; image not reproduced in the transcript]

Page 19

Conclusion

Reduces the cost of integrity while raising its level dramatically
Voters are able to assure their own vote
Voting can be more accessible due to the better handling of provisional ballots
Hardware costs are lower than current black-box systems; the cost of the printers should be less than the money saved
Simpler maintenance, easier upgrades, multiple uses
Open code means opposing parties will work hard to assure its integrity, and the government can fund the operation as well
The auditing of trustees and system integrity is easily automated, and mathematically sound