Helios: Web-based Open-Audit Voting Ben Adida ben [email protected] Harvard University Abstract to envision a distant future, not one we should consider for practical purposes yet. The few implementations of Voting with cryptographic auditing, sometimes called open-audit elections that do exist [3, 2] have not had as open-audit voting, has remained, for the most part, a the- much of an impact as hoped, in large part because they oretical endeavor. In spite of dozens of fascinating pro- require special equipment and an in-person experience, tocols and recent ground-breaking advances in the field, thus limiting their reach. there exist only a handful of specialized implementations that few people have experienced directly. As a result, We present Helios, a web-based open-audit voting the benefits of cryptographically audited elections have system. Using a modern web browser, anyone can set remained elusive. up an election, invite voters to cast a secret ballot, com- We present Helios, the first web-based, open-audit pute a tally, and generate a validity proof for the entire voting system. Helios is publicly accessible today: any- process. Helios is deliberately simpler than most com- one can create and run an election, and any willing ob- plete cryptographic voting protocols in order to focus on server can audit the entire process. Helios is ideal for on- the central property of public auditability: any group can line software communities, local clubs, student govern- outsource its election to Helios, yet, even if Helios is ment, and other environments where trustworthy, secret- fully corrupt, the integrity of the election can be verified. ballot elections are required but coercion is not a serious concern. With Helios, we hope to expose many to the power of open-audit elections. Low-Coercion Elections. Voting online or by mail is typically insecure in high-stakes elections because of the 1 Introduction coercion risk: a voter can be unduly influenced by an at- tacker looking over her shoulder. Some protocols [13] Over the last 25 years, cryptographers have developed attempt to reduce the risk of coercion by letting voters election protocols that promise a radical paradigm shift: override their coerced vote at a later (or earlier) time. In election results can be verified entirely by public ob- these schemes, the privacy burden is shifted from vote servers, all the while preserving voter secrecy. These casting to voter registration. In other words, no matter protocols are said to provide two properties: ballot cast- what, some truly private interaction is required for coer- ing assurance, where each voter gains personal assur- cion resistance. ance that their vote was correctly captured, and universal With Helios, we do not attempt to solve the coercion verifiability, where any observer can verify that all cap- problem. Rather, we posit that a number of settings— tured votes were properly tallied. Some have used the student government, local clubs, online groups such as term “open-audit elections” to indicate that anyone, even open-source software communities, and others—do not a public observer with no special role in the election, can suffer from nearly the same coercion risk as high-stakes act as auditor. government elections. Yet these groups still need voter Unfortunately, there is a significant public-awareness secrecy and trustworthy election results, properties they gap: few understand that these techniques represent a cannot currently achieve short of an in-person, physically fundamental improvement in how elections can be au- observable and well orchestrated election, which is often dited. Even voting experts who recognize that open-audit not a possibility. We produced Helios for exactly these elections are “the way we’ll all vote in the future” seem groups with low-coercion elections. USENIX Association 17th USENIX Security Symposium 335 Trust no one for integrity, trust Helios for privacy. 2 Helios Protocol In cryptographic voting protocols, there is an inevitable compromise: unconditional integrity, or unconditional This section describes the Helios protocol, which is privacy. When every component is compromised, only most closely related to Benaloh’s Simple Verifiable Vot- one of those two properties can be preserved. In this ing protocol [5], which itself is partially inspired by the work, we hold the opinion that the more important prop- Sako-Kilian mixnet [16]. We claim no novelty, we only erty, the one that gets people’s attention when they under- mean to be precise in the steps taken by voters, adminis- stand open-audit voting, is unconditional integrity: even trators, and auditors, and we mean to provide enough de- if all election administrators are corrupt, they cannot con- tails for an able programmer to re-implement every por- vincingly fake a tally. With this design decision made, tion of this protocol. privacy is then ensured by recruiting enough trustees and hoping that a minimal subset of them will remain honest. 