A. Steffen, 27.02.2012, Kickoff.pptx 1 Kickoff Meeting „E-Voting Seminar“ An Introduction to Cryptographic Voting Systems Andreas Steffen Hochschule für Technik Rapperswil [email protected]


Cryptographic Voting Systems

Summary:

• Due to repeated failures and detected vulnerabilities in both electro-mechanical and electronic voting machines, voters have somehow lost faith that the outcome of a poll always represents the true will of the electorate.

• Even more uncertain is electronic voting over the Internet which is potentially prone to coercion and vote-selling (this doesn't seem to be an issue in Switzerland).

• Manual counting of paper ballots is not really an option in the 21st century and is not free from tampering either.

• Modern cryptographic voting systems allow true end-to-end verification of the complete voting process by any individual voter, without sacrificing secrecy and privacy.


E-Voting in my home town Schlieren

Hidden PIN

„Internet-based voting does not have to be more secure than voting per snail mail“

Justice Department of the Canton of Zurich


[In]Security Features

???

Protection from Man-in-the-Middle attacks


E-Voting Website


Voter Login


Ballot (PHP Form)


E-Voting in my home town Schlieren

PIN


Voter Authentication


Transmission Receipt


Conclusion

So what?

„You are not allowed to know. The exact transaction processing is kept secret due to security reasons“

Justice Department of the Canton of Zurich


Traditional Chain-of-Custody Security

Diagram labels: Software Verification, Sealing, Tallying

Verification by proxy only

Source: Ben Adida, Ph.D. Thesis 2006


Desirable: End-to-End Verification by Voter

Source: Ben Adida, Ph.D. Thesis 2006

Secrecy? Privacy?


End-to-End Auditable Voting System (E2E)

• Any voter can verify that his or her ballot is included unmodified in a collection of ballots.

• Any voter (and typically any independent party additionally) can verify [with high probability] that the collection of ballots produces the correct final tally.

• No voter can demonstrate how he or she voted to any third party (thus preventing vote-selling and coercion).

Source: Wikipedia


Solution: Cryptographic Voting Systems

Diagram labels: A, B, C; Tamper-Proof Bulletin Board; Mixnet; Homomorphic Tallying; ElGamal / Paillier; Threshold Decryption

Source: Ben Adida, Ph.D. Thesis 2006


Proposed E2E Systems

• Punchscan by David Chaum.
• Prêt à Voter by Peter Ryan.
• Scratch & Vote by Ben Adida and Ron Rivest.
• ThreeBallot by Ron Rivest (paper-based without cryptography)
• Scantegrity II by David Chaum, Ron Rivest, Peter Ryan et al. (add-on to optical scan voting systems using Invisible Ink)
• Helios by Ben Adida (www.heliosvoting.org/)
• Selectio Helvetica by BFH (www.baloti.ch)
• Primevote by MSE graduates Christoph Galliker and Halm Reusser (www.smartprimes.ch)


Conclusion

• Modern Cryptographic Voting Systems allow true end-to-end verification of the whole voting process by anyone while maintaining a very high level of secrecy.

• Due to the advanced mathematical principles they are based on, Cryptographic Voting Systems are not easy to understand and are therefore not readily accepted by authorities and the electorate.

• But let's give Cryptographic Voting Systems a chance! They can give democracy a new meaning in the 21st century!


E-Voting Literature and Simulators

• http://security.hsr.ch/msevote/
  • Collection of MSE E-Voting seminar papers
  • E-Voting Simulator based on the Paillier Cryptosystem
  • E-Voting Simulator on the Damgard-Jurik Cryptosystem
    • Generalized Paillier, reduces to Paillier Cryptosystem with s = 1
    • Threshold Decryption with Distributed Keys issued by Trusted Dealer
    • Assume generator g = n+1 ( = 1, = 1)
  • The Paillier Cryptosystem, presented at the BFH E-Voting seminar


E-Voting Seminar Project

• Verifiable E-Voting System for Shareholder Meetings.
• Example: Novartis AG with 2'745'623'000 shares
• Item 1: Approval of the Annual Report and Financial Statements
  yes / no / abstention (32 bit field per option)

Voter 1      550'000'010 shares
Voter 2      500'000'010 shares
Voter 3      400'000'010 shares
Voter 4      350'000'010 shares
Voter 5      300'000'010 shares
Voter 6      150'000'010 shares
Voter 7      100'000'010 shares
Voter 8       50'000'010 shares
Voter 9       50'000'010 shares
Voter 10      50'000'010 shares

Total      2'500'000'100 shares


E-Voting Seminar Project Tasks

Paillier Cryptosystem: keysize = 1536 bits, V=10, N=5, T=3

Tasks (numbered as in the diagram):

• 1: Threshold Key Generation by Trusted Dealer
• 2: Ballot Encrypt. and ZKP by Voter v
• 3: ZKP Check, Weighted Tallying
• 4: Partial Decrypt. by Trustee i
• 5: Threshold Decryption

Data items in the diagram:

• keysize, N, T
• Public Key: n, g=n+1
• Partial Private Key: i=1, N, T, d, n (through i=N, N, T, d, n)
• Encrypted Ballot: v=1, c, a[], e[], z[] (through v=V, c, a[], e[], z[])
• Shareholder Registry: v[], w[]
• Encrypted Tally: ct
• Partially Decr. Tally: i=1, N, T, pt, n
• Partial Private Key: i=N, N, T, pt, n
• Decrypted Tally: yes, no, abstention
• protected channel


Conditions

• Goal: Restrict effort spent on project to 90 working hours (3 ECTS)
• Programming or scripting language: Arbitrary
  • Program code without whistles and bells!
  • No GUI required, may be a command line program.
• I/O Format: JSON
  • Big numbers encoded as hexadecimal strings
    {"v":1,"c":"2fe698..daf57e"}
  • Details of interface specification to be settled among tasks
• Deliverables: Commented program code and final test run data
  • Slides of final presentation
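
An added example (not from the slides or the seminar simulators) of the weighted homomorphic tallying task, using Paillier with g = n+1, one 32 bit field per option and the JSON/hex ballot format from the conditions above. Assumptions: a toy key built from two Mersenne primes instead of the 1536-bit key, the field order yes/no/abstention, constructed votes, and a single private key in place of threshold decryption; the ZKP fields a[], e[], z[] are left out.

```python
import json
import secrets
from math import gcd

# Toy key (constructed): two Mersenne primes, far too small for real use.
p, q = 2**61 - 1, 2**89 - 1
n = p * q
n2 = n * n
lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
mu = pow(lam, -1, n)  # this simple form of mu holds because g = n+1

FIELD_BITS = 32  # 2^32 > 2'745'623'000, so one field holds any share total
OPTIONS = ("yes", "no", "abstention")  # field order is an assumption

def encrypt(option):
    """Encrypt a one-hot ballot: 1 in the 32-bit field of the chosen option."""
    m = 1 << (FIELD_BITS * OPTIONS.index(option))
    r = 0
    while r < 2 or gcd(r, n) != 1:
        r = secrets.randbelow(n)
    # With g = n+1, g^m mod n^2 collapses to 1 + m*n.
    return (1 + m * n) * pow(r, n, n2) % n2

def ballot_json(v, option):
    """Ballot in the slide's format: big numbers as hexadecimal strings."""
    return json.dumps({"v": v, "c": format(encrypt(option), "x")})

def weighted_tally(ballots, registry):
    """Multiply c_v^w_v mod n^2; the plaintexts add up to sum(w_v * m_v)."""
    ct = 1
    for line in ballots:
        b = json.loads(line)
        ct = ct * pow(int(b["c"], 16), registry[b["v"]], n2) % n2
    return ct

def decrypt_tally(ct):
    """Decrypt the tally and split it into the three 32-bit fields."""
    m = (pow(ct, lam, n2) - 1) // n * mu % n
    mask = (1 << FIELD_BITS) - 1
    return {o: (m >> (FIELD_BITS * i)) & mask for i, o in enumerate(OPTIONS)}

SHARES = [550_000_010, 500_000_010, 400_000_010, 350_000_010, 300_000_010,
          150_000_010, 100_000_010, 50_000_010, 50_000_010, 50_000_010]
REGISTRY = dict(enumerate(SHARES, start=1))  # voter number -> share weight
VOTES = "yes yes no yes abstention no yes yes no abstention".split()  # constructed

def run():
    ballots = [ballot_json(v, o) for v, o in enumerate(VOTES, start=1)]
    return decrypt_tally(weighted_tally(ballots, REGISTRY))

if __name__ == "__main__":
    print(run())
```

The tallier only ever sees ciphertexts and the public share weights; the three decrypted fields sum to the 2'500'000'100 shares represented.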