University of Newcastle upon Tyne
COMPUTING SCIENCE
Verified Encrypted Paper Audit Trails P. Y. A. Ryan
TECHNICAL REPORT SERIES No. CS-TR-966
June, 2006
© 2006 University of Newcastle upon Tyne. Printed and published by the University of Newcastle upon Tyne, Computing Science, Claremont Tower, Claremont Road, Newcastle upon Tyne, NE1 7RU, England.
Bibliographical details RYAN, P. Y. A. Verified Encrypted Paper Audit Trails [By] P. Y. A. Ryan. Newcastle upon Tyne: University of Newcastle upon Tyne: Computing Science, 2006. (University of Newcastle upon Tyne, Computing Science, Technical Report Series, No. CS-TR-966)
Added entries UNIVERSITY OF NEWCASTLE UPON TYNE Computing Science. Technical Report Series. CS-TR-966
About the author Peter Ryan is a Professor of CSR. He is responsible for the security and privacy aspects of the DIRC program and is involved in the European MAFTIA project. Prior to joining the CSR, he conducted research in formal methods and information assurance at GCHQ, CESG, DERA, SRI Cambridge, the Norwegian Computing Centre Oslo and the Software Engineering Institute, Carnegie Mellon University. Before migrating into information assurance he was a theoretical physicist and holds a BSc in Theoretical Physics and a PhD in Mathematical Physics from the University of London for research in quantum gravity. He has published numerous articles; the most recent being "Mathematical Models of Computer Security," a chapter in LNCS 2171, is based on lectures given at the FOSAD 2000 Summer School. He is co-author of the book "Modelling and Analysis of Security Protocols," Pearson 2001.
Suggested keywords VERIFIED VOTING, ENCRYPTED BALLOT FORMS
Verified Encrypted Paper Audit Trails
P. Y. A. Ryan, Newcastle University
Abstract Voter Verified Paper Audit Trails (VVPAT) have been proposed as a mechanism to try to make touch screen style voting devices more trustworthy, e.g., [3]. We propose an analogous mechanism in cryptographic schemes that use encrypted receipts and argue that such a mechanism can yield considerable benefits, significantly greater in fact than the benefits of VVPAT in conventional voting systems that use plaintext ballots.
1 Introduction
With simple touch screen voting devices, the absence of any form of audit trail to fall back on prompted many voting experts in the US to advocate the use of a Voter Verified Paper Audit Trail (VVPAT) mechanism, e.g., [3]. At the time of casting the vote, the voter gets to witness the generation of a paper record of their vote. This record is carefully handled to minimise threats of manipulation by either the voters or the officials. A well known implementation of this concept is the “Mercuri method”, [3], in which the voter sees a printout of their vote under glass. If they confirm that this is correct, the vote is electronically recorded and the paper copy is conveyed to an audit box.

It is not the purpose of this note to examine whether such mechanisms really make touch screen voting significantly more trustworthy. Rather, we will describe how a similar mechanism can be used in conjunction with a cryptographic voting system, such as Prêt à Voter, and argue that this delivers clear and significant benefits. In fact, used in conjunction with encrypted ballots, a paper audit trail mechanism works far more effectively than when plaintext ballots are used. We call this mechanism a “Verified Encrypted Paper Audit Trail”, VEPAT for short. It should be noted that this idea has been mentioned, in passing, in previous publications, e.g., [4]. However, we feel that the notion is sufficiently significant to warrant further elaboration in a small note.
2 Verified Encrypted Paper Audit Trail
For the purposes of this description we will use the Prêt à Voter scheme to illustrate the concept, but in fact any scheme using encrypted ballots would work. We refer the reader to [7], [1] for details of Prêt à Voter. Recall the key steps of the vote casting process for Prêt à Voter: the voter enters the polling station, chooses a ballot form at random, goes to the booth and makes her selection. She emerges from the booth with her encrypted receipt and approaches the vote casting desk. Here her identity and legitimacy are checked by the polling officials. Assuming that this is in order, a scan is made of the receipt and a digital copy is stored for eventual posting to a secure web bulletin board (WBB) once the election has closed.

To add a VEPAT mechanism to the above procedure we simply generate an additional paper copy of the receipt at the same time as the digital copy. The accuracy of this paper audit copy can be checked by the voter and the officials overseeing the vote casting, and they can witness this copy being deposited in a secure audit box. The lodging of the paper audit copy could follow the Mercuri method, for example, but this may not be necessary given that the creation of the paper copy and its deposit in the audit box can be witnessed by the voter and officials.

So far this is very similar to the conventional VVPAT process. However, there are some crucial differences. As the receipts are encrypted at the point of casting, the creation of the paper audit copy can be performed under the supervision of polling officials rather than having to be done by the voter in the isolation of the booth. The paper audit copy can thus be verified by both the voter and the officials. Furthermore, in the event of a problem, i.e., the paper copy not being an accurate copy of the receipt, remedial action can be taken without jeopardizing the privacy of the vote.
The fact that the receipts are encrypted also means that there is no problem keeping the audit trail in the form of a continuous, till-receipt-like roll. With conventional VVPAT, this is problematic given that the records of the votes are in the clear: anyone monitoring the order in which people enter the booth and subsequently having access to the audit trail could potentially correlate voters and votes. This usually means that VVPAT must be implemented in such a way as to ensure that the records of each individual vote are separated and shuffled, for example by cutting each ballot copy from the roll. This leads to technological problems, malfunctioning mechanisms, etc. It also loses the major advantage of a till receipt: such a continuous audit trail is extremely difficult to manipulate.
3 Benefits
Such a paper audit trail using encrypted receipts, such as those used in Prêt à Voter, provides a number of benefits.

One benefit is a robust, manipulation-resistant physical audit trail to which one could fall back in the event of the material on the WBB being called into question. Whilst it is true that for voter-verified schemes the voters collectively hold a paper audit trail, it is clear that it would be difficult to invoke this as a fall-back in the event of serious problems. Firstly, some voters might not retain their receipts and, secondly, trying to gather together all voter-held receipts would be unwieldy and impractical.

Another benefit concerns an objection that is frequently raised against voter-verifiable schemes: that the majority of voters would probably not bother to check their receipt on the WBB. Establishing likely levels of voter diligence is something that will require investigation, but, in any event, having a VEPAT in place allows us to supplement voter checks with checks performed by independent auditing authorities. Thus, organizations like the Electoral Reform Society could routinely check the correspondence between the audit trail and the receipts posted to the WBB. This would also help counter vote stuffing threats.

The above observation also helps counter threats such as discarded receipts and receipt buying, see [2], [6], [5]. The threat here is that an adversary may be able to identify discarded receipts and so deduce that the corresponding receipts on the WBB can be altered without fear of detection. Alternatively, the adversary might be more proactive and try to purchase receipts, as suggested by Rivest, [5]. With a VEPAT in place, even if receipts are discarded or purchased, there is still the possibility (or even certainty, depending on how the checks are implemented) that their presence on the WBB will be checked by the organizations assigned to the task.
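To make the casting step of Section 2 and the auditor's correspondence check above concrete, here is an added toy model (not code from the report or the Prêt à Voter project). It assumes receipts are represented as an opaque encrypted onion plus the index of the voter's mark; all names and sample data are constructed, and the roll is kept in casting order to show that this leaks nothing about the votes.

```python
"""Toy reconciliation of a VEPAT audit roll against the web bulletin board.

Added example, not code from the report. A receipt is modelled Pret a Voter
style as (onion, mark_index): an opaque encrypted onion plus the position of
the voter's mark, so neither reveals the vote and the roll can keep receipts
in casting order. All names and sample data are constructed."""
from typing import NamedTuple


class Receipt(NamedTuple):
    onion: str       # opaque encrypted ballot identifier (constructed)
    mark_index: int  # position of the voter's X on the candidate list


def cast_receipt(receipt: Receipt, audit_roll: list, wbb: list) -> None:
    """Vote casting desk: the digital copy goes to the WBB store and the
    paper copy is appended to the continuous audit roll at the same time."""
    wbb.append(receipt)
    audit_roll.append(receipt)


def reconcile(audit_roll: list, wbb: list) -> dict:
    """Auditor's check of the roll against the posted receipts. Returns:
      stuffed - receipts on the WBB with no counterpart on the roll
      missing - receipts on the roll that never reached the WBB
      altered - same onion but a different mark index on the WBB"""
    roll_marks = {r.onion: r.mark_index for r in audit_roll}
    wbb_marks = {r.onion: r.mark_index for r in wbb}
    return {
        "stuffed": sorted(set(wbb_marks) - set(roll_marks)),
        "missing": sorted(set(roll_marks) - set(wbb_marks)),
        "altered": sorted(o for o in roll_marks
                          if o in wbb_marks and wbb_marks[o] != roll_marks[o]),
    }


def demo() -> dict:
    """Constructed scenario: four honest casts, then the WBB is tampered with
    (discarded-receipt attack on c3, d9 dropped, one receipt stuffed)."""
    audit_roll, wbb = [], []
    for r in [Receipt("onion-a1", 2), Receipt("onion-b7", 0),
              Receipt("onion-c3", 1), Receipt("onion-d9", 3)]:
        cast_receipt(r, audit_roll, wbb)
    wbb[2] = Receipt("onion-c3", 0)     # altered: c3 threw her receipt away
    del wbb[3]                          # missing: d9 silently removed
    wbb.append(Receipt("onion-zz", 1))  # stuffed: no voter cast this one
    return reconcile(audit_roll, wbb)
```

Because the check runs over the whole roll rather than only over receipts voters choose to look up, every one of the three manipulations is flagged regardless of whether the affected voters kept their receipts.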
It is worth considering whether the idea should be taken even further and used to replace the voter-retained receipts altogether. This would seem to be in violation of the principle of enabling the voters themselves to verify the inclusion of their vote in the tally. However, if a sufficient number of publicly respected and trusted independent (mutually hostile?) organizations were allowed access to the audits, this might provide a reasonable compromise. It is sometimes argued that if voters lack confidence in the ability of the encryption mechanism to protect the privacy of their vote, they might be discouraged from voting or open to coercion. Indeed, a possible attack is to exploit such concerns and claim (falsely) to be able to extract votes from receipts, and use this to coerce gullible voters. Doing away with the voter-retained receipts would avoid this objection. The opinion of the author is that it is better to address the confidence issue, but the question deserves to be raised and further discussed. Another approach to addressing this concern is the idea of enabling or enforcing ballot or receipt exchange, [5]. There do appear to be a number of problems with that approach, but discussion of this is beyond the scope of this note.
4 Conclusions
We have proposed the idea of a Verified, Encrypted Paper Audit Trail (VEPAT) analogous to the VVPAT mechanism previously proposed for touch screen voting machines. We have argued that, when used in conjunction with schemes employing encrypted ballots, for example Prêt à Voter, such a mechanism is in fact significantly more effective than as originally conceived for use with plaintext ballots. This is due mainly to the fact that, in contrast to the original VVPAT concept, a VEPAT can be implemented using till-receipt style, continuous rolls, resulting in manipulation-resistant audit trails. The possibility of replacing voter-held receipts by a VEPAT mechanism, along with rigorous checking of the correspondence between the audit trail and the WBB by publicly trusted organisations, has been raised.
5 Acknowledgements
I should like to thank the members of the Newcastle Security Group and Ian Brown for useful comments.
References
[1] D. Chaum, P. Y. A. Ryan, and S. Schneider. A practical, voter-verifiable election scheme. In European Symposium on Research in Computer Security, number 3679 in Lecture Notes in Computer Science. Springer-Verlag, 2005.
[2] C. Karlof, N. Sastry, and D. Wagner. Cryptographic voting protocols: A systems perspective. In USENIX Security Symposium, number 3444 in Lecture Notes in Computer Science, pages 186–200. Springer-Verlag, 2005.
[3] R. Mercuri. A better ballot box? IEEE Spectrum Online, October 2002.
[4] B. Randell and P. Y. A. Ryan. Voting technologies and trust. IEEE Security & Privacy, 2005. To appear.
[5] R. L. Rivest. The ThreeBallot voting system. http://theory.csail.mit.edu/~rivest/Rivest-TheThreeBallotVotingSystem.pdf.
[6] P. Y. A. Ryan and T. Peacock. Prêt à Voter: a systems perspective. Technical Report CS-TR-929, University of Newcastle upon Tyne, 2005.
[7] P. Y. A. Ryan and S. A. Schneider. Prêt à Voter with re-encryption mixes. In European Symposium on Research in Computer Security, number 4189 in Lecture Notes in Computer Science. Springer-Verlag, 2006.