auditability and verifiability of elecons ronald l....
TRANSCRIPT
AuditabilityandVerifiabilityofElec4ons
RonaldL.RivestMIT
UCDavisDecember1,2016
Havewemadeprogresssince2000?
Hanging chads (2000) >>> Voting Machines at Risk (2015)
Nov.2016–WhoReallyWon?
HillaryorDonald?
Evidence-BasedElec4ons Anelec4onshouldnotonlyfindoutwhowon,butshouldalsoprovideconvincingevidencethatthewinnerreallywon. (Stark&Wagner2012)NO:“TrustmeandmysoEware”YES:“Mistakeswillbemade.Findandfixthem.”YES:“Trustbutverify.”
Outline
• SecurityRequirements• SoTwareIndependence• Audi4ngofPaperBallots• CryptographicVo4ngSchemes(E2E)• Remote(Internet?)Vo4ng???
SecurityRequirements
SecurityRequirements
• Onlyeligiblevotersmayvote,andeacheligiblevotervotesatmostonce.
• Eachcastvoteissecret,evenifvoterwishesotherwise!--Novote-selling!--Noreceiptshowinghowyouvoted!
• Finaloutcomeisverifiablycorrect.• No``trustedpar4es’’–allaresuspect!Vendors,voters,elec4onofficials,candidates,spouses,otherna4on-states,…
SoTwareIndependence
(Rivest&Wack,2006)
AndWhoDoYouHopeYouVotedFor?
SoTwareIndependence
• SoTwareisnottobetrusted!• Avo4ngsystemissoEwareindependentifanundetectederrorintheso4warecannotcauseanundetectablechangeintheelec7onoutcome.
• StronglysoEware-independentifitispossibletocorrectanysuchoutcomeerror
• Example:Paperballots(withhandrecount)
PaperBallots
1893–“Australian”PaperBallot
Whatisusednow?
(VerifiedVo4ng)DRE=DirectRecordingbyElectronicsVVPAT=VoterVerifiedPaperAuditTrail
Elec4onProcess(paperballots)
• Printballots;setup• Vote• Ini4alcount(byscanners);ini4al(“reported”)outcome
• Sta4s4calaudit(byhand)ofpaperballotstoconfirm/disprovereportedoutcome
Audi4ngofPaperBallots
Twoaudi4ngparadigms • Ballot-pollingaudits:Allyouhavearethecastpaperballots.(Like``exitpoll’’ofballots…)
• Comparisonaudits:Usesbothpaperandelectronicrecords(“castvoterecords’’–CVRs)PaperballotgivenanIDwhenscanned;CVRhassameID.AuditcomparespaperballottoitsCVR.
Generalauditstructure
1. Drawanini4alrandomsampleofballots.2. Interpretthembyhand.3. Stopifreportedoutcomeisnowconfirmed
todesiredconfidencelevel.4. Ifallballotshavenowbeenexamined,you
havedoneafullrecount,andaredone.Otherwiseincreasesamplesize;returnto2.
CastVotes
Sample
Bravoaudit[LSY12]
• Ballot-pollingaudit• Risk-limi(ngaudit:providesguaranteethatchanceofaccepQngincorrectoutcomeisatmostgivenrisklimit(e.g.α=0.05).
• Usesreportedmargin-of-victoryasinput(e.g.accumulateproductofA/2orB/2whereA,Barereportedfrac4onsofvotesforAlice,Bob.
• Canneedlesslydoafullrecountifreportedmargin-of-victoryiswrong…
DiffSumaudit[R15]
• Nodependenceonreportedmargin-of-victory.• Fortwo-candidaterace,stopswhen(a–b)2>(a+b)�log10(n)wherea,b=numberofvotesforAlice,Bobn=totalnumberofvotescast
• Risklimit α determinedempirically;forthcomingworkgiveswaytomakethisapproachworkwithrigorousbounds.
Othersocialchoicefunc4ons
Socialchoicefunc4ons
• Notallelec4onsareplurality• Someelec4onsareranked-choice:ballotgivesvoter’spreferences:A>C>D>B
• Aspecified``socialchoicefunc4on’’mapscollec4onsofballotstooutcomes.
• Example:IRV(InstantRunoffVo4ng)–Keepelimina4ngcandidatewithfewestfirst-choicevotesun4lsomecandidatehasamajorityoffirst-choicevotes.(SanFranciscousesIRV.)
Black-boxaudits
• “Black-boxaudits”onlyneedto– drawrandomsamples– derivevariantsamplesofarandomsample– applythesocialchoicefunc4onina“black-box”mannertosomesamples,todeterminethewinnersofthosesamples.
• Black-boxauditsthusapplytoanyvoQngsystem(anysocialchoicefuncQon)!
• Threeexamples:Bayesian,Bootstrap,andT-pileaudits.
Bayesianaudit[RS12]• ``Inverse’’ofsamplingisPolya’sUrn:
• Placesampleinurn.Drawoneballotoutatrandom,puttwocopiesback.Rinseandrepeat.
• ThissamplesBayesianposteriordistribu4onforcollec4onofcastvotes.
• Canthusmeasure“Probabilitythatreportedoutcomeiscorrect”givensample.Stopif>1–α.
CastVotes
Sample
Drawsample Polya’sUrn
Bootstrapaudit[RS15]
• CreatefromgivensampleT(e.g.100)“variantsamples”(e.g.bysubsamplingwithreplacement)
• Stopauditifsampleandallvariantshavesameoutcomeasreportedoutcome.
