DOCSLIB.ORG

Jeremy Clark

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Democracy Enhancing Technologies: Toward deployable and incoercible E2E elections by Jeremy Clark A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Doctor of Philosophy in Computer Science Waterloo, Ontario, Canada, 2011 Some rights reserved I hereby declare that I am the sole author of this thesis. This is a true copy of the thesis, including any required final revisions, as accepted by my examiners. I understand that my thesis may be made electronically available to the public. This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 Canada License. For more information, visit: http://creativecommons.org/licenses/by-nc-sa/2.5/ca/ ii Abstract End-to-end verifiable election systems (E2E systems) provide a provably correct tally while maintaining the secrecy of each voter’s ballot, even if the voter is complicit in demon- strating how they voted. Providing voter incoercibility is one of the main challenges of designing E2E systems, particularly in the case of internet voting. A second challenge is building deployable, human-voteable E2E systems that conform to election laws and conventions. This dissertation examines deployability, coercion-resistance, and their inter- section in election systems. In the course of this study, we introduce three new election systems, (Scantegrity, Eperio, and Selections), report on two real-world elections using E2E systems (Punchscan and Scantegrity), and study incoercibility issues in one deployed system (Punchscan). In addition, we propose and study new practical primitives for ran- dom beacons, secret printing, and panic passwords. These are tools that can be used in an election to, respectively, generate publicly verifiable random numbers, distribute the printing of secrets between non-colluding printers, and to covertly signal duress during authentication. While developed to solve specific problems in deployable and incoercible E2E systems, these techniques may be of independent interest. Supervisor • Urs Hengartner Committee & Examiners • Ian Goldberg • Alfred Menezes • Steve Schneider • Douglas R. Stinson iii Acknowledgements I would first like to thank my advisor, Urs Hengartner, for his guidance through my PhD. Urs was always keen on our research, motivating, and accommodating. I admire his sensibility toward solving real-world problems. Much of this dissertation would not have been the same without his thorough examination of the protocols, threat models, and their presentation. I would like to thank the rest of my committee, Ian Goldberg, Alfred Menezes, Steve Schneider and Doug Stinson for their corrections, suggestions, and prompts for clarification when it was most certainly needed. I had the pleasure to work with David Chaum on three of his projects: Punchscan, Scantegrity, and a forthcoming project. I learned a lot from David, both technically and on a range of other subjects. I also enjoyed the collaboration with the rest of the team: Rick Carback, Aleks Essex, Stefan Popovenuic, Ron Rivest, Emily Shen, Alan Sherman, Poorvi Vora, and Filip Zagórski. A special acknowledgement to Rick, who once suggested using panic passwords for internet voting. That suggestion motivated much of Part II of this dissertation. The CrySP lab was an excellent incubator for ideas and friendship. In particular, I would like to thank Aniket Kate and Greg Zaverucha. Both provided as much knowledge and assistance as they did entertainment and friendship. Thank you to the rest of lab as well and my friends in the broader Waterloo graduate community (sorry, too many people to name). I’d like to especially thank one person who intersects both Scantegrity and CrySP, as well as almost my whole academic career: Aleks Essex. Aleks is always the first person I bounce ideas off of and has been a great friend through many of my major