 Hi everyone, welcome to Online Voting Theory and Practice by Porter Adams and Emily Stam. We are at the DEFCON Crypto Village in August 2020. My name is Porter Adams. I am a software engineer at Blacktop Government Solutions and founder of Disappeared Digital. You can contact me at Twitter at Privacy Porter. I'm Emily. I'm a security research engineer at Allstate. I'm also the COO and co-founder of Cybersecurity Nonprofit or CSMP and you can find me on Instagram at Crypto.Emily. So I talk outline, we've got three major pieces, we're doing a quick intro now and then I will be talking about the practice of online voting and Emily will talk about the theory of online voting going into homomorphic encryption, mixed nets, and blind signatures. Scope of our talk, so we're talking about online voting, so not all election security, not even all voting, just online voting. So what do I mean by that? So one form of online voting is anything is called electronic voting or e-voting and that just refers to something that includes at least some electronics. So the United States, a lot of our voting systems already use e-voting by having computer screens that you can touch, but e-voting does not necessarily mean all online. Internet voting is what people would think of as like 100% online. Internet voting is when it's all gone fully digital and there's no need for in-person, anything in-person. So safety of voting machines, I'm just going to refer you to the DEF CON voting village. They do a lot of really great work over there. It's not the focus of our talk, we're going to be talking more about the internet voting side of things and how it would be possible to vote entirely online. So this is the biggest question I get is why can't we all vote from our phones? And it's a really great question and so we're going to spend some time explaining actual reasons why we can't yet. The advantage and why people want to vote from our phones in the first place, the first one is just the convenience factor. It's so much easier if I can sit at home and vote from my phone. It's also especially easier for overseas voters who if they currently have to vote by mail that can take a long time for their mail to get in and their votes may not even be counted by the time and so it's a lot easier for expats to vote from their phones. It also would hopefully improve voter turnout because it's a lot less effort to download an app on my phone and click some buttons than it is to show up at the polling station. That's human error. So we all remember the 2000 election with the hanging chads in Florida and not being able to determine which way the votes went. When we vote on a computer it's either a zero or one so it's pretty clear and doesn't leave room for human error when filling out the ballot. So let's talk a bit about usability. So even if we had a totally working mobile app that everyone like could download and use and was all safe and private which are concerns I'll get to later in the talk. In Finland in 2008 they had some issues with the user interface and what happened was people when they were going to vote they would see the screen they would tap through click all the candidates they wanted to vote for but at the bottom of the screen was a submit button and about 2 percent of voters did not see the submit button on the screen and therefore their votes were not counted and the Finland election 2008 is a user interface problem that would be a big issue if people tried to vote but mistakenly like didn't hit submit button that would be a concern even if everything else was safe and secure and working. The other case I want to bring up is Iowa in 2020 at the Democratic caucus had many problems with their mobile app that they tried to use to help tally up the votes we can learn a lot of lessons from that but one I want to highlight is that some people had trouble even downloading the app correctly and so even again if we had like all the security and privacy stuff worked out there's still some usability concerns with can people download the app can people use the app all of this kind of comes down to like comfort with electronics which a lot of us have here at like DEFCON but not everyone else in the world is as comfortable as we are with using these things. So here are some of the big concerns and security is by far the biggest one we need to make sure that our elections actually safe privacy is making sure like is it possible to even do a secret ballot online because we all know there's so much tracking and surveillance with what we do online that having actually private vote pretty tough so I'm going to try and answer both these questions and the remainder of my talk. So first security is it safe there is a huge attack service for anything that's going to be online some sort of mobile app and so let's just kind of go quickly over like all the different ways that would need to be like that could be a voting app could be attacked by and we would need if we wanted to do this in practice to sure up all of these things and make sure that none of these could happen. So if I was a hacker trying to attack a voting app I could install a back door either as you vote on the client side or when the votes are tallied on the server side I could create an exploit for the voting app itself or for the phone operating system or for the server code server operating system I could spy on votes by intercepting the connection maybe with a fake wireless access point or a key logger on person's device there's always social engineering you'd have to worry about with phishing app insider threat whoever like created the code for any of these pieces you have to watch out for and I was running the election and then just destructive attacks like a distributed denial