Fully Auditable Electronic Secret-Ballot Elections

Internet Technology

Berry Schoenmakers

“What could be easier than counting a bunch of votes!” is a natural thought when one ﬁrst thinks of the problem of electronic voting. It does not seem very hard either to build an Internet-based system which enables people to vote conveniently from their PCs, WAP phones, or other personal devices. The problem gets much more difﬁcult, however, if one wants to address ballot secrecy in a serious way. The challenge then is to guarantee voters’ privacy and integrity of the election result at the same time. In this paper we show how special-purpose cryptographic protocols help to achieve this goal.

Introduction code. Digital signatures can be used as a more advanced form of authentication, as we will see later on in this paper. The apparent simplicity of electronic voting systems is probably the reason for the large number of For Internet-based elections another simple security initiatives in this area. The Internet provides an ex- measure is to use a secure web server for collecting cellent environment for quick polls, which are easy the votes. In that case, the communication between to implement especially if people need not be pre- the voter’s client and the web server is protected vented from voting more than once. Cookies are by a protocol such as SSL (Secure Socket Layer). sometimes used by web servers to prevent inexpe- Once the communication between client and server rienced users from voting more than once, but this is protected by SSL, the information necessary for line of defense is easily circumvented: users may casting a vote (possibly including software such as simply remove the cookies, or set their browser to a Java applet) may be downloaded securely to the use ‘per-session cookies’ only—which is a good client, and the vote and authentication information idea anyway if one cares about privacy—and so on. may be uploaded securely to the server. The use Even inexperienced users will quickly realize that of SSL thus prevents the votes from being read or they should be able to cast multiple votes by using altered when traveling over the Internet. different computers. Recently, from March 7th to 11th 2000, the Ari- A more serious election will require people to first zona Democratic Party ran such an Internet-based register as a voter. The goal of the registration pro- election for its Presidential Preference Primary. The cess is to give each eligible person a unique iden- election involved several thousands of online voters, tity. Double voting is then prevented simply by ac- see [2]. The voting system has not been certified cepting at most one vote per identity. Clearly, there by the State of Arizona, however, since the election must also be a mechanism to authenticate the use was internal to the Democratic Party. For such a of such an identity. For this purpose a PIN code is system to be used in elections for public officials, sometimes used such that a vote is only accepted for such as the upcoming U.S. presidential elections in a given identity if it comes with the matching PIN November, the system needs to be certified by the

July 2000 5 states where it is used. Next consider the situation described in Table 2. A major impediment to government certiﬁcation of This time to encode a ‘no’ vote, the voter picks a

such Internet-voting systems is that these systems random natural number of a sufﬁciently large size

fail to satisfy the following two basic requirements: and sends to server and to server . For a

" #%$ ‘yes’ vote, the voter sends to server and Ballot Secrecy To protect the voters’ privacy, only

to server & . As a result, the individual views of the

the voter may know which vote he/she cast. & servers (columns " and in Table 2) contain no Even when the system is audited (or, moni- information about the individual votes. However, tored), all voters should have their privacy pro- by adding the totals for the columns we still get tected.

('*)*+*,-#.'*)*,*$0/21 , which is the desired election Auditability The election results should be veriﬁ- result. (Of course, it must be prevented that for in-

able to independent observers (or any interested

" #-$*1*+*, stance Alice sends ($*1*+*3 to server and party, for that matter). This means that it is pos- to server & , but we are not concerned with that in sible to check unambiguously that the published this example.) election result corresponds to the ballots cast by legitimate voters. We claim that achieving both of these properties at the same time is impossible when using a single Bulletin Board Model server (or rather a single party) to count the votes. Only by using multiple servers we are able to solve The example in the introduction shows the power this fundamental problem. of using multiple servers, or rather multiple talliers,

