VeryVote: A Voter Verifiable Code Voting System
Rui Joaquim rjoaquim@cc.isel.ipl.pt (INESC-ID \ ISEL)
Carlos Ribeiro carlos.ribeiro@ist.utl.pt (INESC-ID \ IST)
Paulo Ferreira paulo.ferreira@inesc-is.pt (INESC-ID \ IST)
Introduction
• VeryVote is an Internet voting system.
• Internet voting:
  (+) brings more convenience to voters, allowing them to vote from anywhere with an Internet connection.
  (–) suffers from the secure platform problem.
    • The client platform is neither controlled nor trustworthy.
    • How can the election integrity be guaranteed in this setup?
  (–) has the vote buying and coercion issues inherent to remote voting.
VeryVote Overview
• VeryVote addresses the secure platform problem.
• VeryVote uses a code voting approach.
  • Code voting prevents the misbehavior of the untrusted client platform.
  • However, on its own it “does not” provide mechanisms to verify that the vote is counted as intended by the voter.
• The VeryVote vote protocol is a fusion between a generic code voting protocol and the MarkPledge technique, which gives:
  • cast-as-intended voter verification;
  • universal count-as-cast verification;
  i.e. end-to-end verifiability.
The Problem
(diagram) Voter → APP on the voter’s PC → Election Server: the voter enters “Vote A”, the APP on the untrusted PC sends “Vote B” to the Election Server, the server tallies B and replies “Thank you!”, and the APP shows the same “Thank you!” to the voter.
Generic Code Voting Approach
(diagram) Code sheet held by the voter: vote codes A – 3WQ, B – M8W, C – WAM, …; confirmation code JRF. The voter types the vote code 3WQ into the APP on her PC, the Election Server maps it to candidate A, tallies it, and returns the confirmation code JRF.
• How can we verify the tally?
  • By publishing the received vote codes and the associated candidates.
  • Each voter can verify her vote.
  • Anyone can do the vote count.
  • But the voter cannot correct her vote: the election tally is already published!!!
• Is there a better way?
  • Yes, VeryVote.
MarkPledge Overview
• MarkPledge is a cut-and-choose technique proposed to provide cast-as-intended verification to poll station voting, and works based on two functions: BitEnc(b) and OpenBitEnc(BitEnc(b), challenge).
(diagram, built up over four animation steps) Encrypted values BitEnc(0) and BitEnc(1), and their decrypted values under the challenges c1 and c2:
  OpenBitEnc( BitEnc(0), c1 ) = SQ1
  OpenBitEnc( BitEnc(0), c2 ) = IPS
  OpenBitEnc( BitEnc(1), c1 ) = JRF
  OpenBitEnc( BitEnc(1), c2 ) = JRF
• BitEnc(1) opens to the same value (JRF) whatever the challenge, whereas BitEnc(0) opens to a value that depends on the challenge.
MarkPledge Vote/Receipt Verification
Poll station voting (inside the voting booth)
(diagram) Voter, Vote Machine and Printer: the voter votes for Bob, the receipt carries the value JRF, the voter provides a random challenge (c) after committing to it, and the printed receipt ends with “Challenge = c”.
After the election end:
• The Vote Machine publishes the MarkPledge votes/receipts.
• External organizations verify the correctness of the published data.
• The voter verifies her receipt (and corrects her vote if necessary).
• The votes are tallied using a protocol with counted-as-cast verification.
Election Preparation
• A set of trustees creates a threshold shared election key pair.
• The Election Server (ES) pre-computes and commits to the votes to be used in the election.
  • The BitEnc(b) constructions are built using the election public key.
• The code sheets are created and each is associated to a pre-computed vote.
  • The confirmation code is the value encrypted in the elements of the BitEnc(1) construction.
(diagram) Pre-computed vote: BitEnc(0), BitEnc(0), BitEnc(1) → JRF, BitEnc(0). Code sheet: vote codes Alice – 3WQ, Bob – M8W, Charles – WAM, Dino – QGH; confirmation code JRF.
