# HG changeset patch # User Christian Urban # Date 1412347025 -3600 # Node ID a97b828bf87f50d1e5914a5dc72a06d01b7267a4 # Parent 2cb42412f3fd9e7bb4e2647f446eef694d84f4c0 updated diff -r 2cb42412f3fd -r a97b828bf87f handouts/ho02.pdf Binary file handouts/ho02.pdf has changed diff -r 2cb42412f3fd -r a97b828bf87f handouts/ho02.tex --- a/handouts/ho02.tex Fri Oct 03 13:14:34 2014 +0100 +++ b/handouts/ho02.tex Fri Oct 03 15:37:05 2014 +0100 @@ -1,6 +1,6 @@ \documentclass{article} \usepackage{../style} - +\usepackage{../langs} \begin{document} @@ -249,6 +249,18 @@ easily possible. They managed to write a virus that infected the whole system by having only access to a single machine. +\begin{figure}[t] +\begin{center} +\begin{tabular}{c} +\includegraphics[scale=0.45]{../slides/pics/dre1.jpg}\; +\includegraphics[scale=0.40]{../slides/pics/dre2.jpg}\smallskip\\ +\includegraphics[scale=0.5]{../slides/pics/opticalscan.jpg} +\end{tabular} +\end{center} +\caption{Direct-Recording Electronic voting machines above; +an optical scan machine below.\label{machines}} +\end{figure} + What made matters worse was that Diebold tried to hide their incompetency and inferiority of their products, by requiring that election counties must not give the machines up for 
@@ -309,12 +321,115 @@ \noindent This brings us to the case of Estonia, which held in 2007 the worlds first general election that used Internet. -Again their solution made some good choices: +Again their solution made some good choices: for example +voter authentication is done via the Estonian ID card, +which contains a chip like credit cards. They also made most +of their source code public for independent scrutiny. Of +this openness means that people (hacker) will look at your +fingers and find code such as + +{\footnotesize\lstinputlisting[language=Python,numbers=none] +{../progs/estonia.py}} + +\noindent which can be downloaded from their github +repository.\footnote{\url{https://github.com/vvk-ehk/evalimine/}} +Also their system is designed such that Internet voting is +used before the election: votes can be changed an unlimited +amount of times, the last vote is tabulated, you can even +change your vote on the polling day in person. This is an +important security mechanism guarding against vote coercion, +which of course is an important problem if you are allowed to +vote via Internet. + +However, the weak spots in any Internet voting system are the +voters' computers and the central server. Unfortunately, their +system is designed such that they needs to trust the integrity +of voters’ computers, central server components and also the +election staff. In 2014, group of independent observers around +Alex Halderman were able to scrutinise the election process in +Estonia. They found many weaknesses, for example careless +handling of software updates on the servers. They also +simulated an election with the available software and were +able to covertly manipulate results by inserting malware on +the voters' computers. Overall, their recommendation is +to abandon Internet voting and to go back to an entirely +paper-based voting process. In face of state-sponsered +cyber-crime (for example NSA), Internet voting cannot be made +secure with current technology. 
They have a small video +clip with their findings at + +\begin{center} +\url{https://estoniaevoting.org} +\end{center} + +\noindent This brings us to the question, what could be a +viable electronic voting process in +\underline{\textbf{\emph{theory}}} with current technology? +In the literature one can find proposals such as + +\begin{enumerate} +\item Alice prepares and audits some ballots, then casts an + encrypted ballot, which requires her to authenticate to + a server. -%\subsubsection*{Questions} +\item A bulletin board posts Alice's name and encrypted + ballot. Anyone, including Alice, can check the bulletin + board and find her encrypted vote posted. This is to + make sure the vote was received by the server. + +\item When the election closes, all votes are shuffled and the + system produces a non-interactive proof of a correct + shuffling. Correct in the sense that one cannot determine + anymore who has voted for what. This will require a + zero-knowledge-proof based shuffling procedure. + +\item After a reasonable complaint period to let auditors + check the shuffling, all shuffled ballots are decrypted, + and the system provides a decryption proof for each + decrypted ballot. Again this will need a + zero-knowledge-proof-type of method. + +\item Perform a tally of the decrypted votes. + +\item An auditor can download the entire (shuffled) election + data and verify the shuffle, decryptions and tally. +\end{enumerate} -%Coming back to the question of why I use online banking, but -%prefer not to e-vote. +\noindent As you can see the whole process is not trivial at +all and leaves out a number of crucial details (such as how to +best distribute public keys). It even depends on a highly +sophisticated process called \emph{zero-knowledge-proofs}. +They essentially allow one to convince somebody else to know +a secret without revealing what the secret is. 
This is a kind +of cryptographiv ``magic'', like the Hellman-Diffie protocol +which can be used to establish a secret even if you can only +exchange postcards with your communication partner. We will +look at zero-knowledge-proofs in a later lecture in more +detail. + +The point of these theoretical/hot-air musings is to show that +such an e-voting procedure is far from convenient: it takes +much more time to allow, for example, for scrutinising whether +the votes were cast correctly. Very likely it will also not +pass the benchmark of being understandable to Joe Average. +This was a standard a court rules that needs to be passed in +the German election process. + +The overall conclusion is that an e-voting process involving +the Internet cannot be made secure with current technology. +Voting has just too high demands on integrity and ballot +secrecy. This is different from online banking where the whole +process is designed around authentication. If fraud occurs, +you try to identify who did what (somebody’s account got zero; +somewhere the money went). Even if there might be even more +gigantic sums at stake in online banking than with voting, +it can be solved. That does not mean there are no problems +with online banking. But with enough thought, they can +usually be overcome with technology we have currently. This +is different with e-voting: even the best have not come +up with something workable yet. + + %Why do I use e-polling in lectures? diff -r 2cb42412f3fd -r a97b828bf87f hws/hw02.pdf Binary file hws/hw02.pdf has changed diff -r 2cb42412f3fd -r a97b828bf87f hws/hw02.tex --- a/hws/hw02.tex Fri Oct 03 13:14:34 2014 +0100 +++ b/hws/hw02.tex Fri Oct 03 15:37:05 2014 +0100 
@@ -36,9 +36,21 @@ \item[$\Box$] Each ballot has a unique ID. When a voter is given a ballot, the ID is recorded. When the voter submits his or her ballot, this ID is checked against the record. \end{itemize} +\item In the Estonian general election, votes can be cast via Internet + some time before the election day. These votes cast via Internet can + be changed an unlimited amount of times, the last vote is + tabulated. You can even change your vote on the polling day in + person. Which security requirement does this procedure address? + \item What is the main difference between online banking and e-voting? (Hint: Why is the latter so hard to get secure?) +\item Imagine, hypothetically, you have a perfectly secure Internet + voting system, by which I mean nobody can tamper with or steal votes + between your browser and the central server responsible for vote + tallying. What can still go wrong with such a perfectly secure + voting system, which is prevented in traditional elections with + paper-based ballots? \end{enumerate}
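Review bot: the figure added in the ho02.tex hunk at @@ -249,6 +249,18 @@ carries \label{machines}, but nothing in the surrounding text refers to it, so the [t] float drifts to wherever LaTeX places it with no pointer from the prose; add a \ref{machines} where the Diebold DRE machines and the optical scanners are discussed (e.g. "see Figure~\ref{machines}"). The three images are also pulled from ../slides/pics, so the handout build now depends on the slides directory being checked out next to handouts/.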
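Review bot: two technical statements in the ho02.tex hunk at @@ -309,12 +321,115 @@ need tightening. The zero-knowledge sentence ("convince somebody else to know a secret without revealing what the secret is") should read "convince somebody else that one knows a secret without revealing it"; it is the prover, not the verifier, who knows the secret. In step 3 of the enumeration, the proof of correct shuffling does not establish that "one cannot determine anymore who has voted for what"; it establishes that the output is a re-encrypted permutation of the input, i.e. that no ballot was added, dropped or altered, while unlinkability comes from the re-encryption and the mixing itself, so the two properties should be stated separately. The \lstinputlisting of ../progs/estonia.py pulls in a file that is not part of this changeset, so the handout will not build from this commit alone unless that file already exists in the repository. Wording: "worlds first" → "world's first"; "Of this openness means that people (hacker) will look at your fingers" → "Of course this openness means that people (hackers) will look over your shoulder"; "their system is designed such that they needs to trust" → "it needs to trust"; "group of independent observers" → "a group of independent observers"; "state-sponsered" → "state-sponsored"; "cryptographiv" → "cryptographic"; "Hellman-Diffie protocol" → "Diffie-Hellman protocol"; "a standard a court rules that" → "a standard a court ruled"; "somebody's account got zero" → "somebody's account was emptied"; "vote via Internet" → "vote via the Internet". Giving the NSA as an example of "cyber-crime" also reads oddly in a lecture handout; "state-level adversaries" is the safer phrasing.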
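Review bot: in the hw02.tex hunk at @@ -36,9 +36,21 @@, the second new question defines "perfectly secure" as nobody being able to tamper with votes "between your browser and the central server", which leaves the browser, the voter's machine, the tally server and the voter's surroundings out of scope. If that is the intended hint (coercion, vote selling, malware on the voter's computer, a compromised tallying server), say "on the network between your browser and the central server" so students do not read the browser itself as covered. Minor: "cast via Internet" (twice) should be "cast via the Internet".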