to distribute the tallying of the votes. The example

vote also shows that if both talliers collude they are still Alice yes 1 able to ﬁnd every voter’s vote. Therefore, the actual Bob no 0 system involves a larger number of talliers such that Carol yes 1 Diane no 0 we may trust at least some of them not to collude. total 2 For instance, we could have a representative of each Table 1: One server learns all the voters’ votes. (major) Dutch political party, representatives of or- ganizations such as the Consumentenbond, and so Let us consider a very simple example to provide on. In this way we achieve a form of distributed some intuition why using multiple servers is use- trust. ful. First consider the situation described by Ta- The idea of distributed trust is incorporated in the ble 1. Each voter must choose between ‘yes’ and bulletin board model, a paradigm for veriﬁable elec- ‘no’, which are encoded as 1 and 0, respectively. tions set forth by Benaloh et al. (e.g., see [7, 6, 4]). Since the server must check whether the voter is al- Another important aspect of the model is that the lowed to vote, the server learns the identity of the bulletin board is assumed to behave as a broadcast voter. And, since the server must be able to count channel such that everybody is able to see what is the votes, the server learns the individual votes as posted in the bulletin board. well. Hence, there is no privacy, unless we are will- To discuss the bulletin board model we distinguish

ing to trust this single server. four types of roles in the election process.

¢¡ ¤£

vote Ofﬁcers operate the bulletin board server itself. ¦¨

Alice yes ¥§¦©¨ Voters cast their votes by sending electronic ballots ¦ Bob no ¥§¦©

to the bulletin board. ¦ Carol yes ¥§¦

Talliers assist in computing the ﬁnal tally from all ¦

Diane no ¥§¦© ¦

total ¥ correctly submitted ballots. £ Table 2: Two servers ¢¡ and learn none of the voters’ Scrutineers check whether the ﬁnal tally corre- votes, unless they collude. sponds to the correctly submitted ballots.

6 XOOTIC MAGAZINE A person may play several roles during the same board. election. For example, each member of a nation’s 2. The officers freeze the contents of the voters’ parliament may play the role of voter, tallier, and sections on the bulletin board, and accumulate scrutineer at the same time. For large-scale elec- the valid ballots. tions, however, there are many more voters than tal- 3. The talliers produce their sub-tallies. liers, and the role of scrutineer is probably limited 4. The officers freeze the contents of the talliers’ to a small set of observers. Still, any interested party sections on the bulletin board. The final tally as other than the official observers is also able to play computed from the sub-tallies is also included. the role of scrutineer. 5. The scrutineers read the complete contents of Without going into cryptographic details at this the bulletin board, and check point, we may now outline the steps taken by a vot- 4 that all and only valid ballots are counted, ing system in the bulletin board model. and

Before an election is conducted, the following steps 4 that the valid sub-tallies correspond to the are executed. final tally published on the bulletin board. 1. The officers do all the necessary preparations for The tricky part is in the way the scrutineers can do the election: their job without compromising the privacy of the (a) One or several bulletin board servers are set individual votes. Note that, unlike in some other up. In particular, this includes the genera- systems, voters are not anonymous when they cast tion and certification of public keys for these their votes. Instead it is kept secret what they are servers. voting throughout the entire election. Since the vot- (b) The officers determine the deadlines for the ers have to identify themselves as part of the vot- various phases of the election. ing protocol it is easy to prevent double voting. (c) The officers determine the list of eligible Also one knows exactly who voted and who didn’t, voters. which is useful in countries like Belgium where (d) The officers determine the list of talliers. people get a penalty if they don’t cast a vote. (e) The above information is distributed to all relevant parties. 2. The talliers register their public keys with the Cryptographic Protocols bulletin board. To achieve privacy and auditability it does not suf- 3. Eligible voters register their public keys with the fice to combine some off-the-shelf digital signatures bulletin board. and (public key) encryption methods. We need to 4. The officers freeze the list of talliers and the list use some special-purpose protocols, which rely on of registered voters. more advanced cryptographic techniques such as Here, ‘freezing’ means to digitally sign and possi- verifiable secret sharing and zero-knowledge proofs bly time-stamp the contents. Only voters who ap- of knowledge. In this paper we will consider a pear on the frozen list of registered voters are able method based on homomorphic encryption, which to take part in the election. yields a particularly efficient system. The details Once the preparations are done, a typical election can be found in [9]. proceeds as follows. Clearly, several elections can be held in succession or even in parallel. Discrete Log Problem 1. Registered voters cast their votes by sending in their encrypted ballots. Each voter may cast For concreteness, we will consider the discrete log