service where the app just goes down on the day we're all supposed to be voting. OK, so usually when I'm trying to explain all this to someone they always come up with but banks have mobile apps and this is a really smart point and so it's worth addressing why even though banks have mobile apps it's still very tough for a voting system to be on a mobile app. So what's the difference between a voting app and a banking app? First one's identity when you're banking basically anyone with your credit card info can go online order some stuff on Amazon but when you're voting we need to make sure that is really only you. In terms of security banking has the benefit of being able to detect fraud kind of later and afterwards whereas with an election if there's any sort of fraud going on we need to know about it immediately and privacy is one of the biggest differences where when it's just you and your bank talking and like your bank knows everything and you know all of your own stuff that's fairly easy to figure out just between the two of you but for voting we all have secret ballots which I'll get to in a little bit it makes it very challenging for my vote to stay secret while everybody else still trusting that votes were placed correctly and then lastly trust in banking like it's really just between you and the bank and other accounts like don't really affect you or like other people using your bank versus in a voting system in a voting app I need to trust all of the votes from everybody not just my own and so trust is very different for a voting app so the privacy challenges specifically of online voting first you got the secret ballot and so what does that mean more or less that I need to be anonymous when I vote so no one should be able to figure out based on like like no one should be able to figure out who I voted for and there shouldn't even be a way for me to prove it to anyone next to each other next to me or around me so no one can force me to vote a certain way it's very important for our elections voter registration is not exactly a privacy challenge it's like an identity thing but it's going to be kind of related so I include it here voter registration it needs I need to be very sure that like whoever is submitting the information this voting app is the person on the registration list and this counts against like double voting which on the internet is much more it would be much easier to happen where you could submit something twice and have it accidentally be double counted and trust is the big third privacy challenge where all votes must be trusted and typically to ensure that trust that means lots of visibility and so the big the challenge here overall is combining the secret ballots with trust and you have to somehow like include all the anonymity expected for voters while still having all the visibility needed for the overall election and everyone to trust the results and putting these two together digitally is actually extremely tough and will require some really cool math that Emily will talk about in the second half of this talk so it's cryptography for online voting is the answer it's going to solve all of our privacy concerns and I just want to say big thanks to cryptographer David Chom for inventing a lot of this stuff I know if you're at the crypto privacy village at Defcon and have not heard of David Chom before please look up some of this work he's done awesome stuff okay so how does Estonia vote online especially in the United States anytime this gets brought up it's like how is some other country doing it but we can't first steps identity and Estonia they all have a national ID card that includes a chip on it where they can create digital signatures from which essentially means their like government issued IDs can act as a form of identity on the internet so they can log in using these chips although I believe in the last two years they have switched from hardware chips to an authenticator app but this still stands that they have some sort of way of converting from your real life presence to your online presence secondly cryptography Estonia uses a combination of I think mixnets and homomorphic encryption specifically using El Gamal and Emily will explain what those are in the later half of this talk and in terms of trust Estonia has been voting online since I think 2005 and every year they keep making gradual improvements anytime security people go check out there's always something that's broken which isn't really surprised but Estonia has done a good job of fixing the things that are broken and over time it's the system's gotten a lot better and hopefully is is mostly safe from real threats they haven't had any giant accusations of election interference so either that means they haven't caught anyone interfering in their elections or they've actually been doing a good job in 2019 almost a quarter million Estonian Estonians voted online which is very impressive numbers and goes to show that this is like possible in the future if it is done slowly and correctly now one big thing to watch out for is cryptographic backdoors these are tough to catch so Switzerland has been doing online voting and some researchers looked into their mix net shuffle proof and found a naive implementation of the zero knowledge proofs inside of there which would have allowed for all of the votes to be changed by an attacker and so making sure that like every last inch of the app needs to be like very carefully done and especially when it comes to cryptography you need the person who's coding it to be aware of all of the cryptographic assumptions and make sure that they are coding in everything properly so let's look at voting cryptography around the world three big ones I want to point out are in Estonia Switzerland