Practical Electronic Voting Schemes

1
Practical Electronic Voting Schemes

• Peter Landrock
• ECC, Copenhagen 2005

2
The company

• Software house
• Established in 1986
• Spin-off from
• University of Aarhus
• World-Class Cryptographers
• - Vincent Rijmen, Ivan Damgaard

Cryptomathic provides secure electronic solutions
for web-banking, card issuing and advanced key
management with almost 20 years of experience.
3
Innovation beyond competiton

• World Economic Forum
• Nominated as one of the most innovative
• companies in Europe at Davos 2003

4
Company Ownership
5
Office Locations
Aarhus, DK Head Quarter R D
Cambridge, UK UK USA
Copenhagen, DK Scandinavia
Leuven, BE Benelux
Amaro, IT ECEO - Partner
Munich, DE Central Europe
6
Products and Offerings

• Products
• Custom Solutions
• Professional Services

7
Selected Products
8
The Switch from Manual Elections

• General idea behind Electronic Voting
• like manual voting - only much faster and
  cheaper, but
• is the voter able to verify that what he enters
  is actually what is recorded?
• can official monitoring verify that one vote is
  recorded correctly for each voter?
• can we trust the counting process?
• and
• is it socially acceptable?
• Well, lets start with the requirements

9
Requirements for an e-Voting Scheme

• Privacy
• only the final result is made public, no
  additional information about votes will leak.
• Robustness
• the result reflects all submitted and well-formed
  ballots correctly, even if some voters and/or
  possibly some of the entities running the
  election cheat.
• Universal verifiability
• after the election, the result can be verified by
  anyone.

10
How to meet these requirements?

• we obviously need cryptographic techniques
• but tamper resistant devices as well
• and we need to provide
• appropriate protocols and mechanisms to meet
  these requirements
• which we will be discussing
• digital signatures to identify voters

11
Specification

• This does NOT imply that we need an independent
  X.509 PKI system in place
• But we will assume we have an existing
  registration scheme in place
• otherwise there is no democracy in the first
  place!
• so we can send something out to a voter by mail,
  like a PIN-mailer
• which he may use for electronic registration
• at which stage a public key pair is generated for
  his use, and the private key is stored securely
  in a central server
• all using HSMs
• the private key never leaves the HSM controlled
  environment

12
Specification

• This registration could take place
• at home from the voters own work station
• or at a polling station
• where he presents a fairly traditional voting
  card received in the mail for proper
  identification and counting
• and uses an additional small slip with a PIN or
  similar to vote, as in the vote home scenario
• using the PIN for identification

13
Counting votes

• is easy in binary
• Example
• 5 candidates, 128 voters
• 40 bits voting ballot
• Candidate A 00000000...................00000001
• Candidate B 00000000.....0000000100000000
• ...
• Candidate E 000000010............................
  ..0
• The sum of the votes reveales how many votes each
  candidate obtained

14
Counting the votes

• Let alone the issues of anonymity etc.,
• adding up votes electronic could be virtually
  instant
• In order to meet some of all our requirements, it
  would be extremely useful with the following
  property
• Given any two votes, m1 and m2, and their
  encryption, P(m1), P(m2), assume
• P(m1)P(m2) P(m1m2),
• even better, if we can randomise to anonymise
  using individual random numbers ri for each vote,
  and we have the property
• P(m1,r1)P(m2,r2) P(m1m2,R)
• for some number R, then

15
e-Voting

• we call P(.,.) a homomophic public key if
• for any set of votes, there always exist some R
  (which will vary with the votes) with
• ?P(xi,ri) P(?xi,R)
• Now we have it (if such a function exist)!
• the voter
• cast his electronic vote x
• the application
• chooses a random number r and calculate P(x,r)
• signs and forwards SA(P(x,r))
• the authenticating server
• verifies the signature and forwards P(x,r) for
  counting
• the counting server
• calculates ?P(xi,ri) P(?xi,R) and descrypts to
  recover ?xi, while R is discharged
• the result is available less than 1 minute after
  the closing of the polling stations

16
Another cryptographic tool

• zero-knowledge
• it is actually possible to verify that a vote is
  the encryption of a correctly filled ballot
• without revealing anything else about the vote!
• this means that a votes cannot successfully
  include more than one legal vote in his ballot
• this involves commitment schemes
• but it is quite likely that politicians dont buy
  it ?

