300 likes | 450 Views
Secure Remote Electronic Voting. CSE-681 Fall 2006 David Foster and Laura Stapleton. Motivation. Current absentee ballot system requires a physical visit to the voting district authorities and one mailing or three mailings between voter and voting district authorities for every election
E N D
Secure Remote Electronic Voting CSE-681 Fall 2006 David Foster and Laura Stapleton
Motivation • Current absentee ballot system requires a physical visit to the voting district authorities and one mailing or three mailings between voter and voting district authorities for every election • Increase voter turnout of overseas military and citizens, disabled voters, out-of-state college students, younger citizens, traveling businessmen, etc. • Increase confidence of election correctness by providing feedback to voters
Characteristics of a Secure Voting System • Completeness • Soundness • Privacy • Unreusability • Eligibility • Fairness • Verifiability
Threats to a Voting System • Insider Attacks • Denial of Service • Vote Buying / Vote Coercion • Virus
Cryptographic Functions • Hash • Digital Signature • Blind Signature • Verifiable Mixing • Blind Commitment
Hash h = H(k1, H(k2, M) • Used to ensure integrity of M • Computationally infeasible to find a different values of M, k1, or k2 that yield the same hash output h • k1 and k2 are random numbers to increase the strength of the resulting hash
Digital Signature • Provides authentication and integrity • Using RSA, signature C of H(M) using secret key d by C = H(M)d mod n • Verify C by public key e by H(M) = Ce mod n • H(M) is hash of message M
Blind Signature • Allows trusted authority to sign data that it can not see • Encrypt message using random number k and trusted authority’s public key e by B = Mke mod n • Authority signs with private key d by S = Mdk mod n • Blind signature extracted with k by C = (S / k) mod n = Md mod n
Verifiable Mixing • Shuffle a list of encrypted data and pass it on to a second authority • Second authority has no way to construct original order • Any party can confirm all the original, unmodified data is present in the shuffled data, and no extra data was added • No one but the shuffler has access to original list
Blind Commitment • Prove to an authority that data has been created and fixed without supplying the data itself • Data owner creates two random keys and calculates the hash h = H(k1 || k2 || M) • Data owner sends k2 and h to authority for safe keeping • Data owner sends k1 and M when data must be revealed and verified
Existing Systems • Traditional (PCOS) • Direct Record Electronic (DRE) • Absentee • VoteHere VHTi • SERVE • EVOX with Multiple Administrators
Traditional (PCOS) • Precinct Counted Optical Scan • Voter fills in circles on paper ballot • Takes completed ballot to optical scanner in a sleeve • Voter inserts paper ballot into scanner • Optical scanner records are transported to central district for processing
Direct Record Electronic • Ballot stored electronically, no paper ballot used • Often use touch screens or push buttons • Paper records may be printed internally during or after an election, but are not subject to voter verification • Results usually reported on an electronic memory module or via modem
Absentee • Registration requires a physical visit to the voting authority or a two-way mailing. • Ballot and return envelopes are mailed prior to election. • Voter completes ballot, encases it in an inner envelope, then mails it to the voting authority in an outer envelope up to the Saturday before Election Day. • Voting officials open the outer envelope, shuffle inner envelopes, then remove and process ballots.
EVOX with Multiple Administrators • Extension of EVOX system • Reduces threat of insider attacks • More than half of the available Administrators must validate each voter • Commissioner • Manager Administrators Anonymizer Tallying • Server • Voter Voter Voter
VoteHere VHTi • DRE system • Creates paper receipt for voter after casting the ballot • Voter may verify that his/her ballot was correctly received by officials • Anyone can verify correct tabulation of results
Al 0,4 Bob 3,5 Clive 2,2 Dan 4,1 Al 4 5 2 1 3 0 No Bob No 2 0 4 5 1 3 Yes Clive 2 2 2 2 2 2 No Dan 5 2 4 3 1 0 VoteHere Receipt Example Choose columns for non-selections Blinded and committed ballot Unblind and decode results Choose column for selection Generate receipt 0 1 2 3 4 5
SERVE • Secure Electronic Registration and Voting Experiment intended for trials in 2004 election • Developed as part of Federal Voting and Assistance Program (FVAP) • Ruled too insecure by Security Peer Review Group • Used Internet for transmissions and heavy use of public key cryptography
Proposed System • Commissioner • Manager Administrators Anonymizer Tallying • Server • Modem Pool • Voter Voter Voter • SERVE’s cryptography • EVOX with Multiple Administrators’ structure • VoteHere’s public audit mechanisms • Bootable CD and modem pool for increased security
Registration • Similar to absentee registration • Propose allowing voters to establish a window for remote voting
Bootable CD • Self-contained, minimal operating system and ballot information • Private key and unique voter ID mailed with CD • Mailed to voters several weeks ahead of time • Voter may use CD to vote up until the Saturday before Election Day
Modem Pool • Provides bridge between voting PCs and servers • Compared to Internet, more resistant to • Spoofing • DoS • Eavesdropping
Administrators • Maintains list of voter IDs, voter public keys, and optionally ballot type information (district, party, etc.) • Each administrator receives a message for the blind commitment of the voter’s ballot EKAi+(V, EKV-(H(k1,i || k2,i || B), k2,i)) • Commits and returns ticket to voter EKV-(EKT+(EKAi-(H(k1,i || k2,i || B), k2,i, D)))
Manager • Signs list of administrators a voter used to validate the ballot • Does not know which administrators were used • Only signs one list per voter ID • Voter sends EKM+(V, EV-( H(A||k1,1||…||k1,n))) • Returned ticket is EV+(EKM-(H(A||k1,1||…||k1,n)))
Anonymizer • Voter sends completed ballot, verification tickets, and keys to unblind data EKANON+(V, EKV-(B, EKT+(EKM-(H(A || k1,1 || … || k1,n)), EKT+(EKA1-(H(k1,1 || k2,1 || B), k2,1, D)), ..., EKT+(EKAn-(H(k1,n || k2,n || B), k2,n, D)), kB, k1,1, ... k1,n, A))))
Anonymizer • Anonymizer uses the list of voter IDs and public keys to decrypt the message. • It creates a list of voter IDs and partially unblinded ballots (B) for publication on the web. • It creates a list of B’s and the tallying server tickets, shuffles via verifiable mixing, and moves the list to the tallying server.
Tallying Server • Ballot data from Anonymizer has the form B, EKT+(EKM-(H(A || k1,1 || … || k1,n)), EKT+(EKA1-(H(k1,1 || k2,1 || B), k2,1, D)), ..., EKT+(EKAn-(H(k1,n || k2,n || B), k2,n, D)), kB, k1,1, ... k1,n, A))) • All information present is protected by the tallying server’s public key, and no information about the specific voter is needed to decrypt, unblind, or verify data.
Tallying Server • Tallying server uses Administrator keys and supplies data to confirm the following: • More than half of the Administrators signed the ballot. • The Manager signed a list that matches the Administrator tickets submitted. • The voter submitted the appropriate type of ballot. • The allowed number of selections for each question was not exceeded. • Unblinded ballots are converted to strings of “yes” or “no” and published to the web for public viewing.
Implementation • Initially target overseas military and citizens (est. 6,000,000) • Create option for domestic voters • System scales linearly as number of voters increases
Conclusion • Reduces number of communication steps between voting authorities and voters prior to the election • Increases voting availability to several demographics • Provides a more secure system than the prior systems • Allows more voters to confirm accuracy of election process, generating confidence in the system