and then Moscow has some local elections that are online and Estonia uses a combination of homomorphic encryption and mix nets same thing for Switzerland and Moscow is using homomorphic encryption and blind signatures so not too many like countries of places around the world have an online option right now there are a lot more countries that have tried doing this and quit Belgium Finland France Germany Ireland Kazakhstan Netherlands Norway are on the list and the reasons for for quitting are mostly either every security person says it's not very safe or the voter trust in an online system is just not very high and one of the most important things for an election is that voters do trust the system and so even if online voting is safe if the voters all think that it's not safe then it's not a good idea to offer an internet voting option all right so now I'll talk about the cryptography behind the scheme all right so now talk about the cryptography behind the scenes that makes online voting possible so some of the considerations we have the first is security so preventing attacks preventing adversaries from tampering with the election and being able to detect faulty voters and centers second is robustness so no small set of servers should be able to disrupt the election accuracy the result should reflect the way people actually voted verify ability we should be able to verify that the votes are accurate in particular individuals should be able to verify that their vote was counted correctly confidentiality keeping votes secret is crucial usability for all ages and speed and efficiency including casting the votes processing them and counting them so there are three types of cryptographic protocols I'll cover in this talk homomorphic encryption mixed networks and blind signatures so first homomorphic encryption so homomorphic encryption is computation on encrypted data so this form of encryption actually allows us to do computations on the data when it's in its encrypted state there's been a lot of research into this area and it's very promising because generally our cryptography when we have our data and it's encrypted we can't use that data in any way the only way we can actually make use of it is to decrypt it back into its original form but with homomorphic encryption we can actually perform computations on the encrypted data so this means we could outsource data to cloud environments for processing all while encrypted we could perform data analysis again while data remains in its encrypted form and in particular with election voting we could obtain a tally of the encrypted votes without actually having to decrypt the individual votes maintaining privacy the entire time so to give a little bit more of the mathematics of the scheme so homomorphic the term actually comes from a math term called homomorphism which is a math that preserves some structure so that's what you can kind of think of homomorphic encryption as doing it preserves some underlying structure enough to perform functions on it so you have a message you encrypt that message you perform a function on it and then you decrypt it and that would be the same thing as if you apply the function directly to the message and there's different types of homomorphic encryption generally they are categorized based on what kinds of computations you can perform whether it's just partial whether it's addition multiplication but we even have fully homomorphic encryption and that actually can perform arbitrary gates and depth meaning really arbitrary computations the only practical and secure fully homomorphic encryption implementations currently are based off of lattices so lattice cryptography it's this new relatively new form of cryptography that is beginning a lot of attention recently partially because it's quantum secure cryptography meaning that it's secure against quantum computers and it's actually most of the finalists and the post quantum cryptography NIST competition are lattice based and lattice cryptography has some very strong security assumptions especially compared to our classical cryptography like RSA it's also very flexible and efficient generally the main downside is that it has large key sizes but depending on the scheme they're not even always that much larger than RSA so lattice cryptography is very important for the fully homomorphic encryption but we'll also touch on it when we come back to blind signatures so I just wanted to mention what that is and so now we'll turn back to homomorphic encryption and voting in particular so how does it help so we can tally the votes in the encrypted state which means we take all the votes in in their encrypted state add them together and then decrypt the result and because of the homomorphic encryption we get the same result as if we decrypted them separately and added them together so this allows voters to maintain their privacy there's also a protocol that allows us to allows voters to verify their votes and even if we don't use homomorphic encryption in the election we can still use it for ballot comparison so ballot comparison is very important in the election process to inspire voter confidence by comparing ballots and the electronic records and the way we can use homomorphic encryption is this in this is that we can actually do this comparison on the votes in their encrypted state so we would inspire voter confidence without actually giving any information about the votes and how this done now is the votes are anonymous but even still with anonymous but not tying them back to the individuals you can still find patterns so it would be more secure if they were in their encrypted state so next I'll talk about mixed networks so mixed networks also called mixed nets are routing protocols that use