life events. The least likely person to ever read this is Clint Mansell but I feel indebted to his musical genius, and hope some of his creativity transferred to all the words I wrote as his scores swelled around me. I’d like to thank my family; in particular, my parents Marvin and Sharon and my brother Jonathan. As well, I’d like to thank new family: Subhash and family, Sindhu and family, and Shaan and Shunker. Last but not least, thank you to my wife Neha for her support, welcome distractions, tolerance, and encouragement. It is impossible to describe all direct and indirect ways she helped. This research was supported by the Natural Sciences and Engineering Research Council of Canada (NSERC) through an Alexander Graham Bell Canada Graduate Scholarship. iv Contents List of Tables xiii List of Figures xiv 1 Introductory Remarks 1 1.1 Background . .2 1.2 Contributions . .3 1.3 Organization . .6 2 Preliminaries 7 2.1 Election Technologies . .7 2.1.1 Elections in Canada . .9 2.2 Requirements . 10 2.2.1 Core Requirements . 10 2.2.2 Potential Requirements . 11 2.2.3 Deployability Requirements . 12 2.3 Cryptographic Primitives . 13 2.3.1 Mathematical Background . 13 2.3.2 Commitments . 13 2.3.3 Encryption . 15 2.3.4 Σ-Protocols . 17 2.3.5 Cryptographic Tests . 20 v I Booth Voting 22 3 Related Work on Booth Voting 23 3.1 Introductory Remarks . 23 3.2 Election Set-up . 24 3.2.1 Participants . 24 3.2.2 Phases . 24 3.2.3 Channels . 24 3.3 Protocols for Ballot Casting . 26 3.3.1 Anonymous Channels . 27 3.3.2 Homomorphic Secret Sharing . 28 3.3.3 Mix Networks Revisited . 30 3.3.4 Anonymous Channels and Blind Signatures . 31 3.3.5 Homomorphic Threshold Encryption . 32 3.3.6 Miscellaneous . 35 3.3.7 Deployment . 36 3.4 Protocols for Unaided Ballot Casting . 37 3.4.1 A Framework . 37 3.4.2 DRE-based E2E Systems . 38 3.4.3 Paper-based E2E Systems . 40 4 Deploying Punchscan and Scantegrity 45 4.1 Introductory Remarks . 45 4.2 Case Study: Punchscan . 46 4.2.1 Requirements . 46 4.2.2 The Election . 48 4.2.3 Lessons Learned . 50 4.3 Scantegrity: an E2E add-on . 51 4.3.1 Ballot Features . 51 4.3.2 Election Preparation . 52 vi 4.3.3 Election Day . 54 4.3.4 Posting and Tallying . 56 4.3.5 Auditing the Results . 56 4.3.6 Dispute Resolution . 59 4.4 Scantegrity Case Study . 60 4.4.1 Requirements . 60 4.4.2 Mock Election . 62 4.4.3 The Election . 63 4.4.4 Lessons Learned . 66 4.5 Open Problems . 68 4.6 Concluding Remarks. 69 4.7 Disclosure . 71 5 A Game-Theoretic Analysis of Coercion Contracts 72 5.1 Introductory Remarks . 72 5.2 Extensive Form of the Ballot Casting Process . 74 5.3 Contract-based Attacks . 75 5.3.1 Voter Coercion and Vote-Buying . 76 5.3.2 The MN Contract . 77 5.3.3 The BMR Contract . 79 5.3.4 The KRMC Contract . 79 5.3.5 The Optimal Contract . 80 5.4 Extending the Base Model . 83 5.4.1 Multiple-Candidate Contracts . 83 5.4.2 Reordering the Game . 84 5.4.3 Voter Types . 85 5.4.4 Money is an Object . 85 5.4.5 Coercion Contracts in other E2E Systems . 86 5.5 Concluding Remarks . 88 vii 6 Implementing Random Beacons with Financial Data 89 6.1 Introductory Remarks . 89 6.2 Related Work . 91 6.2.1 Public Randomness in Cryptography . 91 6.2.2 Public Randomness in Elections . 92 6.2.3 Cryptographic Elections . 92 6.2.4 Stock Market for Public Randomness . 93 6.3 Model and Assumptions . 94 6.3.1 Terminology . 94 6.3.2 Black-Scholes Model . 95 6.3.3 Market Manipulation . 96 6.3.4 Official Closing Price . 97 6.4 Entropy Estimates . 98 6.4.1 Historical Drift and Diffusion . 99 6.4.2 Monte-Carlo Simulation . 100 6.4.3 Entropy Estimation . 101 6.4.4 Experimental Results . 103 6.4.5 Portfolio Entropy . 105 6.5 Beacon Implementation . 106 6.5.1 Definitions . 107 6.5.2 Security Properties . 109 6.5.3 Protocol . 110 6.5.4 Security Analysis (Abstract) . 114 6.6 Concluding Remarks . ..
Recommended publications
  • Mechanics of Mobilecoin: First Edition

