Cryptographic End-to-end Verifiability for Real-world Elections by Aleksander Essex A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Doctor of Philosophy in Computer Science Waterloo, Ontario, Canada, 2012 © Aleksander Essex 2012 I hereby declare that I am the sole author of this thesis. This is a true copy of the thesis, including any required final revisions, as accepted by my examiners. I understand that my thesis may be made electronically available to the public. iii Abstract In this dissertation we study the problem of making electronic voting trustworthy through the use of cryptographic end-to-end (E2E) audits. In particular, we present a series of novel proposals for cryptographic election verification with a focus on real-world practicality. We begin by outlining fundamental requirements of E2E election verifica- tion, important properties for a real-world settings, and provide a review of previous and concurrent related work. Our research results are then presented across three parts. In the first part we examine how E2E election verification can be made more procedurally familiar to real-world voters and election administrators. We propose and implement an E2E add-on for conventional optical-scan based voting systems, and highlight our experi- ences running an election using this system in a United States municipality. In the second part we examine how E2E election verification can be made more conceptually and procedurally simple for election verifiers/auditors. We present a non-cryptographic E2E system based on physical document security assumptions as an educational tool. We extend this system to a cryptographic setting to show how the procedures of cryptographic election verification can be completed with relatively tiny software code bases, or by using common-place programs such as a desktop spreadsheet. We then present an approach that allows verifiers to conduct cryptographic audits without having to plan for it prior to an election. In the third part we examine how the methods in the first part can be extended to provide a level of privacy/distribution of trust similar to that of classical cryptographic voting protocols, while maintaining the (comparatively) intuitive optical-scan interface. To that end, we propose a novel paradigm for secure distributed document printing that allows optical-scan ballots to be printed in a way that still lets voters check their ballots have been counted, while keeping their voting preferences secret from election officials and everyone else. Finally we outline how the results obtained in each of the three parts can be combined to create a cryptographically end-to-end verifiable voting system that simultaneously offers a conventional optical-scan ballot, ballot secrecy assured by a distribution of trust, and a simple, cryptographically austere set of audit procedures. v Acknowledgements I would like to say a very special thanks to my co-advisors Urs Hengartner and Carlisle Adams. Both gentlemen are superb advisors and I feel enormous gratitude for the countless ways in which they supported my personal and professional development over the years. I am honored to have had Rolf Haenni, Ian Goldberg, Alfred Menezes, and Doug Stinson examine this dissertation, and thank them for graciously lending their time and expertise to its improvement and completion. Special thanks to Jeremy Clark, a dear friend and long-time research collaborator. I believe Jeremy has come to know the crypto voting literature in greater detail than anyone else in the field, so it is with great appreciation that I have been able to spend countless hours discussing this work with him. Much of the work found in Part I was done with the Scantegrity team: Richard T. Carback, David Chaum, Jeremy Clark, Travis Mayberry, Stefan Popoveniuc, Ron Rivest, Emily Shen, Alan Sherman, Poorvi Vora, and Filip Zag´orski. Working with this group was a tremendous experience. Thanks to David Chaum for encouraging me to pursue a dissertation on trustworthy voting. Very