a chain of proxy servers mixes to take in messages from senders and send them to receivers in some random order additionally they use encryption at each state and it makes it harder to trace and you can also think of it as being kind of like a Russian doll some nested encryption going through so there's two types there's the decryption mix net so that's where you do all the encryption in the beginning and then you partially decrypt and mix at each stage there's also re-encryption where you re-encrypt and mix at each stage and do do the full decryption at the last round and there's also shuffle and decrypt proofs for verifications as well so lastly we'll talk about blind signatures so just to recall a digital signature provides authenticity so verifying that you're talking to the person you think you are verifying a known sender and integrity verifying that the message you're receiving has not been altered in transit maliciously or accidentally so how it works is one party signs the message and creates a signature with a private key and then the other party will verify that with a public key so with blind signatures it's a digital signature where the message is masked or blinded and then sent and then signed so blind signatures can then be verified against the original message the same way digital signatures are the key difference is that with blind signatures the person signing them doesn't know the contents of the message so voting is actually a common analogy with blind signatures so imagine you have a voter and they complete an anonymous ballot which they then place in an envelope with their credentials they hand that envelope to an official who signs it and the signature of the official imprints through the envelope onto the ballot and they return that envelope to the voter the voter then places the ballot in a different unmarked envelope before submitting it so now the message was correctly and sufficiently signed by an official without the official having to know the contents of the message so it provided the authenticity and integrity but maintain the confidentiality so to talk a little bit more about the scheme in a less analogous way what actually happens so a user has some message D and they blind the message to get a new message D star and that's what they send to the signer the signer then uses the private key to generate a signature Sigma star for that message D star and returns it to the user the user can then create from Sigma star a valid signature Sigma corresponding to their original message so any recipient can now validate this signature Sigma as they would any other signature and the signer gets no information about the contents of the message or the actual signature and there's different mathematics behind blind signatures there are RSA based options I don't I wouldn't recommend using these because with where we are right now if we're implementing new technology we want to be looking as far ahead as possible and in the long run RSA is not secure against quantum computers and just as not secure compared to these other types of schemes but there's also some attacks on the RSA based blind signatures so I am mostly gonna focus on the lattice and the multivariate base so the lattice based blind signatures again they're post-quantum secure and they rely on similar problems similar types of schemes as those that are finalists in the NIST post-quantum cryptography competition so we have a lot of faith in these lattice based schemes and we can create blind signatures from them additionally multivariate there's a scheme called the rainbow scheme that's a finalist in the NIST post-quantum cryptography signature schemes competition so again leads to be post-quantum secure and we can turn this scheme into a blind signature scheme and there's a lot of benefits to multivariate cryptography such as having very fast and short signatures and this diagram just kind of shows how the rainbow scheme works essentially you have a message W the hashed message and you recursively obtain inverses of these functions to get the signature Z and then that signature Z can be verified by using the public key function and just applying that to see if you get the correct message back with blind signatures there's just an extra some extra steps in this process you use a special function called R that actually by using that you create the blind aspect of it and then you use use zero knowledge proofs at the end as well as part of the verification proof so a little bit more complicated but again very similar mathematics so in summary we talked about homomorphic encryption so computation on encrypted votes which allows us to tally the votes in their encrypted form and it can use different types of cryptography but lattice base is one that is post-quantum secure and very flexible then we talked about the mixed networks protocol where you have a nested series of encryption or re-encryptions and shufflings and this way you cannot determine which person the vote came from and there's also a range of underlying public key cryptography mathematics that I didn't go over but the protocol itself is fairly flexible and finally we talked about blind signatures so this is where you create a valid signature without knowing the contents of the message so you're verifying authenticity and integrity of a vote while maintaining confidentiality of a voter and we talked about lattice and multivariate based schemes to summarize everything is it possible theoretically yes eventually cryptographers will help us get it right as long as security people is it ready in practice not yet in the United States let's start small scale and maybe eventually we'll be able to have more voters vote from their phones so thank you thank you for coming to the talk