only one valid ballot. A ballot is valid when it is problem for a group 576 obtained as a subgroup of

9;: = 8 well-formed and signed with the public key reg- order 8 of , where is a 1024-bit prime and is

istered with the voter’s section on the bulletin a 160-bit prime satisfying 8->?=@$ . Simply put, this

July 2000 7

Figure 1: The Bulletin Board

5 Q(RfgUB8

means that 6 is of the form , and setting its private key equal to

6JI

6JI and its public key equal to

C CED 5 /BA*$*CED¢CED CED¤F¤CHGHGHG CED

MO/fD G

8 D /L$ where D is an element of order , i.e., , and

multiplication is done modulo the prime = . By deﬁ-

Because of the hardness of the discrete log prob- MONP5

nition we thus have that for each 6 there exists M

lem, nobody will be able to ﬁnd given only .

QSRTVUW8 MX/TDZY a unique , , such that . We now

Encryption To encrypt a message h for a recipient

M D call the discrete log of w.r.t. , often denoted as

with public key M , one computes the ciphertext ]*^`_aM

@/\[ . ij

CHkml with

]*^ M

The discrete log problem is to compute [ for

ij i D

random M (and ﬁxed ), and is assumed to be in- D opCHMZoqhPlC tractable for the above setting. Note, however, that CHkJln/

exponentiation can be done efﬁciently, that is, given

QsRtr2U 8

where r is a random number, .

D =

we can efﬁciently compute modulo . For ex- Hence, an encryption consists of a pair of num-

D ample, to compute F we would successively com-

bers. Since the random number r must be fresh

D¢CED CEDZbCED¤c¤CED CED CED CED pute F , where the next for each message sent, subsequent encryptions value in each step is obtained by either multiplying will be different even if the same message is sent

the previous value with D or by squaring the previ- several times. ij ous value, doing all operations modulo = .

Decryption To decrypt the pair CHkJl the recipient

will use its private key as follows to obtain the

ElGamal Cryptosystem message h again:

The ElGamal cryptosystem is a simple method for j

kJu /fhPG public key encryption based on the hardness of the

discrete log problem [10]. We assume that =¢CH8 , and Homomorphic ElGamal Encryption D , as introduced in the previous section, are available as system parameters. We then have the fol-

A public key encryption algorithm v is called ho- lowing encryption method. momorphic if it satisﬁes the property that

Key Generation Each player in the system gener-

iez iez iez z

vnwyx Jly{§vnwyx la/Bvnwyx # lC ates a key pair by picking a random number ,

8 XOOTIC MAGAZINE

for any public key |(} and any messages and Practical Applications z

. Hence, if we ‘multiply’ two encrypted messages (for the same public key), the result is an encryption of the ‘sum’ of the original messages. (We note that in general it is a bad idea to use a homomorphic encryption algorithm.) We used a variant of this scheme as the voting engine for the InternetStem project, a small-scale

The ElGamal cryptosystem can be easily made ho- z K ‘shadow election’ held during the Dutch national

momorphic for encrypting votes N~A*Q*CH$ by set- i

ij elections in May 1998. The Seattle-based company

h/BDZ CHk l7/ D CHM DZ l

ting . Multiplying oJ i

ij VoteHere.net has been using homomorphic tech-

CHkE *l/ D CHM D l

oq and om we get: niques in all of their trials since October 1999, in-

cluding the Alaskan Republican Straw Poll for US

ij j ij j

l{ CHk l/ CHk k l

CHk President, which is the ﬁrst binding internet election

/ D CHM D l

oH `o oHE `o E

(see [1]).

