secret-ballot receipts true voter-verifiable elections david chaum
TRANSCRIPT
Secret-Ballot Receipts
True Voter-Verifiable Elections David Chaum
Main Points
• WOTE I and Standardization workshop• (Focus on polling-place elections)• Don’t have to trust computers with integrity• Four system examples
– Janken– High-registration printing– Subtractive light– Additive light
• Mixing with bitmaps and its audit• Provisional voting & adjudication• Comparison of current proposals• (Paper instruments can be modified before recount)
OUTLINE
• Introduction• WOTE and WEST• Polling-place election background• Receipt system introduction• Educational example receipt system
• Three example receipt systems• Comparison with non-receipt systems• Comments on Standardization
Secret-Ballot Technology Paradigms (core of elections)
• Manual counting of objects in container
• Mechanical counting of human interaction
• Electronic counting of objects in container
• Electronic counting of human interaction (some with printed record!)
• “Computers voting”
• Something new: “People Voting”
Sam
eba
sis
Sam
eba
sis
A&R
A&R
A&R
A
A
A
Vote-counting mechanisms
Hand count Mechanical counter
Electronic counter Multiple-trustee Crypto
Alan Newberger • Andrew Neff • Ari Renvall • Arnaud Sahuguet • Arto Salomaa • Atsushi Fujioka • Baraani-Dastjerdi • Ben Davenport • Berry Schoenmakers • Birgit Pfitzmann • Brandon William DuRette • C. C. Tai • C. Lei • Choonsik Park • Chung-chieh Shan • Colin Boyd • Fumiaki Miura • G. Poupard • H. Imai • H. Nurmi • Holger Petersen • J. M. Fischer •J. Borrell • J. K. Jan • J. Pieprzyk • J. Rif • J. Stern • Jason Woodard • Joe Kilian • Jong-Hyeon Lee • Josh Cohen/Benaloh • Kaoru Kurosawa • Kazue Sako • Kazuo Ohta • Kazutomo Itoh • Kenneth R. Iversen • L. Chen • L. Santean • Lorrie Faith Cranor • M. Burminster • M. Merritt • M. Waidner • Mark A. Herschberg • Markus Michels • Masayuki Abe • Matthew Franklin • Michael Ben-Or • Michael Ian Shamos • Michael J. Radwin • Miyako Ohkubo • Moti Young • N. Lynch • Nathan Linial • V. Niemi • P.A. Fouque • Patrick Horster • Q. He • R. DeMillo • R. H. Lin • R. Safavi-Naini • Rafail Ostrovsky • Ron K. Cytron • Ronald Cramer • Steve Chien • Steven Myers • T. Asano • T. Matsumoto • Tatsuaki Okamoto • V. Niemi • W. Juang • Y. Afek • Y. Matias • Z. Su
“Computers Voting”Known Systems: Mix-Net, Homomorphic, Blind-signed Voting
Plaintext Votes(different order)Encrypted Votes
“Secret Ballot” Principle
• Definition—Voter must not be be able to convince others of how he or she voted (a kind of “involuntary privacy”)
• Rationale —To prevent “Improper Influence,” such as vote selling and various kinds of coercion
“Unconditional Integrity”
• Definition—Even infinite computing power should not allow incorrect tally (except with negligible probability) – privacy may have to be computational…
• Rationale—Integrity should take priority over privacy (since changing outcome allows privacy rules to be changed!)
OUTLINE
• Introduction• WOTE and WEST• Polling-place election background• Receipt system introduction• Educational example receipt system
• Three example receipt systems• Comparison with non-receipt systems• Comments on Standardization
Two truisms are false
1. Receipts including who you voted for violate the “Secret Ballot” principle.
Not if they are readable in the voting booth but unreadable once taken outside.
2. The computers used to vote and to tally the votes must be trusted with the correctness of the tally.
Not if copies of encrypted votes on voters’ receipts can be posted along with proofs of corectness for the tally process.
First True “Voter-Verifiable”Election System
Voters can directly verify that their votes are included in the tally
without needing to trust any procedures, computers, or cryptography used by those conducting the election
The new scheme presented is of practical interest
• Integrity is much higher but less costly– Reduced need for physical security, audit,
observing, testing, etc.
• Robustness is much higher but less costly– Receipts sufficient to count the votes
• Hardware cost may even be lower– “Ordinary” hardware costs less than “special”– Though, printer/viewer has additional cost
• Example system parts will be demoed
OUTLINE
• Introduction• WOTE and WEST• Polling-place election background• Receipt system introduction• Educational example receipt system
• Three example receipt systems• Comparison with non-receipt systems• Comments on Standardization
Rules of Janken
Each of two people chooses one hand symbol and shows it at the same time
Winner is determined by arrows (same symbol requires retry)
Audience participation packets
• Each bag has all three hand symbols divided into two envelopes (randomly for each bag)
• The sealed white envelope has one symbol inside (shown transparent); the clasp-fastened manila has two
Voting instructions
1. Unseal the plastic bag and remove the manila envelope (leave the white one in the bag).
2. Open the clasp and look inside the manila envelope without showing its content to anyone.
3. To vote “Yes” take the winning hand symbol out; to vote “No” take the other symbol out.
4. Place the hand symbol you’ve chosen in the bag facing out so its easy to see from outside.
5. Leave the bag in the hat at the front of the room.
Counting Rules
• Each bag is counted as a “Yes” vote if the symbol in its sealed envelope wins over that revealed by the slip facing out of the bag.
