210 likes | 370 Views
Coercion-Resistant STV tallying. Vanessa Teagu e Dept. Computer Science and Software Engineering University of Melbourne Joint work with Lee Naish Dagstuhl Frontiers of Electronic Voting . Plan. Explaining the problem Defining a solution STV tallying Some ideas that don’t work
E N D
Coercion-Resistant STV tallying Vanessa Teague Dept. Computer Science and Software Engineering University of Melbourne Joint work with Lee Naish Dagstuhl Frontiers of Electronic Voting
Plan • Explaining the problem • Defining a solution • STV tallying • Some ideas that don’t work • Our solution • Conclusion
What a vote looks like ALPTicket.pdf
Problem: Coercion(The “Italian attack”) • In the Australian Senate, 70 candidates • Before the election, the coercer tells the voter a particular vote, choosing one that’s unlikely to appear otherwise • After the election, perhaps during tallying, the coercer looks for that vote • This is a problem even for paper-based systems • Verifiability vs. coercion-resistance • Breaking up the vote is impossible
Plan • Explaining the problem • Defining a solution • STV tallying • Some ideas that don’t work • Our solution • Conclusion
Defining coercion • Most definitions don’t consider STV • Those based on faking credentials or swapping votes don’t apply • For the voter, deciding whether to obey the coercer involves calculating the probability of getting caught • The probability is a function of other’s votes • For the coercer, rewarding or punishing the voter involves calculating the probability that that voter obeyed.
Defining coercion (cont’d) • Based on a definition by Okamoto • Extended for probabilistic information • The system is coercion-resistant if • For all votes demanded by the coercer • For all votes submitted by the voter (instead) • The probability that the coercer can be “confident enough” that the voter disobeyed is “low enough”
Security model • Tallier is not a coercer, but not trusted to count properly • It proves that it is doing the tally correctly, without revealing enough information to allow coercion • (Related work by Goh & Golle • removes this separation between coercer and tallier, but • only works for one-seat STV)
Plan • Explaining the problem • Defining a solution • STV tallying • Some ideas that don’t work • Our solution • Conclusion
More details: Tallying • For electing multiple candidates by “proportional representation” • Used in Cambridge MA, Ireland & Australia • Every voter lists all candidates in their order of preference
More on tallying (one seat) • Tally every vote’s first preference • If a candidate gets a majority, they win. STOP • Eliminate the candidate with the lowest tally • Redistribute: • Delete that candidate from every vote • Shift other candidates up • Go to 1
Even more on tallying (multi-seat) • Let the quota be • Tally every vote’s first preference • If a candidate gets a quota, they get a seat. • Redistribute their votes, re-weighted so that the total weight is equal to the excess over a quota • e.g. if they got 1.5 quotas, multiply by 1/3 = (1.5-1)/1.5 • Go to 2 • Eliminate the candidate with the lowest tally • Redistribute • Go to 1
Plan • Explaining the problem • Defining a solution • STV tallying • Some ideas that don’t work • Our solution • Conclusion
Idea that doesn’t work (1) • Reveal only the preferences that are used • The coercer can put candidates unlikely to be elected at the front of the required permutation • In multi-seat STV, preferences after a candidate who gets a seat are used
Idea that doesn’t work (2) • Reveal only which votes are being redistributed • (and which candidate is being eliminated) • The coercer can keep track of particular votes and note that some sequences don’t occur • e.g. if A gets is eliminated first, then B, the coercer could see that nobody put A first and B second • Coercer can make this more likely by careful choice of A and B
Idea that doesn’t work (3) • Reveal the tally of every candidate after every round of eliminations • Again, the coercer can see that some sequences don’t occur • If redistributing A’s votes doesn’t increase B’s tally, then nobody put A before B • This is (a bit less than) what the Australian Electoral Commission reveals
Plan • Explaining the problem • Defining a solution • STV tallying • Some ideas that don’t work • Our solution • Conclusion
Solution that does work • The tallier writes its computations on the bulletin board • At each round, tallier reveals • Who gets a seat or gets eliminated • For multi-seat STV, the weight of redistributed votes • Correct to only a few decimal places • Proves correctness with (honest-verifier) ZKPs
Solution that does work (cont’d) • Every vote is a square matrix of modified El Gamal values • Vij is Enc(1) if candidate j is the i-th preference, Enc(0) otherwise • Tallying of first row by homomorphism • As in Cramer, Gennaro, Schoenmakers • Proof of who should be eliminated (or seated) by range proof • e.g. Mao • Proof of correct redistribution of candidate c’ s votes by • Chaum, Evertse & van de Graaf’s proof of simultaneous dlog, and • Cramer, Damgård and Schoenmakers’ proofs of partial knowledge • “c is in row 1 and I deleted row 1, or c is in row 2 and I deleted row 2, or …”
Conclusion • Coercion resistance for STV is subtle • Even the Aus electoral commission got it wrong • For this work, efficiency is an issue • This generates about 100TB of data • Further work • It would be nice not to have to trust the EC not to be a coercer • An end-to-end voting system