Addressing the Challenges of e-Voting Through Crypto Design
Thomas Zacharias, University of Edinburgh
29 November 2017
Scotland’s Democratic Future: Exploring Electronic Voting
Scottish Government and University of Edinburgh School of Informatics Workshop

When do we actually set up an electronic voting procedure?
• What is the extent of “digitalisation” of a traditional election protocol that qualifies as e-voting?

When do we actually set up an electronic voting procedure?
E-voting means the use of electronic means in one of the following three processes:
• Identification of voters
• Casting the vote
• Counting the vote
Source: https://www.e-voting.cc/en/it-elections/definitions/

When do we actually set up an electronic voting procedure?
• What is the extent of “digitalisation” of a traditional election protocol that qualifies as e-voting?
  – Registration
  – Voting
  – Counting
  – Auditing

The benefits of e-voting
● Increase the participation of social groups that face considerable physical barriers.
● Increase the efficiency of the preparation of the election and the calculation of the final results.
● Reduce the financial cost of the elections (in the long term).

The risks of e-voting
• Unauthorised intervention of third parties may cause denial of service.
• Large-scale manipulation by a small group of insiders.
• Lack of widely agreed standards for the election procedure (infrastructure, software).

The challenges of e-voting
● At any point of replacing the traditional protocol with electronic means, extreme care in the algorithmic design, implementation, and execution oversight is required.

The challenges of e-voting
● Preserve the fundamental requirements of a voting system.
Availability, Integrity, Privacy

Addressing e-voting challenges via cryptographic tools
Accessibility, Integrity, Privacy
Availability, Integrity, Privacy

Modern cryptographic design
1. Understanding and formal definition of the studied notion.
2. Rigorous specification of the threat model.
3. Realisation via a well-described construction.
4. Mathematical proof of the construction’s security under the defined threat model.

Modern cryptography in the real world
● Secure internet communication (HTTPS over TLS/SSL, end-to-end encryption).
● Authentication (digital signatures, password management).
● Privacy preservation (aggregate statistics, anonymous web browsing).
● Blockchain technologies (Bitcoin, Ethereum, smart contracts).

Modern cryptography in the real world
● Secure web browsing.
● E-banking.
● E-mail.
● Privacy-preserving profile management.
● Secure messaging.
● Decentralised publicly verifiable transactions.

The necessity of cryptography for realising secure e-voting
• Collecting, storing and/or communicating sensitive election data overtly can easily jeopardise election security.
• Offline (onsite): a vote collection device that keeps logs of unencrypted ballot casting cannot protect voters’ privacy when the logs are audited.
• Online: whenever two devices should interact, secure and authenticated communication must be applied to protect the exchanged data.

Ballot secrecy
• Encryption realises the concept of a “digital envelope”.
  – The voter’s selection is cryptographically “sealed”.
  – An attacker cannot obtain information about the encryption’s content (vote selection).

Voter-vote Unlinkability
• At some point of the election process, the votes must be anonymised, to prevent coercion and vote-selling.

Voter-vote Unlinkability
• Mix-nets: a powerful cryptographic primitive realising vote shuffling in a digital ballot box.
Mix-net: $\mathrm{Enc}(V_1), \mathrm{Enc}(V_2), \mathrm{Enc}(V_3), \mathrm{Enc}(V_4) \rightarrow C_1, C_2, C_3, C_4$
$\{C_1, C_2, C_3, C_4\} = \{\mathrm{Enc}(V_1), \mathrm{Enc}(V_2), \mathrm{Enc}(V_3), \mathrm{Enc}(V_4)\}$

Voter-vote Unlinkability
• Additive homomorphic tally: a mathematical property of special encryption schemes (e.g. ElGamal, Paillier) that allow for the counting of votes in an encrypted manner.
$\mathrm{Enc}(X) \cdot \mathrm{Enc}(Y) = \mathrm{Enc}(X + Y)$
Ballots: YES, YES, NO, NO
Tally: NO: 2 votes, YES: 2 votes
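
The mix-net and additive homomorphic tally slides above, as an added example that is not part of the original slides: exponential ElGamal over a toy-sized group, tallying YES/NO ballots both by multiplying ciphertexts and through a single re-encryption mix server. The group parameters and all function names are constructed for illustration, and the shuffle and decryption proofs discussed later in the deck are omitted.

```python
import secrets

# Toy-sized group (constructed, demo only): p = 2q + 1, g generates the order-q subgroup.
P, Q, G = 2039, 1019, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def enc(pk, vote):
    """Exponential ElGamal: the vote sits in the exponent so ciphertexts add."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(pk, r, P) % P

def add(c, d):
    """Enc(X) * Enc(Y) = Enc(X + Y), as a component-wise product."""
    return c[0] * d[0] % P, c[1] * d[1] % P

def dec(sk, c, max_value):
    """Recover g^m, then find the small exponent m by search."""
    gm = c[1] * pow(c[0], Q - sk, P) % P      # c2 / c1^sk
    for m in range(max_value + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("plaintext out of range")

def homomorphic_tally(sk, board):
    """Multiply all ballots; only the aggregate is ever decrypted."""
    total = board[0]
    for c in board[1:]:
        total = add(total, c)
    return dec(sk, total, len(board))

def mix(pk, board):
    """One mix server: re-randomise each ballot with Enc(0), then shuffle."""
    out = [add(c, enc(pk, 0)) for c in board]
    secrets.SystemRandom().shuffle(out)
    return out

def run_election(votes):
    """votes: 1 = YES, 0 = NO. Returns (YES count, sorted mixed plaintexts)."""
    sk, pk = keygen()
    board = [enc(pk, v) for v in votes]
    mixed = mix(pk, board)
    return homomorphic_tally(sk, board), sorted(dec(sk, c, 1) for c in mixed)
```
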

Voter-vote Unlinkability
• Anonymous authentication: the voter proves her eligibility via a one-show anonymous credential (e.g. blind signature of the voter’s ballot).
“I am an eligible user and this is my vote”
“I confirm your eligibility and record your vote”
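
The one-show credential described above, as an added example that is not part of the original slides: a textbook RSA blind signature in which the registrar signs a blinded ballot hash and the ballot box accepts each unblinded signature once. The key is built from two small Mersenne primes and is far too short for real use; the class and function names are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Toy RSA key (constructed, demo only): two Mersenne primes as factors.
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1
N, E = RSA_P * RSA_Q, 65537
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))   # held by the registration authority

def h(ballot: bytes) -> int:
    return int.from_bytes(hashlib.sha256(ballot).digest(), "big") % N

def blind(ballot):
    """Voter: hide H(ballot) under a random factor r^e; keep r for unblinding."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return h(ballot) * pow(r, E, N) % N, r

def unblind(blind_sig, r):
    return blind_sig * pow(r, -1, N) % N

class Registrar:
    """Signs one blinded value per eligible voter, without seeing the ballot."""
    def __init__(self, eligible):
        self.unsigned = set(eligible)

    def sign_blinded(self, voter_id, blinded):
        if voter_id not in self.unsigned:
            raise PermissionError("not eligible or credential already issued")
        self.unsigned.remove(voter_id)
        return pow(blinded, D, N)

class BallotBox:
    """Accepts anonymous (ballot, signature) pairs; each credential shows once."""
    def __init__(self):
        self.seen, self.ballots = set(), []

    def cast(self, ballot, sig):
        if pow(sig, E, N) != h(ballot) or sig in self.seen:
            return False
        self.seen.add(sig)
        self.ballots.append(ballot)
        return True
```
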

Coercion resistance
• Concerns about coercion in other types of remote voting (e.g. postal voting) also apply to internet voting.
• In cases where postal voting is allowed, internet voting could be used, supporting multiple voting as a coercion countermeasure (Estonian e-voting).

Usability: making e-voting feasible for every citizen
• When ballot encoding is applied during vote casting, the voter interacts via a user-friendly interface in a designated voting device, or their browser.
• Basic familiarity with a standard operating system (e.g., Windows, iOS, Android) or web browser (e.g., Edge/Explorer, Safari, Chrome, Firefox) is the only required background.

Usability: making e-voting feasible for every citizen
• When code-voting is applied, the voter obtains a ballot with a pre-encoding of the election options (vote-code).

Usability: making e-voting feasible for every citizen
What is your stance on the potential of adopting e-voting for national elections?
Serial number: 100
1 VERY POSITIVE
4 POSITIVE
5 NEUTRAL
2 NEGATIVE
3 VERY NEGATIVE

Usability: making e-voting feasible for every citizen
• When code-voting is applied, the voter obtains a ballot with a list of random cryptographic pre-encodings of the election options (vote-codes).
• The voter simply submits the vote-code that corresponds to her option selection, which can be done in lightweight electronic devices.

Usability: making e-voting feasible for every citizen
Serial number: 100, Vote-code: 5

Usability: making e-voting feasible for every citizen
• When code-voting is applied, the voter obtains a ballot with a list of random cryptographic pre-encodings of the election options (vote-codes).
• The voter simply submits the vote-code that corresponds to her option selection, which can be done in any electronic device with internet access.
• In case the voting device is trusted for privacy, vote casting can run via a user-friendly interface.

Fault tolerance: protecting the election’s liveness
• Threshold cryptography in combination with a distributed system architecture allows for secure and uninterrupted election access and execution, even when a substantial number of election servers are not available.
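
One way to realise the fault tolerance described above, as an added example that is not part of the original slides: the ElGamal decryption key is Shamir-shared among five trustee servers so that any three can decrypt the tally while the key itself is never reassembled. The toy group, the single dealer and all function names are assumptions made for illustration.

```python
import secrets

# Toy-sized group (constructed, demo only): p = 2q + 1, g generates the order-q subgroup.
P, Q, G = 2039, 1019, 4

def share_key(sk, t, n):
    """Shamir-share sk over Z_q: any t of the n trustee servers suffice."""
    coeffs = [sk] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(a * pow(i, k, Q) for k, a in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def partial_decrypt(share, c1):
    """Run locally by one trustee; the share itself is never revealed."""
    return pow(c1, share, P)

def lagrange_at_zero(i, ids):
    """Lagrange coefficient of trustee i for interpolation at x = 0 (mod q)."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * -j % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def combine(partials, c2, max_value):
    """partials: {trustee_id: c1^share} from any t trustees that are online."""
    c1_sk = 1
    for i, d in partials.items():
        c1_sk = c1_sk * pow(d, lagrange_at_zero(i, partials), P) % P
    gm = c2 * pow(c1_sk, -1, P) % P
    for m in range(max_value + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("too few or inconsistent partial decryptions")

def demo(tally=2, t=3, n=5, online=(1, 4, 5)):
    """Encrypt a tally under the joint key, decrypt with the online trustees."""
    sk = secrets.randbelow(Q - 1) + 1          # single dealer, for brevity
    shares = share_key(sk, t, n)
    r = secrets.randbelow(Q - 1) + 1
    c1, c2 = pow(G, r, P), pow(G, tally, P) * pow(G, sk * r, P) % P
    partials = {i: partial_decrypt(shares[i], c1) for i in online}
    return combine(partials, c2, max_value=10)
```
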

Eligibility
• The authentication/registration authority is equipped with the algorithm that specifies the set of eligible voters.
  – Digital signatures: each voter has an ID-card with an embedded signing key (Estonia).
  – Password-based: the authentication server(s) maintains a cryptographic hash table with all the passwords that correspond to eligible voters.

End-to-end verifiability
• Universal level: Any party can verify the correctness of the election transcript.

End-to-end verifiability
• Individual level: The voters obtain some audit data in order to verify themselves that their votes were:
  • Cast-as-intended
  • Recorded-as-cast
  • Tallied-as-recorded

Universal Verifiability
• Every step of the election procedure is associated with a cryptographic proof of its execution.
“This is a ballot that encrypts a valid election option”
[Figure: a ballot with its proof $\pi$]

Universal Verifiability
• Every step of the election procedure is associated with a cryptographic proof of its execution.
“All the cast ballots are encryptions of a valid election option”
[Figure: proofs $\pi_1, \pi_2, \pi_3, \pi_4, \dots$]

Universal Verifiability
• Every step of the election procedure is associated with a cryptographic proof of its execution.
“The output ciphertexts are a permutation of exactly the input ciphertexts”
[Figure: mix-net with inputs $\mathrm{Enc}(V_1), \mathrm{Enc}(V_2), \mathrm{Enc}(V_3), \mathrm{Enc}(V_4)$, outputs $C_1, C_2, C_3, C_4$ and proof $\pi$]

Universal Verifiability
• Every step of the election procedure is associated with a cryptographic proof of its execution.
“The decrypted results are a permutation of exactly all eligible recorded votes”
[Figure: $C_1, C_2, C_3, C_4$ with proofs $\pi$; votes YES, NO, YES, NO]

Universal Verifiability
• Each proof satisfies soundness (invalid statements will not be accepted) and prevents any malicious party from leaking information about the associated sensitive data (zero-knowledge proofs).
• The sequence of cryptographic proofs constitutes a verifiable election transcript that is posted on a publicly accessible website (bulletin board) for auditing while preserving election privacy.

Individual Verifiability
• State-of-the-art e-voting systems support elaborate verification mechanisms that allow the voter to challenge the correct encoding of their vote.
  1. Ballot encryption: audit the validity of the voting device by randomly checking the local cryptographic operations.
  2. Code-voting: audit the honesty of the ballot preparation authorities by randomly checking the consistency of the encoding of the election options.
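
The code-voting slides and the code-voting audit in item 2 above, as an added example that is not part of the original slides: ballots carry fresh random vote-codes, hash commitments to each ballot's encoding are posted before the election, and an unused ballot can be opened and checked against them. It is a simplified sketch in which collector and tallier are merged and ballots are assumed one-use; the six-digit codes and all names are constructed for illustration.

```python
import hashlib
import secrets
from collections import Counter

OPTIONS = ["VERY POSITIVE", "POSITIVE", "NEUTRAL", "NEGATIVE", "VERY NEGATIVE"]

def commit(serial, code, option, salt):
    """Hash commitment to one (vote-code, option) line of one ballot."""
    return hashlib.sha256(f"{serial}|{code}|{option}|".encode() + salt).hexdigest()

def prepare_ballots(serials):
    """Ballot preparation authority: fresh random vote-codes for every ballot.
    Returns (printed ballots, secret decoding table, public commitments)."""
    printed, secret, board = {}, {}, {}
    for s in serials:
        codes = []
        while len(codes) < len(OPTIONS):
            c = f"{secrets.randbelow(10**6):06d}"
            if c not in codes:
                codes.append(c)
        printed[s] = dict(zip(OPTIONS, codes))
        secret[s] = {c: (o, secrets.token_bytes(16)) for o, c in printed[s].items()}
        # Sorted, so the posted order says nothing about which code is which option.
        board[s] = sorted(commit(s, c, o, salt) for c, (o, salt) in secret[s].items())
    return printed, secret, board

def audit_ballot(serial, printed_ballot, opening, board):
    """Open an unused ballot: the printed encoding must equal the opened one,
    and the opening must match the commitments posted before the election."""
    opened = {o: c for c, (o, _) in opening.items()}
    recomputed = sorted(commit(serial, c, o, salt) for c, (o, salt) in opening.items())
    return opened == printed_ballot and recomputed == board[serial]

def collect_and_tally(casts, secret):
    """casts: (serial, vote_code) pairs, all that device and network ever see.
    Unknown codes and reused serials are rejected (assumed one-use ballots)."""
    used, counts = set(), Counter()
    for serial, code in casts:
        if serial in used or code not in secret.get(serial, {}):
            continue
        used.add(serial)
        counts[secret[serial][code][0]] += 1
    return dict(counts)
```
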

Accountability
• The e-voting system should provide a mechanism that provides undeniable evidence of which entity is responsible for an incorrect execution.

Accountability example: authenticated communication
• The voter signs her ballot.
• The vote collection server replies with a signature on the received data.
[Figure: $\pi$, SignVoter(), SignServer()]

Accountability example: authenticated communication
• The voter signs her ballot.
• The vote collection server replies with a signature on the received data.
• If an authority is realized by a distributed subsystem, then malicious nodes can be blacklisted.

Accountability example: posting on the bulletin board
• The authorities commit to the validity of their data.
  – The election public key is posted prior to the voting period.
  – The ballot preparation authorities provide cryptographic proofs of proper encoding of the election options (Code-voting).
  – The tallying authorities post cryptographic proofs of correct decryption and election tally.

The importance of the human factor
• Cryptographic tools provide a solid background, but do not suffice.
• Active participation of the stakeholders is crucial.
  – Verification mechanisms are meaningless if not even a small ratio of voters are willing to verify (or outsource verification to a trusted party).
  – The trustees should audit the correct publishing of the election public key to protect voters’ privacy.
• A formally analysed human protocol and e-voting cryptographic design should be side-by-side.