James Heather, University of SurreyPeter Y A Ryan, University of LuxembourgVanessa Teague, University of Melbourne

Background: PGD (1.0)Combines Code Voting with Verifiable

tallyingHigh privacy and integrity guarantees from

untrusted voting clientsEach voter gets a sheet of codes via a

“secure” channelone for each candidateOne Ack

They enter the code of their chosen candidateCheck they got the correct Ack

PGD 1 Ballot constructionDistributed ballot construction produces, for

each Ballot ID:Encrypted codes on the BB

listed in a random (candidate) order Described by a PaV-style onion

Unencrypted codes for the code sheets Printing these out is the main privacy vulnerability

PGD1 TallyingSubmitted codes are

encrypted by a Vote ServerMatched to the code on the BB using a

distributed plaintext equivalence test This gives an index

Tallied using the PaV onion

Background: PGD (1.0)Good:

Even a cheating client can’t mis-cast or drop the vote

A coercer can’t find out the vote afterwards Unless they have both the code sheet and control of

the device

Bad:A coercer can steal the code sheet before the

voteA colluding threshold of trustees can misrecord

the vote

Extending PGD to STV, Borda etc

Each voter lists the candidates in their order of preference

Obvious extension: send off the codes in order of preferenceDoesn’t work because a cheating device can

rearrange them

Idea A: IncrementalCode sheet has a Vote Code and Ack Code for

each candidateSend in Vote Codes in preference order,

wait for the Ack Code before sending the next Vote Code

Very secure but very slowCheating device can’t manipulate the vote

Idea C: 2 dimensional tableEach voter receives a code for each

candidate, for each preferenceOne Ack

Candidate 1st 2nd 3rd 4th

Incumbent

3772

5839 4892 0934

Imprudent 4909

5345 1223 2225

Repellent 9521

5893 3333 3209

Insolvent 7387

3455 3352 3409

Ballot ID: 3884092844 Ack: 28902

To vote Repellent, Insolvent, Imprudent, Incumbent:

Send 9521, 3455, 1223, 0934Expect return Ack 28902

Idea C (cont’d)Candidate 1st 2nd 3rd 4th

Incumbent 3772 5839 4892 0934

Imprudent 4909 5345 1223 2225

Repellent 9521 5893 3333 3209

Insolvent 7387 3455 3352 3409

Ballot ID: 3884092844 Ack: 28902

Idea C: pros and consVoting in one step; Ack returns in one simple

stepAs strong a defence against cheating client as

PGD 1.0Device can’t change vote without knowing

codesSame privacy guarantee as PGD 1.0

Single ack implies receipt-freeness even if the coercer observes ack return

Idea B: Return Ack codes in ballot orderEach voter receives

A list of candidate codes in a random, secret order

A list of preference-ack codes in preference order

The voter sends the candidate codes in preference order

and receives the preference-ack codesin the order the candidates appear on their

code sheet

Example

To vote Repellent, Insolvent, Imprudent, Incumbent:

Send 9521, 7387, 4909, 3772Expect return pref-acks W,C,K,T

Candidate Vote Code

Incumbent

3772

Imprudent 4909

Repellent 9521

Insolvent 7387

Ballot ID: 3884092844

Preference Pref-Ack Code

1st K

2nd T

3rd C

4th W

Ballot ID: 3884092844

Pref-AckW

C

K

T

Idea B: security propertiesIntegrity: A cheating client (who doesn’t

know the meaning of the preference codes) can swap two preferences undetectably only if it knows which two positions on the code sheet they correspond to.Not great if there are only 2 candidates

Privacy is guaranteed against an adversary who eitherDoes not observe the voter’s communications,

orDoes not see the code sheet

Idea B: pros and consVoting in one step; Ack returns in one

(complicated) step(Somewhat) weaker defence against cheating

client than PGD 1.0Because if the device can guess or discover the

candidates’ ballot positions, it can swap the votes

(Somewhat) weaker privacy than PGD 1.0Because if an attacker observes the code sheet

and the pref-ack return they can learn the vote

ConclusionDemocracy has numerous and powerful

adversariesOften insiders

PGD does a decent job of addressing many of the threatsEspecially untrusted client machines

But there are more features to add before fielding in real electionsCoercion-resistance

EVT/WOTE 2011August 2011San Francisco

Idea C: 2d tableCandidate Vote

Code Incumbent

3772

Imprudent

4909

Repellent

9521

Insolvent 7387

Ballot ID: 3884092844

Incompetent Red

Green

Chequered Fuzzy

Cross

$rJ9*mn4R&8