Prêt à Voter with Human-Readable Paper Audit Trail


  1. Prêt à Voter with Human-Readable Paper Audit Trail Peter Y A Ryan University of Newcastle P Y A Ryan Prêt à Voter

  2. Technical Requirements
     • Elections should be “free and fair”.
     • Typical, key requirements:
     • Integrity/accuracy.
     • Ballot secrecy.
     • Voter verifiability.
     • Universal verifiability: anyone should be able to verify the count.
     • Receipt-freeness: there should be no way for the voter to construct a proof to a third party of which way they voted.
     • Coercion resistance: even an active coercer who can participate in stages of the protocol cannot determine the way a vote was cast.
     • Availability: all eligible voters should be able to cast their vote without let or hindrance throughout the voting period.
     • Robustness:
     • Ease of use, public understanding and trust, cost effective, scalable, etc.

  3. Assumptions
     • For the purposes of the talk I will make many sweeping assumptions, e.g.:
     • An accurate electoral register is maintained.
     • Mechanisms are in place to ensure that voters can be properly authenticated.
     • Mechanisms are in place to prevent double voting.
     • Existence of a secure Web Bulletin Board.
     • Crypto algorithms are sufficiently secure.
     • Etc.

  4. Prêt à Voter
     • Uses pre-prepared ballot forms that encode the vote in familiar form (e.g., an X against the chosen candidate or rankings against the candidates).
     • The candidate list is randomised for each ballot form.
     • Information allowing the candidate list to be reconstructed is buried cryptographically in a value printed on each ballot form.
     • An excess number of forms are generated to allow for random auditing, before, during and after the election.

  5. Typical Ballot Sheet

  6. The voting “ceremony”
     • Can be varied, but a possible scenario:
     • Voter enters the polling station and takes a ballot form at random, sealed in an envelope.
     • The voter goes to a booth, extracts the ballot form and marks their choice.
     • LH strip is discarded.
     • The voter leaves the booth with the RH strip, which constitutes the receipt, and registers with an official.
     • A digital copy, (r, Onion), of the receipt is made and posted to the WBB. The receipt is digitally signed and franked. Additionally, a paper audit copy can be made.
     • Helper Organisations at hand to confirm posting and check well-formedness of the receipt.
     • The voter walks away contented, clutching their receipt.

  7. Voter marks their choice

  8. Voter’s Ballot Receipt

  9. Public understanding and confidence
     • Systems need not only to be trustworthy but also to be seen to be trustworthy.
     • Assurance arguments are very subtle, involve crypto, etc.
     • Assurances of “experts” are probably not enough.
     • Avoid crypto: Randell/Ryan, Rivest’s ThreeBallot.
     • Or Verified Encrypted PAT, but this doesn’t help with public understanding and confidence.

  10. Human-Readable PAT
     • Incorporate a human-readable (un-encrypted) PAT.
     • Fall-back in the event of the crypto count being called into question. Or maybe routinely (randomly), especially during trials and early phases of deployment.

  11. Prêt à Voter with HRPAT

  12. Prêt à Voter with HRPAT

  13. Prêt à Voter receipt

  14. Prêt à Voter HRPAT

  15. Prêt à Voter HRPAT with serial # removed

  16. Discussion
     • Presumably should bolster public confidence (and maybe also comply with various legal and standards requirements).
     • But may introduce certain threats.
     • As a spin-off, seems to provide a robust counter-measure to the retention of the LH strip problem of PaV.
     • PaV seems particularly well-suited to a HRPAT. Not clear how one would do it for PunchScan or VoteHere (MarkPledge).
     • I for one would hope that such a HRPAT could be seen as a crutch to be jettisoned once trust and confidence in PaV or similar had been established.

  17. Threats
     • Chain voting, but note the procedure with the serial #s is similar to that proposed (by Jones?) to counter chain-voting.
     • Note also similarity with the French voting system (envelopes, registering at time of casting, etc.)

  18. Variants
     • On-demand serial #s.
     • Colour coding in place of serial #s, but may allow chain-voting threats to sneak back in.
     • Retain the serial #, in some form (i.e., some link between the protected receipt and the HRPA ballot).
     • Scratch strip.
     • Non-human readable serial #s?
     • Check voters' marks match.
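
The ballot-form mechanics of slides 4 and 6 (randomised candidate list, reconstruction value printed on the form, receipt (r, Onion), random auditing of spare forms) can be traced in a small model. This is an added example, not code from the talk: it assumes the randomisation is a cyclic shift, uses a keyed-hash stand-in for the onion, and the candidate names and function names are made up for illustration.

```python
import hashlib, hmac, secrets

CANDIDATES = ["Anarchist", "Buddhist", "Alchemist", "Nihilist"]  # constructed sample
TELLER_KEY = secrets.token_bytes(32)  # assumption: stands in for the tellers' keys

def _pad(nonce):
    # One pseudo-random byte derived from the key, used to mask the shift.
    return hmac.new(TELLER_KEY, b"pad" + nonce, hashlib.sha256).digest()[0]

def seal(shift):
    """Toy onion: hides the shift from everyone who lacks TELLER_KEY."""
    nonce = secrets.token_bytes(16)
    body = nonce + bytes([shift ^ _pad(nonce)])
    return body + hmac.new(TELLER_KEY, b"tag" + body, hashlib.sha256).digest()

def open_onion(onion):
    """Recover the shift; reject onions that are malformed or altered."""
    body, tag = onion[:17], onion[17:]
    expected = hmac.new(TELLER_KEY, b"tag" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("malformed or tampered onion")
    return body[16] ^ _pad(body[:16])

def make_ballot():
    # LH strip carries the shifted candidate list, RH strip carries the onion.
    shift = secrets.randbelow(len(CANDIDATES))
    return {"lh_strip": CANDIDATES[shift:] + CANDIDATES[:shift],
            "onion": seal(shift)}

def cast(ballot, choice):
    # The voter marks row r; the LH strip is discarded, (r, onion) is the receipt.
    return (ballot["lh_strip"].index(choice), ballot["onion"])

def audit(ballot):
    # Random audit of a spare form: the onion must match the printed order.
    s = open_onion(ballot["onion"])
    return ballot["lh_strip"] == CANDIDATES[s:] + CANDIDATES[:s]

def tally(bulletin_board):
    # Tellers open each posted onion and map the marked row back to a candidate.
    counts = {c: 0 for c in CANDIDATES}
    for r, onion in bulletin_board:
        s = open_onion(onion)
        counts[CANDIDATES[(r + s) % len(CANDIDATES)]] += 1
    return counts
```

The receipt alone shows only a row index and an opaque value, which is why discarding the LH strip matters for receipt-freeness.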