    Mechanics of Mobilecoin: First Edition

    Mechanics of MobileCoin: First Edition exploring the foundations of a private digital currency April 6, 2021, Preview (10/11) v0.0.39 koe1,2 DRAFT INFORMATION: This is just a draft, and may not always be available wher- ever it is currently hosted. The final version will be available at https://github.com/ mobilecoinfoundation. License: `Mechanics of MobileCoin: First Edition' is released into the public domain. 1 [email protected] 2 Author `koe' worked on this document as part of a private contract with, then as an employee of, MobileCoin, Inc. Abstract Cryptography. It may seem like only mathematicians and computer scientists have access to this obscure, esoteric, powerful, elegant topic. In fact, many kinds of cryptography are simple enough that anyone can learn their fundamental concepts. It is common knowledge that cryptography is used to secure communications, whether they be coded letters or private digital interactions. Another application is in so-called cryptocurrencies. These digital moneys use cryptography to assign and transfer ownership of funds. To ensure that no piece of money can be duplicated or created at will, cryptocurrencies usually rely on `blockchains', which are public, distributed ledgers containing records of currency transactions that can be verified by third parties [115]. It might seem at first glance that transactions need to be sent and stored in plain text format to make them publicly verifiable. In truth, it is possible to conceal a transaction's participants, as well as the amounts involved, using cryptographic tools that nevertheless allow transactions to be verified and agreed upon by observers [151]. This is exemplified in the cryptocurrency MobileCoin.
  • Perfectly Hiding Commitment Scheme with Two-Round from Any One-Way Permutation ∗

    Perfectly Hiding Commitment Scheme with Two-Round from Any One-Way Permutation ∗

    Perfectly Hiding Commitment Scheme with Two-Round from Any One-Way Permutation ¤ Chunming Tang1;y Dingyi Pei1 Zhuojun Liu2 Zheng-an Yao3 Mingsheng Wang4 1 School of Mathematics and Information Sciences, Guangzhou University, China(510006) 2 Key Laboratory of Mathematics Mechanization, AMSS, CAS, China(100080) 3 School of Mathematics and Statistics, Zhongshan University, China(510006) 4 State Key Laboratory of Information Security, Institute of Software, CAS China(100080) Abstract Commitment schemes are arguably among the most important and useful primitives in cryp- tography. According to the computational power of receivers, commitments can be classi¯ed into three possible types: computational hiding commitments, statistically hiding commitments and perfect computational commitments. The ¯st commitment with constant rounds had been constructed from any one-way functions in last centuries, and the second with non-constant rounds were constructed from any one-way functions in FOCS2006, STOC2006 and STOC2007 respectively, furthermore, the lower bound of round complexity of statistically hiding commit- n ments has been proven to be logn rounds under the existence of one-way function. Perfectly hiding commitments implies statistically hiding, hence, it is also infeasible to con- struct a practically perfectly hiding commitments with constant rounds under the existence of one-way function. In order to construct a perfectly hiding commitments with constant rounds, we have to relax the assumption that one-way functions exist. In this paper, we will construct a practically perfectly hiding commitment with two-round from any one-way permutation. To the best of our knowledge, these are the best results so far. Keywords: Cryptography, perfectly hiding commitments, one-way permutation, §-protocol.
  • Quantum Bit Commitment and Coin Tossing Protocols

