election security

What shall I talk about today?

The first part of this talk is largely administrative – letting this audience know a bit about the Python Software Foundation, its mission, and accomplishments.

The larger, latter, section of this talk shall delve into a technical topic that I find interesting: making a secure, anonymous, and verifiable voting system (in Python).

PyCon India 2012 Opening Keynote David Mertz

Who am I?

A Director of the Python Software Foundation (one of eleven).

Chair of PSF Trademarks Committee.

Chair of PSF Outreach and Education Committee.

Creator of the election system used by the PSF (segue coming to topic of the main talk).

PyCon India 2012 David Mertz

More about me:

I used to be well known as author of the IBM developerWorks column Charming Python and Addison-Wesley book Text Processing in Python.

Now I work at a research lab called D. E. Shaw Research who have built the world's fastest supercomputer for doing molecular dynamics.

My academic publications include a number in voting technologies (segue coming). Plus a doctorate in Political Philosophy along the way.


DESRES has an office in Hyderabad, and we are hiring!

The Python Software Foundation (PSF) is a non-profit membership organization devoted to advancing open source technology related to the Python programming language.

It qualifies under the US Internal Revenue Code as a tax-exempt 501(c)(3) scientific and educational public charity, and conducts its business according to the rules for such organizations.

http://www.python.org/psf/

http://www.python.org/psf/mission/


Let's start dry and factual

http://www.python.org/psf/

http://www.python.org/psf/mission/

The mission of the Python Software Foundation is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers.

The PSF is composed of a membership elected by prior members, who in turn elect a Board of Directors to conduct the daily business of the Foundation.


PSF Finances

PyCon US 2012

Revenue: US$1395K (~75M Rs)

Profit: US$277K

Balances (as of May 31st 2012)

Total equity: US$700K (~38M Rs)

Receivables: US$121K

Payables: US$27K

Net income: US$309K


The biggest PSF revenue source, by far, is PyCon US

Things the PSF Does:

Protects the Intellectual Property in Python (trademarks and copyrights).

Funds conferences & sprints (including a contribution to PyCon India 2012).

Funds Python related projects (targeted development; filling gaps in module coverage; education and outreach efforts, etc).

Runs PSF projects (brochure; website redesign; speed.python.org; sprints; awards; etc).


Things the PSF Does Hereby:

We are honored to grant the Python Software Foundation Community Service Award to Kenneth Gonsalves, posthumously.

The Indian Python Software Society is establishing a Kenneth Gonsalves Memorial Award to be given to Python students. The PSF is likewise pleased to provide seed funding of US$3500 (~190K Rs) to IPSS for this award.


Certificate for family of Kenneth Gonsalves, if they are available

Segue time:

The rest of this talk is about voting systems. It doesn't have anything to do with the PSF per se, although the PSF has used the described method.

This talk doesn't really have much to do with Python either. The systems presented and implemented were written in Python, but you could do it in a different programming language.

... for that matter, you could do most of it with pencils and paper.

PyCon India 2012 A verifiable election system David Mertz

From time to time, the PSF conducts elections to elect members, a Board of Directors, and to pass motions of the membership.

There is a key property that we can rely on, that makes it possible to provide some interesting (theoretical) guarantees for these elections. Namely, the identity – and email address – of every eligible voter is known in advance and centrally maintained.


What I do NOT advocate:

I hasten to observe that I do not support using a system like the one I describe for public/ governmental elections.

It is outside the scope of this talk fully to explain why, but the constraints and properties public elections need cannot be fit into the model given in this talk without compromising principles of democracy.


What can we (almost) guarantee? (part 1)

1. An election should be anonymous. No one should be able to determine how any voter voted (other than a voter herself).

Our system allows a notable weakening of this condition by allowing a single, trusted Election Administrator who can puncture anonymity. This person is, therefore, required to be a disinterested party.

This weakening is much of why our approach does not work for public elections – no one can be trusted to be sufficiently disinterested.


(continued ...)


2. An election should be collectively verifiable. That is, every observer should be able to determine that the tabulation is accurate, and that no ineligible votes are included.

Moreover, each individual voter should be able to determine that her own vote (or non-vote) is accurately included in the collection of ballots.


(continued ...)


3. An election should be secure against tampering. No malicious action by any voter should be able to alter an election. Ideally, no malicious action by an outside hacker should be able to change anything either.

A crucial element here is that even the Election Administrator cannot tamper with an election in a way that is not detectable by observers and/or eligible voters.


