a brief intro to aperio and eperio

A Brief Intro to

Aperio and Eperio

Aleksander Essex

University of Waterloo, *University of Ottawa

SecVote 2010Sept. 3, Bertinoro Italy

Aperio and Eperio

• Aperio (Essex, Clark and Adams, WOTE08)

–Paper-based voting–Verifiable w/o crypto

• Eperio (Essex, Clark, Hengartner and Adams, EVT10)

–Electronic Aperio–Optical scan ballots–Verifiable with some crypto

Cryptoless E2E-style voting

• 3-Ballot – Hard to mark but easy to check– Numerous Attacks

• long ballots • short ballots (CEA07)• Etc

• Farnel/Twin– Easy to mark, easy to check but,– Need chain-of-custody to be secure

• If you had it, do you need ?

Aperio

• Easy to mark• Easy to tally• Some repetitive paperwork to verify• No CoC assumption

Aperio Ballot AssemblyWU, Carol

JONES, Alex

SMITH, Bob

Aperio Ballot Assembly

Sheets fused together (voter can’t see bottom sheets)

Reference Lists

450251556051…

Wu, Jones, SmithJones, Wu, SmithSmith, Wu, JonesWu, Jones, Smith…

WU, Carol

JONES, Alex

SMITH, Bob

Wu, Jones, Smith002

#923

WU, Carol

JONES, Alex

SMITH, Bob

#923

Wu, Jones, Smith002

#617

Commitments (tamper-evident envelopes)

AliceAlice AliceAlice

Voting

Casting

Counting

Σ

• Coin toss reveals either– Pink Ballot, Goldenrod Receipt, or,– Pink Receipt, Goldenrod Ballot

Decommitting Protocol

Alice

Alice

Alice

Alice

Alice

Alice

Alice

Alice

Checking Receipts

X X

002

WU, Carol

JONES, Alex

SMITH, Bob

WU, Carol

JONES, Alex

SMITH, Bob

WU, Carol

JONES, Alex

SMITH, Bob

WU, Carol

JONES, Alex

SMITH, Bob

XWU, Carol

JONES, Alex

SMITH, Bob

XWU, Carol

JONES, Alex

SMITH, Bob

X

Checking Tally

Cryptography in Elections

• Conflicting views:– Max-crypto

• Security at expense of simplicity

– No-crypto• Simplicity at expense of security

• Our goal:– Min-crypto

• Balance security and simplicity

Eperio• What it is

– E2E election verification protocol

• What it means for verification– Fewer cryptographic primitives– Smaller datasets– Faster execution– Fewer lines of code

BobAlice

AliceBob

#000 #001

x x

Pret-a-Voter style Ballots

Bubble ID Marked? Candidate

BobAlice

#000

Trustees* copy ballots into a table

Before the election….

*Done obliviously

Bubble ID Marked? Candidate

#000-1st Bob

#000-2nd AliceBobAlice

#000

Before the election….

Trustees* copy ballots into a table

*Done obliviously

Bubble ID Marked? Candidate

#000-1st Bob

#000-2nd Alice

#001-1st Alice

#001-2nd Bob

AliceBob

#001

Before the election….

Trustees* copy ballots into a table

*Done obliviously

Bubble ID Marked? Candidate

#000-1st Bob

#000-2nd Alice

#001-1st Alice

#001-2nd Bob

… … …

… … …And so on…

Before the election….

Bubble ID Marked? Candidate

#000-1st Bob

#000-2nd Alice

#001-1st Alice

#001-2nd Bob

… …

The Eperio Table:

Remember: it’s just the ballots in table-form.

