Embed Size (px)
DESCRIPTION
A Brief Intro to Aperio and Eperio. Aleksander Essex University of Waterloo, *University of Ottawa SecVote 2010 Sept. 3, Bertinoro Italy. Aperio and Eperio. Aperio (Essex, Clark and Adams, WOTE08) Paper-based voting Verifiable w/o crypto - PowerPoint PPT Presentation
Citation preview
A Brief Intro to
Aperio and Eperio
Aleksander Essex
University of Waterloo, *University of Ottawa
SecVote 2010Sept. 3, Bertinoro Italy
Aperio and Eperio
• Aperio (Essex, Clark and Adams, WOTE08)
–Paper-based voting–Verifiable w/o crypto
• Eperio (Essex, Clark, Hengartner and Adams, EVT10)
–Electronic Aperio–Optical scan ballots–Verifiable with some crypto
Cryptoless E2E-style voting
• 3-Ballot – Hard to mark but easy to check– Numerous Attacks
• long ballots • short ballots (CEA07)• Etc
• Farnel/Twin– Easy to mark, easy to check but,– Need chain-of-custody to be secure
• If you had it, do you need ?
Aperio
• Easy to mark• Easy to tally• Some repetitive paperwork to verify• No CoC assumption
Aperio Ballot AssemblyWU, Carol
JONES, Alex
SMITH, Bob
Aperio Ballot Assembly
Sheets fused together (voter can’t see bottom sheets)
Reference Lists
450251556051…
Wu, Jones, SmithJones, Wu, SmithSmith, Wu, JonesWu, Jones, Smith…
WU, Carol
JONES, Alex
SMITH, Bob
Wu, Jones, Smith002
#923
WU, Carol
JONES, Alex
SMITH, Bob
#923
Wu, Jones, Smith002
#617
Commitments (tamper-evident envelopes)
AliceAlice AliceAlice
Voting
Casting
Counting
Σ
• Coin toss reveals either– Pink Ballot, Goldenrod Receipt, or,– Pink Receipt, Goldenrod Ballot
Decommitting Protocol
Alice
Alice
Alice
Alice
Alice
Alice
Alice
Alice
Checking Receipts
X X
002
WU, Carol
JONES, Alex
SMITH, Bob
WU, Carol
JONES, Alex
SMITH, Bob
WU, Carol
JONES, Alex
SMITH, Bob
WU, Carol
JONES, Alex
SMITH, Bob
XWU, Carol
JONES, Alex
SMITH, Bob
XWU, Carol
JONES, Alex
SMITH, Bob
X
Checking Tally
Cryptography in Elections
• Conflicting views:– Max-crypto
• Security at expense of simplicity
– No-crypto• Simplicity at expense of security
• Our goal:– Min-crypto
• Balance security and simplicity
Eperio• What it is
– E2E election verification protocol
• What it means for verification– Fewer cryptographic primitives– Smaller datasets– Faster execution– Fewer lines of code
BobAlice
AliceBob
#000 #001
x x
Pret-a-Voter style Ballots
Bubble ID Marked? Candidate
BobAlice
#000
Trustees* copy ballots into a table
Before the election….
*Done obliviously
Bubble ID Marked? Candidate
#000-1st Bob
#000-2nd AliceBobAlice
#000
Before the election….
Trustees* copy ballots into a table
*Done obliviously
Bubble ID Marked? Candidate
#000-1st Bob
#000-2nd Alice
#001-1st Alice
#001-2nd Bob
AliceBob
#001
Before the election….
Trustees* copy ballots into a table
*Done obliviously
Bubble ID Marked? Candidate
#000-1st Bob
#000-2nd Alice
#001-1st Alice
#001-2nd Bob
… … …
… … …And so on…
Before the election….
Bubble ID Marked? Candidate
#000-1st Bob
#000-2nd Alice
#001-1st Alice
#001-2nd Bob
… …
The Eperio Table:
Remember: it’s just the ballots in table-form.