2.1 Vote Preparation & Casting In the spirit of simplicity, and because it is difficult to explain to users how privacy derives from the acts of The key auditability feature proposed by Benaloh’s Sim- multiple trustees, Helios takes an interesting approach: ple Verifiable Voting is the separation of ballot prepara- there is only one trustee, the Helios server itself. Pri- tion and casting. A ballot for an election can be viewed vacy is guaranteed only if you trust Helios. Integrity, of and filled in by anyone at any time, without authentica- course, does not depend on trusting Helios: the election tion. The voter is authenticated only at ballot casting results can be fully audited even if all administrators – time. This openness makes for increased auditability, in this case the single Helios sever – is corrupt. Future since anyone, including an auditor not eligible to vote versions of Helios may support multiple trustees. How- (e.g. someone from a political organization who has al- ever, exhibiting the power of universal verifiability can ready voted), can test the ballot preparation mechanism. be achieved with this simpler setup. The process is as follows between Alice, the voter, and the Ballot Preparation System (BPS): 1. Alice begins the voting process by indicating in Our Contribution. In this work, we contribute the which election she wishes to participate. software design and an open-source, web-based imple- mentation of Helios, as well as a running web site that 2. The BPS leads Alice through all ballot questions, anyone can use to manage their elections at http: recording her answers. //heliosvoting.org. We do not claim any cryp- 3. Once Alice has confirmed her choices, the BPS en- tographic novelty. Rather, our contribution is a combina- crypts her choices and commits to this encryption tion of existing Web programming techniques and cryp- by displaying a hash of the ciphertext. tographic voting protocols to provide the first truly acces- sible open-audit voting experience. We believe Helios 4. Alice can now choose to audit this ballot. The BPS provides a unique opportunity to educate people about displays the ciphertext and the randomness used to the value of cryptographic auditability. create it, so that Alice can verify that the BPS had correctly encrypted her choices. If this option is se- lected, the BPS then prompts Alice to generate a Limitations. While every major feature is functional, new encryption of her choices. Helios is currently alpha software. As such, it requires Firefox 2 (or later). In addition, some aspects of the user 5. Alternatively, Alice can choose to seal her ballot. interface, especially for administrative tasks, require sig- The BPS discards all randomness and plaintext in- nificant additional polish and better user feedback on er- formation, leaving only the ciphertext, ready for ror. These issues are being actively addressed. casting. 6. Alice is then prompted to authenticate. If success- ful, the encrypted vote, which the BPS committed This Paper. In Section 2, we briefly review the Helios to earlier, is recorded as Alice’s vote. protocol, based on the Benaloh vote-casting approach [5] and the Sako-Kilian mixnet [16]. In Section 3, we cover Because we worry little about the possibility of co- some interesting techniques used to implement Helios in ercion, Helios can be simpler than the Benaloh system a modern Web browser. Section 4 covers the specifics of that inspired it. Specifically, the BPS does not sign the the Helios system and its use cases. We discuss, in Sec- ciphertext before casting, and we do not worry about Al- tion 5, the security model, some performance metrics, ice seeing the actual hash commitment of her encrypted and features under development. We reference related vote before sealing. (The subtle reasons why these can work in Section 6 and conclude in Section 7. lead to coercion are explained in [6].) 336 17th USENIX Security Symposium USENIX Association USENIX Association 17th USENIX Security Symposium 337 the same A and B, the value of x would be easily solv- c1 d1 able, thus indicating that this is a proof of knowledge of the discrete log and that log (y) = log (β/m). c2 d g α 2 As this protocol is HVZK with overwhelming proba- . M . bility of catching a cheating prover, it can be transformed . safely into non-interactive form using the Fiat-Shamir heuristic. We do exactly this in Helios to provide for dN non-interactive proofs of decryption that can be posted cN publicly and re-distributed by observers. � d1 d� 2.4 The Whole Process 2 The entire Helios protocol thus unfolds as follows: M� . 1. Alice prepares and audits as many ballots as she wishes, ensuring that all of the audited ballots are � consistent. When she is satisfied, Alice casts an en- dN crypted ballot, which requires her to authenticate.