17
Ingenious!?

• if EVERYBODY votes electronically, yes
• but the choice is political
• it could save some embarrassment, though, here
  and there ?
• Applications in the near future
• closed groups of users who already communicate
  together electronically
• e.g. organisations as IEEE
• stock holders in large companies (e.g. IBM)
• Anyway, lets see how it works

18
homomorphic encryption

• We start with an ElGamal encryption scheme
• Let E be an elliptic curve, P a generator of a
  large cyclic group of prime order
• Let Q xP be a public key, where x is the
  private key
• Represent a message m by the point M in E and
  encrypt as (rPMrQ)
• Decryption of a ciphertext (UV) takes place by
  computing (xU,V-xU)
• This system is semantically secure under the
  generalized DH assumptiono far so good

19
homomorphic encryption

• We now need to combine this idea with the vary
  basic naïve counting method we described earlier
• Example
• assume there are s candidates and less than t
  voters
• Choose a point B such that the order of B is at
  least ts
• Let candidate j be represented by the point tj-1B
• this means that any ballot vote to be encrypted
  is of the form tj-1B, j 1,2,,s
• the sum of all the votes will be equal to
• M t1Bt2tB..tsts-1B (S tjtj-1)B, where tj is
  the number of votes for candidate j

20
homomorphic encryption

• So given M (t1t2t..tsts-1)B,
• how do we find t1, t2,..,ts?
• By solving the discrete log problem!
• Well!? ? ?
• This is easily done by choosing B wisely for most
  schemes
• example Suppose t 32 mill lt225 and s2
• then the order of B is bounded by 250.

21
Some references

• R.Cramer, R.Gennaro, B.Schoenmakers
• A Secure and Optimally Efficient Multi-Authority
  Election Scheme,
• Proceedings of EuroCrypt 97,
• I. Damgård and M. Jurik
• A Generalisation, a Simplification and some
  Applications of Paillier's Probabilistic
  Public-Key System
• Proc. of Public Key Cryptography 2001
• P.Pallier
• Public-Key Cryptosystems based on Composite
  Degree Residue Classes,
• Proceedings of EuroCrypt 99,
• I. Damgård, J. Groth and G. Salomonsen
• The Theory and Implementation of an Electronic
  Voting System
• Secure Electronic Voting, Advances in Information
  Security, Vol. 7 Gritzalis, Dimitris (Ed.)

22
Voting using HSMs/SMS
(1) User logs on to vote
(2) e-Vote web server requests user to vote
(3) Key-server request one-time SMS
(5) Initiate vote and sign
(4) Auth-server forwards one-time SMS to
User and Key-Server
Back-end
Key Server
User
HSM
e-Vote Web server
Authenticator Server
HSM
23
Voting using HSMs/Tokens,..
(5) User initiate Voting and signing

• User logs on to e-Vote WS
• generating one-time PW

(3) Key Server request verification of
one-time PW
(2) e-Vote web server request user to vote
(4) Authenticator verifies one-time PW
Back-end
Key Server
User
HSM
e-Vote Web server
Authenticator Server
HSM
24
Using tamper resistant HSMs

• is an alternative to e.g. using
• zero-knowledge techniques
• mix-nets
• the HSM will only allow legal votes before it
  signs on behalf of the voter
• By using independent servers for
• user authentication
• signing and voting
• we can effectively prevent all fraud

25
Detecting cheating

• If citizens vote at polling stations
• all this could be combined with a touch screen
  for voting
• printing a ballot for traditional voting
• for all or a small randomly chosen sample
• and an electronic vote as just described
• Samples could then be matched with the
  corresponding electronic votes
• and basic statistics would tell us how many we
  need to check for an acceptable confidence level
• Consider an example

26
Detecting cheating

• By having ballots printed voters are provided
  with the service that
• they can see what they have voted on paper, and
  they have the same level of certainty as at a
  manual election,
• their vote will count, provided that a manual
  recount actually takes place.
• Almost no information is gained by checking a few
  votes in a district. The only action that makes
  sense is to make total recounts in a selection of
  districts.
• However, if say a manual recount takes place in
  10 of the districts, this gives a 10 chance of
  catching the manipulation of votes in a
  particular district for a particular election.

27
Detecting cheating

• Consequently quite comprehensive recounting is
  necessary in order to ensure that the mechanism
  works as intended
• not only by revealing attempted frauds, but also
  by preventing attempts of fraud from happening by
  acting as a deterrent.
• Our approach here allows the following core
  properties
• Electronic votes may contain encrypted
  information identifying the election district and
  the manual vote.
• The electronic votes are detached from the
  identities of the voters and then decrypted.
• We can pick a random sample of all the electronic
  votes of an arbitrary size.
• Say that we want to ensure with 99 probability
  that at most 1 of the electronic votes are
  tampered with, i.e. contain different choices
  than the ones entered by the voters.
• Then we pick 459 random electronic votes. For
  each of those, if at least 1 of the electronic
  votes contain different choices than the
  corresponding manual votes, it has less than a
  99 chance of passing the test of being compared
  to the corresponding manual vote.
• Consequently there is a probability of less than
  0.99459 0.009921 that all of them pass the test.

28
Detecting cheating

• For the ultimate case,
• a general election in the US say,
• by manipulating 459 votes out of maybe 100
  million votes and causing the rather simple
  procedure to happen in 459 randomly chosen
  election districts, you actually get quite
  confident that no large scale fraud takes place
  with the electronic votes
• had this been implemented in 2000, the world
  migth have looked different.

29
Conclusion

• We have described practical voting schemes
• which have been tested in pilots
• They require instant key generation upon
  registration
• without requiring PKI in place
• which for million of voters would be
• practically impossible using RSA
• quite trivial using ECC
• and we can make it as secure as we want
• at low cost