Trustees shuffle rowsBubble ID Marked? Candidate
#001-2nd Bob
#003-2nd Bob
#007-1st Bob
#029-2nd Alice
#001-1st Bob
… …
Trustees mask columns
Bubble ID Marked? Candidate
#001-2nd Bob
#003-2nd Bob
#007-1st Bob
#029-2nd Alice
#001-1st Bob
… …
Cryptographically committed and published
Bubble ID Marked? Candidate
#001-2nd Bob
#003-2nd Bob
#007-1st Bob
#029-2nd Alice
#001-1st Bob
… …
Bubble ID Marked? Candidate
#001-2nd Bob
#003-2nd Bob
#007-1st Bob
#029-2nd Alice
#001-1st Bob
… …
Bubble ID Marked? Candidate
#001-2nd Bob
#003-2nd Bob
#007-1st Bob
#029-2nd Alice
#001-1st Bob
… …
Bubble ID Marked? Candidate
#001-2nd Bob
#003-2nd Bob
#007-1st Bob
#029-2nd Alice
#001-1st Bob
… …
Many independent shuffled copies
created
More instances scales security assurance
Bubble ID Marked? Candidate
#000-1st Yes Bob
#000-2nd No Alice
#001-1st Yes Alice
#001-2nd No Bob
… … …
#000
#001
x
x
Ballots recorded by scanner
During the election…
Bubble ID Marked? Candidate
#001-2nd No Bob
#003-2nd Yes Bob
#007-1st Yes Bob
#029-2nd No Alice
#001-1st Yes Alice
… … …
After the election: Bubble ID Marked? Candidate
#000-1st Yes Bob
#000-2nd No Alice
#001-1st Yes Alice
#001-2nd No Bob
… … …
Trustees fill in middle columns
Bubble ID Marked? Candidate
#001-2nd Yes Bob
#031-2nd Yes Bob
#001-1st Yes Alice
#029-2nd No Alice
#021-1st Yes Bob
… … …
After the election:Bubble ID Marked? Candidate
#000-1st Yes Bob
#000-2nd No Alice
#001-1st Yes Alice
#001-2nd No Bob
… … …
Trustees fill in middle columns
The Audit ChallengeBubble ID Marked? Candidate
#001-2nd No Bob
#003-2nd Yes Bob
#007-1st Yes Bob
#029-2nd No Alice
#001-1st Yes Bob
… … …
Bubble ID Marked? Candidate
#001-2nd Yes Bob
#003-2nd Yes Bob
#007-1st Yes Bob
#029-2nd No Alice
#001-1st Yes Bob
… … …
Bubble ID Marked? Candidate
#001-2nd No Bob
#003-2nd Yes Bob
#007-1st Yes Bob
#029-2nd No Alice
#001-1st Yes Bob
… … …
Bubble ID Marked? Candidate
#001-2nd No Bob
#003-2nd No Bob
#007-1st Yes Bob
#029-2nd Yes Alice
#001-1st No Bob
… … …
• Challenge• Public coin toss• One column from each instance challenged
• Response• Trustees post decommitments
Checking receipts
Bubble ID Marked? Candidate
#001-2nd Yes Bob
#003-2nd Yes Bob
#007-1st Yes Bob
#029-2nd No Alice
#001-1st Yes Bob
… … …
Checking receipts
Bubble ID Marked? Candidate
#007-1st Yes Bob
#006-2nd Yes Bob
#042-1st Yes Bob
#029-2nd No Alice
#007-2nd No Bob
… … …
Bubble ID column decommitted
Checking receipts
Bubble ID Marked? Candidate
#007-1st Yes Bob
#006-2nd Yes Bob
#042-1st Yes Bob
#029-2nd No Alice
#007-2nd No Bob
… … …
Voter looks up receipt. Checks for match.
#007
x
Bubble ID Marked? Candidate
#001-2nd No Bob
#003-2nd Yes Bob
#007-1st Yes Bob
#029-2nd No Alice
#001-1st Yes Bob
… … …
Tally audit
Bubble ID Marked? Candidate
#001-2nd No Bob
#003-2nd Yes Alice
#007-1st Yes Alice
#029-2nd No Bob
#001-1st Yes Bob
… … …
Candidate column decommitted
Tally audit
Bubble ID Marked? Candidate
#001-2nd No Bob
#003-2nd Yes Alice
#007-1st Yes Alice
#029-2nd No Bob
#001-1st Yes Bob
… … …
Tally like any election
Tally audit
+
Bubble ID Marked? Candidate
#001-2nd No Bob
#003-2nd Yes Alice
#007-1st Yes Alice
#029-2nd No Bob
#001-1st Yes Bob
… … …
Bubble ID Marked? Candidate
#001-2nd No Bob
#003-2nd Yes Bob
#007-1st Yes Bob
#029-2nd No Alice
#001-1st Yes Bob
… … …
Repeat as necessary…
Bubble ID Marked? Candidate
#007-1st Yes Bob
#006-2nd Yes Bob
#042-1st Yes Bob
#029-2nd No Alice
#007-2nd No Bob
… … …
Bubble ID Marked? Candidate
#001-2nd No Alice
#003-2nd Yes Bob
#007-1st Yes Bob
#029-2nd Yes Alice
#001-1st No Bob
… … …
Review
Bubble ID Marked? Candidate
#001-2nd No Bob
#003-2nd Yes Bob
#007-1st Yes Bob
#029-2nd No Alice
#001-1st Yes Bob
… … …
•Eperio table instance •Just a copy of ballots•Independently shuffled•Committed•Published
•Columns•Right + middle = tally•Left + middle = receipt info
How is Eperio different?
• Table structure• Commitment scheme• Implementation options
What does this mean?
• Speed (10-100x faster)• Data download (10-100x smaller)• Small code size (50 lines of Python)
Bubble ID Marked? Candidate
004 B X Bob
008 B X Alice
007 A X Alice
002 A Bob
004 A Alice
008 A Bob
002 B X Alice
007 B Bob
Table structure: a comparison
Eperio
Verification in a spreadsheet!Bubble ID Marked? Candidate
004 B X Bob
008 B X Alice
007 A X Alice
002 A Bob
004 A Alice
008 A Bob
002 B X Alice
007 B Bob
Bubble ID Marked? Candidate
004 B X Bob
008 B X Alice
007 A X Alice
002 A Bob
004 A Alice
008 A Bob
002 B X Alice
007 B Bob
OpenSSL OpenSSL
Implementation options (for audits)
Custom code Small script + Encryption utility
Spreadsheet + Encryption utility
Spreadsheet all-in-one?
Eperio
Eperio
eperio.orgFind out more at