Things we do not guarantee:

The system described makes no effort to prevent vote buying/coercion. For PSF elections we assume that voters act free of undue influence.

The identity of eligible voters is a matter of public record; again, this fits the PSF membership model (but the count of voters would suffice).

In the event of a challenge to results or to the conduct of an election, a challenger would need to abandon anonymity, at least to auditors.


(All reasons why this doesn't match public elections)

The simplicity of how it works:

The basic concept is that each voter is assigned a random ballot-id associated with her ballot, and the mapping from eligible voters is known only to the Election Administrator.

When an election is completed, the set of cast ballots – each identified only by ballot-id – is published. The code actually used in the last PSF election is at:

http://gnosis.cx/psf/


Suppose that we have a list of eligible voters, e.g.:Anand Chittipothu, [email protected] DiPierro, [email protected] Kaplan-Moss, [email protected] Mertz, [email protected] Pillai, [email protected] Ram, [email protected] Ramachandran, [email protected] van Rossum, [email protected]

We know the identity of all the voters, and that they number 8 total (the second fact can be inferred from the first, of course).


(These happen to be PSF members either mentioned or likely in audience)

mailto:[email protected]

mailto:[email protected]

Generating ballot-id's is a very simple script:#!/usr/bin/env python3from random import randint, choicefrom string import ascii_uppercase as uppercasefrom time import asctime, strftimeout=open('Ballot-Map-'+strftime('%Y-%m-%d'),'w')for person in open('Address_List.members'): ballotID = choice(uppercase)+\ choice(uppercase)+\ "%0.3d" % randint(0,1000) print(ballotID,"\t",person, file=out)


(Finally some Python code!)

We have produced an annotated list of eligible voters with random ballot-id's. Remember, this mapping is maintained confidentially by the Election Administrator and given to no one else:

QG996 Anand Chittipothu, [email protected] Massimo DiPierro, [email protected] Jacob Kaplan-Moss, [email protected] David Mertz, [email protected] Anand Pillai, [email protected] Vasudev Ram, [email protected] Prabhu Ramachandran, [email protected] Guido van Rossum, [email protected]


Another script, send-ballot-ids, was used to process the generated file, e.g. Ballot-Map-2012-09-19, and send ballots to voters; another step that may not be obvious is important to prevent tampering.

Remember our concern to prevent tampering, even by the Election Administrator? To address this, the administrator commits to the exact set of ballot-id's used, but doesn't actually reveal what they are. E.g. she can publish this:

% cut -c-5 Ballot-Map-2012-09-26 | sort | shasumb7f1ada5057273482db97eafecf4476c5b3fb6c7 -


(The 'sort' in there is no accident)

This “commitment” to ballot-id's is nuanced. The full set of (purported) ballot-id's is published at the end of the election (along with the full ballots).

If the Election Administrator had not published this “commitment,” she could stuff the ballot at the end with newly invented ballot-id's having the votes she desired.

With the commitment, eligible voters – who either do or do not cast a ballot – can verify their vote against the eventually published archive of ballots, leaving no room for stuffed ballots.


The Election Administrator sends a personalized ballot to each eligible voter that incorporates a voter's ballot-id.

Within the voting period, some or all of the eligible voters vote by sending back their ballot (with ballot-id) to the Election Administrator (more is better, but we cannot mandate 100% participation by PSF members).


Email is a likely way to handle sending and receiving personalized ballots, but it could be physical papers or other internet protocols without affecting the guarantees.

The system described does not address message-level or transport-level security. It would be nice if every voter installed GPG and published a public key, but we could not count on that within the PSF.


Note that the voting procedure and publication is neutral as to the tabulation and voting rules used. Ballots are just documents, and whether an organization wants “first pass the post” or “ranked preference” voting – and similar tabulation choices – is open within this framework.


Collective Verification:

Every actual voter can verify that the ballot matching their ballot-id contains the votes they intended.

Every eligible but non-voter can also verify that their ballot-id is excluded from the published archive.

Every observer can verify that the ballot archive contains a subset of the committed ballot-id's.

Every observer can check the tabulation of the ballot archive independently.


The last several PSF elections were conducted using the method described. Following the most recent election, some voters expressed a preference for using a web interface rather than sending text files over email.