    Quantum Bit Commitment and Coin Tossing Protocols

    Quantum Bit Commitment and Coin Tossing Protocols Gilles Brassard * Claude Crepeau t Departement d'informatique et de R.O. Laboratoire de Recherche en Informatique Universite de Montreal University de Paris-Sud C.P. 6128, succ. "A" Batiment 490 Montreal, Quebec CANADA H3C 3J7 91405 Orsay FRANCE 1 Introduction In the late 1960's a physicist, Stephen Wiesner, had the idea that the uncertainty principle could be used for cryptography (though he published his result much later [Wie83]). One of his ideas was that it would be possible to use a stream of polarized photons to transmit two messages in a way that would make only one of them readable at the receiver's choosing. This notion, which he called "multiplexing", is remarkably similar to the "one-out-of-two oblivious transfer" to be reinvented many years later [EGL83], and it even predates Rabin's notion of oblivious transfer [Rab81] by more than a decade. In the late 1970's, Wiesner's invention was brought back to life by the work of Charles H. Bennett and Gilles Brassard, which resulted in a CRYPTO '82 paper [BBBW82]. Subsequently, Bennett and Brassard used quantum cryptographic principles to implement basic cryptographic protocols, such as secret key exchange and coin tossing by telephone [BB84]. There has been recently much excitement in the field of quantum cryptography because a working prototype of the quantum key exchange channel has been successfully built at the IBM T. J. Watson Research Laboratory, Yorktown Heights [BBBSS90]. In recent times, the importance of cryptographic primitives has been brought to light by the work of many researchers whose goal is to characterize precisely the primitives sufficient for the implementation of various cryptographic protocols.
  • A New and Efficient Signature on Commitment Values

    A New and Efficient Signature on Commitment Values

    International Journal of Network Security, Vol.7, No.1, PP.101–106, July 2008 101 A New and Efficient Signature on Commitment Values Fangguo Zhang1,3, Xiaofeng Chen2,3, Yi Mu4, and Willy Susilo4 (Corresponding author: Fangguo Zhang) Department of Electronics and Communication Engineering, Sun Yat-Sen University1 Guangzhou 510275, P. R. China (Email: [email protected]) Department of Computer Science, Sun Yat-Sen University, Guangzhou 510275, P. R. China2 Guangdong Key Laboratory of Information Security Technology Guangzhou 510275, P. R. China3 School of IT and Computer Science University of Wollongong, Wollongong, NSW 2522, Australia4 (Received July 15, 2006; revised and accepted Nov. 8, 2006) Abstract user, it cannot be transferred to any one else, i.e. “non- transferability”. It is desirable that the overheads of com- We present a new short signature scheme based on a vari- munication and computation imposed by a credential sys- ant of the Boneh-Boyen’s short signatures schemes. Our tem to users and services must not heavily affect their short signature scheme is secure without requiring the performance. random oracle model. We show how to prove a commit- The studies of anonymous credential have gone through ted value embedded in our short signature. Using this several stages. After its introduction by Chaum, Brands primitive, we construct an efficient anonymous credential presented a public key based construction of anonymous system. credential in which a user can provide in zero knowledge Keywords: Anonymity, anonymous credentials, commit- that the credentials encoded by its certificate satisfy a ment, signature given linear Boolean formula [6]. This scheme allows only one show, namely, two transactions from the same user can be found performed by the same user.
  • One-Way Functions Imply Secure Computation in a Quantum World

    One-Way Functions Imply Secure Computation in a Quantum World

    One-Way Functions Imply Secure Computation in a Quantum World James Bartusek* Andrea Coladangelo† Dakshita Khurana‡ Fermi Ma§ Abstract We prove that quantum-hard one-way functions imply simulation-secure quantum oblivious transfer (QOT), which is known to suffice for secure computation of arbitrary quantum functionalities. Further- more, our construction only makes black-box use of the quantum-hard one-way function. Our primary technical contribution is a construction of extractable and equivocal quantum bit commit- ments based on the black-box use of quantum-hard one-way functions in the standard model. Instantiating the Crépeau-Kilian (FOCS 1988) framework with these commitments yields simulation-secure QOT. arXiv:2011.13486v2 [quant-ph] 13 Aug 2021 *UC Berkeley. Email: [email protected] †UC Berkeley. Email: [email protected] ‡UIUC. Email: [email protected] §Princeton University and NTT Research. Email: [email protected] 1 Contents 1 Introduction 3 1.1 OurResults ...................................... ......... 4 1.2 RelatedWork ..................................... ......... 6 1.3 ConcurrentandIndependentWork. .............. 6 2 Technical Overview 8 2.1 Recap: Quantum Oblivious Transfer from Commitments . .................. 8 2.2 Our Construction: A High-Level Overview . ................ 10 2.3 Making Any Quantum (or Classical) Commitment Equivocal ................... 11 2.4 An Extractability Compiler for Equivocal Commitments . .................... 13 2.5 Putting it Together: From Commitments to Secure Computation.
  • Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing

    Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing

    Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing Shai Halevi ? Silvio Micali MIT { Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139 Abstract. We present a very practical string-commitment scheme which is provably secure based solely on collision-free hashing. Our scheme en- ables a computationally bounded party to commit strings to an unbounded one, and is optimal (within a small constant factor) in terms of interac- tion, communication, and computation. Our result also proves that constant round statistical zero-knowledge arguments and constant-round computational zero-knowledge proofs for NP exist based on the existence of collision-free hash functions. 1 Introduction String commitment is a fundamental primitive for cryptographic protocols. A commitment scheme is an electronic way to temporarily hide a value that cannot be changed. Such a scheme emulates by means of a protocol the following two- stage process. In Stage 1 (the Commit stage), a party called the Sender locks a message in a box, and sends the locked box to another party called the receiver. In Stage 2 (the De-commit stage), the Sender provides the Receiver with the key to the box, thus enabling him to learn the original message. Commitment-schemes are very useful building blocks in the design of larger cryptographic protocols. They are typically used as a mean of flipping fair coins between two players, and also play a crucial part in some zero-knowledge proofs and in various types of signature schemes. Commitment schemes can also be used in scenarios like bidding for a contract, where committing to a bid rather than sending it in the clear can eliminate the risk of it being \leaked" to the competitors.
  • Carback, R.T.: Security Innovations In

    Carback, R.T.: Security Innovations In

    APPROVAL SHEET Title of Thesis: Security Innovations in the Punchscan Voting System Name of Candidate: Richard T. Carback III Master of Science, 2008 Thesis and Abstract Approved: Alan T. Sherman Associate Professor Department of Computer Science and Electrical Engineering Date Approved: April 18th, 2008 Curriculum Vitae Name: Richard T. Carback III. Permanent Address: 2819 Manoff Rd, Halethorpe, MD 21227. Degree and date to be conferred: Master of Science, August 2007. Date of Birth: March 27, 1983. Place of Birth: Baltimore, Maryland. Secondary Education: Chesapeake High School, Pasadena, Maryland, 2001. Collegiate institutions attended: University of Maryland Baltimore County, Master of Science, Computer Science, 2008. Bachelor of Science, Computer Science, 2005. Major: Computer Science. Minor: None. Professional publications: • David Chaum, Richard Carback, Jeremy Clark, Aleksander Essex, Stefan Popoveniuc, Ronald L. Rivest, Peter Y.A. Ryan, Emily Shen, and Alan T. Sherman. Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes. Submitted to USENIX EVT 2008. • Russell A. Fink, Alan T. Sherman, and Richard Carback. TPM Meets DRE: Reducing the Trust Base for Electronic Voting using Trusted Platform Modules. Submitted to USENIX EVT 2008. • David Chaum, Aleksander Essex, Richard Carback, Jeremy Clark, Stefan Popoveniuc, Alan T. Sherman, and Poorvi Vora. Scantegrity: End-to- end voter verifiable optical-scan voting. Accepted for publication in IEEE Security and Privacy, volume May/June, 2008. • Stefan Popoveniuc, Jeremy Clark, Richard Carback, and Aleksander Essex. Securing optical-scan voting. Presented at Dagstuhl. To be published in Towards Trustworthy Election Systems in the Lecture Notes in Computer Science series by Spinger-Verlag, date unknown.
  • Ring Confidential Transactions

