Slides: archiv.infsec.ethz.ch/people/michschl/material/evoting.pdf

Motivation Requirements Threats Approaches Case studies Conclusions

Introduction to Internet Voting
Information Security, SS10

Michael Schläpfer

Information Security Group
ETH Zurich

03 June 2010

Michael Schläpfer 1 / 54


Outline

1 Motivation: What is voting?

2 Requirements

3 Threats

4 Approaches

5 Case studies

6 Conclusions


What is voting?

Aspects involved: Legal, Social, Technical

Security Engineering, System Security, Cryptographic Protocols, Formal Methods in Information Security, . . .


What is voting?

The fundamental principles of democracy

Electronic voting must be embedded in and support democratic processes!

δημοκρατία (demokratía): "rule of the people"

Foundations: Equality, Freedom

Direct Democracy: Elections, Initiatives, Referenda

Representative Democracy: Elections


What is voting?

How to capture the free will?

Poll-site based voting: Open elections (“Landsgemeinde”), Anonymous elections (voting booth)

Absentee voting: Via postal mail (Switzerland), Via Internet


What is voting?

General voting process

Figure: The phases of an election.


What is voting?

Why electronic voting?

Example

In the 2000 election, especially in the disputed recounts in Florida, there were issues concerning the ambiguities and uncertainties that arose from punch-card ballots, such as the hanging chads (incompletely punched holes). In 2004, the punch-card ballots were still widely used in some states. For example, most Ohio voters used punch-card ballots, and more than 90,000 ballots cast in Ohio were treated as not including a vote for President; this "undervote" could arise because the voter chose not to cast a vote or because of a hanging chad.

- Improve accuracy
- Maximize trust
- Minimize costs
- Speed up the tallying


What is voting?

Arguments for Internet voting (?)

- Citizens living abroad
- Simplify voting process
- Decrease again the costs
- Additional channel
- Improve voter turnout
- Because everything can be done over the Internet, really?


What is voting?

Isn’t this just like eBanking?

“And, we have already secure eBanking! Yes, but . . . ”

- Maybe not as secure as you might think
- Built-in reality checks (statistical analysis)
- Account statements
- Insurance
- No anonymity

A recently stated opinion:

“. . . a secure internet voting system is theoretically possible, but it would be the first secure networked application ever created in the history of computers.”


Outline

1 Motivation

2 Requirements: Existing requirements lists; Requirements engineering

3 Threats

4 Approaches

5 Case studies

6 Conclusions


Existing requirements lists

EU recommendations 2004

List of requirements for electronic voting systems [1]

- Based on legal perspective
- Starting point for the development of a serious implementation

Fine, but . . .

[1] http://www.coe.int/t/dgap/democracy/Activities/Key-Texts/Recommendations/00Rec(2004)11_rec_adopted_en.asp


Existing requirements lists

Critics

Fine, but . . .
- Focussed on legal requirements
- Created by legal experts
- Specific implementations in mind
- Partly overspecified
- Partly underspecified
- Contradictions

Examples can be found in: http://www.cs.nuim.ie/~mmcgaley/Download/evt_presentation.pdf


Requirements engineering

Recommended procedure

- Abstract high-level principles, defined by legal experts
- Abstract general requirements, which imply the principles
- Concrete security requirements, as foundations for the design and implementation of a system


Requirements engineering

Legal principles

- Universal suffrage: Every eligible voter shall have the ability to cast his free intention.
- Equal suffrage: Each vote shall have the same impact on the result.
- Free suffrage: Voters shall be able to cast their intention absolutely free and without influence or pressure.
- Secret suffrage: Every measure shall be taken for voters’ choices to remain secret.


Requirements engineering

Developing the general requirements

- Democracy: Only authorized voters can vote, and only once.
- Privacy: The voter’s choice remains secret and cannot be linked to the voter (anonymity), and the voter cannot prove his choice to any third party (receipt-freeness).
- Fairness: At no time during the election can any intermediary result be obtained.
- Accuracy: The system behaves correctly, i.e. every eligible vote is used in the tally and cannot be altered or removed. No invalid vote is counted in the tally.
- Verifiability: Every step in the election is reproducible and the correctness of the entire election can be checked.


Requirements engineering

Example: Privacy refined

- Secrecy: The votes remain secret, hence it is not possible in any phase to gain information about an individual voter’s vote, not even for the organizing authority.
- Receipt-freeness: No information is given to the voter that allows him to prove any information about his individual choice to any third party. This includes proving what he did not vote for or that he voted at all!
- . . .


Requirements engineering

Challenging requirements (amongst others...)

- Receipt-freeness: No information is given to the voter that allows him to prove any information about his individual choice to any third party. This includes the impossibility to prove what he did not vote for or that he voted at all.
- Individual verifiability: The voter is given a proof that his vote has been recorded as intended, hence he is able to check this. Many researchers mention this requirement but leave open what to do when this check fails. Part of this requirement is also that the procedures to be taken in such a case are defined as well.


Outline

1 Motivation

2 Requirements

3 Threats: Overview; Secure platform problem

4 Approaches

5 Case studies

6 Conclusions


Overview

Sources and motivations (amongst others)

- Script kiddies: Searching for the thrill and showing their hacking skills.
- Political parties: Trying to improve their political influence.
- Criminals: Trying to influence the law for their own benefits.
- Foreign intelligence: Trying to control or to destabilize the political system of a country.
- Globally operating companies: Trying to control the law for their own benefits and possessing multi-billion budgets.

Conclusion:

Attacker is possibly very powerful and skilled!


Overview

Two important threats

In the following, we focus on two specific threats.

- . . .
- Voter coercion / Vote buying (Secrecy/Privacy)
- Modification of votes (Integrity)
- . . .


Secure platform problem

An ideal world

Figure: A protocol between Alice and Bob.

Question:

Does this really reflect the Internet?


Secure platform problem

A dangerous world

Figure: A protocol between Alice and Bob.

Possible solution:

Encrypt and authenticate messages over the insecure channel.


Secure platform problem

Establish secure communication

Figure: A protocol between Alice and Bob.

Question:

But Alice and Bob do not communicate directly with each other, they use their computers, right?


Secure platform problem

A realistic setting

Figure: A protocol between Alice’s and Bob’s Computers.

Question:

What about malware on Alice’s and Bob’s computers?


Secure platform problem

An extremely dangerous world

Figure: A protocol between Alice’s and Bob’s Computers.

Possible solution:

Encrypt the channel just as before.


Secure platform problem

How to establish a secure channel now?

Figure: A protocol between Alice’s and Bob’s Computers.

Questions:

- What are the computing capabilities of Alice and Bob?
- Is this really reasonable?


Outline

1 Motivation

2 Requirements

3 Threats

4 Approaches: Integrity; Secrecy

5 Case studies

6 Conclusions


Integrity

Integrity: Voter verifiability

Idea:

The voter can check the correctness of every single step himself!

- Individual verifiability gives the voters the opportunity to verify that their individual ballot was processed correctly.
- Universal verifiability gives the electorate or even the entire public the opportunity to verify the correctness of an operation or protocol phase, e.g. to verify the correctness of the vote counting in the tallying phase.
- When every step is verifiable, the entire election is End-to-End verifiable (E2E).


Integrity

Integrity: An overview of E2E verifiability

Individually verifiable: Cast as intended, Recorded as cast

Universally verifiable: All other phases

Figure: Source: Ben Adida.

We will see later how voter verifiability can be achieved!


Secrecy

Secrecy

Idea:

Trick your own platform!

- Pre-encrypt all messages in advance (“mapping table”)
- Use a dedicated secure channel prior to the election to receive the “mapping table”
- Enter pre-encrypted messages into the untrusted platform
- The voter’s computing capability requirements are reduced to simply comparing options in a mapping table!

We will see later how pre-encryption can be achieved in practice!


Outline

1 Motivation

2 Requirements

3 Threats

4 Approaches

5 Case studies: Code Voting (Secrecy); Visual cryptography (Integrity)

6 Conclusions


Code Voting (Secrecy)

Key idea

Remember:

A secure channel from physical Alice to physical Bob!


Code Voting (Secrecy)

Protocol functioning: Initial proposal

1 Authority generates a code sheet (“mapping table”)

2 Code sheet is distributed over a dedicated (secure) channel

3 Alice chooses an option and enters the corresponding code into her computer

4 Alice’s computer sends ballot to authority

Question:

How can Alice be sure that her vote was correctly received by the authority?


Code Voting (Secrecy)

Protocol functioning: Refined proposal

1 Authority generates a code sheet (“extended mapping table”)

2 Code sheet is distributed over a dedicated (secure) channel

3 Alice chooses an option and enters the corresponding code into her computer

4 Alice’s computer sends ballot to authority

5 The authority sends back the corresponding confirmation code

6 Alice compares the received confirmation code with the expected one


Code Voting (Secrecy)

Security properties

- E.g. 5-digit codes (26 letters and numbers 1 to 9) result in a code space of size 35^5 = 52′521′875 different codes
- Attacker can only guess what the code could stand for and is successful with a probability of 1/#options, but he cannot verify his guess anyway
- Assume the voter can choose from 10 options (candidates), then the attacker’s probability to correctly guess another valid code is: 9/52′521′874
- Ballot casting assurance possible through the use of confirmation codes
- Voter has to trust the authority (There are ways to minimize the affordable trust!)
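The refined code-voting protocol (slides 34 to 36) carried through as an added Python model; this is not code from the slides. It assumes a hypothetical `Authority` class keyed by voter id, random 5-character codes over the 35-symbol alphabet of slide 36, and a `platform` callable standing in for the voter's untrusted computer, which only ever sees pre-encrypted codes.

```python
import secrets
from fractions import Fraction

# Code alphabet from slide 36: 26 letters plus the digits 1 to 9 (35 symbols), 5-digit codes.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789"
CODE_LEN = 5


def random_code():
    """One uniformly random code from the 35^5 code space."""
    return "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))


def generate_code_sheet(options):
    """Step 1 (authority): an 'extended mapping table' with a voting code and a
    confirmation code per option. All codes on a sheet are distinct, so a received
    voting code maps to exactly one option.
    Returns (sheet handed to the voter, lookup table kept secret by the authority)."""
    used, sheet = set(), {}
    for option in options:
        while True:
            vote_code, conf_code = random_code(), random_code()
            if vote_code != conf_code and not {vote_code, conf_code} & used:
                break
        used.update((vote_code, conf_code))
        sheet[option] = (vote_code, conf_code)
    lookup = {vc: (option, cc) for option, (vc, cc) in sheet.items()}
    return sheet, lookup


class Authority:
    """Hypothetical authority: keeps the secret lookup per voter and the cast ballots."""

    def __init__(self):
        self.lookups = {}   # voter_id -> {vote_code: (option, confirmation_code)}
        self.ballots = {}   # voter_id -> option (each voter is counted once)

    def issue_sheet(self, voter_id, options):
        """Steps 1-2: generate the sheet; it is assumed to reach the voter over a
        dedicated secure channel (e.g. postal mail), never through her computer."""
        sheet, lookup = generate_code_sheet(options)
        self.lookups[voter_id] = lookup
        return sheet

    def receive_ballot(self, voter_id, vote_code):
        """Steps 4-5: map the code back to an option and answer with the confirmation
        code. Unknown codes and second ballots are rejected (None)."""
        lookup = self.lookups.get(voter_id)
        if lookup is None or vote_code not in lookup or voter_id in self.ballots:
            return None
        option, conf_code = lookup[vote_code]
        self.ballots[voter_id] = option
        return conf_code


def cast_vote(authority, voter_id, sheet, choice, platform=lambda code: code):
    """Steps 3 and 6 (voter). `platform` models the untrusted computer: whatever it
    forwards is what the authority receives. Returns True iff the confirmation code
    sent back matches the one printed on the sheet for the chosen option."""
    vote_code, expected_conf = sheet[choice]
    return authority.receive_ballot(voter_id, platform(vote_code)) == expected_conf


def code_space_size():
    """Slide 36: 35^5 = 52'521'875 codes."""
    return len(ALPHABET) ** CODE_LEN


def guess_valid_code_probability(n_options):
    """Slide 36: a platform that replaces the entered code by a guess hits one of the
    other n_options - 1 valid codes with probability (n_options - 1) / (35^5 - 1)."""
    return Fraction(n_options - 1, code_space_size() - 1)
```

A tampering platform cannot produce the expected confirmation code without the sheet, so the voter's comparison in step 6 detects the substitution.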


Code Voting (Secrecy)

Open issues: Usability

- Security increases with the number of digits of the codes
- At the same time usability decreases with the number of digits of the codes
- A meaningful tradeoff has to be found
- For elections, voters in Zurich can choose 34 candidates out of hundreds: This leads to the voter entering around 150 digits in order to elect!
- There are ideas to improve usability (e.g. barcodes)


Visual cryptography (Integrity)

Overview

A Voter enters choice and gets two receipts for which she is able to verify the correctness of the encryption visually

B Voter chooses one receipt randomly. This receipt is published on a bulletin board

C Talliers decrypt and mix the encrypted receipts


Visual cryptography (Integrity)

Key idea

Let [cell pattern] = 1 and [cell pattern] = 0 (the two parity cells in the figure below). Then we define a visual xor operation ⊕v such that:

1 ⊕v 1 = 0
0 ⊕v 0 = 0
1 ⊕v 0 = 1
0 ⊕v 1 = 1

Represent voter’s choice as a matrix of parity cells (visual representation of a bit string)

Figure: Parity cells. (Source: David Chaum)

Figure: An example. (Source: David Chaum)


Visual cryptography (Integrity)

Protocol functioning: Preliminaries

Controlled voting booth used

Voting machine holds three keys for:
- Signing BSN (bottom)
- Signing BSN (top)
- Overall signing the entire receipt

There exist two hash functions h and h′, where h is public and h′ (keyed) is only known to the authority and official auditors (e.g. political parties)

Every tallier holds a private key and the corresponding public key is public


Visual cryptography (Integrity)

Protocol functioning: Encryption

1 Voter’s choice is represented as an m × n matrix B. B is "checkerboarded" into bit strings B^t and B^b of length mn/2.

2 2k pseudo-random hash values v^t_i and v^b_i of length mn/2 are generated from the signed BSN (Ballot Sequence Number) using h:

  d^t_i = h′(v^t_i) and d^b_i = h′(v^b_i)

  W^t := ⊕_{1≤i≤k} d^t_i and W^b := ⊕_{1≤i≤k} d^b_i

  In parallel, the top doll D^t and the bottom doll D^b are created for later decryption:

  D^t := {v^t_k, {· · · {v^t_2, {v^t_1}_{pk_1}}_{pk_2} · · · }_{pk_{k−1}}}_{pk_k}

3 B^t and B^b are encrypted by bitwise xor-ing with the corresponding W:

  R^t := B^t ⊕ W^t

  R^b := B^b ⊕ W^b

4 Reverse "checkerboard" B^t with W^b and B^b with W^t to the top layer L^t and the bottom layer L^b. Represent the layers with visual parity cells.


Visual cryptography (Integrity)

Protocol functioning: Vote casting

- Voter chooses layer randomly
- Voting machine signs BSN with the corresponding signing key
- Voting machine prints all this information on the chosen layer’s receipt
- Voting machine signs with overall signing key: chosen layer L^x, BSN, signed BSN, dolls D^t and D^b
- Chosen receipt is scanned and published


Visual cryptography (Integrity)

Protocol functioning: Tallying

Remember:

D := {v_k, {· · · {v_2, {v_1}_{pk_1}}_{pk_2} · · · }_{pk_{k−1}}}_{pk_k}

h′ known to authority (talliers) and W := ⊕_{1≤i≤k} h′(v_i)
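The encryption steps of slides 42 to 45 and the tallying decryption above, carried through as an added Python example that is neither the slides' nor Chaum's own code. Assumptions: h is modelled as SHA-256 in counter mode, h′ as HMAC-SHA256 under an authority key, k = 3, the dolls D^t/D^b are omitted (the talliers are assumed to hold the h′ key directly, as the "Remember" slide allows), and step 4 interleaves R^t with W^b and W^t with R^b, which is my reading of "B^t with W^b".

```python
import hashlib
import hmac

# Constructed parameters (not from the slides): public hash h = SHA-256 in counter mode,
# keyed hash h' = HMAC-SHA256 under a key held by the authority/talliers, k = 3 talliers.
K = 3
AUTHORITY_KEY = b"constructed-h-prime-key"

# Constructed 4 x 6 sample ballot image and signed BSN (stand-ins for the real inputs).
SAMPLE_BALLOT = [
    [1, 0, 1, 1, 0, 0],
    [0, 1, 1, 0, 1, 0],
    [1, 1, 0, 0, 1, 1],
    [0, 0, 1, 1, 0, 1],
]
SAMPLE_SIGNED_BSN = b"constructed-signed-bsn-0001"


def bits_to_bytes(bits):
    padded = bits + [0] * (-len(bits) % 8)
    return bytes(int("".join(map(str, padded[i:i + 8])), 2) for i in range(0, len(padded), 8))


def h(data, nbits):
    """Public hash h, expanded to nbits pseudo-random bits (SHA-256 in counter mode)."""
    out = []
    for counter in range((nbits + 255) // 256):
        digest = hashlib.sha256(data + counter.to_bytes(4, "big")).digest()
        out.extend((byte >> (7 - j)) & 1 for byte in digest for j in range(8))
    return out[:nbits]


def h_prime(key, bits):
    """Keyed hash h' (authority and auditors only): HMAC of the input, expanded to len(bits) bits."""
    return h(hmac.new(key, bits_to_bytes(bits), hashlib.sha256).digest(), len(bits))


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def checkerboard(B):
    """Step 1: split the m x n image B into B^t (cells with even r+c) and B^b (odd r+c)."""
    top, bottom = [], []
    for r, row in enumerate(B):
        for c, bit in enumerate(row):
            (top if (r + c) % 2 == 0 else bottom).append(bit)
    return top, bottom


def reverse_checkerboard(top, bottom, m, n):
    """Step 4: interleave two half-length bit strings back into an m x n layer."""
    t, b = iter(top), iter(bottom)
    return [[next(t) if (r + c) % 2 == 0 else next(b) for c in range(n)] for r in range(m)]


def hash_values(signed_bsn, layer, nbits):
    """Step 2: the k pseudo-random values v^x_i (x = layer 't' or 'b') derived from the
    signed BSN with the public h; the voter can regenerate them (slide 50)."""
    return [h(signed_bsn + layer.encode() + bytes([i]), nbits) for i in range(1, K + 1)]


def pad(signed_bsn, layer, nbits, key):
    """W^x := XOR over 1 <= i <= k of d^x_i, where d^x_i = h'(v^x_i)."""
    W = [0] * nbits
    for v in hash_values(signed_bsn, layer, nbits):
        W = xor(W, h_prime(key, v))
    return W


def encrypt(B, signed_bsn, key=AUTHORITY_KEY):
    """Steps 1-4 on the voting machine: returns the top layer L^t and the bottom layer L^b."""
    m, n = len(B), len(B[0])
    Bt, Bb = checkerboard(B)
    Wt, Wb = pad(signed_bsn, "t", len(Bt), key), pad(signed_bsn, "b", len(Bb), key)
    Rt, Rb = xor(Bt, Wt), xor(Bb, Wb)           # step 3: R^x := B^x xor W^x
    Lt = reverse_checkerboard(Rt, Wb, m, n)     # top layer: R^t on top cells, W^b on the rest
    Lb = reverse_checkerboard(Wt, Rb, m, n)     # bottom layer: W^t on top cells, R^b on the rest
    return Lt, Lb


def overlay(Lt, Lb):
    """Visual xor of the stacked layers: what the voter sees in the booth (must equal B)."""
    return [[a ^ b for a, b in zip(rt, rb)] for rt, rb in zip(Lt, Lb)]


def tally_decrypt(layer, which, signed_bsn, key=AUTHORITY_KEY):
    """Slide 49: the talliers, who know h', strip W^x from the single published layer and
    recover the half-image B^x. The layer's other cells hold only the other layer's W,
    so the published layer reveals nothing to anyone without the h' key."""
    R = checkerboard(layer)[0 if which == "t" else 1]
    return xor(R, pad(signed_bsn, which, len(R), key))
```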


Visual cryptography (Integrity)

Security properties

Voter is able to:

- Check the correctness of all the signatures printed on the receipt
- Generate the k hash values v^x_i from the signed BSN
- Check the correctness of the doll D^x printed on his layer by sequentially encrypting the hash values v^x_i with the public keys of the respective tallier i
- Check that the published receipt indeed corresponds to his receipt

The tallying phase can be made universally verifiable


Visual cryptography (Integrity)

Adaption to Internet voting

- Voter needs an accurate printer that can print on transparent foils
- Voter needs a scanner
- Complicated procedure for home use
- User is in possession of the entire receipt (both layers!)

Conclusion:

Not applicable for Internet voting!


Outline

1 Motivation

2 Requirements

3 Threats

4 Approaches

5 Case studies

6 Conclusions: Future work


Future work

Conclusions

There are many open issues!

Future work involves:
- Analysis of latest proposals
- Formal model of Internet voting protocols (with compromising adversary)
- Finding attacks on existing protocols
- Improving existing protocols (e.g. usability in code voting)
- Defining new modular proposals w.r.t. the security requirements mentioned before


Future work

Further readings

D. Chaum. Secret-ballot receipts: True voter-verifiable elections. IEEE Security & Privacy Magazine, 2004. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.123.7870&rep=rep1&type=pdf

R. Oppliger. How to address the secure platform problem for remote internet voting. Sicherheit in Informationssystemen, vdf Hochschulverlag AG, 2002. http://pubs.esecurity.ch/sis_2002.pdf

J. Bryans and P. Ryan. A dependability analysis of the Chaum digital voting scheme. University of Newcastle upon Tyne, Technical Report Series CS-TR-809, 2003. http://www.cs.ncl.ac.uk/research/pubs/trs/papers/809.pdf
