AuditabilityandVerifiabilityofElec4ons

RonaldL.RivestMIT

UCDavisDecember1,2016

Havewemadeprogresssince2000?

Hanging chads (2000) >>> Voting Machines at Risk (2015)

Nov.2016–WhoReallyWon?

HillaryorDonald?

Evidence-BasedElec4ons Anelec4onshouldnotonlyfindoutwhowon,butshouldalsoprovideconvincingevidencethatthewinnerreallywon. (Stark&Wagner2012)NO:“TrustmeandmysoEware”YES:“Mistakeswillbemade.Findandfixthem.”YES:“Trustbutverify.”

Outline

•  SecurityRequirements•  SoTwareIndependence•  Audi4ngofPaperBallots•  CryptographicVo4ngSchemes(E2E)•  Remote(Internet?)Vo4ng???

SecurityRequirements

SecurityRequirements

•  Onlyeligiblevotersmayvote,andeacheligiblevotervotesatmostonce.

•  Eachcastvoteissecret,evenifvoterwishesotherwise!--Novote-selling!--Noreceiptshowinghowyouvoted!

•  Finaloutcomeisverifiablycorrect.•  No``trustedpar4es’’–allaresuspect!Vendors,voters,elec4onofficials,candidates,spouses,otherna4on-states,…

SoTwareIndependence

(Rivest&Wack,2006)

AndWhoDoYouHopeYouVotedFor?

SoTwareIndependence

•  SoTwareisnottobetrusted!•  Avo4ngsystemissoEwareindependentifanundetectederrorintheso4warecannotcauseanundetectablechangeintheelec7onoutcome.

•  StronglysoEware-independentifitispossibletocorrectanysuchoutcomeerror

•  Example:Paperballots(withhandrecount)

PaperBallots

1893–“Australian”PaperBallot

Whatisusednow?

(VerifiedVo4ng)DRE=DirectRecordingbyElectronicsVVPAT=VoterVerifiedPaperAuditTrail

Elec4onProcess(paperballots)

•  Printballots;setup•  Vote•  Ini4alcount(byscanners);ini4al(“reported”)outcome

•  Sta4s4calaudit(byhand)ofpaperballotstoconfirm/disprovereportedoutcome

Audi4ngofPaperBallots

Twoaudi4ngparadigms •  Ballot-pollingaudits:Allyouhavearethecastpaperballots.(Like``exitpoll’’ofballots…)

•  Comparisonaudits:Usesbothpaperandelectronicrecords(“castvoterecords’’–CVRs)PaperballotgivenanIDwhenscanned;CVRhassameID.AuditcomparespaperballottoitsCVR.

Generalauditstructure

1.  Drawanini4alrandomsampleofballots.2.  Interpretthembyhand.3.  Stopifreportedoutcomeisnowconfirmed

todesiredconfidencelevel.4.  Ifallballotshavenowbeenexamined,you

havedoneafullrecount,andaredone.Otherwiseincreasesamplesize;returnto2.

CastVotes

Sample

Bravoaudit[LSY12]

•  Ballot-pollingaudit•  Risk-limi(ngaudit:providesguaranteethatchanceofaccepQngincorrectoutcomeisatmostgivenrisklimit(e.g.α=0.05).

•  Usesreportedmargin-of-victoryasinput(e.g.accumulateproductofA/2orB/2whereA,Barereportedfrac4onsofvotesforAlice,Bob.

•  Canneedlesslydoafullrecountifreportedmargin-of-victoryiswrong…

DiffSumaudit[R15]

•  Nodependenceonreportedmargin-of-victory.•  Fortwo-candidaterace,stopswhen(a–b)2>(a+b)�log10(n)wherea,b=numberofvotesforAlice,Bobn=totalnumberofvotescast

•  Risklimit α determinedempirically;forthcomingworkgiveswaytomakethisapproachworkwithrigorousbounds.

Othersocialchoicefunc4ons

Socialchoicefunc4ons

•  Notallelec4onsareplurality•  Someelec4onsareranked-choice:ballotgivesvoter’spreferences:A>C>D>B

•  Aspecified``socialchoicefunc4on’’mapscollec4onsofballotstooutcomes.

•  Example:IRV(InstantRunoffVo4ng)–Keepelimina4ngcandidatewithfewestfirst-choicevotesun4lsomecandidatehasamajorityoffirst-choicevotes.(SanFranciscousesIRV.)

Black-boxaudits

•  “Black-boxaudits”onlyneedto– drawrandomsamples– derivevariantsamplesofarandomsample– applythesocialchoicefunc4onina“black-box”mannertosomesamples,todeterminethewinnersofthosesamples.

•  Black-boxauditsthusapplytoanyvoQngsystem(anysocialchoicefuncQon)!

•  Threeexamples:Bayesian,Bootstrap,andT-pileaudits.

Bayesianaudit[RS12]•  ``Inverse’’ofsamplingisPolya’sUrn:

•  Placesampleinurn.Drawoneballotoutatrandom,puttwocopiesback.Rinseandrepeat.

•  ThissamplesBayesianposteriordistribu4onforcollec4onofcastvotes.

•  Canthusmeasure“Probabilitythatreportedoutcomeiscorrect”givensample.Stopif>1–α.

CastVotes

Sample

Drawsample Polya’sUrn

Bootstrapaudit[RS15]

•  CreatefromgivensampleT(e.g.100)“variantsamples”(e.g.bysubsamplingwithreplacement)

•  Stopauditifsampleandallvariantshavesameoutcomeasreportedoutcome.

CastVotes

Sample

Drawsample

VariantSample

VariantSample

VariantSample

T-pileaudit•  “Deal”sampleinround-

robinmannerintoT(e.g.T=7)disjointpiles.