    Ring Confidential Transactions

    ISSN 2379-5980 (online) DOI 10.5195/LEDGER.2016.34 RESEARCH ARTICLE Ring Confidential Transactions Shen Noether,∗ Adam Mackenzie, the Monero Research Lab† Abstract. This article introduces a method of hiding transaction amounts in the strongly decentralized anonymous cryptocurrency Monero. Similar to Bitcoin, Monero is a cryptocur- rency which is distributed through a proof-of-work “mining” process having no central party or trusted setup. The original Monero protocol was based on CryptoNote, which uses ring signatures and one-time keys to hide the destination and origin of transactions. Recently the technique of using a commitment scheme to hide the amount of a transaction has been dis- cussed and implemented by Bitcoin Core developer Gregory Maxwell. In this article, a new type of ring signature, A Multilayered Linkable Spontaneous Anonymous Group signature is described which allows one to include a Pedersen Commitment in a ring signature. This construction results in a digital currency with hidden amounts, origins and destinations of transactions with reasonable efficiency and verifiable, trustless coin generation. The author would like to note that early drafts of this were publicized in the Monero Community and on the #bitcoin-wizards IRC channel. Blockchain hashed drafts are available showing that this work was started in Summer 2015, and completed in early October 2015.17 An eprint is also available at http://eprint.iacr.org/2015/1098. 1. Introduction Recall that in Bitcoin each transaction is signed by the owner of the coins being sent and these signatures verify that the owner is allowed to send the coins. This is entirely analogous to the signing of a check from your bank.
  • El Gamal Mix-Nets and Implementation of a Verifier

    El Gamal Mix-Nets and Implementation of a Verifier

    KTH Royal Institute of Technology School of Computer Science and Communication El Gamal Mix-Nets and Implementation of a Verifier SA104X Degree Project in Engineering Physics Erik Larsson ([email protected]) Carl Svensson ([email protected]) Supervisor: Douglas Wikstr¨om Abstract A mix-net is a cryptographic protocol based on public key cryptography which enables untraceable communication through a collection of nodes. One important application is electronic voting where it enables the construction of systems which satisfies many voting security requirements, including veri- fiability of correct execution. Verificatum is an implementation of a mix-net by Douglas Wikstr¨om. This report concerns the implementation of a verifier and evaluation of the implementation manual for the Verificatum mix-net. The purpose of the document is to enable third parties to convince themselves that the mix- net has behaved correctly without revealing any secret information. This implementation is a simple version of the verifier using the document and some test vectors generated by the mix-net. The document contains all information but there are still some possibilities for further clarification in order to make it comprehensible to a larger audience. Contents 1 Introduction 2 1.1 Verificatum . 2 1.2 Goals and Scope . 3 2 Background 3 2.1 El Gamal Cryptography . 3 2.1.1 Definition . 4 2.1.2 Security . 4 2.1.3 Properties . 5 2.2 Cryptographic Primitives . 6 2.2.1 Hash functions . 6 2.2.2 Pseudo Random Generators . 6 2.2.3 Random Oracles . 7 2.3 Mix Networks . 7 2.3.1 Overview . 7 2.3.2 El Gamal Mix-Nets .
  • Multiparty Routing: Secure Routing for Mixnets