My colleague Massimo DiPierro developed such a web interface with my assistance. His code is on github and a live test version of it is at web2py.● https://github.com/mdipierro/evote/● http://tests.web2py.com/evote●


https://github.com/mdipierro/evote/

http://tests.web2py.com/evote

Massimo's E-Vote uses the same general principles as the system I have described thus far, but allows creation of elections and casting votes purely within web interfaces.

The code to implement E-Vote requires scaffolding for an MVC web framework, and therefore uses more code than the <100 lines in the PSF system (of which <50 lines are essential), but E-Vote is still quite compact and simple.

E-Vote is a bit more automated than the PSF system, but it also offers slightly improved guarantees.


Anyone may create an election at the demo URL for E-Vote; sign-in uses OpenID. An administrator creates a ballot using a markup format and enters the email addresses of all eligible voters.

Voters are each sent a custom link incorporating a UUID associated with their individual ballot:

To: [email protected]: Simple ElectionDate: Fri, 21 Sep 2012 16:12:21 +0000

Link to vote: https://tests.web2py.com/evote/default/vote/21/ voter-B110C66787DC459BA72BA74D422684FE


https://tests.web2py.com/evote/default/vote/21/

After voting at the prior link:


While these ballots use ballot-id's, as with the previous code, in E-Vote the mapping between the UUID/URL for voting and the stored ballot-id is not retained after the URL is used. What a ballot-id still does, however, is make each ballot unique, even if it contains the same vote(s) as another ballot.

Discarding the UUID/ballot-id association obscures voter identity. While a malicious Election Administrator who controlled the code could still covertly store the mapping, if a trusted third party hosts the code, the Election Administrator cannot access that mapping.


The most interesting thing on a completed E-vote ballot is probably its signature. This is generated using RSA public-key cryptography:

# Pure-Python RSA module: http://stuvel.eu/rsaimport rsa, base64def sign(text, privk_pem): privkey = rsa.PrivateKey.load_pkcs1(privk_pem) signature = base64.b16encode( rsa.sign(text,privkey,'SHA-1')) return signature


The public key that may be used to verify a signature is published. In fact, it is contained in the “Ballot Verification Code” link on the ballot:

% cat ballot-verification.py# This program allows you to verify your ballot # using the RSA algorithm.import base64, rsa # this is the ballot to verifyballot = """<h2>Simple Election</h2><input checked="checked" value="1"/>yes<input value="2"/>no<input value="3"/>abstain<pre>ballot-21-000001</pre>""".strip()


(continued...)

Continuing the verification code...# this is the ballot RSA signaturesignature = base64.b16decode("5E5CD5...2330B4")# this is the election public keypk_pem = """-----BEGIN RSA PUBLIC KEY-----MIGJAoGBAIlKHjsPqghsAvQhqGY8DZxoGIyRUkk6OlEhJUoDqCmF2rpeR9u4u3z+

MMNaWIO4iVsPQnO1JFYJr5Zim1TokLyvz+1HglYRlwW9yLMZjz/tUOFhTPu8zvq4

dHBXF47rIS5Cv4ravS5sB0zG7fQN6znWrHOO961yJSiL1KWtL/jfAgMBAAE=

-----END RSA PUBLIC KEY-----"""# this is the code that verifies the signaturepublic_key = rsa.PublicKey.load_pkcs1(pk_pem)if rsa.verify(ballot,signature,public_key)==None: print 'valid'else: print 'invalid'


Putting a signature on each ballot “commits” the Election Admin (who is code, really) more strongly than did the commitment of the ballot-id list.

A voter can save her signed ballot (and/or the verification script above) which prevents the Election Administrator from being able to deny receiving the ballot. Only the election private-key could have signed the ballot, and only the Election Administrator (via the software) has that key.

This model doesn't work in email, since it is a completed ballot that gets signed, not the blank.


Each voter can make sure her own ballot is included, as before. As well, every observer can independently verify the signatures on each ballot.

E-Vote handles non-voters by generating a “blank” ballot for each eligible voter who did not participate, and sends them a notice that is similar to that received by voters when they vote.



A picture of my cat:

Every technical talk needs a cute kitten, right?

(Python pose?)


Wrap-up / Questions?● This talk describe two variations on a voting system

that enforces properties of Anonymity, Collective Verifiability, and Security Against Tampering.

● There are other properties that one might hope for, but these strike me as more-or-less the right ones for an online, explicit-membership organization like the PSF.

● If we have time, I'd love feedback on my ideas (or catch me in the hallways).

election security

Technology