•  Stopauditifsampleandallpileshavesameoutcomeasreportedoutcome.

•  Provablyrisk-limi4ngunderreasonableassump4onthatmostlikelysampleoutcomeiscorrectone.

•  Butnotasefficientasgeneralbootstrapaudit…

CastVotes

Sample

Drawsample

Pile1 Pile2 PileT

ComparisonAudits

•  Moreefficient(1/margin-of-victory)sinceyouarees4ma4ngerrorrateinCVRs(near0)ratherthanvotesharesofcandidates(near½)

•  Typicalauditmayonlyneedtoauditafewdozensofballots

•  Bayesianauditcandocomparisonaudits•  Othermethods:SOBA[BJLLS11]

End-to-endVerifiableVo4ng

End-to-EndVerifiableVo4ng•  Provides“end-to-end”integrity;votesare

– “castasintended”(verifiedbyvoter)– “collectedascast”(verifiedbyvoterorproxy)– “countedascollected”(verifiedbyanyone)

•  Paperballotshaveonlyfirstproperty;onceballotiscast,integritydependson“chainofcustody”ofballots.

•  End-to-endsystemsprovidesoTwareindependence,verifiablechainofcustody,andverifiabletally.

PublicBulle4nBoard(PBB)

•  E2Esystemshave“publicbulleQnboard”pos4ngelec4oninforma4on(includingencryp4onsofballots).

•  PBBposts“evidence”thatreportedwinneriscorrect.

PublicBulle(nBoard:<Elec4on>SystemPKparametersVoter/Votepairs:“Abe_Smith”,E(voteAbe_Smith)

“Ben_Jones”,E(voteBen_Jones)…ReportedwinnerProofofcorrectness</Elec4on>

Ballotsareencrypted

•  Votergivencopyofherencryptedballotas“receipt”

•  Howcansheverifythatencryp4onwasdonecorrectly?Wasvote“verifiablycastasintended?”– Answer:votercanarbitrarilydecideeithertocastencryptedvote,ortoauditencryp4onbyaskingfordecryp4onparameters.(Benaloh)

Votercanconfirmchainofcustody

•  VoternamesandreceiptspostedonPBB•  Voterchecks“collectedascast”byverifyingthathername/receiptispostedonPBB

•  Ifitismissing,shecancrediblycomplainifherreceiptis``authen4c’’ (e.g.hardtoforge).

•  EnoughcrediblecomplaintsèRe-runelec4on!

Anyonecanverifytally

•  Systempublishesfinaltally(reportedoutcome)andNIZKproofthatreportedoutcomeiscorrect.

•  Decryp4ngindividualballotsnotnecessarywithhomomorphictallying:E(v1)E(v2)=E(v1+v2)Productofciphertextsisciphertextforsum.Onlyproductofallvotesneedstobedecrypted.

•  Anothercommonapproachbasedonmixnets.

E2Edeploymentsinrealelec4ons

•  Scantegrity(Chaum;TakomaPark,MD;2009&2011)

•  Wombat(Rosen;3elec4onsinIsrael;2011&2012)

•  PrêtàVoter(Ryan;NewSouthWales,Australia;2014)

•  StarVote(Aus4n,Texas)(DeBeauvoir;inprogress…)

Hybridpaper+electronic

•  Somesystems(likeScantegrity,Wombat,andStarVote)havebothapaperballotANDanelectronicE2Esubsystem.

•  Canauditpaperballotsasusual.•  CanauditelectronicrecordsonPBBasusualforE2Esystem.(Thatis,votercanverifyhervoteisthere,andanyonecanverifytally.)

Scantegrityconfirma4oncodes

Invisiblecodessolves“receiptauthen4city”problem:voteronlygetscodesforcandidatesshevotedfor.

Wombatvo4ng

•  PrintedballothasplaintextchoiceandQRcodeequivalent.

•  VotercastspaperballotintoballotboxandhasQRcodescannedforPBB.

•  TakesQRcodereceipthometolookuponPBB.

WhencanIvoteontheInternet?(oronmyphone?)

h�p://voteinyourpajamas.org/

•  U.S.VoteFounda4on2015ReportonInternetVo4ng:–  E2EnecessaryforIV–  But:E2Eshouldfirstbewell-establishedandunderstoodforin-personvo4ng,and

–  E2EnotsufficientforIV:manyproblemsremain:

•  Malware•  DDOSa�acks•  Authen4ca4on•  MITMa�acks•  Zero-daya�acksonservers•  Coercion&vote-selling•  …

HeliosVo4ng(Adida)

•  PrototypeE2Einternetvo4ngsystemh�ps://vote.heliosvo4ng.org/

•  Useshomomorphictallying•  Usedbysomeprofessionalsocie4es…•  Noprotec4onagainstmalware,DDOS,coercion,etc…

•  Notsuitableforrealpoli4calelec4ons!

Challenges/OpenProblems

•  Proofsofrisk-limi4ngcharacterforBootstrapaudits

•  Developtheoryforprecinct-levelaudits•  Be�erE2Edisputeresolu4on•  Goodmul4-channelremotevo4ngmethods(mail+phone?)

•  Be�erwaystoexplainauditstonon-technicalfolks(sta4s4cs;crypto;assump4ons…)

Conclusions

•  Elec4onintegrityremainsahardproblemandagoodresearcharea.

•  Internetvo4ngis(orshouldbe)alongwaysoff(20years?)

•  End-to-endverifiablevo4ngmethods(especiallyhybridmethodswithpaperballots)arethewaytogo.

Thanksforyoura�en4on!

TheEnd