In case of InternetStem, the voting clients were z

z implemented as Java applets, downloaded through which is an ElGamal encryption of # . SSL to a browser on a PC. Of course, voting clients running on smart cards, PDAs, mobile phones, and set-top boxes are also possible. Instead of simple Overview of the Voting Scheme yes/no ballots, the system also supports other types of ballots in which the voter must pick one or sev- The two main stages for an election are now as fol- eral candidate out of a list of candidates, or where lows: the voter has to make a choice on a scale of -2 to +2

Voting Each voter submits a ballot of the form for instance. For this type of ballots the voting client

ij i z

CHk l(/ D CHM D l

o o© , where is the desired must be able to do a bunch of modular exponentia- vote. tions in a reasonable time (say, less than one sec- Tallying The product of all submitted ballots, ond), which is no problem on a PC, on a smart card

with crypto co-processor, and so on. For large-scale i

ij elections, the voting server must also be optimized

to do the exponentiations as fast as possible, possibly using dedicated accelerator boards, which are commonly used to speed up web servers handling a is computed. The talliers jointly decrypt the lot of SSL trafﬁc. product, which yields the sum of the votes,

z We are now also negotiating the contract for an EU

, as the desired tally. project called CyberVote (IST-1999-20338), which We have deliberately omitted some of the (harder) will start in the fall of 2000. The consortium con- details, which can be found in [9]. Namely, in the sists of

voting stage, the voter must also provide a proof of 4 MATRA Systemes` & Information (France),

validity that shows that the encrypted vote is indeed 4

K British Telecom Laboratories (UK),

in A*Q*CH$ (and not 4 or -123 for example) without 4 revealing any information on the actual value of z . NOKIA Research Center (Finland), For this we use an efﬁcient zero-knowledge proof of 4 Eindhoven University of Technology (Nether- knowledge. And, in the tallying stage, decryption is lands), done jointly by the talliers in such a way that the 4 Katholieke Universiteit Leuven (Belgium), talliers can not cheat. For this we use a threshold 4 City of Mairie d’Issy-les-Moulineaux (France), version of the ElGamal cryptosystem. 4 Free Hanseatic City of Bremen (Germany),

A scrutineer is able to verify all of the steps in the 4 City of Stockholm and Kista Borough Council protocol. (Sweden).

July 2000 9 The goal of the project is to build the system around for further reading, some of which are available at a voting engine based on protocols as considered in http://www.win.tue.nl/berry/papers.html. this paper.