Trustees shuffle rowsBubble ID Marked? Candidate

#001-2nd Bob

#003-2nd Bob

#007-1st Bob

#029-2nd Alice

#001-1st Bob

… …

Trustees mask columns

Bubble ID Marked? Candidate

#001-2nd Bob

#003-2nd Bob

#007-1st Bob

#029-2nd Alice

#001-1st Bob

… …

Cryptographically committed and published

Bubble ID Marked? Candidate

#001-2nd Bob

#003-2nd Bob

#007-1st Bob

#029-2nd Alice

#001-1st Bob

… …

Bubble ID Marked? Candidate

#001-2nd Bob

#003-2nd Bob

#007-1st Bob

#029-2nd Alice

#001-1st Bob

… …

Bubble ID Marked? Candidate

#001-2nd Bob

#003-2nd Bob

#007-1st Bob

#029-2nd Alice

#001-1st Bob

… …

Bubble ID Marked? Candidate

#001-2nd Bob

#003-2nd Bob

#007-1st Bob

#029-2nd Alice

#001-1st Bob

… …

Many independent shuffled copies

created

More instances scales security assurance

Bubble ID Marked? Candidate

#000-1st Yes Bob

#000-2nd No Alice

#001-1st Yes Alice

#001-2nd No Bob

… … …

#000

#001

x

x

Ballots recorded by scanner

During the election…

Bubble ID Marked? Candidate

#001-2nd No Bob

#003-2nd Yes Bob

#007-1st Yes Bob

#029-2nd No Alice

#001-1st Yes Alice

… … …

After the election: Bubble ID Marked? Candidate

#000-1st Yes Bob

#000-2nd No Alice

#001-1st Yes Alice

#001-2nd No Bob

… … …

Trustees fill in middle columns

Bubble ID Marked? Candidate

#001-2nd Yes Bob

#031-2nd Yes Bob

#001-1st Yes Alice

#029-2nd No Alice

#021-1st Yes Bob

… … …

After the election:Bubble ID Marked? Candidate

#000-1st Yes Bob

#000-2nd No Alice

#001-1st Yes Alice

#001-2nd No Bob

… … …

Trustees fill in middle columns

The Audit ChallengeBubble ID Marked? Candidate

#001-2nd No Bob

#003-2nd Yes Bob

#007-1st Yes Bob

#029-2nd No Alice

#001-1st Yes Bob

… … …

Bubble ID Marked? Candidate

#001-2nd Yes Bob

#003-2nd Yes Bob

#007-1st Yes Bob

#029-2nd No Alice

#001-1st Yes Bob

… … …

Bubble ID Marked? Candidate

#001-2nd No Bob

#003-2nd Yes Bob

#007-1st Yes Bob

#029-2nd No Alice

#001-1st Yes Bob

… … …

Bubble ID Marked? Candidate

#001-2nd No Bob

#003-2nd No Bob

#007-1st Yes Bob

#029-2nd Yes Alice

#001-1st No Bob

… … …

• Challenge• Public coin toss• One column from each instance challenged

• Response• Trustees post decommitments

Checking receipts

Bubble ID Marked? Candidate

#001-2nd Yes Bob

#003-2nd Yes Bob

#007-1st Yes Bob

#029-2nd No Alice

#001-1st Yes Bob

… … …

Checking receipts

Bubble ID Marked? Candidate

#007-1st Yes Bob

#006-2nd Yes Bob

#042-1st Yes Bob

#029-2nd No Alice

#007-2nd No Bob

… … …

Bubble ID column decommitted

Checking receipts

Bubble ID Marked? Candidate

#007-1st Yes Bob

#006-2nd Yes Bob

#042-1st Yes Bob

#029-2nd No Alice

#007-2nd No Bob

… … …

Voter looks up receipt. Checks for match.

#007

x

Bubble ID Marked? Candidate

#001-2nd No Bob

#003-2nd Yes Bob

#007-1st Yes Bob

#029-2nd No Alice

#001-1st Yes Bob

… … …

Tally audit

Bubble ID Marked? Candidate

#001-2nd No Bob

#003-2nd Yes Alice

#007-1st Yes Alice

#029-2nd No Bob

#001-1st Yes Bob

… … …

Candidate column decommitted

Tally audit

Bubble ID Marked? Candidate

#001-2nd No Bob

#003-2nd Yes Alice

#007-1st Yes Alice

#029-2nd No Bob

#001-1st Yes Bob

… … …

Tally like any election

Tally audit

+

Bubble ID Marked? Candidate

#001-2nd No Bob

#003-2nd Yes Alice

#007-1st Yes Alice

#029-2nd No Bob

#001-1st Yes Bob

… … …

Bubble ID Marked? Candidate

#001-2nd No Bob

#003-2nd Yes Bob

#007-1st Yes Bob

#029-2nd No Alice

#001-1st Yes Bob

… … …

Repeat as necessary…

Bubble ID Marked? Candidate

#007-1st Yes Bob

#006-2nd Yes Bob

#042-1st Yes Bob

#029-2nd No Alice

#007-2nd No Bob

… … …

Bubble ID Marked? Candidate

#001-2nd No Alice

#003-2nd Yes Bob

#007-1st Yes Bob

#029-2nd Yes Alice

#001-1st No Bob

… … …

Review

Bubble ID Marked? Candidate

#001-2nd No Bob

#003-2nd Yes Bob

#007-1st Yes Bob

#029-2nd No Alice

#001-1st Yes Bob

… … …

•Eperio table instance •Just a copy of ballots•Independently shuffled•Committed•Published

•Columns•Right + middle = tally•Left + middle = receipt info

How is Eperio different?

• Table structure• Commitment scheme• Implementation options

What does this mean?

• Speed (10-100x faster)• Data download (10-100x smaller)• Small code size (50 lines of Python)

Bubble ID Marked? Candidate

004 B X Bob

008 B X Alice

007 A X Alice

002 A Bob

004 A Alice

008 A Bob

002 B X Alice

007 B Bob

Table structure: a comparison

Eperio

Verification in a spreadsheet!Bubble ID Marked? Candidate

004 B X Bob

008 B X Alice

007 A X Alice

002 A Bob

004 A Alice

008 A Bob

002 B X Alice

007 B Bob

Bubble ID Marked? Candidate

004 B X Bob

008 B X Alice

007 A X Alice

002 A Bob

004 A Alice

008 A Bob

002 B X Alice

007 B Bob

OpenSSL OpenSSL

Implementation options (for audits)

Custom code Small script + Encryption utility

Spreadsheet + Encryption utility

Spreadsheet all-in-one?

Eperio

Eperio

eperio.orgFind out more at