James Heather, University of Surrey; Peter Y A Ryan, University of Luxembourg; Vanessa Teague, University of Melbourne
Background: PGD (1.0)
- Combines Code Voting with Verifiable tallying
- High privacy and integrity guarantees from untrusted voting clients
- Each voter gets a sheet of codes via a “secure” channel
  - one for each candidate
  - One Ack
- They enter the code of their chosen candidate
- Check they got the correct Ack
PGD 1 Ballot construction
- Distributed ballot construction produces, for each Ballot ID:
  - Encrypted codes on the BB, listed in a random (candidate) order
    - Described by a PaV-style onion
  - Unencrypted codes for the code sheets
    - Printing these out is the main privacy vulnerability
PGD1 Tallying
- Submitted codes are
  - encrypted by a Vote Server
  - Matched to the code on the BB using a distributed plaintext equivalence test
    - This gives an index
  - Tallied using the PaV onion
Background: PGD (1.0)
Good:
- Even a cheating client can’t mis-cast or drop the vote
- A coercer can’t find out the vote afterwards
  - Unless they have both the code sheet and control of the device
Bad:
- A coercer can steal the code sheet before the vote
- A colluding threshold of trustees can misrecord the vote
Extending PGD to STV, Borda etc
- Each voter lists the candidates in their order of preference
- Obvious extension: send off the codes in order of preference
  - Doesn’t work because a cheating device can rearrange them
Idea A: Incremental
- Code sheet has a Vote Code and Ack Code for each candidate
- Send in Vote Codes in preference order, wait for the Ack Code before sending the next Vote Code
- Very secure but very slow
  - Cheating device can’t manipulate the vote
Idea C: 2 dimensional table
- Each voter receives a code for each candidate, for each preference
- One Ack

Candidate   1st   2nd   3rd   4th
Incumbent   3772  5839  4892  0934
Imprudent   4909  5345  1223  2225
Repellent   9521  5893  3333  3209
Insolvent   7387  3455  3352  3409
Ballot ID: 3884092844   Ack: 28902

To vote Repellent, Insolvent, Imprudent, Incumbent:
- Send 9521, 3455, 1223, 0934
- Expect return Ack 28902
Idea C (cont’d)

Candidate   1st   2nd   3rd   4th
Incumbent   3772  5839  4892  0934
Imprudent   4909  5345  1223  2225
Repellent   9521  5893  3333  3209
Insolvent   7387  3455  3352  3409
Ballot ID: 3884092844   Ack: 28902
Idea C: pros and cons
- Voting in one step; Ack returns in one simple step
- As strong a defence against a cheating client as PGD 1.0
  - Device can’t change the vote without knowing the codes
- Same privacy guarantee as PGD 1.0
  - Single ack implies receipt-freeness even if the coercer observes the ack return
Idea B: Return Ack codes in ballot order
- Each voter receives
  - A list of candidate codes in a random, secret order
  - A list of preference-ack codes in preference order
- The voter sends the candidate codes in preference order and receives the preference-ack codes in the order the candidates appear on their code sheet
Example
To vote Repellent, Insolvent, Imprudent, Incumbent:
- Send 9521, 7387, 4909, 3772
- Expect return pref-acks W, C, K, T

Candidate   Vote Code
Incumbent   3772
Imprudent   4909
Repellent   9521
Insolvent   7387
Ballot ID: 3884092844

Preference  Pref-Ack Code
1st         K
2nd         T
3rd         C
4th         W
Ballot ID: 3884092844

Pref-Acks returned (in code-sheet order): W, C, K, T
Idea B: security properties
- Integrity: A cheating client (who doesn’t know the meaning of the preference codes) can swap two preferences undetectably only if it knows which two positions on the code sheet they correspond to.
  - Not great if there are only 2 candidates
- Privacy is guaranteed against an adversary who either
  - Does not observe the voter’s communications, or
  - Does not see the code sheet
Idea B: pros and cons
- Voting in one step; Ack returns in one (complicated) step
- (Somewhat) weaker defence against a cheating client than PGD 1.0
  - Because if the device can guess or discover the candidates’ ballot positions, it can swap the votes
- (Somewhat) weaker privacy than PGD 1.0
  - Because if an attacker observes the code sheet and the pref-ack return they can learn the vote
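The Idea B exchange and its integrity argument, as an added toy model that is not part of the slides; it uses the constructed code sheet from the Example slide and assumes the candidate rows are printed in the order shown there.

```python
# Added example (not from the slides): a toy model of Idea B, built from the
# constructed code sheet shown in the Example slide.

# Candidate codes in the sheet's secret random order (assumed: the printed order).
SHEET_CANDIDATES = ["Incumbent", "Imprudent", "Repellent", "Insolvent"]
VOTE_CODES = {"Incumbent": "3772", "Imprudent": "4909",
              "Repellent": "9521", "Insolvent": "7387"}
# Pref-ack codes in preference order: 1st, 2nd, 3rd, 4th.
PREF_ACKS = ["K", "T", "C", "W"]


def voter_submission(preferences):
    """Voter side: send the candidate codes in order of preference."""
    return [VOTE_CODES[c] for c in preferences]


def server_pref_acks(submitted_codes):
    """Server side: map each code back to its candidate, then return the
    pref-ack for each candidate's rank, in the order candidates appear
    on the code sheet (not in preference order)."""
    code_to_candidate = {code: cand for cand, code in VOTE_CODES.items()}
    rank_of = {code_to_candidate[code]: r for r, code in enumerate(submitted_codes)}
    return [PREF_ACKS[rank_of[c]] for c in SHEET_CANDIDATES]


def voter_expected_acks(preferences):
    """Voter side: the ack sequence the sheet predicts for the vote as cast."""
    rank_of = {c: r for r, c in enumerate(preferences)}
    return [PREF_ACKS[rank_of[c]] for c in SHEET_CANDIDATES]


def cheating_client(preferences, swap, known_sheet_positions=None):
    """Model of the integrity argument on the slides: the device swaps two
    submitted codes. It can hide this from the voter only if it knows the
    two sheet positions of the swapped candidates and swaps those acks back.
    Returns (codes actually sent, acks shown to the voter)."""
    codes = voter_submission(preferences)
    i, j = swap
    codes[i], codes[j] = codes[j], codes[i]
    shown = server_pref_acks(codes)
    if known_sheet_positions is not None:
        p, q = known_sheet_positions
        shown[p], shown[q] = shown[q], shown[p]
    return codes, shown


def voter_detects_tampering(preferences, shown_acks):
    """True when the acks displayed to the voter do not match the sheet."""
    return shown_acks != voter_expected_acks(preferences)
```

With the slide's ballot (Repellent, Insolvent, Imprudent, Incumbent) the server returns W, C, K, T; a device that swaps the first two codes shows W, C, T, K and is caught unless it also knows those candidates sit in rows 3 and 4 of the sheet.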
Conclusion
- Democracy has numerous and powerful adversaries
  - Often insiders
- PGD does a decent job of addressing many of the threats
  - Especially untrusted client machines
- But there are more features to add before fielding in real elections
  - Coercion-resistance
Idea C: 2d table

Candidate   Vote Code
Incumbent   3772
Imprudent   4909
Repellent   9521
Insolvent   7387
Ballot ID: 3884092844