• Bags are counted as “No” when the symbol in the white envelope loses to that displayed.
• (All sealed envelopes must be opened, whether bag voted or not.)
Your vote was encrypted (neat thing #1)
• Everyone could see the symbol you chose
• Symbol encodes your vote
• Still, only you know how you voted!
• You have just used an “encrypted vote”
The dealer could not cheat (neat thing #2)
• Each bag has two envelopes with correct number of slips—easy to see
• No duplications per bag– Within envelope (voter sees)– Across envelopes (at count—depends on vote)
• Distribution of “hands” uniform– Each hand should appear in sealed envelopes
the same number of times
“Bulletin Board Voting”— Beyond the “room voting” model• “Not what they do, just what they post”
• Applies to real polling place elections
• Booths are watched to ensure the desired degree of ballot secrecy
OUTLINE
• Introduction
• Example receipt systems1. High-registration systems
2. Subtractive optical systems
3. Additive optical systems
• Overview of properties/mechanisms
• Comparison with non-receipt systems
• Comments on Standardization
Summary of Overall Process
1. Machine accepts votes from voter
2. Machine prints receipt and lets voter see it
3. Voter randomly chooses a pattern to be printed that will hide the info on the receipt
4. The pattern is printed as background on the receipt, which is then provided to the voter
5. Receipts—as taken by voters—are published
6. Outcome is determined only from published receipts and its correctness is proven to any interested party through posted data
Per
vote
rPer
ele
ctio
n
High-resolution systemThe letter “e”
The cleartext backgrounds trick
Subtractive System
Laminated Top Layer Bottom LayerIEEE Security & Pivacy Jan/Feb 2004 or www.voterverifiable.com
Part-Transparent
TopLayer:
BottomLayer:
BothLayers
Overlaid:Opaque
(related to Naor Shamir Visual Cryptography)
Additive System
Newsweek, March 29, 2004 print edition “The Future of Digital Voting” by Steven Levy
Example two-stripe symbology
Example three-stripe symbology
After the polls close
Batches successively published on the web once polls close
TrusteeTransform
TrusteeTransform
TrusteeTransform
receiptimage
ReceiptBatch
receiptimage
receiptimage
TallyBatch
ballotimage
ballot image
ballotimage
IntermediateBatch
1,000,000
1,000,001
1,625,962
After the polls close
Then a randomly chosen half of the transformations are “opened”
TrusteeTransform
TrusteeTransform
TrusteeTransform
receiptimage
ReceiptBatch
receiptimage
receiptimage
TallyBatch
ballotimage
ballot image
ballotimage
IntermediateBatch
1,000,000
1,000,001
1,625,962
Introducing the properties (proofs in the paper
at www.voterverifiable.com)
Properties [1 of 4]
• If your receipt is properly posted, you can be sure that your vote is included in the final tally [see also property 3]
• If your receipt is not properly posted, you should be able to demonstrate this (because it should have document security attributes including a digital signature)
Properties [2 of 4]
• No matter how incorrectly a system operates, there are only two ways it can change a correctly-posted ballot without being detected: – printing text from a guessed pattern and
hoping that the voter chooses that pattern; or
– incorrectly performing a step among the tally process steps and hoping that this step is not among the half selected for audit.
Properties [3 of 4]
Changing n ballots means:
• Chance that no cheating is detected is at most 1/2n
• Chance of getting caught cheating is at least 1–1/2n
Properties [4 of 4]
• Your receipt cannot be decrypted by anyone, or otherwise linked to your vote [more later], except by decrypting with (or breaking) sufficiently many secret keys (of which each trustee has its own).
Two mixes per trustee
Trustee n
Batch 2 n – 1 Batch 2n Batch 2 n +1
Trustee n
Links opened afterwards(inspired by Jakobsson, Juels, & Rivest)
Trustee n
Batch 2 n – 1 Batch 2 n Batch 2 n +1
Trustee n
A Mix Network as a Black Box
message 2
message 3
message 1
message 4
Mix network
1
2
3
4
Basic Three Mix Cascade
Trustee A Trustee B Trustee C
xyz
Processing the Bitmaps
Trustee Trustee Trustee
m2
m3
m1
m1z1y1x1
x1y1z1
x2y2z2
x3y3z3
m2z2y2x2
m3z3y3x3
y3z3
m3z3y3
y2z2
m2z2y2
m1z1y1
y1z1
x3
x2
x1
z2
m2z2
m1z1
z1
z3
m3z3
y2
y1
y3
z2
z1
z3
OUTLINE
• Introduction
• Example receipt systems
• Comparison with non-receipt systems– Four classes of non-receipt systems
– Table of properties: Integrity, Privacy, Secrecy, Robustness and Costs
– Additional features/properties
• Comments on Standardization
VoteMeter & PrinterFace
• State-Level controls (including version #s)
• Better blind voter integrity
• Open interface standard
• See VoteMeter.com
Other aspects for comparsion
1. Adjudicating which ballots to count
2. Reliably capturing voter intent
3. Preventing Ballot-style fraud
4. Creating/repairing voter confidence
OUTLINE
• Introduction
• Example receipt systems
• Comparison with non-receipt systems
• Comments on Standardization
Standardization thoughts
• Clearly defined technical rating system for multiple attributes– At least include measureable/clear functional
attributes (e.g., main rows of chart: integrity, privacy, reliability costs…)
– Minimums should be the only involvement of political processes in the standardization
• Role of Federal Government?—“Provable” systems could change everything!
Conclusion