COMP3441 Lecture 11: Voting
Ron van der Meyden
(University of New South Wales, Sydney, Australia)
May 27, 2013
R. van der Meyden COMP3441 Lecture 11: Voting
Overview
- Voting Requirements
- Some vote manipulation history
- Vote Counting Schemes
- Paper Secret Ballots
- Voting Machines
- Voting Protocols
- Attacks on Voting Protocols
Voting
A process whereby the preferences of a group of people (nation, state, electorate, party, organisation, shareholders) are combined to make a decision on some matter, e.g.,
- Election: Which of a set of candidates is to represent the electorate in parliament?
- Referendum: Should Australia become a republic or not?
- Approval: Should the CEO be remunerated as recommended by the Board?
Voting reflects multiple security engineering concerns
- Protecting an ideal system behaviour against deliberate attempts to perturb it
- Multiple interacting parties with differing interests: voters, election authorities, parties/candidates up for election
- Very high value asset: e.g., control of society & its assets, ability to make the rules
- High levels of mistrust, much history of fraud/manipulation attempts
Electoral Fraud/Manipulation Techniques
- Electoral Roll falsification (e.g., register dead people, babies)
- Multiple Voting
- Ballot Box Stealing
- Ballot Stuffing
- Vote Buying
- Voter Coercion
- Coercion of Electoral Officials
Ballot Stuffing
Gerry-Mandering
Cartoon from Boston Centinel, 1812, of an electoral district constructed to favour the party of Mass. Governor Elbridge Gerry
Not unknown in Australia: http://en.wikipedia.org/wiki/Bjelkemander
Not just history
Some recent news:
- (Oct 6, 2011) Bulgarian Nicola Yanakiev charged with vote-buying: possesses records of 100+ votes at EUR 50 per vote
- (Sep 22, 2011) 65% of the voters on the roll in Balochistan (Pakistan) are fake
- (Sep 22, 2011) Taiwan prosecutors investigate claims of vote-buying by a legislator who held a barbecue party for voters.
- (Sep 20, 2011) Kentucky county official sentenced to 1 year gaol for buying votes for his own reelection.
A more subtle variant?
(Oct 2, 2011) New York mayor Bloomberg in court case against John Hagerty.
Bloomberg paid Hagerty $1M to provide “ballot security” ... a contentious practice that proponents claim ensures correctness of the vote, but is argued to actually be intended to “intimidate minority voters by posting armed poll watchers”
(Hagerty used the money to buy a house instead!)
Vote Counting Rules
Many different approaches in use!
When a vote is a choice of a single candidate:
- First past the post: candidate with the highest number of votes wins
- Multiple round:
  - Runoff: top two candidates progress to second round
  - Exhaustive ballot: in each round, the candidate with the least votes drops out
Preferential voting: a vote is a ranking of candidates
- Instant runoff: candidate with least 1st preferences eliminated, votes redistributed to second preference etc. (until someone has over 50%) (Australian Parliament)
- Single transferable vote (for electing multiple candidates): (fractional or random) excess votes for candidates that have reached the quota are redistributed according to preferences, then votes of the lowest ranked candidate are redistributed (Australian Senate)
- Copeland’s method: order candidates by the number of pairwise victories, minus the number of pairwise defeats
- Many others...
These can yield diverse outcomes for the final decision, particularly in close races
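An added example (not part of the lecture) applying three of the rules above to the same constructed set of 100 complete rankings over candidates A, B and C: first past the post, instant runoff and Copeland's method each return a different winner.

```python
from collections import Counter
from itertools import combinations

# Constructed preference profile (not from the lecture): (number of voters,
# ranking best-first). 100 voters, three candidates A, B, C.
PROFILE = [(35, ["A", "C", "B"]), (33, ["B", "C", "A"]), (32, ["C", "B", "A"])]

def expand(profile):
    """Turn (count, ranking) pairs into one complete ranking per voter."""
    return [list(ranking) for count, ranking in profile for _ in range(count)]

def first_past_the_post(ballots):
    """Only first preferences count; the highest tally wins."""
    tally = Counter(b[0] for b in ballots)
    return max(tally, key=tally.get)

def instant_runoff(ballots):
    """Eliminate the candidate with fewest first preferences and redistribute
    their ballots to the next surviving preference, until someone has > 50%."""
    remaining = {c for b in ballots for c in b}
    while True:
        tally = Counter(next(c for c in b if c in remaining) for b in ballots)
        leader, votes = tally.most_common(1)[0]
        if 2 * votes > len(ballots):
            return leader
        remaining.remove(min(remaining, key=lambda c: tally.get(c, 0)))

def copeland(ballots):
    """Score = pairwise victories minus pairwise defeats; highest score wins."""
    candidates = sorted({c for b in ballots for c in b})
    score = Counter()
    for x, y in combinations(candidates, 2):
        x_over_y = sum(1 for b in ballots if b.index(x) < b.index(y))
        y_over_x = len(ballots) - x_over_y
        if x_over_y != y_over_x:
            winner, loser = (x, y) if x_over_y > y_over_x else (y, x)
            score[winner] += 1
            score[loser] -= 1
    return max(candidates, key=lambda c: score[c])

def outcomes(profile=PROFILE):
    """Same ballots, three rules, three different winners."""
    ballots = expand(profile)
    return {"first_past_the_post": first_past_the_post(ballots),
            "instant_runoff": instant_runoff(ballots),
            "copeland": copeland(ballots)}

if __name__ == "__main__":
    print(outcomes())  # {'first_past_the_post': 'A', 'instant_runoff': 'B', 'copeland': 'C'}
```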
Voting System Security Requirements
Given a voting Rule R, even in the face of determined attacks, the system should satisfy
- Integrity: the outcome of the vote = R applied to the set of votes that the voters intended to cast ⇒ integrity at each step:
  intention → official record of vote → final count
- Verifiability: breaches of integrity can be detected
- Voter Privacy/Anonymity: It is not possible for another party to determine how a particular voter voted.
- Receipt-Freedom: a voter cannot prove to another that they cast a particular vote.
Verifiability
- Individual: a voter can verify that their vote has been counted as cast
- Public: anyone can verify that the votes cast have been counted correctly
- End-to-end: all steps of the process can be verified (possibly through a mix of public-private checks)
Voter Privacy/Anonymity
Defining this precisely requires some care:
Example: an election with three voters (Alice, Bob, Carol), each placing one vote for one of two candidates, Yvonne and Ziggy.
Outcome: Ziggy wins by three votes to none. How did Alice vote?
Careful statement: Let $V = \{v_1, \ldots, v_n\}$ be the $n$ voters and let $B = \{b_1, \ldots, b_n\}$ be their $n$ votes as cast. Based on the publicly available evidence from the voting process, every pair of injective functions $f, g : V \to B$ should be equally likely as an association between the voters and the votes.
Receipt Freedom
A vote buyer/coercer would like to get evidence that the person whose vote they sought to buy/coerce voted as they wished.
A scheme is receipt free if the voter does not receive any evidence that can be used to prove to another party how they voted.
Problem: This conflicts with voter verifiability, where receipts help a voter to check that their vote has been included in the count.
Example: Australia Paper Ballot Process
- Authentication process for registration/address changes to electoral roll
  - proof of ID
  - personal reference
- Voting at multiple locations, no authentication of voters
- Line struck through name of voter on electoral roll before issuing ballot paper
- Voter marks ballot paper in pencil in private voting booth
- Voter places ballot paper in ballot box
- Ballot boxes opened and counted, observed by scrutineers from parties to the election
Example: Australia Paper Ballot Process
Security largely based on physical security and audit
E.g., protections against multiple voting, as self or others
- Integrity of electoral roll verified through comparison with other data sources, door-knocks by Electoral Commission and political parties
- Copies of electoral roll from different voting booths compared to detect multiple votes
- Electoral Commission/police investigation of multiple votes
- Election invalidated if the extent of multiple voting is enough to have changed the outcome
Do Australian Paper Ballots satisfy the properties?
- Vote Integrity: yes, subject to physical security, verified chain of custody of ballot boxes
- Verifiability:
  - individual verifiability: not directly (no receipt received)
  - public verifiability: yes, security of ballots and count verified by scrutineers
- Voter anonymity: yes, ballot marked in private, not linkable to voter
- Receipt Freedom: no direct receipt, but see the following attacks, particularly for senate elections
Italian Attack
- Used by mafia in Italian elections
- Ordering of low ranked candidates used to encode a unique identifier of the voter
- Allows coercer/vote buyer to verify that the vote by a particular voter is as instructed
- Led to abandonment of preferential voting in Italy
- (on the plus side, a voter can use it to verify their vote, if ballots are published!)
Australian Senate Ballot papers have a very large number of candidates, so are susceptible: e.g., http://en.wikipedia.org/wiki/Candidates_of_the_Australian_federal_election,_2010#New_South_Wales_2
Another form of receipt: photographic image of ballot paper (e.g., with mobile phone)
Coerced voter can defeat coercion by revising their vote after photographing
Chain voting attack
1. Coercer obtains a single blank ballot paper
2. Fills it according to their preference
3. Gives it to a coerced voter, with instructions to cast this as their vote and return with a fresh blank ballot
4. Go to step 2
Voting machine technology
Particularly in the US, public demands for fast counts have led to the adoption of voting machines. Federal votes are managed at State government level, with a large diversity of technologies:
- paper
- punched card
- optical card
- direct recording electronic voting machines
Attacks on Voting Machines
- Voter Privacy attack on Dutch Nedap voting machines: http://www.youtube.com/watch?v=B05wPomCjEY
- Princeton Virus attack on Diebold machine: http://www.youtube.com/watch?v=kDEBMp6uwdc
- Man in the Middle hardware attack on Diebold Voting Machines: http://www.youtube.com/watch?v=DMw2dn6K1oI
- Panel Tampering Attack on Sequoia Voting Machine (Sep 2011): http://www.youtube.com/watch?v=6ClrHPShljM
Responses
Demands by researchers that
- voting machines print a paper audit record that is verified by the voter
- software and hardware designs be open sourced to allow for evaluation
Software used in ACT Government elections is open source: http://www.elections.act.gov.au/elections_and_voting/electronic_voting_and_counting
Allowed ANU researchers to find a bug in counting software that could have altered the outcome of an election.
Chaum Mixnets
An approach to combining voter verifiability, voter anonymity and integrity:
- ballot paper is encrypted so that it does not reveal the vote (anonymity), voter receives a copy
- encrypted ballots are posted on a website, so voter can check their vote is included (voter verifiability)
- encrypted votes are randomly shuffled by a sequence of trustees as part of the decryption process, but the shuffle remains a secret (maintaining anonymity)
- the shuffle can be audited for correctness (with high probability) (public verifiability) without revealing the connection between encrypted and decrypted votes (maintaining anonymity)
Decryption Mixnets
In decryption mixnets, each trustee $T$ publishes a public key $K$ and retains a secret key $K^{-1}$
Inputs to the trustee are messages $C_i = \{r_i, M_i\}_K$, where
- $r_i$ is random padding
- $M_i$ is a message
Trustee decrypts, retains $r_i$, shuffles the $M_i$ and publishes the shuffle
Several levels of trustees with public keys $K_1, \ldots, K_n$ gives an onion:
$\{r_1, \{r_2, \{r_3, \ldots\}_{K_n} \ldots\}_{K_2}\}_{K_1}$
Randomized Partial Checking
To verify that a trustee has correctly decrypted and shuffled (and not interfered with the votes):
- Independent auditor randomly selects half of the messages $C_i$
- Trustee required to reveal the message mapping $C_i \to M_j$ and pad $r_i$
- Auditor verifies that $\{r_i, M_j\}_K = C_i$
After two trustee phases, with in-edge audited iff out-edge not audited, Randomized Partial Checking verification reduces the set of possible sources for each output value to 1/2 of the inputs.
Repeat to further reduce attacker knowledge ...
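An added illustration, not the lecture's own code: one decryption-mixnet trustee audited by randomized partial checking. It assumes a toy textbook-RSA trustee key built from constructed small primes so that the auditor can re-encrypt revealed (pad, vote) pairs; the `cheat` parameter, which models a trustee altering one vote, and the function names are this example's own.

```python
import random

# Constructed toy trustee key: textbook RSA with two small primes so that the
# auditor can recompute {r, M}_K for himself. Illustration only, not a real key.
P, Q, E = 104729, 1299709, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # the trustee's secret key K^-1

def encrypt(r, m):
    """C = {r, M}_K: pack a 16-bit random pad r and an 8-bit vote M, then encrypt."""
    return pow((r << 8) | m, E, N)

def decrypt(c):
    x = pow(c, D, N)
    return x >> 8, x & 0xFF                 # (pad, vote)

def trustee_mix(ciphertexts, rng, cheat=None):
    """Trustee decrypts, keeps the pads, shuffles the votes and publishes them.
    cheat=(i, m) models a dishonest trustee replacing input i's vote by m."""
    plain = [decrypt(c) for c in ciphertexts]
    if cheat is not None:
        i, m = cheat
        plain[i] = (plain[i][0], m)
    perm = list(range(len(plain)))
    rng.shuffle(perm)                       # perm[i] = output slot of input i (secret)
    outputs = [None] * len(plain)
    for i, j in enumerate(perm):
        outputs[j] = plain[i][1]
    return outputs, perm, [r for r, _ in plain]

def randomized_partial_checking(ciphertexts, outputs, perm, pads, rng):
    """Auditor picks half the inputs at random; for each, the trustee reveals the
    pad r_i and the mapping C_i -> M_j; the auditor checks {r_i, M_j}_K == C_i."""
    n = len(ciphertexts)
    for i in rng.sample(range(n), n // 2):
        if encrypt(pads[i], outputs[perm[i]]) != ciphertexts[i]:
            return False                    # revealed pair does not re-encrypt to C_i
    return True

def run_election(votes, seed=0, cheat=None):
    """Cast, mix and audit; returns (audit passed?, published votes sorted)."""
    rng = random.Random(seed)
    pads = [rng.getrandbits(16) for _ in votes]
    ciphertexts = [encrypt(r, m) for r, m in zip(pads, votes)]   # the bulletin board
    outputs, perm, revealed = trustee_mix(ciphertexts, rng, cheat)
    ok = randomized_partial_checking(ciphertexts, outputs, perm, revealed, rng)
    return ok, sorted(outputs)

def detection_rate(trials=400):
    """Fraction of runs in which a trustee altering one vote is caught (about 1/2,
    since the altered input is audited with probability 1/2)."""
    caught = sum(not run_election([0, 1] * 5, seed=s, cheat=(3, 7))[0] for s in range(trials))
    return caught / trials
```

The ~1/2 detection rate per altered vote is why the lecture repeats the audit across trustee phases: a trustee altering many votes is caught with probability approaching 1.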
Usability
For this idea to be practically usable by (cryptographically naive) voters, the crypto aspects need to be turned into something they can understand.
Several approaches:
- Chaum: visual cryptography
- Ryan et al: (Pret a Voter) randomized ordering of candidates on ballot.
Visual Cryptography
Invented by Shamir and Naor in 1994:
Plaintext (could be an image) is spread across a number of transparencies; when overlaid, these reconstruct (the essence of) the original
A demo: http://leemon.com/crypto/VisualCrypto.html
In Chaum’s voting application
- one (randomly chosen) sheet (with random unique ID) is kept as voter receipt, and a copy is cast (the other discarded)
- Voter verifies vote on bulletin board by overlaying with recorded vote to check identity
Pret a Voter
Sample ballot (candidates in random order on the left half; the voter has marked X against Tenzin Gyatso; the right half carries the ballot identifier):
Abbot          |
Gillard        |
Brown          |
Rudd           |
Tenzin Gyatso  | X
Stalin         |
               | 2G789KK3e5
- Ballot has candidates in random order
- Ballot identifier is onion encryption of candidate order + nonces
- Voter receives copy of right half as receipt, verifies this is posted on bulletin board
- mixnet operations use nonces to shuffle candidate order on ballots cast, while maintaining correspondence
Security Properties
Privacy:
- Ballot as cast/posted on bulletin board does not identify voter or their vote
- mixnet, even after audit, (very probably) does not link ballot cast to final decrypted version
Breaching privacy would require
- Linking voter to ballot ID (e.g. steal/coerce receipt)
- Breach/corruption of sufficient trustees to form a chain to final unencrypted ballot
Integrity & Verifiability
Voter verifiability using receipts
Trustee audit gives a probabilistic guarantee on the chain to the decrypted ballot
Count can be publicly verified from publication of decrypted ballots
Receipt Freedom
Lack of linking of receipt and unencrypted ballot means the receipt is not useful to a coercer.
Chain/Italian attack still possible, as with other paper schemes.
Other Possible Attacks
Count manipulator obtains receipts from exiting voters,
- buys them
- “We are doing vote checking as a public service, would you like us to check your vote?”
and can then undetectably alter ballots with these identifiers.
Randomization Attack
Coercer requires coerced voters to vote for the candidate at the top of the paper.
(In effect, a vote for a random candidate.)
Increases influence of other votes.
Three Ballot
A scheme proposed by Ron Rivest that does not require cryptography:
- Voter receives three copies of ballot paper
- To vote FOR a candidate, mark that candidate TWICE
- To vote AGAINST a candidate, mark that candidate ONCE
- No candidate should have 0 or 3 marks
- Checking machine verifies these rules have been followed
- Voter casts all three ballots, and retains a copy of one as a receipt
- Election authority publishes list of names of voters who voted, and all votes cast
A three-ballot paper
(Figure: three ballot papers, each listing Mother Teresa, Hillary Clinton, Pauline Hanson and Nicole Kidman, with ballot identifiers 235676879, 54634856 and 94785673.)
A vote for Nicole Kidman
(Figure: the same three ballot papers, marked so that Nicole Kidman carries two marks and every other candidate one.)
Another vote for Nicole Kidman
(Figure: a different marking of the same three papers that is also a vote for Nicole Kidman.)
Counting votes
If there are n voters, with k FOR candidate X and n − k AGAINST candidate X, then X receives
$2k + (n - k) = n + k$
marks when the ballots are counted.
So to calculate the number of voters FOR a candidate, just subtract n.
Remark: Three-ballot does not work for preferential vote counting rules
Security Properties of Three-Ballot
Privacy/Anonymity: Yes, as for paper ballots, provided linking of voter to ballot identifiers is not possible
- Voter randomly chooses ballot paper
- Checking machine/process can be trusted not to do linking
- Voter randomly adds ID number stickers after verification
Integrity & Verifiability:
- Public can verify number of ballots is correct (size of list of voters = 3 * no. of ballots?)
- Public can check count
- Individual voter can check that their receipt is counted as cast (1/3 chance of detecting ballot modifications by election authority)
Receipt Freedom
Every possible marked (single) ballot paper can be constructed as the receipt, while still voting for the chosen candidate.
So the receipt contains no information about how a voter voted.
BUT: a variant of the Italian attack is possible:
Three pattern attack: coercer/vote buyer requires the three ballots to be filled with a different unique pattern on each, and checks that all three patterns appear on the bulletin board.
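An added example (not from the lecture) serving both the counting rule above and the receipt-freedom claim: it fills and checks three-ballot triples, recovers k from the n + k marks, and enumerates every valid triple to show that the set of possible single-paper receipts is the same whichever candidate the voter chose. The function names are this example's own.

```python
import random
from itertools import combinations, product

# Candidates as on the lecture's sample three-ballot paper.
CANDIDATES = ["Mother Teresa", "Hillary Clinton", "Pauline Hanson", "Nicole Kidman"]

def fill_three_ballot(choice, rng):
    """Three papers (sets of marked candidates): the chosen candidate is marked on
    two papers, every other candidate on exactly one; which papers is random."""
    marks = [set(), set(), set()]
    for cand in CANDIDATES:
        for paper in rng.sample(range(3), 2 if cand == choice else 1):
            marks[paper].add(cand)
    return [frozenset(m) for m in marks]

def checker_accepts(triple):
    """The checking machine's rule: no candidate with 0 or 3 marks."""
    return all(1 <= sum(cand in paper for paper in triple) <= 2 for cand in CANDIDATES)

def count(published, n_voters):
    """Each candidate receives 2k + (n - k) = n + k marks; subtract n to get k."""
    return {c: sum(c in paper for paper in published) - n_voters for c in CANDIDATES}

def run_election(choices, seed=0):
    """Each voter casts a checked triple; the bulletin board is shuffled and counted."""
    rng = random.Random(seed)
    published = []
    for choice in choices:
        triple = fill_three_ballot(choice, rng)
        if not checker_accepts(triple):
            raise ValueError("checking machine rejected ballot")
        published.extend(triple)
    rng.shuffle(published)                  # no voter-to-paper linkage on the board
    return count(published, len(choices))

def possible_receipts(choice):
    """Every single-paper pattern that occurs in some valid triple voting for
    `choice`: the chosen candidate picks 2 of the 3 papers, every other picks 1."""
    options = [list(combinations(range(3), 2 if c == choice else 1)) for c in CANDIDATES]
    patterns = set()
    for assignment in product(*options):
        for paper in range(3):
            patterns.add(frozenset(c for c, papers in zip(CANDIDATES, assignment)
                                   if paper in papers))
    return patterns

def receipt_is_uninformative():
    """True iff the possible receipts are identical whoever the voter chose, and
    cover all 2^|CANDIDATES| patterns."""
    sets = [possible_receipts(c) for c in CANDIDATES]
    return all(s == sets[0] for s in sets) and len(sets[0]) == 2 ** len(CANDIDATES)
```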
Other Attacks
Count manipulator obtains receipts from exiting voters,
- buys them
- “We are doing vote checking as a public service, would you like us to check your vote?”
and can then undetectably alter ballots with these identifiers.
Chain attack still possible, as with other paper schemes.
Conclusion
These protocols add a level of verifiability to existing paper processes, at the cost of increased complexity for voters and election authorities, and new points of vulnerability to be secured.
No system yet perfectly addresses all security properties and all possible attacks.
An active area of research!