Election Preparation
• The code sheets are distributed to the voters:
  • Anonymous distribution
    (+) The ES does not know who the voters are (more privacy guarantees).
    (–) Allows the ES to add votes for the voters that did not vote.
  • Non-anonymous distribution
    (+) Easier distribution process.
    (+) Prevents, or makes detectable, the addition of votes.
    (–) The ES knows who voted for whom.
• Just before the election, the trustees create and announce a Shared Random Election Value (SREV).
  • The SREV value is not known at the creation time of the pre-computed votes.
  • The SREV will be used as a random source in the challenge generation process.
VeryVote Vote Protocol
(diagram) Code sheet: vote codes Alice – 3WQ, Bob – M8W, Charles – WAM, Dino – QGH; confirmation code JRF. The voter enters 3WQ in the APP on her PC, which sends it to the Election Server. Pre-computed vote: BitEnc(0), BitEnc(0), BitEnc(1) → JRF, BitEnc(0). Final vote: BitEnc(1) → JRF, BitEnc(0), BitEnc(0), BitEnc(0). challenge = hash( , SREV). Vote receipt: Alice – JRF, Bob – I5W, Charles – JCU, Dino – KAI.
After the election end:
• The ES publishes all the pre-computed votes and the corresponding Final Votes and receipts.
• The trustees verify the correctness of the published data.
• The voters confirm their receipts against the verified receipts. If any error is detected they can correct their vote, because the election tally is not yet published.
• After the claiming stage, the votes are anonymized by a mix net and decrypted by the trustees.
VeryVote Integrity: Quick Analysis
(diagram, as on the vote protocol slide) Code sheet with vote codes Alice – 3WQ, Bob – M8W, Charles – WAM, Dino – QGH and confirmation code JRF; vote code 3WQ sent by the APP on the voter’s PC; pre-computed vote BitEnc(0), BitEnc(0), BitEnc(1) → JRF, BitEnc(0); final vote BitEnc(1) → JRF, BitEnc(0), BitEnc(0), BitEnc(0); challenge = hash( , SREV); vote receipt Alice – JRF, Bob – I5W, Charles – JCU, Dino – KAI.
• The APP “cannot” modify the voter’s choice because it does not know the vote codes.
• The ES “cannot” modify the voter’s choice because the process changes the vote receipt.
VeryVote Integrity: Quick Analysis
(diagram) Code sheet with vote codes Alice – 3WQ, Bob – M8W, Charles – WAM, Dino – QGH and confirmation code KJE; vote code 3WQ sent by the APP on the voter’s PC; pre-computed vote BitEnc(0), BitEnc(0), BitEnc(1) → JRF, BitEnc(0); final vote BitEnc(0), BitEnc(1) → JRF, BitEnc(0), BitEnc(0); challenge = hash( , SREV); vote receipt Alice – KJE, Bob – JRF, Charles – JCU, Dino – KAI.
• The ES can create a fake receipt if it can find the right permutation of the BitEnc(b) values.
• The probability of this happening is approximately P1 = n! / #CC.
• This probability can be made constant if we generate the challenge from the pre-computed vote: P2 = (n – 1) / #CC.
Conclusions
• VeryVote provides end-to-end verifiability in the Internet voting scenario.
  • The voter can privately verify and correct her vote before the tally publication.
  • The tally process is verifiable.
• VeryVote successfully addresses one of the most important problems of remote electronic voting: the secure platform problem.
• VeryVote has a simple voter interaction, and is therefore very appealing for real use.
  • To the eyes of the voter, the VeryVote protocol is very similar to a generic code voting protocol.
• VeryVote does not offer any special protection against vote buying and coercion.
  • It suffers from the problems of traditional remote voting systems, e.g. postal voting.
• The verification mechanisms of VeryVote do not break the voter’s privacy per se. However, the voter can collaborate with the attacker to produce a convincing vote receipt.
Questions?