CastVotes
Sample
Drawsample
VariantSample
VariantSample
VariantSample
T-pileaudit• “Deal”sampleinround-
robinmannerintoT(e.g.T=7)disjointpiles.
• Stopauditifsampleandallpileshavesameoutcomeasreportedoutcome.
• Provablyrisk-limi4ngunderreasonableassump4onthatmostlikelysampleoutcomeiscorrectone.
• Butnotasefficientasgeneralbootstrapaudit…
CastVotes
Sample
Drawsample
Pile1 Pile2 PileT
ComparisonAudits
• Moreefficient(1/margin-of-victory)sinceyouarees4ma4ngerrorrateinCVRs(near0)ratherthanvotesharesofcandidates(near½)
• Typicalauditmayonlyneedtoauditafewdozensofballots
• Bayesianauditcandocomparisonaudits• Othermethods:SOBA[BJLLS11]
End-to-endVerifiableVo4ng
End-to-EndVerifiableVo4ng• Provides“end-to-end”integrity;votesare
– “castasintended”(verifiedbyvoter)– “collectedascast”(verifiedbyvoterorproxy)– “countedascollected”(verifiedbyanyone)
• Paperballotshaveonlyfirstproperty;onceballotiscast,integritydependson“chainofcustody”ofballots.
• End-to-endsystemsprovidesoTwareindependence,verifiablechainofcustody,andverifiabletally.
PublicBulle4nBoard(PBB)
• E2Esystemshave“publicbulleQnboard”pos4ngelec4oninforma4on(includingencryp4onsofballots).
• PBBposts“evidence”thatreportedwinneriscorrect.
PublicBulle(nBoard:<Elec4on>SystemPKparametersVoter/Votepairs:“Abe_Smith”,E(voteAbe_Smith)
“Ben_Jones”,E(voteBen_Jones)…ReportedwinnerProofofcorrectness</Elec4on>
Ballotsareencrypted
• Votergivencopyofherencryptedballotas“receipt”
• Howcansheverifythatencryp4onwasdonecorrectly?Wasvote“verifiablycastasintended?”– Answer:votercanarbitrarilydecideeithertocastencryptedvote,ortoauditencryp4onbyaskingfordecryp4onparameters.(Benaloh)
Votercanconfirmchainofcustody
• VoternamesandreceiptspostedonPBB• Voterchecks“collectedascast”byverifyingthathername/receiptispostedonPBB
• Ifitismissing,shecancrediblycomplainifherreceiptis``authen4c’’ (e.g.hardtoforge).
• EnoughcrediblecomplaintsèRe-runelec4on!
Anyonecanverifytally
• Systempublishesfinaltally(reportedoutcome)andNIZKproofthatreportedoutcomeiscorrect.
• Decryp4ngindividualballotsnotnecessarywithhomomorphictallying:E(v1)E(v2)=E(v1+v2)Productofciphertextsisciphertextforsum.Onlyproductofallvotesneedstobedecrypted.
• Anothercommonapproachbasedonmixnets.
E2Edeploymentsinrealelec4ons
• Scantegrity(Chaum;TakomaPark,MD;2009&2011)
• Wombat(Rosen;3elec4onsinIsrael;2011&2012)
• PrêtàVoter(Ryan;NewSouthWales,Australia;2014)
• StarVote(Aus4n,Texas)(DeBeauvoir;inprogress…)
Hybridpaper+electronic
• Somesystems(likeScantegrity,Wombat,andStarVote)havebothapaperballotANDanelectronicE2Esubsystem.
• Canauditpaperballotsasusual.• CanauditelectronicrecordsonPBBasusualforE2Esystem.(Thatis,votercanverifyhervoteisthere,andanyonecanverifytally.)
Scantegrityconfirma4oncodes
Invisiblecodessolves“receiptauthen4city”problem:voteronlygetscodesforcandidatesshevotedfor.
Wombatvo4ng
• PrintedballothasplaintextchoiceandQRcodeequivalent.
• VotercastspaperballotintoballotboxandhasQRcodescannedforPBB.
• TakesQRcodereceipthometolookuponPBB.
WhencanIvoteontheInternet?(oronmyphone?)
h�p://voteinyourpajamas.org/
• U.S.VoteFounda4on2015ReportonInternetVo4ng:– E2EnecessaryforIV– But:E2Eshouldfirstbewell-establishedandunderstoodforin-personvo4ng,and
– E2EnotsufficientforIV:manyproblemsremain:
• Malware• DDOSa�acks• Authen4ca4on• MITMa�acks• Zero-daya�acksonservers• Coercion&vote-selling• …
HeliosVo4ng(Adida)
• PrototypeE2Einternetvo4ngsystemh�ps://vote.heliosvo4ng.org/
• Useshomomorphictallying• Usedbysomeprofessionalsocie4es…• Noprotec4onagainstmalware,DDOS,coercion,etc…
• Notsuitableforrealpoli4calelec4ons!
Challenges/OpenProblems
• Proofsofrisk-limi4ngcharacterforBootstrapaudits
• Developtheoryforprecinct-levelaudits• Be�erE2Edisputeresolu4on• Goodmul4-channelremotevo4ngmethods(mail+phone?)
• Be�erwaystoexplainauditstonon-technicalfolks(sta4s4cs;crypto;assump4ons…)
Conclusions
• Elec4onintegrityremainsahardproblemandagoodresearcharea.
• Internetvo4ngis(orshouldbe)alongwaysoff(20years?)
• End-to-endverifiablevo4ngmethods(especiallyhybridmethodswithpaperballots)arethewaytogo.
Thanksforyoura�en4on!
TheEnd