secret-ballot receipts true voter-verifiable elections david chaum


Upload: mercedes-wickwire

Post on 14-Dec-2015

Page 1: Secret-Ballot Receipts True Voter-Verifiable Elections David Chaum

Secret-Ballot Receipts

True Voter-Verifiable Elections David Chaum


Main Points

• WOTE I and Standardization workshop
• (Focus on polling-place elections)
• Don’t have to trust computers with integrity
• Four system examples
– Janken
– High-registration printing
– Subtractive light
– Additive light
• Mixing with bitmaps and its audit
• Provisional voting & adjudication
• Comparison of current proposals
• (Paper instruments can be modified before recount)


OUTLINE

• Introduction
• WOTE and WEST
• Polling-place election background
• Receipt system introduction
• Educational example receipt system
• Three example receipt systems
• Comparison with non-receipt systems
• Comments on Standardization


Secret-Ballot Technology Paradigms (core of elections)

• Manual counting of objects in container

• Mechanical counting of human interaction

• Electronic counting of objects in container

• Electronic counting of human interaction (some with printed record!)

• “Computers voting”

• Something new: “People Voting”


Vote-counting mechanisms

[Figure panels: Hand count; Mechanical counter; Electronic counter; Multiple-trustee Crypto]


Alan Newberger • Andrew Neff • Ari Renvall • Arnaud Sahuguet • Arto Salomaa • Atsushi Fujioka • Baraani-Dastjerdi • Ben Davenport • Berry Schoenmakers • Birgit Pfitzmann • Brandon William DuRette • C. C. Tai • C. Lei • Choonsik Park • Chung-chieh Shan • Colin Boyd • Fumiaki Miura • G. Poupard • H. Imai • H. Nurmi • Holger Petersen • J. M. Fischer • J. Borrell • J. K. Jan • J. Pieprzyk • J. Rif • J. Stern • Jason Woodard • Joe Kilian • Jong-Hyeon Lee • Josh Cohen/Benaloh • Kaoru Kurosawa • Kazue Sako • Kazuo Ohta • Kazutomo Itoh • Kenneth R. Iversen • L. Chen • L. Santean • Lorrie Faith Cranor • M. Burmester • M. Merritt • M. Waidner • Mark A. Herschberg • Markus Michels • Masayuki Abe • Matthew Franklin • Michael Ben-Or • Michael Ian Shamos • Michael J. Radwin • Miyako Ohkubo • Moti Yung • N. Lynch • Nathan Linial • V. Niemi • P.A. Fouque • Patrick Horster • Q. He • R. DeMillo • R. H. Lin • R. Safavi-Naini • Rafail Ostrovsky • Ron K. Cytron • Ronald Cramer • Steve Chien • Steven Myers • T. Asano • T. Matsumoto • Tatsuaki Okamoto • V. Niemi • W. Juang • Y. Afek • Y. Matias • Z. Su

“Computers Voting”

Known Systems: Mix-Net, Homomorphic, Blind-signed Voting

[Figure labels: Plaintext Votes (different order); Encrypted Votes]


“Secret Ballot” Principle

• Definition—Voter must not be able to convince others of how he or she voted (a kind of “involuntary privacy”)

• Rationale —To prevent “Improper Influence,” such as vote selling and various kinds of coercion


“Unconditional Integrity”

• Definition—Even infinite computing power should not allow incorrect tally (except with negligible probability) – privacy may have to be computational…

• Rationale—Integrity should take priority over privacy (since changing outcome allows privacy rules to be changed!)


OUTLINE

• Introduction
• WOTE and WEST
• Polling-place election background
• Receipt system introduction
• Educational example receipt system
• Three example receipt systems
• Comparison with non-receipt systems
• Comments on Standardization


Two truisms are false

1. Receipts including who you voted for violate the “Secret Ballot” principle.

Not if they are readable in the voting booth but unreadable once taken outside.

2. The computers used to vote and to tally the votes must be trusted with the correctness of the tally.

Not if copies of encrypted votes on voters’ receipts can be posted along with proofs of correctness for the tally process.


First True “Voter-Verifiable” Election System

Voters can directly verify that their votes are included in the tally

without needing to trust any procedures, computers, or cryptography used by those conducting the election


The new scheme presented is of practical interest

• Integrity is much higher but less costly
– Reduced need for physical security, audit, observing, testing, etc.
• Robustness is much higher but less costly
– Receipts sufficient to count the votes
• Hardware cost may even be lower
– “Ordinary” hardware costs less than “special”
– Though, printer/viewer has additional cost

• Example system parts will be demoed


OUTLINE

• Introduction
• WOTE and WEST
• Polling-place election background
• Receipt system introduction
• Educational example receipt system
• Three example receipt systems
• Comparison with non-receipt systems
• Comments on Standardization


Rules of Janken

Each of two people chooses one hand symbol and shows it at the same time

Winner is determined by arrows (same symbol requires retry)


Audience participation packets

• Each bag has all three hand symbols divided into two envelopes (randomly for each bag)

• The sealed white envelope has one symbol inside (shown transparent); the clasp-fastened manila has two


Voting instructions

1. Unseal the plastic bag and remove the manila envelope (leave the white one in the bag).

2. Open the clasp and look inside the manila envelope without showing its content to anyone.

3. To vote “Yes” take the winning hand symbol out; to vote “No” take the other symbol out.

4. Place the hand symbol you’ve chosen in the bag facing out so it’s easy to see from outside.

5. Leave the bag in the hat at the front of the room.


Counting Rules

• Each bag is counted as a “Yes” vote if the symbol in its sealed envelope wins over that revealed by the slip facing out of the bag.

• Bags are counted as “No” when the symbol in the white envelope loses to that displayed.

• (All sealed envelopes must be opened, whether bag voted or not.)


Your vote was encrypted (neat thing #1)

• Everyone could see the symbol you chose

• Symbol encodes your vote

• Still, only you know how you voted!

• You have just used an “encrypted vote”


The dealer could not cheat (neat thing #2)

• Each bag has two envelopes with correct number of slips—easy to see

• No duplications per bag
– Within envelope (voter sees)
– Across envelopes (at count—depends on vote)
• Distribution of “hands” uniform
– Each hand should appear in sealed envelopes the same number of times
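The Janken exercise above (packets, voting instructions, counting rules and the dealer checks) can be modelled in a few lines. This is an added example, not part of the original slides; the function names and the packet representation are assumptions made for illustration.

```python
from collections import Counter

BEATS = {"rock": "scissors", "scissors": "paper", "paper": "rock"}  # key beats value

def deal(sealed):
    """A packet: one symbol in the sealed white envelope, the other two in the manila."""
    return {"sealed": sealed, "manila": [s for s in BEATS if s != sealed]}

def cast(packet, vote_yes):
    """The voter looks only inside the manila envelope and displays one of its symbols."""
    a, b = packet["manila"]
    winner, loser = (a, b) if BEATS[a] == b else (b, a)
    return winner if vote_yes else loser

def count(sealed, displayed):
    """Counting rule: Yes if the sealed symbol beats the displayed one, No if it loses."""
    if sealed == displayed:
        raise ValueError("same symbol in both envelopes: the packet was dealt incorrectly")
    return BEATS[sealed] == displayed

def tally(bags):
    """bags: (sealed, displayed) pairs, known once all white envelopes are opened."""
    sealed_counts = Counter(s for s, _ in bags)
    uniform = len({sealed_counts[s] for s in BEATS}) == 1   # dealer check from the slide
    yes = sum(count(s, d) for s, d in bags)
    return {"yes": yes, "no": len(bags) - yes, "sealed_uniform": uniform}

def displayed_view(vote_yes):
    """Symbols an observer could see for a given vote, over all equally likely packets."""
    return sorted(cast(deal(s), vote_yes) for s in BEATS)
```

`displayed_view(True)` and `displayed_view(False)` return the same three symbols, which is why the displayed hand alone says nothing about the vote until the sealed envelope is opened.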


“Bulletin Board Voting”— Beyond the “room voting” model

• “Not what they do, just what they post”

• Applies to real polling place elections

• Booths are watched to ensure the desired degree of ballot secrecy


OUTLINE

• Introduction

• Example receipt systems

1. High-registration systems

2. Subtractive optical systems

3. Additive optical systems

• Overview of properties/mechanisms

• Comparison with non-receipt systems

• Comments on Standardization


Summary of Overall Process

1. Machine accepts votes from voter

2. Machine prints receipt and lets voter see it

3. Voter randomly chooses a pattern to be printed that will hide the info on the receipt

4. The pattern is printed as background on the receipt, which is then provided to the voter

5. Receipts—as taken by voters—are published

6. Outcome is determined only from published receipts and its correctness is proven to any interested party through posted data

[Diagram labels: Per voter; Per election]


High-resolution system

The letter “e”


The cleartext backgrounds trick


Subtractive System

Laminated: Top Layer, Bottom Layer

IEEE Security & Privacy Jan/Feb 2004 or www.voterverifiable.com

[Figure labels: Part-Transparent; Top Layer; Bottom Layer; Both Layers Overlaid; Opaque]

(related to Naor Shamir Visual Cryptography)


Additive System

Newsweek, March 29, 2004 print edition “The Future of Digital Voting” by Steven Levy


Example two-stripe symbology


Example three-stripe symbology


After the polls close

Batches successively published on the web once polls close

[Figure labels: Receipt Batch (receipt images); Trustee Transform (three shown); Intermediate Batch; Tally Batch (ballot images); numbers shown: 1,000,000; 1,000,001; 1,625,962]


After the polls close

Then a randomly chosen half of the transformations are “opened”


Introducing the properties (proofs in the paper at www.voterverifiable.com)


Properties [1 of 4]

• If your receipt is properly posted, you can be sure that your vote is included in the final tally [see also property 3]

• If your receipt is not properly posted, you should be able to demonstrate this (because it should have document security attributes including a digital signature)


Properties [2 of 4]

• No matter how incorrectly a system operates, there are only two ways it can change a correctly-posted ballot without being detected:
– printing text from a guessed pattern and hoping that the voter chooses that pattern; or
– incorrectly performing a step among the tally process steps and hoping that this step is not among the half selected for audit.


Properties [3 of 4]

Changing n ballots means:

• Chance that no cheating is detected is at most $1/2^n$

• Chance of getting caught cheating is at least $1 - 1/2^n$


Properties [4 of 4]

• Your receipt cannot be decrypted by anyone, or otherwise linked to your vote [more later], except by decrypting with (or breaking) sufficiently many secret keys (of which each trustee has its own).


Two mixes per trustee

[Figure labels: Trustee n; Batch 2n − 1, Batch 2n, Batch 2n + 1]


Links opened afterwards (inspired by Jakobsson, Juels, & Rivest)

[Figure labels: Trustee n; Batch 2n − 1, Batch 2n, Batch 2n + 1]
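A toy model of one trustee's two mixes and the audit that opens one link per middle-batch item, as an added example that is not from the slides or the paper. It assumes XOR pads as the layer being stripped and a nested hash tag as a stand-in for the encrypted key material a real trustee would decrypt; all function names are hypothetical.

```python
import hashlib
import random
import secrets

def tag(*parts):  # toy stand-in for encrypted key material (assumption)
    return hashlib.sha256(repr(parts).encode()).hexdigest()

def wrap(vote, keys):
    """Booth side (assumed): hide the vote under two XOR pads, one per mix."""
    p1, p2 = secrets.randbits(128), secrets.randbits(128)
    t2 = tag(p2)
    t1 = tag(p1, t2)
    keys.update({t1: (p1, t2), t2: (p2, None)})   # what the trustee can recover
    return (vote ^ p1 ^ p2, t1)

def mix(batch, keys, rng):
    """Strip one pad from every item and shuffle; order[dst] = src is the private link."""
    order = list(range(len(batch)))
    rng.shuffle(order)
    out = []
    for src in order:
        value, t = batch[src]
        pad, inner = keys[t]
        out.append((value ^ pad, inner))
    return out, order

def check_link(src_item, dst_item, pad):
    """Auditor: the revealed pad must match the tag and explain the output value."""
    (v_in, t), (v_out, inner) = src_item, dst_item
    expected = tag(pad) if inner is None else tag(pad, inner)
    return t == expected and v_in ^ pad == v_out

def audit(a, b, c, links1, links2, keys, open_incoming):
    """Open exactly one link per middle item, so no path from a to c is revealed."""
    for j in range(len(b)):
        if j in open_incoming:                   # link from batch a into b[j]
            src, dst = a[links1[j]], b[j]
        else:                                    # link from b[j] out to batch c
            src, dst = b[j], c[links2.index(j)]
        if not check_link(src, dst, keys[src[1]][0]):   # trustee reveals this pad
            return False
    return True

def run_trustee(votes, seed=0):  # constructed demo: one trustee, two mixes
    rng, keys = random.Random(seed), {}
    a = [wrap(v, keys) for v in votes]
    b, links1 = mix(a, keys, rng)
    c, links2 = mix(b, keys, rng)
    return a, b, c, links1, links2, keys
```

When `open_incoming` is chosen at random, a single altered output is checked only if its outgoing link is the one opened, so it escapes with probability 1/2; n altered ballots all escape with probability at most $1/2^n$, matching Properties 2 and 3.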


A Mix Network as a Black Box

[Figure labels: Mix network; message 2, message 3, message 1, message 4; 1, 2, 3, 4]


Basic Three Mix Cascade

[Figure labels: Trustee A; Trustee B; Trustee C; x, y, z]


Processing the Bitmaps

[Figure: three trustees in sequence. Labels shown: m1z1y1x1, m2z2y2x2, m3z3y3x3; m1z1y1, m2z2y2, m3z3y3; m1z1, m2z2, m3z3; m2, m3, m1; and the values x1–x3, y1–y3, z1–z3 with their combinations x1y1z1, x2y2z2, x3y3z3 and y1z1, y2z2, y3z3]


OUTLINE

• Introduction

• Example receipt systems

• Comparison with non-receipt systems
– Four classes of non-receipt systems
– Table of properties: Integrity, Privacy, Secrecy, Robustness and Costs
– Additional features/properties

• Comments on Standardization


VoteMeter & PrinterFace

• State-Level controls (including version #s)

• Better blind voter integrity

• Open interface standard

• See VoteMeter.com


Other aspects for comparison

1. Adjudicating which ballots to count

2. Reliably capturing voter intent

3. Preventing Ballot-style fraud

4. Creating/repairing voter confidence


OUTLINE

• Introduction

• Example receipt systems

• Comparison with non-receipt systems

• Comments on Standardization


Standardization thoughts

• Clearly defined technical rating system for multiple attributes
– At least include measurable/clear functional attributes (e.g., main rows of chart: integrity, privacy, reliability costs…)
– Minimums should be the only involvement of political processes in the standardization
• Role of Federal Government?—“Provable” systems could change everything!


Conclusion