References Conclusion [1] http://VoteHere.net. As argued in this paper care must be taken in [2] http://election.com. designing electronic voting systems. For paper- based elections it was at least in principle possi- [3] Masayuki Abe. Universally verifiable mix-net ble (with the help of human observers) to guaran- with verification work independent of the num- tee the voters’ privacy and the integrity of the tally. ber of mix-servers. In Advances in Cryptology— In [14] it was pointed out more extensively that EUROCRYPT ’98, volume 1403 of Lecture Notes in Computer Science, pages 437–447, Berlin, 1998. paper-based elections may be considered transpar- Springer-Verlag. ent, while there is a more or less complete lack of transparency for Internet-based elections. [4] J. Benaloh. Verifiable Secret-Ballot Elections. PhD thesis, Yale University, Department of Computer Therefore, rather than trying to mimic paper-based Science Department, New Haven, CT, September elections in the digital world, we argue that special- 1987. purpose cryptographic protocols need to be em- ployed which solve the fundamental problem of [5] J. Benaloh and D. Tuinstra. Receipt-free secret- achieving ballot secrecy and auditability at the same ballot elections. In Proc. 26th Symposium on The- time. These protocols may look a bit intimidating to ory of Computing (STOC ’94), pages 544–553, New York, 1994. A.C.M. the uninitiated. But as with digital signatures, where one may apply a certain formula to check the valid- [6] J. Benaloh and M. Yung. Distributing the power ity of a signature, a scrutineer similarly applies a of a government to enhance the privacy of vot- formula to the contents of the bulletin board to ver- ers. In Proc. 5th ACM Symposium on Principles of ify its validity. Distributed Computing (PODC ’86), pages 52–62, New York, 1986. A.C.M. We note that since all the steps to be executed by the bulletin board itself are verifiable, it does not really [7] J. Cohen and M. Fischer. A robust and verifiable matter who is actually performing the role of the cryptographically secure election scheme. In Proc. 26th IEEE Symposium on Foundations of Com- bulletin board. An important consequence is that puter Science (FOCS ’85), pages 372–382. IEEE the computers and the software doing the bulk of Computer Society, 1985. the work need not be trusted, which makes the system much more flexible and scalable. Similarly, as [8] R. Cramer, M. Franklin, B. Schoenmakers, and a consequence of using a verifiable voting engine, it M. Yung. Multi-authority secret ballot elections with linear work. In Advances in Cryptology— becomes much easier to address some of the other EUROCRYPT ’96, volume 1070 of Lecture Notes problems we have ignored in this paper. For in- in Computer Science, pages 72–83, Berlin, 1996. stance, on top of the voting engine one may put dif- Springer-Verlag. ferent mechanisms for identifying voters, one may use different methods for storing the encrypted bal- [9] R. Cramer, R. Gennaro, and B. Schoenmakers. A secure and optimally efficient multi-authority lots in a redundant way (such that elections do not election scheme. In Advances in Cryptology— fail if some voting servers crash), one may distribute EUROCRYPT ’97, volume 1233 of Lecture Notes the computational work over different places, and so in Computer Science, pages 103–118, Berlin, 1997. on: the particular way these subproblems are han- Springer-Verlag. dled does not affect the secrecy of the ballots nor [10] T. ElGamal. A public-key cryptosystem and a the integrity of the final tally. signature scheme based on discrete logarithms. Naturally we have skipped over many details in this IEEE Transactions on Information Theory, IT- paper. See the references and the references therein 31(4):469–472, 1985.

10 XOOTIC MAGAZINE [11] K. Sako and J. Kilian. Secure voting using par- [13] B. Schoenmakers. A simple publicly veriﬁ- tially compatible homomorphisms. In Advances in able secret sharing scheme and its application to Cryptology—CRYPTO ’94, volume 839 of Lecture electronic voting. In Advances in Cryptology— Notes in Computer Science, pages 411–424, Berlin, CRYPTO ’99, volume 1666 of Lecture Notes in 1994. Springer-Verlag. Computer Science, pages 148–164, Berlin, 1999. Springer-Verlag. [12] K. Sako and J. Kilian. Receipt-free mix-type voting scheme—a practical solution to the implementa- [14] B. Schoenmakers. Compensating for a lack tion of a voting booth. In Advances in Cryptology— of transparency. In Proceedings of the Tenth EUROCRYPT ’95, volume 921 of Lecture Notes in Conference on Computers, Freedom & Privacy Computer Science, pages 393–403, Berlin, 1995. (CFP2000), pages 231–233, New York, 2000. Springer-Verlag. ACM.

About the Author

Berry Schoenmakers is an Assistant Professor at Eindhoven University of Technology (Netherlands), where he specializes in cryptography. Currently, he is also a member of the Technical Advisory Board of VoteHere.net, a Seattle-based worldwide supplier of highly secure Internet voting solutions. Formerly, he worked with DigiCash (now eCash Technologies) and held a post-doctoral position in David Chaum’s crypto group at CWI, the National Research Institute for Mathematics and Computer Science in the Netherlands. He received his MS and PhD degrees in Computing Science from Eindhoven University.

July 2000 11