    Multiparty Routing: Secure Routing for Mixnets

    Multiparty Routing: Secure Routing for Mixnets Fatemeh Shirazi Elena Andreeva Markulf Kohlweiss Claudia Diaz imec - COSIC KU Leuven imec - COSIC KU Leuven Microsoft Research imec - COSIC KU Leuven Leuven, Belgium Leuven, Belgium Cambridge, UK Leuven, Belgium Abstract—Anonymous communication networks are impor- re-mailer, Freenet [5], [6] used for anonymous file-sharing, and tant building blocks for online privacy protection. One approach DC-Nets [7] that can be deployed for broadcast applications to achieve anonymity is to relay messages through multiple such as group messaging. routers, where each router shuffles messages independently. To achieve anonymity, at least one router needs to be honest. The goal of ACNs is to anonymize communications by In the presence of an adversary that is controlling a subset relaying them over multiple routers. There are three main types of the routers unbiased routing is important for guaranteeing of anonymous routing in terms of how routers are chosen to anonymity. However, the routing strategy also influenced other form the path. factors such as the scalability and the performance of the system. One solution is to use a fixed route for relaying all messages First, in deterministic routing, the paths are predetermined with many routers. If the route is not fixed the routing decision by the system configuration. Chaum’s original ACN pro- can either be made by the communication initiator or the posal [1] considered a sequence of mixes organized in a intermediate routers. However, the existing routing types each cascade. Systems that adopted the cascade network topology have limitations. For example, one faces scalability issues when in their designs include JAP [8], and voting systems, such as increasing the throughput of systems with fixed routes.
  • An Implementation of Dual (Paper and Cryptographic) Voting System

    An Implementation of Dual (Paper and Cryptographic) Voting System

    Tel Aviv University Raymond and Beverly Sackler Faculty of Exact Sciences The Blatavnik School of Computer Sciences An Implementation of Dual (Paper and Cryptograhic) Voting System Submitted as a partial fulfillment of the requirements towards the Master of Science degree by Niko Farhi The research work has been conducted under the supervision of Prof. Amnon Ta-Shma March 2013 Abstract This thesis reports on the design and implementation of a cryptographic voting system, named Wombat. The system is designed to retain the ”look and feel” of standard paper- based plurality voting, while enhancing security using methods from modern electronic voting literature. To achieve this, the system executes two voting processes in parallel: one is electronic and end-to-end verifiable, while the other is paper based and emulates more traditional processes (to which the voters are accustomed). Consistency between the two processes is enforced by means of a new specially-tailored paper ballot format. In addition, this work examines the practicality of the Wombat protocol through im- plementation and field testing in two student council elections with over 2000 voters and party premiership elections with almost 900 voters. During these field test the usabilty, performance and voter satisfaction was examined. Overall, voters trusted the system and found it comfortable to use. Parts of this work were presented in EVote2012. ii Acknowledgments I wish to thank my advisor, Prof. Amnon Ta-Shma for his patience with me. I also wish to thank Mr. Ben Riva for providing aid when it was needed. iii Contents Abstract ii Acknowledgments iii 1 Introduction 1 1.1 ThesisOutline................................
  • The Scantegrity Voting System and Its Use in the Takoma Park Elections

    The Scantegrity Voting System and Its Use in the Takoma Park Elections

    The Scantegrity Voting System and its Use in the Takoma Park Elections David Chaum Richard T. Carback Jeremy Clark Aleksander Essex Travis Mayberry Stefan Popoveniuc Ronald L. Rivest Emily Shen Alan T. Sherman Poorvi L. Vora John Wittrock Filip Zagórski 1 Introduction The Scantegrity project began with a simple question: is it possible to design a voting system offering the strong security properties of cryptographic end-to-end (E2E) election verification with the intuitive look and feel of a paper optical-scan ballot? This chapter recounts a decade-long research effort toward answering this question, from the design of Scantegrity’s precursor Punchscan, all the way to the first governmental election run by an E2E voting system. The main focus of this chapter is on the Scantegrity II voting system (hereafter referred to as simply Scantegrity) and its use in the municipal elections of Takoma Park, MD in 2009 and 2011. To our knowledge, the Takoma Park election of 2009 was the first use of an E2E-verifiable voting system in an in-person secret-ballot governmental election anywhere in the world, as well as being the first governmental election held in the United States to run on open-source software. We also describe the Punchscan voting system and its use in the 2007 election of the the University of Ottawa Graduate Students Association/Association Étudiant(e)s Diplômé(e)s (GSAÉD), which, to our knowledge, is the first time an E2E voting system was used in a binding election.1 Additionally, this chapter describes the remote voting system Remotegrity and accessible Scantegrity variant Audiotegrity, and their use in the 2011 Takoma Park election.