special thanks to Poorvi Vora for all her guidance and support. I also wish thank the good people of Takoma Park, especially Director of Elections Anne Seargent and City Clerk Jesse Carpenter. Their remarkable vision has greatly advanced the cause of trustworthy voting. Finally, a very heartfelt thanks to my family. In particular I owe a significant amount to my wife Anna. Despite the hardships and uncertainties of post-graduate life, she en- couraged me to follow a dream. I remain eternally grateful for a leap of faith she made with me to change universities part way through. As in the words of Frost, it has made all the difference. Special thanks to my parents Chris and Sheran, and parents in-law Shirley and Ed, who went above and beyond to help us through that tumultuous time. I could not have completed this work without their love and support. This research was supported in part by a Natural Sciences and Engineering Research Council of Canada (NSERC) Alexander Graham Bell Canada Graduate Scholarship. vii Contents List of Tables xvii List of Figures xx Preface xxi 1 Introduction 1 1.1 Problem Statement . .2 1.2 Thesis Statement . .3 1.3 Contributions . .4 1.3.1 Organization and Outline of Contributions . .4 1.3.2 Contributions in Context . .6 2 Preliminaries and Related Work 9 2.1 Preliminaries . .9 2.1.1 End-to-end Correctness Proofs . 10 2.1.2 Requirements for Ballot Secrecy . 10 2.1.3 Privacy-preserving Receipts . 11 2.1.4 Practical Requirements for Verifiable Elections . 12 2.1.5 Limitations of End-to-end Verification . 13 2.1.6 Document Security Primitives . 14 2.1.7 Cryptographic Preliminaries . 16 2.2 Related Work . 18 ix 2.2.1 Early Previous Work . 18 2.2.2 Transitional Work: Voting Unassisted . 21 2.2.3 Concurrent Work . 22 2.2.4 Real-world Deployment . 25 I Interface Improvements for Voters and Election Officials 27 3 Scantegrity 29 3.1 Introductory Remarks . 29 3.2 Voter Experience . 30 3.3 The Switchboard . 31 3.3.1 Auditing the Switchboard . 32 3.4 System Architecture . 35 3.5 Resolving Disputes . 36 3.6 Implementation . 38 3.7 Concluding Remarks . 39 4 Scantegrity II 41 4.1 Introductory Remarks . 41 4.2 Scantegrity II Procedures . 43 4.2.1 The Vote Casting Procedure . 43 4.2.2 Election Audit Procedures . 47 4.2.3 Dispute Resolution Process . 48 4.3 Cryptographic Proof of Tally . 49 4.3.1 Ballot Definition . 49 4.3.2 Roles . 49 4.3.3 Functions . 50 4.3.4 Trusted Computation Platform . 53 4.3.5 Protocol . 54 x 4.3.6 Correctness Proofs . 61 4.4 Security Analysis . 63 4.4.1 Assumptions . 64 4.4.2 Manipulation Attacks . 65 4.4.3 Identification Attacks . 67 4.4.4 Disruption Attacks . 68 4.5 Invisible Ink . 69 4.5.1 Invisible Ink Threat Model . 70 4.5.2 Invisible Ink Assumptions . 71 4.5.3 Procedures For Printing With the Inks . 72 4.6 Concluding Remarks . 73 5 Scantegrity in Practice at Takoma Park, MD 75 5.1 Introductory Remarks . 75 5.2 The Setting . 76 5.2.1 About Takoma Park . 77 5.2.2 Agreement with the City . 77 5.2.3 Timeline . 78 5.3 Scantegrity Overview . 79 5.4 Implementation . 83 5.4.1 Cryptographic Backend . 84 5.5 The Election . 89 5.5.1 Preparations Prior to Election Day . 89 5.5.2 Election Day . 92 5.5.3 After the Election . 93 5.6 Surveys and Observations of Voter Experiences . 96 5.7 Discussion and Lessons Learned . 99 5.8 Concluding Remarks . 100 xi II Technical Simplifications for Election Auditors 103 6 Aperio 105 6.1 Introductory Remarks . 105 6.2 Basic Paper Scheme . 106 6.2.1 Ballot Format . 106 6.2.2 Initial Setup . 107 6.2.3 Print Audit Selections . 110 6.2.4 Voting . 110 6.2.5 Election Outcome . 110 6.2.6 Decomitting . 111 6.2.7 Receipt Audit . 111 6.2.8 Tally Audit . 112 6.2.9 Print Audit . 112 6.3 Security Analysis . 113 6.3.1 A Positive Assertion of Security . 113 6.3.2 Prevented Attacks . 114 6.4 Privacy . 116 6.4.1 Prevented Attacks . 117 6.5 Concluding Remarks . 117 7 Eperio 119 7.1 Introductory Remarks . 119 7.1.1 Motivation . 120 7.2 The Eperio Protocol . 121 7.2.1 Protocol Sketch . 121 7.2.2 Entities . 122 7.2.3 Functions . ..