Ben Hosp, Nils Janson, Phillipe Moore, John Rowe, Rahul Simha, Jonathan Stanton, Poorvi Vora - PowerPoint PPT Presentation

1
  • Ben Hosp, Nils Janson, Phillipe Moore, John Rowe,
    Rahul Simha, Jonathan Stanton, Poorvi Vora
  • bhosp, simha, jstanton, poorvi _at_gwu.edu
  • Dept. of Computer Science
  • George Washington University

2
Integrity during ballot casting: paper receipts
  • Challenge: allow the voter to keep a record of
    her vote so
      • she can determine that it has been counted
        correctly, yet
      • not prove how she voted
  • This record is on paper, so computer problems will
    not destroy the record

3
CVV can do this, with, from the voter's POV:
  • A voting system that will just work
  • The only additional effort required of the voter
    is to pull a lever up or down arbitrarily.
  • Caveat: a non-negligible percentage of voters or
    their representatives must make the effort to
    check their ballot receipts.
  • Based on a method by David Chaum

4
Election Goals
  • Integrity: Correct vote count.
  • Anonymity: I can't tell how you voted.
  • Involuntary Privacy: You can't prove to
    me how you voted.
  • Voter Verifiability: You, the voter, can verify
    the first two goals.
  • Public Verifiability: Anyone can verify the
    first three goals.
  • Robustness: If something goes wrong it can be
    detected and fixed

5
CVV Assumes
  • A set of n independent trustees, all of whom do
    not collude (can be made k of n)
  • Collusion can violate privacy without being
    detected
  • Collusion cannot violate integrity without
    detection
  • All n trustees are functional (can be made k of
    n)
  • A nonfunctional trustee (or > k nonfunctional
    trustees) can cause a denial of service attack

6
CVV Assumes
  • A not necessarily trustworthy polling machine
  • Cannot violate count integrity
  • Can violate privacy (sees ballot)
  • No collusion between authentication process and
    polling machine
  • Collusion can lead to ballot stuffing
  • Sufficiently large number of receipts checked
    by voter or authorized third party
  • Requires process

7
poster
8
CVV is
  • A prototype implementation of Chaum's
    voter-verifiable voting system
  • Using commonly available, low-cost hardware and
    OS platforms

9
Stage 2
  • Demo 1 walk-through

10
The Voting Process: Ballot Casting
  • The voter uses the voting booth machine to
    generate some image: her vote.
  • The booth prints out two layers
  • which are random by themselves,
  • but when overlaid, display the image.

11
Layer generation
  • The layers are generated using two strings of
    random numbers
  • Each created by adding trustee shares
  • Each of size half of the number of image pixels
  • One for the top layer, other for bottom
  • Laid in staggered form on the two layers

[Figure: random pixels (R) laid in staggered form on the two layers]

12
Layer generation
  • Other half pixels on each layer are such that the
    overlay is the correct vote

[Figure; surviving labels: "?", "Other vote"]

13
Different types of receipts
  • Optical (additive) overlay: Chaum
  • Many other symbols: by Jeroen van de Graaf

14
The Voting Process: Receipt Choice
  • The voter chooses one layer for her receipt.
  • Some other stuff is printed on the chosen
    layer.
  • The unchosen layer is destroyed.
  • The chosen layer is stored or transmitted
  • It can be shown that the machine can cheat in
    only one of the two receipts if the overlay
    represents the vote.

15
The Voting Process: Receipt Checking
  • Receipts at counting station can all be checked,
    by a third party, for correctness.
  • A voter can check her own receipt has reached the
    counting station or have it checked by a third
    party.
  • Automated checking that a hard copy matches an
    image at counting station not yet implemented by
    CVV. Visual checking possible.

16
Cheating machine caught with probability half
  • If the machine has cheated on a vote which has
    the check performed
  • it will be detected with non-negligible
    probability (one-half?)
  • this does not depend on the hardness of any
    problem using any computational model, but
  • on the randomness of the voter choice
  • Does not depend on voter trust of poll worker
    checks

17
The Complete Ballot
  • The receipt/vote has the following fields
  • The vote ID
  • The encrypted image.
  • Information for trustees required to decrypt
  • the top layer.
  • the bottom layer
  • A signature of the vote ID
  • info required by non-trustee to recreate above
    for chosen layer, but
  • not unchosen one
  • used to check commitments.
  • A signature of the whole ballot to prevent false
    claims of uncounted votes

[Figure; surviving labels: "Pre choice", "Post choice"]

18
The Complete Ballot
  • The information on the ballot
  • Can be used by anyone to verify that the ballot
    was correctly constructed, but
  • Cannot be used to decrypt the ballot except by
    appropriate combination of trustees.

19
The Vote-Decryption Process: similar to a regular MIX
  • Random pixels were generated using a different
    seed for each trustee for top and bottom
  • The seed of the chosen layer made available on
    the receipt for checking
  • The other seed made available in nested encrypted
    form for the trustees to generate random part of
    unchosen layer

20
The Vote-Decryption Process
  • Each trustee
      • for each ballot
          • extracts his seed
          • incrementally regenerates the random numbers
            on the other layer
          • adds his share to the ballot
      • shuffles all the ballots
      • passes on the ballots to the next trustee
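
A simplified model of the layer generation and trustee decryption described in the slides above, added here as an example; it is not CVV's code. It assumes pixels are bits in a flat list of even length, the overlay and "adding a share" are both XOR, staggering means even/odd positions, and the seed expander `prg_bits` (SHA-256 in counter mode) is a stand-in.

```python
import hashlib

def prg_bits(seed: bytes, n: int) -> list[int]:
    """Expand a seed into n bits (SHA-256 in counter mode; assumed stand-in PRG)."""
    out, counter = [], 0
    while len(out) < n:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        out.extend((byte >> i) & 1 for byte in block for i in range(8))
        counter += 1
    return out[:n]

def combine_shares(seeds: list[bytes], n: int) -> list[int]:
    """Add (XOR) one share per trustee into a single random string of n bits."""
    total = [0] * n
    for seed in seeds:
        total = [a ^ b for a, b in zip(total, prg_bits(seed, n))]
    return total

def make_layers(image: list[int], top_seeds: list[bytes], bottom_seeds: list[bytes]):
    """Return (top, bottom); each looks random alone, their XOR is the image."""
    half = len(image) // 2
    r_top, r_bot = combine_shares(top_seeds, half), combine_shares(bottom_seeds, half)
    top, bottom = [0] * len(image), [0] * len(image)
    for i, pixel in enumerate(image):
        if i % 2 == 0:   # staggered: even pixels are random on the top layer
            top[i] = r_top[i // 2]
            bottom[i] = top[i] ^ pixel
        else:            # odd pixels are random on the bottom layer
            bottom[i] = r_bot[i // 2]
            top[i] = bottom[i] ^ pixel
    return top, bottom

def check_receipt(receipt_top: list[int], top_seeds: list[bytes]) -> bool:
    """Anyone holding the chosen layer's seeds can recompute its random half."""
    return receipt_top[0::2] == combine_shares(top_seeds, len(receipt_top) // 2)

def trustees_decrypt(receipt_top: list[int], bottom_seeds: list[bytes]) -> list[int]:
    """Each trustee in turn adds his share of the destroyed layer's random half."""
    pixels = receipt_top[1::2]
    for seed in bottom_seeds:  # one pass per trustee (shuffling omitted here)
        pixels = [a ^ b for a, b in zip(pixels, prg_bits(seed, len(pixels)))]
    return pixels              # vote-image pixels at the odd positions

# Constructed sample: a 16-pixel "vote image" and three trustees' seeds per layer.
IMAGE = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
TOP_SEEDS = [b"top-trustee-%d" % t for t in range(3)]
BOTTOM_SEEDS = [b"bottom-trustee-%d" % t for t in range(3)]
TOP, BOTTOM = make_layers(IMAGE, TOP_SEEDS, BOTTOM_SEEDS)
```

In this model the top layer is the chosen receipt: `check_receipt` covers its random half, and the trustees recover only the image pixels at the positions where the destroyed layer was random.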

21
Receipt Decryption
[Figure; surviving labels: "R" pixels, "?", "would have looked like", "The other vote"]

22
The Auditor
  • The first trustee is asked to reveal, to the
    public, a random half of his shuffle.
  • The next trustee reveals the other half.
  • And so forth
  • no ballot can be completely traced through the
    shuffles.

23
The Auditor
  • Each trustee provides
      • A correspondence between input and output images
      • A seed value
  • Such that
      • the encryption of the seed with his public key
        gives the encrypted information
      • the difference between the output and input
        images of the revealed half of their shuffle was
        generated using the seed
  • Cheating trustee caught with probability half for
    every vote cheated on

24
Reduce negative aspects of voter verification by
  • Participation by
  • major political interests
  • public interest organizations
  • as
  • Trustees
  • Third party working on behalf of voter to
  • Check that receipt is on website
  • Check that receipt was correctly generated
  • (For this, need them to actively obtain receipts)
  • Witnesses of trustee decryption process and audit

25
Reduce negative aspects of voter verification
by - II
  • Process that includes encouraging voter
    verification when fraud detected or alleged
  • If a voter claims his vote not counted, encourage
    enough voters to check their votes to determine
    extent of fraud/error
  • If a displayed receipt does not check, check
    receipts in that precinct to determine extent of
    fraud/error

26
Current status of CVV
  • Prototype implemented in Java
  • Currently supports low-end ink jet printing
  • Plan
  • Open source release
  • User-friendly ballots
  • Pre-packaged election tool kit for third-party
    elections (e.g. student elections). Those
    interested please contact us.
  • Construction of various other primitives for plug
    and play

27
More Next Steps
  • Performance and Robustness Testing and
    Enhancements
  • Trials in local and school elections
  • for education and
  • to test usefulness and acceptance of scheme
  • With Political Science and Public Affairs Faculty
  • Determine if there is a difference in acceptance
    along group lines
  • Political parties
  • Age
  • Race
  • Ability (among handicapped: Braille overlay
    methods can be developed)

28
References and Acknowledgements
  • David Chaum
  • David Chaum, Secret-Ballot Receipts: True
    Voter-Verifiable Elections, IEEE Security and
    Privacy, January-February 2004 (Vol. 2, No. 1)
  • Poorvi Vora, David Chaum's Voter Verification
    using Encrypted Paper Receipts,
    www.seas.gwu.edu/poorvi/Chaum/chaum.pdf
  • Also on DIMACS website linked from talk abstract

29
  • Extras

30
CVV - How it works: based on Chaum
voter-verifiable voting system
  • Voter votes. Obtains an encrypted receipt that
    even she cannot decrypt outside polling booth
  • only all n trustees can decrypt it
  • this can be modified to k of n trustees.
  • We will describe later how she can be sure the
    polling machine did not cheat
  • Voter checks for receipt on public website. If it
    is there, her vote has reached the counting
    station

31
CVV - How it works
  • Possessor (voter or third party or anyone if
    receipt on website) can check if receipt is
    correctly generated.
  • All votes at counting station are serially
    (partially) decrypted and shuffled by trustees
    (version of MIX)
  • Final, unencrypted, shuffled votes are counted.
    Conditional count announced.
  • Trustee decryption and shuffle is audited. Final
    count announced, election certified.