Electronic Voting R Newman Topics Defining anonymity

Electronic Voting R. Newman

Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity Metrics for Anonymity Applications of anonymity technology

Voting Requirements Privacy Need anonymity to protect against retribution Need privacy to protect against coersion Authorization Need to ensure only enfranchised vote Need to prevent multiple voting Verifiability Need to make sure your vote was counted Need to be able to verify tally is correct Auditability is needed in case of disputes

Specific Requirements Data integrity and reliability - tamperproof Voter anonymity and data confidentiality Operator authentication Documentation and assurance Personnel integrity

Specific Reqs – the ”-ilities” System accountability System disclosability System availability System reliability Interface usability

Types of Voting Plurality Voting One vote per voter Candidate with most votes wins Plurality with Run-off Plurality voting selects top two candidates Top two candidates have second election Approval Voting Voters can approve of multiple candidates Candidate with most votes wins

More Types of Voting Instant Run-off Candidate with fewest votes eliminated Repeat until candidate with majority Pairwise Elimination Vote in tournament style Borda Voting Voters submit total order on candidates Candidate with most points wins Many more. .

Publically Verifiable Secret Sharing Basic versions assume: Honest distribution Threshold systems Honest reconstruction PVSS resists Dealer distributing incorrect shares Anyone can verify correctness Participants submitting incorrect shares

Generic Approach - Players Voters Register and vote Registrar Validate voters Distribute ballots Ballot Box – Vote Certifier Allow voters to post anonymous, verifiable ballots Tallyer Collect valid ballots Post verifiable results

Generic Approach - Phases Phase I – Registering Voter contacts Registrar, proves identity Registrar verifies identity, gives blank ballot Phase II – Voting Ballot box validates ballot, posts ballots Voter prepares ballot, submits to ballot box Public (including voters) verify ballots Phase III – Tallying Tallyer combines votes on ballots, publishes results Public verifies results

Registering Registrar gets list of valid voters Voter sends Registrar proof of identity along with blinded ballots Public key signature on message Registrar verifies voter’s identity and validity Verifies signature Checks that name is on list of valid voters Registrar signs blinded ballots Typically uses cut-and-choose to detect cheating Blinding removes association with voter

Voting Voter unblinds ballots Voter selects ballot with candidate of choice Voter anonymously sends ballot to Ballot Box verifies ballot Signature from Registrar Ballot Box posts ballot Voter can see that her ballot has been cast

Tallying Ballot Box closes polls when period is over Tallyer collects all valid ballots Tallyer computes results and posts Public can validate results

Registering – Alternative 1 Registrar gets list of valid voters Voter sends Registrar proof of identity Public key signature on message Registrar verifies voter’s identity and validity Verifies signature Checks that name is on list of valid voters Registrar sends Voter blank ballot Keeps digest of voters, ballots

Voting – Alternative 1 Voter marks signed ballot with choice(s) Voter sends blinded marked ballot to Certifier Voter signs blinded marked ballot Certifier validates ballot Does not know ballot number Checks signature vs. list of voters Signs blinded ballot Voter unblinds ballot, anonymously sends to Tallyer anonymously sends receipt to voter

Counting – Alternative 1 Tallyer counts valid votes Tallyer publishes results

Registering – Alternative 2 Registrar gets list of valid voters Voter sends Registrar proof of identity along with blinded public key PK used as a pseudonym Registrar verifies voter’s identity and validity Verifies signature Checks that name is on list of valid voters Registrar signs blinded public key Blinding removes association with voter Voter has registrar’s signature on PK certificate

Voting – Alternative 2 Voter produces ballot Uses proper format Signs balloot using pseudonym public key Voter sends signed ballot to Ballot Box Ballot sent anonymously BB can’t link ballot to sender or to signer BB verifies ballot Checks signature on ballot Checks that PK certificate signed by Registrar BB posts valid ballots

Tallying – Alternative 2 Tallyer closes election when time is up Tallyer combines validedated ballots Publishes results

Issues Obtaining marked ballot that is Not tied to the voter Verifiable Insuring that fraud cannot occur Voter can only vote once Nobody other than voter can use voter’s ballot Only valid voters can vote Auditability What about write-in ballots?