Good morning, and greetings appropriate for any other time of the day from wherever you are logging in. This is the second part of the mass class from Professor Subhashis Banerjee on the topic of electronic voting, as part of the blockchains and electoral democracy project at Kharana. Even though you may be joining this one for the first time, we would recommend that you watch both sessions together to get a better introduction to the topic, because in isolation it is going to be difficult to understand and appreciate the amount of detail that has been covered across both these sessions. A few housekeeping notes before I hand it over to our host and moderator, Smar Makathri. We will be streaming this on YouTube. You can put questions on the YouTube chat or here, and we will be presenting them to our host and the speaker. You can use the raise hand function in Zoom to queue up your questions or remarks. If you prefer not to use the raise hand function, you can always put them in chat and we'll read them out for you. And with that, there's no need for me, at least, to go into a whole lot of introductions. I'll hand it over to Smarri, and he can take it forward. Thank you so much.

Yes, thank you. We're back. It's another week and we are continuing with our discussion about electronic voting systems. I'm going to keep it short so that we can get down to the actual meat of the matter. But in case you missed it last time, I do agree that it's a good idea to go back and watch the YouTube stream from last time. It was quite informative. Again, we have with us Professor Subhashis Banerjee, who teaches at the Department of Computer Science and Engineering at the Indian Institute of Technology in Delhi, and who has been involved in writing, educating and commenting on the intersection of technology with society and politics.
What we're here to do today is dig a little bit deeper into the specifics of how to make these kinds of electronic voting systems reliable, if at all possible. This is not necessarily an easy thing to do, as we went through last time. There are many things that need to be guaranteed in order to make it all work. So hopefully we'll all emerge from this more enlightened than when we go into it. I'll just hand it over to you, Subhashis.

OK, thanks. Thanks, Marty. Let me start with sharing my screen. OK. So I'll start with the electoral rolls and do the voting part later, because, as a computer scientist, I would think that if I had to attack an election system, I would attack the electoral rolls rather than the voting system. The electronic voting system is under public scrutiny; it's out there for everybody to see. The electoral rolls, on the other hand, are something that can be attacked at leisure, much before the election, and just a one percent swing, deleting one percent of voters, unwanted voters, from the electoral rolls is enough to hack an election, a closely contested election. So when we did this report on elections, there was this wonderful and rather astonishing report by me, Ramani and Harsh Mandar, which talked about the disenfranchisement of voters. Apparently the voters from marginalized communities find it hard to get onto the voting list, and they also find it hard to stay on it. Once they're on, they tend to get deleted, without notice, without necessarily following the rules, and they go to the polling station and figure out that their names are simply not there. And in India, and probably in other places also, there are no standards about the maintenance of the electoral rolls, the integrity of the electoral roll.
So some people are saying now that the electoral roll should be on a blockchain, and that is what I'll address a little bit in this talk. Now, in this talk I will have to get into a little bit of cryptography, as I mentioned last time. If there is any difficulty at any point of time, please don't hesitate to just interrupt, just unmute yourself. OK, so democracy principles demand that the integrity of the electoral roll should be publicly verifiable, and they seldom are. The electoral rolls are usually downloadable from the ECI website in India, but they are not in a searchable form. They are typically given as images, and to do anything with them is more or less impossible. They are also not properly under RTI, so you cannot file an RTI to ask the question why my name was deleted or why my address was not updated. You'll be lucky if you get any answers. So what are the verifiable requirements? Typically, that all applications for inclusion and updates on the electoral rolls, by the voters or on their behalf, should be properly processed; that there should be no spurious deletions from the electoral rolls without notice and without citing reasons; and of course de-duplication of an electoral roll is a crucial issue. But this is not all. This is something that technology can probably address, but technology cannot address the problem of proactively identifying all eligible inclusion problems: the person on the road, the person who sleeps on the street, persons from the LGBTQ community. This is a social process, to get people onto the electoral roll proactively even if they don't apply. That's a process that we in computer science cannot address. So we will talk about the middle part, the verifiability requirement. And electoral roll attacks are not a myth.
There are these two reports that I read, which came out roughly about the same time, in March 2019, and talked about the manipulation of electoral rolls in two countries very, very far apart, and I would recommend that you read both to understand the kind of attacks that go on. They're not dissimilar: one is a highly advanced country and one is Telangana, and yet the nature of the attacks is very similar. OK, so the solution that I have in mind, and this is not a standard, these are just random thoughts that have occurred to me and that I've written up, is a proposal that we can discuss. I think the cryptographic tool that we can use is a tool that came much, much before blockchain. It predates blockchain by at least 20 years, and it's pretty well understood in computer science: the concept of an append-only public bulletin board. It has two properties. One is certified publishing: anybody can determine who has published a bulletin. It's an append-only bulletin board, and the publisher is the ECI or a sub-authority of the ECI. So we are assuming here that only the Election Commission of India or its sub-authorities will publish, and that the identity can be verified, and also the time of publication, up to a certain bound, maybe within five minutes, within 10 minutes. And the append-only public bulletin board must have an unalterable history. What does it mean? This is called immutable in the language of blockchain, or non-repudiable. It says that any reader can verify that at times T1 and T0, T1 greater than T0, the board at T0 is a prefix of the board at T1. It means that nothing has got deleted or altered, but something has got added as time progresses, since things can only get added. That's append-only.
And failure to determine either will indicate malfeasance in the process of the Election Commission of India, or corruption. So this is the notion of a public bulletin board. It's a very well understood cryptographic system that is probably 30, 40 years old. So I am suggesting that for electoral rolls you should have two bulletin boards. Bulletin board one is a bulletin board of transaction records. This should contain the sequence of all enrolment applications received and enrolment records generated by the registration officers, so this is enrolment, and also all change and deletion records. Any request that has got generated in the system must be put up on the bulletin board in a way that it cannot be altered, along with any processing that has been done on those applications, with reasons given. This is the bare minimum that you require to make it auditable, and this has to be unalterable: once done, it's done, you cannot go back on it. The second one, derived from the first, is a bulletin board of the electoral roll. This contains a self-contained bulletin board of the entire electoral roll, updated with all additions, deletions and changes to date, append-only, where each entry is timestamped or digitally signed by a competent authority, stating who has added that thing to the bulletin board and who has deleted that thing from the bulletin board, and linked to the first bulletin board. So the current electoral roll can be computed publicly from the second bulletin board; anybody should be able to compute the electoral roll. And this is constituency-wise: every constituency should maintain its own bulletin board. The blockchain proponents suggest something like that. They say, think of the bulletin board as a blockchain. But a blockchain is a hammer that has many, many other things other than a bulletin board; the bulletin board is a part of it.
And I would argue that those additional things may sometimes make the problem more complicated and actually add insecurity to it. I'll come and discuss that in a little bit more detail. So the cryptographic building blocks that are required to build a bulletin board are just very simple constructs. All you require is a digital signature, a public-key-based signing system, where sign and verify are two public functions. A message can be signed with a secret key, and the signature is S. Given the message and S, anybody who has the public key of the signing authority can verify that this is indeed a signature of that message and that the message has not been altered. That's the standard notion of a digital signature. The second notion that we require is a hash function: you've got a message, the hash function is H, and you get a small h which is called a hash. A hash function is a one-way function, which means that it is easy to go from the message to the hash, but given the hash it is almost impossible to find the message, to construct the message. You can go one way; you cannot invert the function. The second property follows from the first. It's called collision resistance, which is to say that finding two different messages, message one and message two, such that the hashes are the same is computationally impossible. When we say computationally difficult in computer science, we mean that an adversary with bounded resources cannot do this. An adversary who has access to only a reasonable amount of computing will not be able to break a hash function, or violate either of the two properties. So it is impossible to construct a false message with the same hash, and it is impossible to find the message given the hash. These are the two main properties. So how does a public bulletin board work?
A public bulletin board based construction works in the following way. A bulletin board has these components: M_i is a message; every bulletin i has a message, a timestamp, a writer's identification (this is the identity of the writer), a hash, and two signatures. And it must satisfy the following invariant property: the hash at every stage must be computed by applying the hash function to the concatenation of the message, the timestamp, the writer identity and the previous hash. This is something that in computer science is called a hash chain. And the writer must sign the hash using the writer's secret key, and the bulletin board must sign the writer's signature and the bulletin board timestamp. The bulletin board timestamp should be within a small delay of the writer's timestamp. That is the requirement of the bulletin board. Given this hash chain, by the property of the hash function, this bulletin board is tamper-proof. Once a message has gone onto the bulletin board, if the hash function is strong enough and the hash function is not broken, it is impossible to alter a message. So this makes an append-only bulletin board. How is it different from a blockchain? A blockchain has got two constraints. One is the hash chain: every block is hashed in exactly this manner. But a blockchain also has multiple parties, party one, party two, party three, depending on whether the blockchain is private or public. If the blockchain is public, then anybody can join as an authority in the blockchain. If the blockchain is permissioned, or a private blockchain, then only a few people who are allowed can join. And these parties must agree, using a very complicated consensus algorithm, on what item should go onto the blockchain. So what gets added onto the blockchain is decided by a distributed consensus algorithm.
That's the only way a blockchain is different from the public bulletin board that I described here. Now, in this case, there is only one authority, the election authority, so there is no question of multiple parties' consensus deciding what should go on. That does not give us any security. If the three election commissioners try to decide, they can collude and they can pool votes, so that's an insecure protocol. What is required here, and what is often not understood, is that what should get onto the blockchain is determined by a receipt. Any time there is an application, there has to be a searchable reference to an issued receipt. Once the election commission has issued a receipt to a voter for any kind of an application, for enrolment or a change application, then the election commission is obligated to put up an entry. If a voter can produce a receipt for which no processing information is there on the bulletin board, then that is malfeasance on the part of the election authority. So what gets added onto the bulletin board is determined by what receipts are issued on application, or what commitments. Any time you issue a receipt, you give a commitment that I'll process this application; I'll either accept it or reject it or do whatever, and there has to be a corresponding entry. If you can produce a receipt with a certain date corresponding to which there is no processing information in the bulletin board, then that indicates malfeasance. So you don't really require complicated consensus at all. This is a simple tool which can be used, and you never need a blockchain for this, but amazingly, for this problem the internet is full of complicated blockchain-based solutions.

Privacy. A voters' list has an incredible privacy problem. The privacy versus public verifiability issue comes out in the most prominent way in a voter system, in an electoral roll.
In an electoral roll in a country like India, where names disclose caste and religion, this is a nightmare issue. The Election Commission of India's response to this is to keep the electoral roll as an unsearchable image, as a bitmap. That does not give any privacy; it just makes it not searchable by ordinary means. There's an assumption that this gives privacy, which I think is incorrect. If you want privacy, and I'm not saying that privacy is desirable, that's not for me to decide, that's not for a designer to decide, that's for the society and the parliament to decide, but if you want privacy, here is a way: you can replace each message in the bulletin board with a hash.

Subhashis, just a quick question from the chat about whether the number of collisions is also required to be bounded.

Of course, yes. The number of collisions in a hash has to be bounded. I'm not getting into the properties of a hash function, but there are many, many hash functions that do it, that are collision-resistant. Actually, hash functions have got a problem that they get broken, and newer hash functions come and they get broken, so it's a cycle. It's a game between the cryptographer and the attacker, a continuous game. But there are secure hash functions that are reasonably collision-resistant, and one can show that collisions can happen only with a negligible probability. That's sort of easy to show in cryptography. And for privacy, replacing the messages with hashes gives you the untamperability, and access to the unalterable messages can only be given to authorized entities: representatives of political parties after authentication, special auditors. Now, whether only special auditors should audit or whether it should be publicly audited, that is a question that needs to be asked in the parliament and decided.
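As an added illustration, not part of the lecture, here is the bulletin board construction just described, in Python: the hash-chain invariant h_i = H(m_i || t_i || w_i || h_{i-1}), the writer's signature over the hash, the board's counter-signature over the writer's signature and the board timestamp, the bounded delay, the prefix check a downloader runs against an earlier copy, and the receipt lookup that exposes an application with no processing record. It also shows why a fork that re-signs history verifies on its own but fails against an independently held copy. The HMAC-based sign/verify (a stand-in for public-key signatures), the JSON record format with receipt numbers, and the key, writer and timestamp values are assumptions of this example.

```python
"""Append-only public bulletin board with a hash chain, two signatures per entry,
a bounded board delay, a prefix (append-only) check and a receipt lookup.

Assumptions of this example: HMAC-SHA256 stands in for public-key signatures
(a deployment uses key pairs, and verifiers hold only the public keys), records
are JSON objects carrying a receipt number, and all keys/timestamps are constructed.
"""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Any

MAX_DELAY = 600      # board must counter-sign within 10 minutes of the writer's timestamp
GENESIS = "0" * 64   # h_0: the "previous hash" of the very first entry

# Constructed demo keys (stand-ins for the ECI's and the registration officer's key pairs).
BOARD_KEY = b"ECI-board-key-DEMO"
WRITER_KEYS = {"ERO-Delhi-07": b"ERO-Delhi-07-key-DEMO"}


def sign(key: bytes, data: bytes) -> str:
    """Stand-in for a public-key signature (HMAC-SHA256, hex-encoded)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def chain_hash(message: dict[str, Any], timestamp: int, writer: str, prev_hash: str) -> str:
    """h_i = H(m_i || t_i || w_i || h_{i-1}); canonical JSON fixes the byte layout."""
    blob = json.dumps([message, timestamp, writer, prev_hash], sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()


@dataclass
class Entry:
    message: dict[str, Any]
    timestamp: int        # writer's timestamp t_i
    writer: str           # identity of the registration officer w_i
    hash: str             # chained hash h_i
    writer_sig: str       # writer signs h_i
    board_timestamp: int  # when the board accepted the entry
    board_sig: str        # board signs writer_sig || board_timestamp


class BulletinBoard:
    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def append(self, message: dict[str, Any], timestamp: int, writer: str, board_timestamp: int) -> Entry:
        prev = self.entries[-1].hash if self.entries else GENESIS
        h = chain_hash(message, timestamp, writer, prev)
        wsig = sign(WRITER_KEYS[writer], h.encode())
        bsig = sign(BOARD_KEY, f"{wsig}|{board_timestamp}".encode())
        entry = Entry(message, timestamp, writer, h, wsig, board_timestamp, bsig)
        self.entries.append(entry)
        return entry


def verify_board(entries: list[Entry]) -> tuple[bool, str]:
    """What any downloader checks: chain invariant, both signatures, bounded delay."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.hash != chain_hash(e.message, e.timestamp, e.writer, prev):
            return False, f"hash invariant broken at entry {i}"
        if e.writer not in WRITER_KEYS or not verify(WRITER_KEYS[e.writer], e.hash.encode(), e.writer_sig):
            return False, f"writer signature invalid at entry {i}"
        if not verify(BOARD_KEY, f"{e.writer_sig}|{e.board_timestamp}".encode(), e.board_sig):
            return False, f"board signature invalid at entry {i}"
        if abs(e.board_timestamp - e.timestamp) > MAX_DELAY:
            return False, f"board timestamp too far from writer timestamp at entry {i}"
        prev = e.hash
    return True, "ok"


def is_prefix(older: list[Entry], newer: list[Entry]) -> bool:
    """Append-only check: the board downloaded at T0 must be a prefix of the board at T1."""
    return len(older) <= len(newer) and all(a == b for a, b in zip(older, newer))


def processing_for(entries: list[Entry], receipt: str) -> list[str]:
    """Decisions recorded for a receipt; an empty list for an issued receipt is malfeasance."""
    return [e.message["result"] for e in entries
            if e.message.get("receipt") == receipt and e.message.get("type") == "decision"]


def build_sample_board(decision: str = "rejected") -> BulletinBoard:
    """Constructed sample: an enrolment application, its decision, and a deletion with reason."""
    b = BulletinBoard()
    b.append({"receipt": "R-1001", "type": "application", "kind": "enrolment"}, 1_700_000_000, "ERO-Delhi-07", 1_700_000_020)
    b.append({"receipt": "R-1001", "type": "decision", "result": decision, "reason": "address proof"}, 1_700_003_600, "ERO-Delhi-07", 1_700_003_650)
    b.append({"receipt": "R-1002", "type": "deletion", "reason": "shifted residence", "notice_sent": True}, 1_700_007_200, "ERO-Delhi-07", 1_700_007_230)
    return b


def tampered_copy(entries: list[Entry], index: int, field: str, value: Any) -> list[Entry]:
    """Edit one field of an already published entry, as an insider rewriting history would."""
    forged = copy.deepcopy(entries)
    forged[index].message[field] = value
    return forged


if __name__ == "__main__":
    board = build_sample_board()
    print(verify_board(board.entries))                # (True, 'ok')
    print(processing_for(board.entries, "R-1001"))    # ['rejected']
    snapshot = board.entries[:2]                      # the copy a party downloaded at T0
    print(is_prefix(snapshot, board.entries))         # True
    print(verify_board(tampered_copy(board.entries, 1, "result", "accepted")))  # (False, 'hash invariant broken at entry 1')
    # A fork: the authority re-issues entry 1 with a different decision and re-signs from there.
    # It verifies on its own, but it does not extend the copy already downloaded.
    fork = build_sample_board(decision="accepted")
    print(verify_board(fork.entries)[0], is_prefix(snapshot, fork.entries))  # True False
```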
Then there was this question about remote offline migrants, 200 million migrants in India who do not vote. To my mind, the solution is again: take applications from them, whether they want to vote from their home in Begusarai or they want to vote from Delhi, and which constituency they want to vote for; maintain the status of all applications on public bulletin boards; then reconcile across constituencies and publish final electoral rolls; and then finally hold offline multi-race polling stations at remote locations. For example, in Delhi, at a polling booth, you should hold multi-race polling, which means that it should be possible to vote for all 542 constituencies in the country from Delhi. And this is not internet voting. You should be able to go and select which constituency you're voting for and cast your ballot; that's called multi-race polling station voting. And post-election, the results can be uploaded for counting. I'll discuss that bit later. But this is what may appear to be a simple solution to the maintenance of electoral rolls, at least the part of it that can be technically addressed, and this does not require complicated consensus protocols and blockchains. So I will move on to voting. I'll stop here on electoral rolls, but if there are questions, then we can maybe have a short discussion.

Yeah, do you want to do some questions on the electoral rolls?

Yeah, maybe we can take a couple of questions before I get on to voting.

Yes, okay, that's actually a good idea. And I just wanted to add, because of Nildara's question about the bounding conditions of the collisions, that it's a useful thing to know about the hash functions that are what we'd call cryptographic hash functions, hash functions that are useful for cryptographic purposes, that they'll have a uniform distribution on the image and that the image will be equal to the co-domain. That statistical property basically guarantees a certain bounding of the collision rate.
So you typically have to show that the collision probability is negligible, right? It is less than, I think it's specified as, epsilon. We have a question from Anand.

Yeah. Hi, so I have a question about how you really make it tamper-proof. Let's say that bulletin B_i has been published. What stops the officials from publishing a B_i' the next day by making some changes to it?

The assumption is that the authorities will not be able to forge the hash functions. They won't be able to compute the hash functions.

They're not... let's say we take B9, and then they did a B10 now, okay? Now they can create it. So B10 will have the hash of B9.

True.

Got it, okay. Now what stops them from actually releasing another version of B10 using the same old hash the next day?

Yeah, they can; it is up to them. Whatever they put up, the onus is on them to be answerable for that. The point is that whatever they have put up, they cannot go back and alter. And if whatever they have put up doesn't explain what has happened to my application, it is publicly viewable. Anybody can figure out that they have not processed my application correctly. So as long as they give a commitment and a receipt, it is obligatory on their part to process it. They cannot hide anything.

But my point is, even forking the chain that you have is still possible, because I can rewrite, I can...

So you can fork it, but whether you want to do that or not, ultimately through these bulletins you are explaining that you have processed my information correctly. So whatever you do, fork or do whatever you want, ultimately the ECI has to give an explanation to everybody, which anybody in the public can check. So if they've done something wrong, it is evident on the bulletins.

So my point is, using the hash function here is not adding any value, because the other side can fork and create a new chain at any point.
So there's no value actually using...

You know, in whichever chain you take, all the preceding hashes are included. So H_i contains H_{i-1}. The hash invariant property has to be satisfied by every chain. And if you fork a chain, even the new chain is not altered. You can fork as many chains as you want, but you cannot alter anything.

No, true, I get the point. So I mean, unless someone is keeping an archive of the chain that's been published, like a gazette that's published and that's unalterable, okay? Something like that. The property is there. Without having something like that, just having a chain, I don't see how it can achieve it.

So the assumption is that anything that you have published, somebody has downloaded it.

But whoever's downloaded what I have can be...

Or you upload; the Election Commission uploads to NIC. Anything that they have uploaded, maybe Congress and BJP, they both download it.

Yeah. So you need something like that. So you have a third-party verifiable agency where this goes. And unless you have a third agent, the agency that verifies and says that this has been altered... I mean, this alone doesn't seem to be.

Yeah. So every message is signed, so they cannot go back on their words. So somebody else should have a copy of the bulletin.

Yeah, yeah.

Somebody else has to download the bulletin board, period. So that's a minor point. That can be easily taken care of.

It might also be useful to think of this in terms of: one of the reasons for maintaining the hash is so that you can cheaply verify that nothing has changed. Right? Because if you have to maintain the entire database and then compare all of it every time, then that becomes expensive for large databases.

Yes. And the hash chain gives you easy methods to verify it. Yeah. So this public bulletin board is a construct in computer science which is very, very old.
It's 40, 50 years old and has been used extensively. And many times when people talk blockchain, what they really require is a public bulletin board, and they really don't want a blockchain. A blockchain is required for a cryptocurrency because... unless you want a consensus on the ordering of the transactions, which you don't need in this case, you don't need a blockchain. All you need is a public bulletin board, which is a very simple construct and can be programmed like that. It's a trivial thing to do.

Yeah. There's one more question here from Abhishek: for maintaining and uploading electoral rolls, on whom does the onus fall? Also, what happens to citizen voters who are not early tech adopters? Can there be any predictions as to when such a system can be put in place?

So this public bulletin board has to be maintained by an authority, and you have to have a protocol that they upload to some three other sites that they don't control. Any time they publish, they have to upload to three other sites that they don't control. So that requires a... So verification: the public can verify for you. Of course, if you are unable to compute a hash, you can take it to Abhishek and Abhishek can verify for you. You can bring it to IIT Delhi and some students can verify for you. The thing is, the public bulletin board is out there, downloadable by everybody in the world, and anybody can verify. You can go to your friend and ask the friend to verify. A public bulletin board is like publishing in the Indian Express: you can't go back on what you have published. That's the analogy. As long as you put your processing information and publish it every day in the Indian Express, enough people have copies of it and it is impossible for you to go back and change your record. Simply put, that's the analogy.
Two more questions, and then I think we should move on and maybe take more questions on the whole afterwards. Is that okay?

Yeah.

So Aryan asks... Well, it brings us to an interesting question about who owns the infrastructure of the blockchain. Do we trust the existing government or any private entity doing so? And I think that just generally comes down to the trust: do we generally trust these information sources, and can we just assume that somebody is checking all of the bulletins?

So the notion of a public bulletin board is precisely that you don't have to trust anybody. See, you have to make a law so that it is the election authority's responsibility to publish the public bulletin board. They can publish it on whatever hardware, whatever software they want. You don't care, as long as these hashes are correct and the messages are down there on the list. Now, the correctness of this just depends on independent parties having copies of it. So who are the standard independent parties who will be interested in this? The political parties who are contesting the election. They have a natural interest in downloading this and keeping it. And if two political parties, political party one and political party two, have downloaded it and they have a contest about which is the correct bulletin board, anybody can verify from the hashes and the signatures. That is unalterable, and that's cryptographically secure. So the purpose of a bulletin board is to remove the trust requirement: from a trust requirement, you go to an obligation requirement. It's the obligation of the Election Commission of India to demonstrate that every application has been processed.

Yeah. So I'll take one more question from YouTube. Can you please explain the protocol from the perspective of a voter who needs to register? Voters need to confirm votes while leaving out who the voter voted for.
So essentially a confidential vote. I think this is probably what you're getting at. It might be a bit too detailed. For the electoral roll, all you have to do is to go to an electoral office, file an application and get a receipt for it: that I have filed an application and you have accepted my application. That's it. And with that application, you can search in the bulletin board for your satisfaction whether your application has been processed. That's all that the voter has to do.

And a lot of this just harks back to what we were talking about last time, about having a single national registry and how this bulletin board approach is essentially equivalent to doing just that in practice.

Yes. So what I am saying is a bulletin board per constituency. And I have carefully avoided the national identity linkage, deliberately so. Now that's an open question: how to link it with the national identity and how to do the de-duplication publicly on a bulletin board. It's a question. I have a lot of thoughts on it, but maybe for some other day.

Yeah. Well, I guess we should move on to your next part and we'll get to more questions at the end.

Sure. Thanks. And that is about verifiable voting. So again, I'll start with the declaration that I am not really recommending that you move to verifiable voting. Not at all. In fact, I have great hesitation in making that recommendation. I am making this presentation just to illustrate verifiable voting. So just to recap, what did we discuss last time? That almost all jurisdictions require a voter verifiable vote, and the only thing that is considered safe in an election right now, according to the law of most countries, including India, is this one: precinct voting in person with a voter verifiable paper record. So India, almost all of Europe except Switzerland and countries like Estonia, all of the United States, they just operate with the first one.
And the US also does mail-in ballots, which is remote. You use postal ballots to do it. So does India. And this is considered slightly unsafe, because when you are filling in the ballot and putting it in an envelope in your home, you can be coerced by your family members or God knows who else is there at your home who can coerce you. So this is considered more risky. Internet and blockchain voting: there is no way to resolve the coercion problem when you are doing internet-based voting. We discussed it in the last class, and there's been an enormous amount of material written by Ron Rivest and others to show why this is not even a possibility and why blockchain voting is a strict no-no. I will not get into that today, but I have posted a paper by the MIT folks on that. DRE voting, we discussed last time, is direct recording electronic, in an EVM. This is also considered unsafe, because there is no obvious way to prove who you voted for, whether the machine has recorded your intention correctly. That's an impossibility to prove. What India uses is somewhere in between precinct voting and DRE voting. It uses a DRE in a precinct and gives a VVPR. So it's an EVM plus VVPAT solution, which takes the DRE into the precinct voting setting, and at least it gives a VVPAT, which is more acceptable. And as we discussed last time, it will be acceptable if the VVPAT is fully audited. So what did we discuss last time, for those who have missed it? We discussed that an evidence-based election is auditability plus audit. You first must have auditability. If you don't have auditability, then the election protocol is invalid. But just auditability does not give you evidence; you have to actually conduct an audit. So if I have to again write down the design desiderata, the first desideratum is, of course, precinct voting. We discussed this at length in the last class.
So we said that we require software independence, which is to say, this is not to say that you don't use software, but that if there is a change in the software, either a wilful change or an inadvertent change in the software or in the hardware, then that should be auditable. That should not cause an undetectable change in the election outcome. If the software has got changed, then that should always be detectable, and it should always be possible to catch it in an audit. That's something that we call software independence. Almost all countries require you to have voter verifiable paper records, and these are the ballots. Because these are the ballots, they cannot fall, as we discussed, into a sack behind a glass window, like it happens in India. That's not voter verifiable. Voter verifiable means that I can use my agency to cancel if I think that the EVM has not recorded my vote. And ultimately the correct solution is almost always that I get the VVPR in my hand and put it in a box. That means I completely and totally agree with what has been confirmed by the VVPR. The Indian voting solution is not that, and this requires a change. Then of course you require contestability. If you say that the EVM has not recorded my vote correctly, or that the VVPR has printed my vote wrong, right now the Indian system is not contestable. I mean, you can shout, but you will never be able to prove that you're not lying, and they'll impose a 5,000 fine on you. And that is not correct. So of course you require contestability. And finally you require an audit. If you look at the Indian system, and all systems all over, they assume that the sack containing the voter verifiable paper records is untampered. That's an assumption.
The custody chain of it is made trustworthy by traditional methods like putting seals: each candidate and each political party puts a seal on it, and they follow it and ensure that it gets into the strong room correctly and the seal is never opened. So if you assume that the voter verified paper records are untamperable, that those sacks are untamperable, then you can use these VVPAT slips or VVPR slips to do an audit of the electronic count, right? In India, we said that the audit procedure is not correct. That's what we discussed in the last class, that you don't do an adequate statistical audit. But if you have the VVPR, and if you assume that the VVPR is trustworthy, then potentially you can do an audit, depending on the case, a statistical audit or a full manual audit by following a protocol, right? Sensible protocols. And that is the desire for all elections. So most current elections trust the VVPR and an audit of the VVPR. And that's what gives them software independence, sort of half-and-half software independence. Because what is the weak point out there? The weak point is ensuring that the VVPRs have not been tampered with, right? That some voter verified paper audit trails have not been thrown away and new ones have not got added in transit. So what we will question today is: can end-to-end public verifiability using cryptography help, right? It turns out, or it is well known in computer science, that you can use cryptographic techniques to give guarantees for all of this, right? Almost perfect guarantees for all of this. And yet computer scientists and others don't recommend that they be used. They are almost never used in any election. But many people think that it's just a matter of time before people at large get more familiar with cryptography, and cryptography will become more acceptable, and it will get used to solve all of these problems, including the trustworthiness of the VVPR trail.
Whether that will happen, or when that will happen, or whether it is desirable for it to happen is not for me to answer, right? I have always believed that it's the job of the computer scientist to operationalize and never to decide what should happen, right? But to lay out the pros and cons: if this happens, then what are the risks, right? Correct. So that's what I'll do. I'll describe a prototypical cryptographic system that can take care of all of this and then throw the question open to all of you whether it should be used or not. So let me start by reviewing some popular E2E verifiable systems, right? And because Marty asked the question about homomorphic computing, I'll start with the homomorphic computing system. This is a very, very popular system called Scratch & Vote, very elegant. It uses what is called a Prêt à Voter style ballot, and this kind of ballot was made popular by Prêt à Voter, which is an old voting system. And what do you have? You have the candidates' names on the left-hand side of the ballot in a random order. You have the marking space on the right-hand side of the ballot, and typically the voter puts a tick. On the ballot, the mark is set. Here it is cut off from the middle; you discard the left half, the left half is shredded in the polling booth. So nobody knows this. You go into the polling booth, put your tick mark and discard the left half. This ballot of course has to be a covered ballot. Then you go out of the polling booth and give the right half to an election officer who puts it in a scanner. So the right half is scanned. And note that from the right half, the polling officer or nobody can determine who you voted for, because all they know is that you voted in the third position or the second position. Since the left half is gone, this is perfectly safe. And in the homomorphic back end, what you have is an encryption of the candidates. So in this case there are four candidates.
So this has got four sections; this QR code will have four sections. The first section will encode the vector 1-0-0-0. The second will encode the vector 0-1-0-0. The third will encode the vector 0-0-1-0. And the fourth will encode the vector 0-0-0-1. And the encryption parameters are here under a scratch cover, which should normally be opened only for audit. So these are ballots that are kept outside a polling booth, and before the election starts, auditors, which should include candidates' representatives and members of the public, can pick up a statistically significant sample from the ballot box, open this up and ensure for themselves that the encryption is correct. So typically, if you have got n ballots, sampling order log n ballots for correctness ensures that all ballots are correct with a very high probability. So once the election commences, the assumption is that all ballots are correct. So that's Scratch & Vote. I'll tell you how the counting happens later. Then there are mix-net based back ends. Mix-net based back ends are very similar in principle, but instead of the encryption, you have a code out here, which is called an onion. Now, this onion is committed at the back end. So this ballot cannot be audited on the spot. But what can be done is that a log n sample of ballots can be collected from the polling booth, and assuming that they are correct, the polling can go on, and these ballots can be audited later. After the election, you can audit these, since these ballots are all committed before. So you can audit that every ballot that was picked up was correct, which would in turn imply that every ballot that was used was also correct. And typically in these kinds of ballots, the left half is discarded after polling. The right half with the randomness is kept at the end as a take-home receipt. So you take the right half as a receipt back home. Oh, sorry, I have to aim correctly.
Okay, so in Scratch & Vote, in the homomorphic encryption, what is the protocol? This is by Adida and Rivest. Adida has a voting company now, which is very famous. I have to ask him whether he's making money, but he makes electronic voting protocols. And that's a startup. So these receipts that you have taken home are displayed on a public bulletin board, exactly of the type that I described. Every receipt, the election commission puts up on a public bulletin board. These are the voter IDs, Alice, Bridget, Carol, and so on; so the voter IDs are put there. So anybody who has voted can take the receipt, use your code to look up the receipt on the bulletin board and ensure that the receipt is there on the bulletin board, that your vote is recorded correctly, and your vote is being counted. And then the election commission does a public homomorphic counting on the bulletin board, multiplying these encryptions. So in this case you pick up the second encryption, in this case the third encryption, in this case the second encryption, in this case the last encryption, and multiply all of them. So you multiply the encryptions, and that turns out to be an encryption of the summation. That's the homomorphic property. You do the computation in the encrypted domain. So anybody in the public who knows how to write a program can download the bulletin board and do this computation, and this computation is exactly equivalent to this computation. Finally, the election authority provides a zero-knowledge proof that the decryption has been done correctly, without revealing the key. The final decryption of this tally has been done correctly. This is a system that I believe was used in Maryland as a pilot and discarded, not because it did not work, but because the public did not quite understand what was going on.
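The homomorphic counting just described, as an added example that is not code from the talk or from Scratch & Vote itself: a toy Paillier cryptosystem (the additively homomorphic scheme Scratch & Vote builds on), where each candidate's unit vector is packed into one integer, every ballot carries an encryption of each unit vector with the randomness under a "scratch cover", and multiplying the ciphertexts in the ticked positions yields an encryption of all running counts, so one decryption at the end produces the tally. The candidate list, fixed candidate order, vote sample, tiny primes and counter width are constructed assumptions; the zero-knowledge proof of correct decryption that the talk mentions is not shown.

```python
import math
import secrets

# Constructed toy Paillier key: two small primes (real keys are 2048-bit or more).
P, Q = 1000003, 1000033
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # lambda = lcm(p-1, q-1)
MU = pow(LAM, -1, N)                                # lambda^-1 mod n (g = n + 1 variant)

CANDIDATES = ["Alice", "Bob", "Carol", "David"]     # constructed; order as on the ballot
BASE = 1000   # width of each packed counter: at most 999 votes per candidate


def encrypt(m, r=None):
    """Paillier with g = n + 1: c = (1 + m*n) * r^n mod n^2. Returns (c, r)."""
    if r is None:
        r = secrets.randbelow(N - 1) + 1
    return (1 + m * N) * pow(r, N, N2) % N2, r


def decrypt(c):
    """L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    u = pow(c, LAM, N2)
    return (u - 1) // N * MU % N


def unit_vector(j):
    """Candidate j as the unit vector e_j, packed as the integer BASE**j."""
    return BASE ** j


def make_ballot():
    """One Scratch & Vote style ballot: an encryption of each unit vector
    (the QR code) plus the randomness that sits under the scratch cover."""
    ciphertexts, covers = [], []
    for j in range(len(CANDIDATES)):
        c, r = encrypt(unit_vector(j))
        ciphertexts.append(c)
        covers.append(r)
    return ciphertexts, covers


def audit_ballot(ciphertexts, covers):
    """Pre-election audit: scratch off, re-encrypt with the revealed randomness,
    and check that every section encodes the right unit vector."""
    return all(encrypt(unit_vector(j), r)[0] == c
               for j, (c, r) in enumerate(zip(ciphertexts, covers)))


def homomorphic_tally(receipts):
    """Multiply the chosen ciphertexts from the bulletin board: the product is
    an encryption of the sum of the packed unit vectors."""
    acc = 1
    for c in receipts:
        acc = acc * c % N2
    return acc


def decode_counts(packed):
    """Unpack the per-candidate counters from the decrypted sum."""
    return {name: packed // BASE ** j % BASE for j, name in enumerate(CANDIDATES)}


def run_election(marked_positions):
    """marked_positions: the position each voter ticked (constructed input).
    The receipt is the ciphertext in the ticked position; counting touches
    only ciphertexts, and a single decryption at the end reveals the tally."""
    receipts = []
    for pos in marked_positions:
        ciphertexts, covers = make_ballot()
        assert audit_ballot(ciphertexts, covers)   # stands in for the log n sample audit
        receipts.append(ciphertexts[pos])
    return decode_counts(decrypt(homomorphic_tally(receipts)))


if __name__ == "__main__":
    print(run_election([1, 2, 1, 3, 0, 1]))   # constructed votes
```

The scanner never sees a plaintext vote: it only uploads the ciphertext from the ticked position, which is why the talk notes that this back end cannot print a VVPR, and why anyone can recompute the product over the bulletin board and compare it with the authority's announced tally.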
This sounded a little bit like magic to them, and magic cannot be allowed in an election. So this has not been tried since. And this is not compatible with the VVPR, for the reason that, look, the EVM which is scanning the right part doesn't get to know the vote. It doesn't know what the vote is; that's an encrypted vote. So because the EVM doesn't know the vote, it cannot leak the vote, but the flip side is that it cannot even print the vote on a VVPR. So this is not at all compatible with the VVPR. What is the advantage? The advantage is that you do not require special EVMs. You can use an app on a cell phone as the EVM. That's also fine. So almost anything will work as an EVM: simple scanners, cell phones. The electoral officer's cell phone is a good enough EVM. All you need to do is scan and upload to the public bulletin board. And he cannot not upload something, because the receipt ensures that a voter who turns up with the correct, signed receipt and doesn't find the receipt on the bulletin board has a proof that something has gone wrong, the election has gone wrong. So it is the authority's responsibility to answer for every receipt that has been issued. That gives accountability. And this is a system that probably cannot be hacked very easily.

Moderator: Let me interject here, because you have that formula for public homomorphic counting; it does seem that that scheme would be very sensitive to... in the event of somebody injecting a message of some kind that was purposefully poisoned somehow.

Banerjee: Yes. So I am not getting into the detail. They have got a poison checking method.

Moderator: But you essentially have one spoiled vote invalidate the entire election. And that's a sensitivity that you'd normally not want in a system.

Banerjee: So they have a cover for it. They use a signing mechanism on top of this. It checks a grammar, that every encryption is of a correct grammar. And you cannot inject a previous one.
So the validity of each receipt is verified using another zero-knowledge proof. I'm not getting into that detail; I'm just explaining the rough concept. For those details, you can read the original paper of Adida and Rivest. This is considered a very safe scheme, but of course there are usability issues, and hence nobody talks about it. This has sort of been relegated to an academic paper. But this gives an idea very strongly. This is an election that cannot be tampered with, cannot be forged, is publicly verifiable and all of that. There is a small attack possible; I'll discuss that attack later. The other popular voting schemes, continuing: instead of a homomorphic encryption, many of these voting protocols use a concept called a mix-net. That's another cryptographic protocol. The ones with the onions use a mix-net. So what is an onion? A mix-net is a sequence of shufflers, shufflers and encryptors. What is a mix-net? If you use a VPN or a proxy like Tor, that's a mix-net. It hides the destination from the source. It gives you anonymity between the destination and the source. So these shuffles and the encryptions corresponding to the shuffles are publicly committed before the election. Each shuffle can be by a different organization. There can be different trustees that are responsible for the shuffles. The first shuffle can be by trustee one, the second shuffle by trustee two. And it's called an onion because the first shuffler puts his own encryption, and the second shuffler encrypts the first encryption, and so on and so forth. So finally, when you decrypt, you have to peel off the onion, or keep decrypting using the public key of each trustee. And finally, you get the decryption, right?
And post voting, you keep the mapping between candidates and the serial number, the candidate order, in the shufflers. And depending on the position that you get, you pass the position to the shuffler, and at the end of this you get a public bulletin board. So you have got a public bulletin board at the beginning of the shuffling where every voter can verify that her receipt is there. And then there is a final public bulletin board where all the serial numbers are removed and you have got all the votes in clear text, and anybody with a computer can download this public bulletin board and add the votes and get the output, right? That there's been no cheating at any of the shufflers can be proved using zero-knowledge proofs over the mix-net encryption. There is a paper by Lundin and Ryan in 2008 that showed that one of the mix-net schemes was made compatible with the VVPR. And this required that the votes be encrypted on the VVPR slips, and each VVPR slip at the counting station requires a decryption, which makes it a little unusable, right? So you have to take every VVPR slip and use an independent key to decrypt before you can do a VVPR audit at the counting station. Now that will make counting go on forever. The auditing will go on forever. And again, this paper was relegated to be one of only academic interest. I'm not sure that this mix-net based protocol, this one, has ever been tried. Mix-nets without VVPRs have been tried in large elections in the United States, at the pilot level, but they have not become popular. Those pilots were considered to be failures. So though you can give mathematical proofs that this is tamper free, convincing the public that it is the case is hard, and the public doesn't even understand what is going on. So that's not considered to be a valid or proper election. All right. And both of these are something that have not been used in India, because India decided to move away from hand-marked ballots.
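The onion and the peel-off described above, as an added example that is not code from the talk or from any deployed mix-net: a decryption mix-net over ElGamal in a constructed toy group (p = 2039, q = 1019, g = 4; real systems use 3072-bit moduli or elliptic curves). Each trustee's public key adds one encryption layer when the onion is created, and at counting each trustee in turn peels its layer and secretly shuffles, so the final board holds clear-text votes whose positions cannot be linked back to the input board. The zero-knowledge proof of a correct shuffle that the talk mentions is not implemented; the candidate list, the number of trustees and the sample votes are constructed.

```python
import secrets

# Constructed toy group: safe prime p = 2q + 1, g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4
CANDIDATES = ["Alice", "Bob", "Carol", "David"]   # constructed


def keygen():
    """A trustee's ElGamal key pair (secret exponent, public element)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(pk, m):
    """ElGamal on a subgroup element m: (g^k, m * pk^k) with a fresh k."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), m * pow(pk, k, P) % P


def decrypt(sk, c1, c2):
    """m = c2 * c1^(-sk); c1 has order q, so c1^(q - sk) is its inverse power."""
    return c2 * pow(c1, Q - sk, P) % P


def encode(vote):
    """Candidate index -> subgroup element, so ElGamal applies cleanly."""
    return pow(G, vote + 1, P)


def decode(elem):
    for v in range(len(CANDIDATES)):
        if pow(G, v + 1, P) == elem:
            return v
    raise ValueError("not a valid vote encoding")


def make_onion(pks, vote):
    """Layer the encryptions: innermost for the last trustee, outermost for the
    first. Each layer encrypts every element of the previous layer, so the
    onion doubles in size per trustee."""
    layer = [encode(vote)]
    for pk in reversed(pks):
        nxt = []
        for elem in layer:
            nxt.extend(encrypt(pk, elem))
        layer = nxt
    return tuple(layer)


def peel(sk, onion):
    """Remove one trustee's layer: decrypt consecutive (c1, c2) pairs."""
    return tuple(decrypt(sk, c1, c2) for c1, c2 in zip(onion[0::2], onion[1::2]))


def mix_stage(sk, board):
    """One trustee peels its layer from every onion and secretly shuffles,
    which is what breaks the link between input and output positions."""
    peeled = [peel(sk, onion) for onion in board]
    secrets.SystemRandom().shuffle(peeled)
    return peeled


def run_mixnet(votes, n_trustees=2):
    """Build the input board of onions, run every trustee's mix stage in order,
    and return the sorted clear-text votes from the final board."""
    keys = [keygen() for _ in range(n_trustees)]
    pks = [pk for _, pk in keys]
    board = [make_onion(pks, v) for v in votes]   # first public bulletin board
    for sk, _ in keys:                            # trustee 1 peels first, then 2, ...
        board = mix_stage(sk, board)
    return sorted(decode(onion[0]) for onion in board)


if __name__ == "__main__":
    print(run_mixnet([0, 1, 1, 3, 2]))   # constructed votes
```

Because no single trustee holds all the keys, one honest trustee is enough to keep the permutation secret; what the code does not give you is the proof that each trustee decrypted and permuted rather than substituting votes, which is the zero-knowledge step the talk says makes the construction publicly verifiable.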
And I'm told that India's reason for moving away from hand-marked ballots is that a significant percentage of our population is unlettered. These are people who have never held a pen, or are not used to stamping. And they apparently did not put the tick in the right location. So they put the tick in between the two candidates, or put the stamp in between the two candidates. And that resulted in a huge number of ballots getting wasted. So the invalid ballot problem was incredibly high, especially in the rural constituencies of India. And this is the reason why the Election Commission of India in the early 2000s decided not to use paper ballots. They discarded this. The US does not use a DRE, direct recording electronic system, at all. It's almost always a paper ballot and scanning system. So they are culturally more tuned to it. And that's the way it works. Most places that use a ballot use a hand-marked paper ballot. But India uses a DRE system, which is direct recording electronic. And making those verifiable, as I mentioned a little bit in the last class, is much, much harder, because the record is of an intent. You know, the proofs that one has to give turn out to be particularly complicated. So there is one system by Adida and Neff called MarkPledge. There the voter needs to get into a challenge-response with the machine. And the voter has to repeatedly match five-digit strings several times. So it's an interactive cryptographic proof between the voter and the EVM. And you can guess that's not popular. So that's just a paper. STAR-Vote, on the other hand, is a 19-author paper by Rivest, and all those people are on this paper. This is a completely provable DRE protocol, which I will not describe. I'll describe something we have cooked up, similar to this. This has been deployed and tested in large elections in Germany, pre-banning, actually post-banning.
This was tested with the Supreme Court's permission, I think in Sargruk, post-banning in Germany. And this was also tested in some US elections. This supports VVPR, but the way that you give a proof to your voter that their vote has been recorded correctly is that you encrypt the vote, this is homomorphic encryption. So you encrypt the voter's vote, and then the voter can challenge that: show me that you have encrypted my vote correctly. This is called cast-or-challenge, casting a false vote and challenging. So if at least 50% of the voters do a false cast and challenge, then you can show that with an overwhelming probability this is correct for all voters. But, you know, casting false votes and challenging is a protocol; whether it is practical, whether voters would be able to follow this protocol or understand the need for it, is a big question. So for obvious reasons, cast-or-challenge protocols are not popular; it's a cryptographic construct that is considered to be slightly meaningless. And STAR-Vote is a great protocol, but it could not quite figure out how to get rid of this step. This step comes up again because it's a DRE machine. You press a button for Congress, and the machine, how does it prove that it has recorded Congress inside? That's a problem, right? That's a problem that requires solving, and that problem is not easy to solve. So with this background, I'll move on and try to build a solution that addresses all of this, right? And as we move along, we'll see that it is not easy. It will make the system somewhat complicated, right? And whether it is too complicated or easy enough is a subjective decision. But at least technically all these problems can be addressed, and that's what we will end up showing. So I'll need some crypto basics, right? I'll try to keep this very, very simple, but since it is crypto based, I couldn't figure out a way to avoid the basic crypto, right?
So I'll need exactly two things. The first one is the notion of a commitment. What's a commitment? A commitment is that you commit a value, like X is equal to five, right? So you commit the value five to X, and the metaphor is that you put it in a box; you commit the value, you put it in a box, you keep the key and give away the box, right? So your commitment is a secret. Nobody can peek inside the box and see what you have committed. That's not possible. So this guy will have to keep on wondering what the number is forever. And you cannot change the value, because you don't have the box. You've retained the key, but you've given away the box. So you cannot change the value. Once you have committed, you have committed, right? There's no going back on it. That's the metaphor. At a later point of time, you can reveal the commitment, and say at the end of the protocol, look, check for yourself that I've committed five. So that's the notion of a commitment. Cryptographic commitments were invented around the 1980s by John. The other concept that I require, again from the mid-80s, is something called zero-knowledge proofs. In a zero-knowledge proof of knowledge, you give a mathematical proof, typically interactive, that you know something, without revealing any information, not even a bit of information, about what you know, yet giving a convincing proof that you know the value of X. So you know the value of X, without conveying any information other than the fact that you know the value of X, right? Nothing about X. So your adversary can glean no information about X whatsoever. So what are the examples? An example is that you prove that you're of drinking age.
And this is an example I use for teaching IIT students: you prove that you're of drinking age, but you don't reveal your age or show any certificate or whatever, but give a mathematical proof that you are above X in an interactive manner, without revealing anything about any certificate or age. That could be a zero-knowledge proof. Or you could give a proof that you know two prime numbers P and Q, so you know the factorization of N, but without telling them what P and Q are. So factoring composites has been a challenge in computer science, and we have not been able to find a good algorithm for this. In fact, there is no known algorithm to factor a number, like 15 as 3 into 5. Of course, we can do it for small numbers, but for large numbers, something that has got, say, a thousand digits, we don't know how to solve this problem. So multiplication is easy, but factoring is hard. So you can say that I know prime numbers P and Q such that N is equal to P times Q, but I won't tell you what P and Q are. That could be a zero-knowledge proof. Or, C is an encryption of M, but I won't show you the key; I'll tell you that this is a ciphertext of a message M without showing you the key. Or, this is a commitment for a message M, but I'll not open the commitment; I'll give you a proof that this is a commitment of this message. So these are all zero-knowledge proofs. These are incredibly powerful techniques, called interactive proofs, that were invented. And for almost any statement that can be described in NP, which is by a non-deterministic Turing machine in polynomial time, there is a zero-knowledge proof. A zero-knowledge proof exists. So almost any NP statement can be proved in zero knowledge. That's a very, very powerful result by these gentlemen. So I won't get into the theory of zero-knowledge proofs, but I'll use zero-knowledge proofs and say what they give. And I will require this notion of modular groups.
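The "I know x but reveal nothing about x" idea from the discrete-log flavour of these examples, as an added example that is not code from the talk: Schnorr's interactive proof of knowledge of x with y = g^x in a constructed toy group (p = 2039, q = 1019, g = 4), together with the simulator that produces accepting transcripts without knowing x (which is why the proof is zero-knowledge) and the extractor that recovers x from two answers to the same commitment (which is why it is a proof of knowledge, and why the nonce must never be reused). The group parameters and the sample secret are assumptions for illustration.

```python
import secrets

# Constructed toy group: safe prime p = 2q + 1, g = 4 generates the subgroup of order q.
# Real deployments use 3072-bit moduli or elliptic curves.
P, Q, G = 2039, 1019, 4


def prover_commit():
    """Round 1: prover picks a fresh nonce k and sends t = g^k."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)


def verifier_challenge():
    """Round 2: verifier sends a random challenge c."""
    return secrets.randbelow(Q)


def prover_respond(x, k, c):
    """Round 3: prover answers s = k + c*x mod q, which needs the secret x."""
    return (k + c * x) % Q


def verify(y, t, c, s):
    """Verifier checks g^s == t * y^c. This holds iff s = k + c*x (mod q)."""
    return pow(G, s, P) == t * pow(y, c, P) % P


def run_protocol(x):
    """Completeness: an honest prover who knows x always convinces the verifier."""
    y = pow(G, x, P)
    k, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, k, c)
    return verify(y, t, c, s)


def simulate(y, c):
    """Zero-knowledge: without x, pick s first and solve for t = g^s * y^(-c).
    The transcript (t, c, s) is distributed exactly like a real one, so a
    transcript conveys nothing about x beyond what y already says."""
    s = secrets.randbelow(Q)
    y_inv_c = pow(y, (Q - c) % Q, P)   # y^(-c), since y^q = 1
    t = pow(G, s, P) * y_inv_c % P
    return t, s


def extract(c1, s1, c2, s2):
    """Proof of knowledge: two accepting answers to the same t with different
    challenges pin down x = (s1 - s2) / (c1 - c2) mod q. This is why a prover
    must never reuse the nonce k."""
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q
```

The simulator works only because it picks the challenge itself; a real verifier chooses c after seeing t, which is what stops a prover who does not know x from passing with better than 1/q odds per run.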
Let me see if I can explain this correctly. We will be talking about these sets called Z_n, which is the finite set of remainders when divided by n. So if I divide a number by n, the remainder cannot be greater than n. The remainder has to be in zero to n minus one. So these are the set of all remainders when divided by n. That's called Z_n. And Z_n supports two basic operations, addition and multiplication, in the obvious way. So 11 plus 13 is 24, and if I divide that by 16, the remainder is 8. So we say that 11 plus 13 is equal to 8 in the mod 16 operation. Or 11 into 13 is 15 in the mod 16 operation. So this is how we do additions and multiplications in modular groups. And why do we call it a group? A group is a set like this with an operation such as multiplication. And it is closed, which is to say that if I take any two elements from this set and do a multiplication, I get back an element of this set, because I always divide by n and get back an element of this set. And if every element has an inverse element, then we say that this is a group. So there is a well-defined algebra. And a group is cyclic if there is a special element such that every other element can be obtained by raising that element to powers. So if that can happen, if every element of a group can be written as g to the power x for some integer x, then we say that the group is cyclic, and we say that g is a generator for this group. Any cryptographic operation requires a modular group of some sort. So we choose p a prime. If p is a prime, then we can show that the multiplicative inverse exists, and then this is a multiplicative group. And in cryptography, you almost always choose a group like Z_p. And you choose large primes, p and q, typically how large? You know, for contemporary security, you choose p and q to be, you know, a 3072-bit modulus.
Actually, for technical reasons, we will be forced to work on elliptic curves, which are like modular groups. But I don't, you know, we require 1.8 bit for elliptic curves, but let's just take the modular groups, forget the elliptic curves. So we require p and q to be large. Really, really large numbers. And we use G_q to be a unique cyclic subgroup of Z_p. And we choose two generators, g and h, for the group. So we choose a very large group, you know, of 3072 bits. And we choose two generators for it, g and h. And how are these chosen? Typically in cryptography, these are publicly chosen. Publicly chosen like, the randomness to generate the group, you pick up from a hash of the first page of the Indian Express. Pick up some public text, or New York Times fourth page, first paragraph, right? Hash it and get the randomness. And anybody can generate these group members g and h. So it's publicly announced. And what is assumed is that the discrete logarithm of g and h is unknown to anyone, and nobody will be able to compute this. Actually, you can show that this problem is exactly the same as finding prime factors of a large composite, which nobody knows, as I mentioned, how to do. So nobody knows how to solve a discrete log. So the assumption is nobody will be able to compute the interrelationship of g and h, but both are generators. So that's all the crypto that we require. So let us move on. And once we have this crypto, we need a specific form of a commitment. This is a very popular commitment in cryptography called the Pedersen commitment. And how do you compute it? Suppose you have got a message rho from that group. You compute the commitment as g to the power rho times h to the power r. Note that g and h are public generators. r is the key for the commitment. rho is the message. So you compute the commitment as C. And this Pedersen commitment is perfectly hiding. Why? Because given C, all messages are equally probable.
So C leaks no information about the message, none whatsoever. That's what is called perfectly hiding. And the Pedersen commitment is also computationally binding. What does it mean? It means that suppose C is made public, computed as the commitment of rho; to later say, to change the message to a rho′ with a new r′, will require you to solve the discrete log. So to fake a commitment is almost impossible. We are assuming that nobody has the computational power to be able to fake a commitment. So a commitment is computationally binding. Once given, the message is sealed forever. Nobody can change the message once a commitment is issued. And the commitment does not give any information about the message. And the Pedersen commitment is also additively homomorphic, which is to say that if C1 is a commitment for rho1 and C2 is a commitment for rho2, then C1 * C2 is a commitment for rho1 plus rho2. This is something that we will use out there. I'll give illustrations of this. So it is not terribly important that you understand it completely, but you have to understand the notion of what a commitment is. A commitment is computed in this way. And a commitment once made cannot be changed. That's the take-home message. That's the very minimum that you need to understand. So I'll give you three concocted protocols, completely untested, not even implemented. I'm not even sure that we are ever going to implement this. These are just the results of some profitable discussions in IIT Delhi. But I thought that I'll explain these protocols in a sequence. We call it Desi Voting, so that I'm able to illustrate what a voting system will look like. So the first version I'll use not a DRE, but a Prêt à Voter style hand-marked ballot. So the ballot will look like this, again a random order of the candidates. Since it is Desi Voting, I should have used names like Lallu, Kallu, Billu, perhaps.
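The Pedersen commitment and its three properties, as an added example that is not code from the talk or from the Desi Voting protocols: C = g^rho h^r in a constructed toy group (p = 2039, q = 1019, g = 4), with h derived by hashing a public string as the talk suggests, an opening check, the additive homomorphism used the way a tally audit would use it (per-vote commitments multiplied and opened against the announced total), and, because this group is small enough to brute-force log_g h, a demonstration that binding is only computational: with that logarithm the same C opens to a different message, which is also exactly why the commitment is perfectly hiding. The public seed text and the sample votes are constructed; in a 3072-bit group the brute-force step is infeasible and the forgery is out of reach.

```python
import hashlib
import secrets

# Constructed toy group: safe prime p = 2q + 1, g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def derive_h(public_text):
    """Second generator from public text ("hash the newspaper"): hash, reduce
    mod p, square to land in the order-q subgroup. Nobody should know log_g h."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{public_text}|{counter}".encode()).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)
        if h not in (0, 1):
            return h
        counter += 1


H = derive_h("constructed public seed text, not a real newspaper page")


def commit(rho, r=None):
    """C = g^rho * h^r mod p. rho is the message, r the key. Returns (C, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, rho % Q, P) * pow(H, r % Q, P) % P, r


def open_commitment(c, rho, r):
    """Anyone holding (rho, r) can check that C really commits to rho."""
    return c == commit(rho, r)[0]


def verify_tally(commitments, claimed_total, total_key):
    """Additive homomorphism: prod C_i = Com(sum rho_i, sum r_i). Publishing the
    per-vote commitments plus the aggregated key lets anyone audit the total
    without learning any single vote."""
    product = 1
    for c in commitments:
        product = product * c % P
    return open_commitment(product, claimed_total, total_key)


def demo_tally(votes):
    """Commit to each vote (0..M-1) with a fresh key, then audit the total."""
    committed = [commit(v) for v in votes]
    commitments = [c for c, _ in committed]
    total_key = sum(r for _, r in committed) % Q
    return verify_tally(commitments, sum(votes), total_key)


def toy_discrete_log(target):
    """Brute-force log_g target. Feasible only because q = 1019; in a 3072-bit
    group this is precisely the step assumed to be impossible."""
    for a in range(Q):
        if pow(G, a, P) == target:
            return a
    raise ValueError("not in the subgroup")


def equivocate(rho, r, new_rho, log_g_h):
    """Binding is only computational: with a = log_g h, C = g^(rho + a*r), so
    r' = r + (rho - new_rho)/a opens the same C to new_rho. The existence of
    such an r' for every new_rho is also why C hides rho perfectly."""
    a_inv = pow(log_g_h, -1, Q)
    return (r + (rho - new_rho) * a_inv) % Q
```

The tally check is the commitment-side analogue of the homomorphic counting from Scratch & Vote: the individual keys stay private, only their sum is published, and a single wrong commitment makes the product fail to open to the claimed total.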
So I'm sorry about these Anglo-Saxon names, but yeah, so continuing with David, Bob, Alice, and Carol. Those come in random order. You've got a right-hand side for marking and you've got a left-hand side. And votes are 0 to M minus 1. So we are assuming that even if it's a multi-race election, the ballots for one race are not confused with the ballots for another. If you have multiple races, just have another table, and the ballot for the next constituency is separate. So that's how you can choose which race you are voting for. But every vote is between 0 to M minus 1; it represents an integer between 0 to M minus 1. So what is the voting process? So I made a mistake. It's not blinded RID, but it should be CRID, the commitment for the RID. So every ballot has a random ID, which we call RID, and this RID is contained in the left part. And the commitment for the random RID and the commitments for these votes are in this QR code on the right-hand side. And this top half contains not the blinded RID, but the cryptographic commitment for the RID, contained in this QR code. This contains the RID and so on and so forth, and this contains all the commitments. What is the voting protocol? The voter detaches the top right part, this part, and gives it to the polling officer for scanning. So each ballot is indexed by the CRID, not BRID. I made a mistake out there, so read CRID. And the EVM scans the QR codes and the vote of the marked ballot, and stores it indexed by CRID, and prints the RID and the vote on a slip, on the VVPR slip. So it reads who you voted for. It scans the two halves. It notes the RID from here, notes the CRID from here, and prints the VVPR slip. It is visible but not detachable. Then it asks the question: are you really happy? Did you really vote for Bob? Have I scanned it correctly? So you have at this stage an option of saying no or yes.
And if you say no, then that has to be communicated to the polling officer and the polling agents sitting outside through an independent channel, which does not go through the EVM. This can simply be shouting, or lighting a bulb, another button to light a bulb out there, saying whether you agree with what has been printed on the VVPR or you disagree. So if you disagree, the word "cancelled" is printed on this VVPR and it drops into a box. And if you agree, it just drops into a box. The voter takes the remaining part of the right-hand side as a receipt back home. So this protocol, how will we prove it? I'll come to that later. But this obviously has some secrecy issues. What are the secrecy issues, which will be considered unacceptable in a voting system? First, the EVM gets to know your vote. So the EVM knows who you voted for, because it has to print the vote out here. The EVM also knows the random ID and the commitment. It knows both. So you have taken this away as a receipt, which has the CRID in the part of the receipt. So the EVM knows that the person with the receipt indexed by CRID has voted for Bob. So if the EVM leaks this information, then voter secrecy is completely lost. This is something that cannot be considered acceptable in a voting protocol. In an EVM, this is not true: in the Indian EVM that is used, it only knows your vote, but it cannot relate the vote to any kind of RID. So why am I relating it to an RID? So that I can give a proof later. But being able to give a proof later makes me compromise certain secret information, which may not be acceptable. But let's move on with this understanding. And then at the end of the polling, I put up all information on a public bulletin board from the EVM. So you have got your RID in the QR code, and you've got the commitment for all the candidates. In this case, since the tick is in this position, you will pick up Bob.
And you can match your receipt at the bulletin board, which has got that CRID has voted for Bob. So the CRID is known to everybody. Your receipt you can give to your friend, and the friend can go and verify that it is indeed on the bulletin board. And this signature by the PO ensures that the holder of the receipt CRID has indeed completed the voting according to the protocol, did not cancel, and so on and so forth. So note that this CRID was detached and given to the PO. Once you have completed the polling, the PO signs this part and uploads, either through the EVM or later, to the bulletin board. A second bulletin board is collected from the EVM, where we have all the RIDs and the clear-text votes. So all the RIDs and the clear-text votes are consolidated in a second bulletin board. Note that the elements of the first bulletin board are receipts. These cannot be linked to the second bulletin board. If these were linked to the second bulletin board, then everybody would know that the person with this receipt had voted for Carol, and so on and so forth. So we give a proof in zero knowledge that the two bulletin boards are in one-to-one correspondence. So for every entry in bulletin board one, there is one and only one entry in bulletin board two. This proof is given in zero knowledge: we construct a ZKP about the one-to-one correspondence. So any member of the public can verify that for every entry on the first bulletin board, there is an entry on the second bulletin board, and these are all the receipts. And we assume that a statistically significant sample of the voters will verify that their receipts are present on bulletin board one. So anybody can publicly compute the tally. This protocol ensures correctness. This protocol cannot be hacked. To hack this, you have to hack a cryptographic commitment or hack the zero-knowledge proof, which is considered to be next to impossible in cryptography. So this is an unhackable system.
But of course, there is a possibility of leakage of information from the EVM. So if the EVM leaks out information, for example in some ultrasonic band, it keeps shouting that, look, look, this guy just voted for Congress, this guy voted for BJP, this CRID voted for this. Since it has all the information, if it leaks it out, then the mapping between the two bulletin boards will become public. And that will be considered unacceptable in an election. So see that this brings out the problem that if you have to give a verifiable proof, you have to keep this RID information with you somehow, and these commitments somehow. But the moment you keep this information, there is a possibility that you will leak this information. And if you leak this information, then the voting becomes public. So this is another reason that you don't use cryptography: your ability to keep this information secure must always remain in question. Whether you can keep a machine like an EVM secure so that it will not ever leak information is almost always an untenable assumption. And hence there's a certain amount of risk in using a protocol such as this. Okay, but let's move on. So what is the summary? It is end-to-end verifiable. The correctness is mathematically provable. Electronic votes are in one-to-one correspondence with the VVPAT slips. So verifiability is not in question. This is strongly software independent. If at any stage any commitment is wrong, the ZKP will not work, or your receipt will not be found on the bulletin board. So this is strongly software independent, because if you find that this receipt does not match, then you know which polling booth it has come from, because the polling officer's signature is there. And you have no other option but to do a repoll in that polling booth, but you don't have to do a repoll everywhere. So you know exactly which entry does not match. So you can recover from an error by doing a repoll in a localized domain.
So it's strongly software independent. It is susceptible to incorrect ballot marking. So if people don't mark their ballot correctly, that becomes an invalid vote. The EVM gets to know all of these, RID, CRID, the vote, and can leak information. So that's a real danger. Now, Prêt à Voter is also vulnerable to a coercion attack, a randomization attack. Like, for example, the neighbourhood goonda can tell you that, look, I want you to vote in the second position. Your receipt had better have a tick mark here. Now, what does it mean? It means that if the coercer, the neighbourhood goonda, knows that you are unlikely to vote for his party, then he can ensure that your vote is randomized, right? That you vote for your party with probability one-fourth, for his choice with probability one-fourth, and for somebody else with probability half. So if you know that there's a person who comes from a community which is not likely to vote for you, then you can force them to vote for a random candidate. And that would be considered an attack which is not acceptable, right? That's a problem with actually all Prêt à Voter kinds of systems. So that's a big problem, right? So the verifiability is okay, there is a coercion attack that is possible, and there is a clear secrecy problem. Okay, right? Okay, let us look at a DRE version of this protocol. So that is, say, voting two: I'll try to address some of these problems with a DRE system. Now, the DRE system won't solve this problem, but it will introduce more problems. What is the DRE problem? The DRE problem is that you are now pressing a button instead of putting a tick. Now that immediately brings in a new problem of contestability, dispute resolution. So I have to give a proof that if you have pressed two, I have recorded two and I've not recorded three. So that makes the problem a little more difficult.
Now the Indian EVM does not give the proof, and hence it is not verifiable. So any verifiable system will have to give a proof that I have recorded your vote. So the ballot has changed a little bit. So it's not a ballot, because now you're pressing a button. So it's a pre-ballot. So it's still a paper. This part still has the CRID, exactly the same, for the polling officer. This part has the commitment for the RID, which is CRID, and has a commitment to U, an obfuscation token for you. So I'll tell you what the obfuscation token is for. So you take the RID and U as random from Z_Q, and put them in the left QR code. These are the ballot secrets, RID and U. In the right QR code, you put the commitments CRID and CU. And these numbers are a one-time pad, so that corresponding to Alice I have got V, and these W's are U plus V mod Q, mod M. So these are numbers, cyclic numbers, so that they obfuscate your vote. So U is used to hide the vote V, and note that this is perfectly hiding. Addition is a perfectly hiding operation in modular arithmetic. So that the number three corresponds to Bob cannot be found out unless I give you the one-time pad. So it's completely hidden out there. So that's the ballot. So what is the protocol now? The protocol is that you take your ballot, pick up a ballot randomly, and by assumption all ballots are correct because they're all auditable. So you assume that the ballots are audited. Any ballot that you have picked up is a correct ballot. You go to the polling machine, and the first thing you do is that you cast your vote. And the moment you cast your vote, the EVM prints out a commitment for the vote. Using the public parameters G and H, it prints out a commitment for the vote. This is the partial receipt. It's printed, but you still cannot get at it.
So the first thing, before the EVM can see your ballot, it gives you a commitment that this is the vote that I recorded. Then it says that, okay, put your ballot in the scanner. Please get it scanned. So you just get your ballot scanned, and the EVM then computes and prints W out here. So if you have cast for Bob and the W against Bob is three, the EVM independently computes from U plus V that it is three. And it asks you, and also prints out on the VVPAT slip the RID and Bob, and says, do you agree that this is correct? The number three is correct and what I have printed on the VVPAT is correct. So at this stage you can cancel, in which case both of these will be marked cancelled and discarded, and you will be asked to vote again with a new ballot, or you can say okay. And if you say okay, then this VVPAT will drop into the VVPAT sack. And you are given a proof. You are given a printout in a QR code; you know, the CU is on your ballot already. So you are given a printout of the keys RU plus RV, and you are given a proof that CU star CV is a commitment for U plus V. So you are given a mathematical proof, and this proof is part of your receipt. You can take it back home and give it to anybody, give it to Hasgit if you trust them, and say, verify that the proof is correct. So what Hasgit can do from your receipt is that the receipt has CU. The receipt that you take from the pre-ballot has CU. This has got CV. So Hasgit can do this multiplication. G and H are publicly verifiable. So it can verify that this indeed is a commitment for W, which is U plus V, with the key RU plus RV. And note that it does not reveal U, it does not reveal V, but it reveals the addition, which is perfectly hiding. And this constitutes a proof that the commitment CV is correct, because CU is correct by assumption, by the audit of the ballot. That CU is a correct commitment.
CU star CV is a correct commitment to U plus V, which Hasgit can verify for you, and this in turn would imply that the commitment for V that the EVM has given you is also correct. So this is a proof, a zero-knowledge proof, that your vote has been recorded correctly within the EVM, and the election commission cannot ever go back on the vote. So if you don't accept it, then you have got a denial-of-service attack. So you keep pressing error, get a new ballot paper, and do this a thousand times. Then somebody will have to evict you out of the polling booth. So it's a partial dispute resolution. So they have to keep on giving you a second chance, and if you keep saying that every time the EVM is doing wrong, then you have to be timed out at some point in time. But if you ever accept it, then you cannot raise a dispute anymore, because the EVM has given you a proof that it has recorded your vote correctly. So this is a way a DRE protocol can give you a proof that your vote has been recorded correctly. The rest of the protocol remains exactly the same. There are two bulletin boards, bulletin board one and bulletin board two. The risks are also the same. The EVM gets to know all your votes, all your secrets. If the EVM leaks information, then you are gone. If the ballot leaks information, then also you are gone. That compromises secrecy in a trivial way. But we have so far taken care of the verifiability problem, and we have taken care of the problem that we can give a proof that we have recorded your vote correctly. So the only remaining problem is secrecy. That is something that I'll address in the third protocol. Give me another five minutes and I'll take care of the third version of this voting, which will be secrecy preserving. So what is the protocol? I'll just describe it in one page. Covered ballot with five sections. Now I'm not drawing anything. The first section has the CRID for the polling officer's signature.
The second section has RID and U, but this time not in clear text. This time it is encrypted. This is encrypted using a key which is at the back end with the election authority, and it uses any encryption key, any strong encryption scheme, to encrypt the pair RID and U. The third section has the mapping of candidate to W and to a random symbol, where the seed of the random number is generated from the encryption of RID; that itself can be a seed. So the random symbol, think of the random symbol as something easy for the voter to match. Think of it as, it can even be an emoticon, the smileys. So you have got the smiley library; pick up, against each candidate, a W and an emoticon, a random emoticon seeded by the encryption of this. And the receipt contains the CRID, the CV-to-W mapping, RU plus RV, and note that from this part of the receipt no information can be figured out, simply because of the perfectly hiding property of the commitment. So what is the protocol? The EVM scans the encrypted RID and U, and the EVM scans this. Note that this time the EVM does not get to know your RID. It gets to know CRID, but even if it leaks CRID, no harm, because CRID is a part of the receipt and hence public. So RID and U are the secrets, and the EVM doesn't get to know them; it gets to know only the encryption. So the EVM does not get to know what the random RID corresponding to this pre-ballot is. So the voter does not select a vote; the voter selects the number W which is against that candidate, which is U plus V. So the voter selects W, and the EVM prints theta. How does the EVM print theta? Because the EVM has taken the random seed from the encryption of RID. So it knows what symbol has gone against W. So it prints the corresponding emoticon theta. The voter matches the emoticon that the EVM has printed against the one on the pre-ballot, and the voter at this stage has the option of not agreeing or agreeing.
Not agreeing will require you to recast, and if you agree, the EVM already has a proof: this consists of RU plus RV, which gives you a proof that CU star CV has been committed using RU plus RV, so that proof the voter already has. So the voter selects W on sheet two and gives out sheet two, and the EVM prints an encrypted version of RID, U and W on the VVPAT. Now, in this protocol the EVM does not get to know the vote, so the EVM does not get to know any ballot secrets, so the EVM is just a collator. So the EVM can be a cell phone, and anybody can write an app on a cell phone and give it to the polling officer, where the polling officer's cell phone can work as an EVM; the camera can work as a scanner, a simple QR code scanner, and no information can ever leak from the EVM. Think of it from the voter's perspective: there is a lot of back-end cryptography going on, but what does the voter have to do? The voter has to just take the ballot, enter the polling booth, look up the number W against the candidate, press that button on the EVM, right? The EVM will print an emoticon which the voter has to match against the ballot, agree or disagree. That is all the obligation on the voter, and the voter walks out with the proof, which the voter himself cannot verify, but the voter can take it to Hasgit to verify that the EVM has given a proof that the vote has been recorded correctly. When you audit during VVPAT, there has to be a public decryption of all the RID and U, right? So you pick up a VVPAT slip, and all the VVPATs can be encrypted using the same key, which you give to the counting station. So the counting station needs to pick up a VVPAT slip, read the QR code, decrypt, find the vote from U and W so that U plus V is equal to W, that's a small computation, and look up the vote and RID combination on the second bulletin board. So do a random sample of a logarithmic number of votes and you have got a perfectly verifiable election, right?
So you know, all the proofs, the theorems and so on and so forth are routine; they can be easily worked out mathematically, a paper can be written and published in a conference. This is what a verifiable election will look like. Whether it should be used or not used, you know, this is possible: a ballot-secrecy-preserving verifiable election is possible in computer science. Whether it should be used or not ultimately should be the parliament's call; it's what the society feels comfortable with. So with this, you know, I hope I have been able to bring out the issues and the complexities of the process. So I'll stop here, and I'm sure there will be lots of questions and doubts, and I may try to answer these.

Great, thank you, Subhashis. So it was really detailed and interesting. I do not doubt that there's a large number of questions about both the specific cryptographic elements but also details of your protocol. I do wonder if, well, let's just start with this: if anybody has any questions or comments, you can either put them in the Zoom chat if you're following on Zoom, or in the YouTube chat if you're following on YouTube, or you can raise your hand if you're on the call, and we'll try to get as many questions as possible, and they're already coming in. But actually, so we have Taha Ali who has joined us. He is based in Pakistan and has been writing on the challenges...

I have read his articles. He quoted our CC report, and hence it was brought to my attention. I read his articles with great interest, and I thought he wrote an article called "How can we rebuild trust in voting". I think this is actually an article you recommended, because he asked exactly the same question, whether verifiable schemes should be used in elections or not, and he recommended that the question should be asked in Pakistan and taken slowly. I think, if I have read his article correctly, that was his recommendation. So I think that this talk is a partial answer to that.

Yeah, but perhaps if Taha wants to join in and give us a couple of comments or some insights
into his work, now would be a good time.

Yeah, alright. Hello everyone, it's very nice to be here. Thank you for the invite. I'll just start my camera, see if it works. I'll just close the slide sharing. I'll just give a brief introduction to myself. I have a background in information security. I did a post-doc at Newcastle University, this is about six years ago, and the project I was on was on end-to-end verifiable voting. So my supervisor there, Dr. Feng Hao, he had actually developed his own system, which was called DRE-i. So I came back to Pakistan about five years ago, and since then I've been trying to get some sort of research jump-started on this over here, because this is a very neglected area, I've found. In fact, this is the first conversation I've found so far in these five years where people have actually looked at how to develop this technology for the developing world, because all these systems, as you acknowledge, you probably know very well by now, they're adapted for Western environments, where you have a completely different environment, where everyone has access to the internet. It's a completely different ball game. So this has been very, very interesting for me. The question I had for you was: you've described three protocols. Do you have anything written on these? I would be very keen on getting something and studying these in detail properly and just sinking my teeth into these.

You know, this is my PhD student; he's writing it up and he's changing it every day. He writes it up and he doesn't like it and he changes it. So I should be able to ask him to send you an interim version.

Absolutely, please. So I'm now getting to the point where I have some access to, I have a seat at the table in government deliberations and the election commission, and no one really knows about this technology yet, but I'm in a position where I'm able to start the conversation. And the report that I cited, the Indian report, that was a very good introduction in
the sense, I really enjoyed the argument they made, which was that democratic... That's me. That was amazing, that was very nice, and this is an argument that we can relate to. It's something that I haven't seen anywhere else, so I was very, very happy with that. So Pakistan, I don't know if you're following the news, but there are some very aggressive attempts, ambitious attempts I should say, to deploy electronic voting in Pakistan, and I'm trying to somehow inject some sort of verifiability in some way, maybe not the complete end-to-end cycle, but just some small things here and there, and come up with a roadmap where maybe in 8 years or 10 years we could have something resembling end-to-end verifiability. And we're even trying to address some of the smaller questions, adapt those for the developing world, but it's a very big challenge, and no one's looking into it. Apart from, like I said, you're the first people I've discovered who have even thought about it. So this is a very nice thing.

So, you know, from the depositions, I must say that I have not interacted with a large number of Indian voters to understand the cultural aspects at all, but from the people who deposed to the commission, the general consensus seems to be that India needs a DRE. It cannot be a paper-ballot-based system, because a paper ballot apparently forces a person to hold a pen, and the person is not used to it, so that itself is undemocratic. So a button press is apparently good, but that makes it difficult for E2E, because most of the protocols that have come from the USA, in the academic community, are ballot-paper-based E2E systems. There are very few DRE protocols that are there. So that's why we were trying a DRE protocol, and probably it has ended up being too complicated; it's not an easy thing to do. So I don't foresee an E2E system being used in an Indian election in the foreseeable future. It is impossible to even start that conversation; our
election commission is not even willing to listen. So, slightly more lucky here, but yes, please go on. Sorry.

Yeah, so I think our limited endeavour has been to say that, okay, keep on using the EVM, which is fine, but just make the EVM protocols right: do the VVPAT correctly, do the counting correctly and the correlation correctly. E2E we will worry about later. So that has been the limited endeavour of the commission, but for a group like this I thought that E2E is something that I should do.

Right, no, no, this is very, very good. So I agree with you in the sense that it is not possible to have an end-to-end verifiable voting system in the near future. The problems are too much, and it's not just the technical problems, it's also the social problems and the political problems and everything. But again, what I'm keen on is that, so we are going to spend, Pakistan is planning to introduce machines in the next elections or very soon, and we are going to be spending billions of rupees, so that is a huge investment. So at most what I would like is that we come up with some sort of system which can be easily upgraded to some sort of verifiable, I mean, it should have some sort of upgrade option or something like that, so that if maybe five years down the road we do finally develop a system which is end-to-end verifiable, then it should be easy to adjust. I don't know how, I mean, I agree with you. So what I like about STAR-Vote is that STAR-Vote, and even scan technology too, they sort of integrate those verifiable voting techniques with your standard system, and so likewise there are lots of other things, like you can have attestation techniques for these machines, you can have lots of things. So it's an ongoing thing, and I will be very happy to have a separate conversation with you on this next.
I will be very happy to have this; it would be very, very nice. I thought I was alone in looking at these questions, and I am glad to see that there is... I haven't even met anyone in this part of the world who has a solid crypto background. I don't have a solid crypto background, but this is very, very interesting. So I would be very keen to have a separate talk later on sometime, and also to join in and view later sessions of this forum. That would be very cool. So thank you again for inviting me.

Well, thank you for coming and sharing your ideas with us, and I think that's an interesting conversation to continue with. Just a reminder again to people who are watching that you can put in questions and comments through the various mediums; we'll try to get through them all. One thing I was thinking while listening to your talks, Subhashis, was: there's an increasing sense I find in cryptographic communities that there may at some point in the future be significant challenges to certain cryptographic primitives, certain hash functions, or even, for instance, the discrete logarithm problem being solved in some way. And I was thinking, could it be interesting to try to make sure that when you are building a cryptographic protocol for this kind of voting system, future failures in specific primitives would not lead to the historical voting record being exposed? That is to say, if the primitive that you relied on to guarantee the secrecy of the voting failed, and you had some malicious actor who had collected all of the tallying information, they could not go back and say, aha, we know that Subhashis voted for this particular thing back in 2020, or what have you.

So in my talk I use primitives that are computationally binding. For example, I take the hash function, and the commitment, the particular commitment that I use, is a computationally binding commitment. The computational binding property is considered to be a little unsafe in the cryptographic community
because it assumes that you won't be able to factor, or you won't be able to solve discrete log. That does not work in a post-quantum world; so if you have quantum computing, discrete log is no longer safe, right? So cryptography research is trying to solve the commitment problem and the hashing problem in a post-quantum world also. So this is called forever-safe cryptography, right? It looks extremely complicated to me; I would say unusable at this point in time. But you know, as and when you have a post-quantum commitment scheme ready, you can replace the commitment scheme in this protocol with a post-quantum commitment. But yes, I think that all your current schemes, like RSA moduli and so on, they are all based on discrete log, that nobody can solve discrete log. So I think even before voting, I think the first thing that goes is banking; the stock exchange gives me enormous pleasure to even think of it, right? So they have to worry about the post-quantum thing much before the voting system. But yes, that's a big concern, that cryptography as we know it today relies too heavily on computational difficulty that is in danger with the quantum computer.

And Suman, I think, correctly points out that perfect forward secrecy could address the concerns, and even a weaker form of that, which would be simply making sure that you have upfront unlinkability before the tallying happens, would be sufficient, I think. So there are many ways to skin this cat, so to speak.

Yeah, you know, to answer your last question, there is a certain school of thought, and I think I agree with them, that says that if you don't use cryptography and you use a VVPAT-based system, that is sufficient. Now, I don't know about the sufficiency, but that has got some, you know, what is the difficulty is that you cannot ever bring the VVPAT into one-to-one correspondence with the electronic votes; you know, you can match them as a set, but you cannot do one-to-one correspondence. And now if the set does not match, so if your VVPAT
doesn't, say the election does not verify, and if your VVPAT does not meet the electronic count, you have no other option but to do a re-election in that polling booth, which, by the way, India has been avoiding. They just declare the elections; they don't match, and they declare the elections. But ideally you should do a re-poll in that polling booth. So those are the risks of not having verifiability. The other risk is a little bit of, you know, the trustworthiness of the custody chain: that if you take this VVPAT in a sack and put it in a strong room and open it one month later, how do you know it has not been tampered with? And you know, most computer scientists and cryptographers would think that the VVPAT, the trustworthiness of the custody chain, the VVPAT is the weakest link in the election. But the society doesn't seem to think so. You know, the society is perfectly happy with sealing the sack and putting it in a trunk and sealing the trunk and putting paper seals on it, and so on. So in a democracy, if people are happy with it, that is what should work, in my opinion. Ultimately the electorate should be happy that the election outcome is correct, whatever be the method; it does not have to be mathematically proved. So right now I ask these questions of the people who deposed to our commission, and they seem to think there is nothing wrong with sealing the sack and trusting the custody chain, right? And nobody seems to think that that is a problem. That is not a problem; you don't need to, you are good with traditional trunk safety methods.

So just to put this into perhaps a bit of contention: so when you are doing things, say, traditional paper-pencil balloting, you know, there is a tendency to pretend that that is not a cryptographic protocol. Now, I think that in fact it is; it is just a highly informal and really leaky one, but it is one that is sufficient. And so saying we are not using cryptography is in a way a bid to say we are not going to formally specify what the system does.
Yes, you know, I am not sure whether you can call it cryptography, but it is definitely an administrative process that you don't understand.

Yeah, the word cryptography means specific things.

I, for one, definitely don't understand what keeps this VVPAT slip safe. You know, these are very complex protocols; this requires Form 17C, Form 20, the various forms that you need to fill up, this guy signs, that guy signs, and so on and so forth. So if you ask them, at the end of the day, can you prove that this is correct? You know, nobody seems to answer that question, but they all seem to believe that if you sign all these forms and you hand out these forms and you seal it up, then that's a correct protocol. Now, ultimately I have come to the conclusion, I am growing old, I am realizing that correctness need not be mathematical; correctness is ultimately what people believe in, and if they believe in those forms and the signatures and the administrative processes, then so be it. And in this country people seem to have enormous faith.

But so there was a comment from Suman earlier about when using cell phones at any part of the voting process, we are opening up to denial-of-service attacks, signal jamming, and I think we could expand that comment to also just talk about the device itself being hijacked or somehow compromised.

So cell phone was a loose use of the word. I am saying any simple device that has got a processor and a camera and can run an app, and it does not even have to be online; it has to be actually offline. So what I am saying is that if you have a software-independent process, just by the very fact that it is software independent, you don't have to design special hardware or software. If the software does something wrong, it will become evident: your election will not verify. So why your cell phone, or any device of that type, any microprocessor that you can pick up, together with a camera? Because that device will not even get to know the vote. It will
just collect some information and pass on some information, and if it passes it wrongly, that will get caught. So it cannot leak any information, so anything that it is doing it can make public without causing any harm. So the ask from the device is reduced if you use an E2E system which is verifiable and software independent. Otherwise you have to get into a massive process of hardware certification, which itself leads to a very complex kind of problem; I think that the problem is largely unsolved.

It also eliminates the biggest concern that people tend to have with these kinds of problems, which is exactly that the device itself cannot be trusted. You are just saying, we don't care if the device is trustworthy; the only thing we care about is that it verifiably transmits information. Sankarshan's comment here kind of brings us back to where we were a moment ago, about rituals of correctness, an interesting concept. It makes me think of, just in general, how faith in any society or any government is very much based on just, do people feel okay with things, and if that fails to a sufficient degree, then uprisings happen, or revolutions, or what not. So generally speaking, as long as everybody is more or less happy, everything is going to be fine.

Completely.

Suman puts in another question: aren't we getting to where we require an EVM to provide a good enough pseudo-random number generator and support a high enough quality hash algorithm?

No, really, because the random number generator in the protocol that I presented is not a part of the EVM. The random number comes from an encryption function or a hash function; you just pick up the randomness from somewhere, and the randomness is required to do... In our protocol 3 it is a very, very deterministic computation and a very simple computation: it is just scanning and recording and passing it on. It doesn't have to compute a hash function; it just has to compute a commitment, you know, which is sort of trivial to do, and so that is a low-order polynomial time
complexity; it can be done in a low-end microprocessor also. So from the EVM... I think that in the computer science community, when you design a protocol, you always try to reduce the ask from the hardware. A good cryptographic protocol is one that does not have any ask from the hardware. Though the more interesting question is, then what do you do at the back end? Because in the back end you have to keep all the secrets, you know, because you are giving a zero-knowledge proof, so you need to have all the secrets in the back end. So there is a lot of security assumption at the back end, not at the front end. The front end has to be nothing. At the back end you require enclave computation, you know, you require either secure multiparty computation, which is a cryptographic protocol, or you have to have a regulator put the Election Commission of India's software under regulatory oversight and do some kind of trusted computing environment with remote attestation. There is no other way. So you have to trust the hardware there. But then the hardware in the trusted computing environment domain has made a lot of progress, and you can remotely check that a software with a pre-computed signature is the one that is running and nobody has altered or tampered with that computer. So companies like Intel and IBM, they are producing hardware that gives you that, so that gives the regulator a lot of choice to enforce an untamperable secure computation. I believe that ultimately, at some level, that hardware will be required. You cannot probably do it entirely with cryptography; some secret keys will have to be maintained, cryptographic assets will have to be maintained, in a trusted computing environment. And I think the cryptographic community understands, and they say that somewhere at the core, at the heart of it, there is a hardware trust that is required, but it is better at the back end than at the front. Getting a trusted computing environment on your smartphone has not happened; we will use it on an Intel
server I think it is that is running on bare metal you cannot do it on a virtual machine but on a bare metal machine with so I think trusted computing is an approximation of trust available on smartphones as we talked about last time with inside the SIM card inside the SIM card I am not entirely convinced because I think the SIM cloning is a problem but I think that what you require is something like Intel's SCX software guard extension so even that is hacked through side channel but Intel is coming up with better and better ones but is just like trusted computing environments are available on the smartphones these processors also have it except that Apple does not give you access to it they keep it for themselves but these also have trusted computing environments that only Apple can touch and nobody else can touch and they don't expose the remote attestation but there is no reason why that should not be possible so I believe that sooner or later trusted computing environment with remote attestation has to come on smartphones so otherwise you cannot beat the privacy problem security problem at all ever it cannot be done with cryptographic there has to be trusted computing no verifiable trusted computing environment in your cell phones it is there on the big servers but it has to also come on cell phones I am not seeing any more questions I think maybe we do one last ask if anybody has any comments to make speak now or forever hold your peace I do think compared to last week we were talking about laying the groundwork a lot for this session more down to earth things this was too technical I guess this was very technical I have been thinking about these things and reading about these things for many years and yet I struggled a little bit so I will have to go back I couldn't figure out a way to do the cryptography a cryptographic protocol without the cryptography so what I will do is I will mail the slides to some questions and if there are questions I can always take 
them on and email absolutely and I think at least for myself I expect some others might feel the same way the what you are presenting it isn't necessarily intractable to think about it, it takes a while to process afterwards you need familiarity yeah exactly so if that is all maybe I will just thank you for an excellent session it has been very informative and it gave me a lot to think about so if you want to make a final comment otherwise I will handle it I am good I think some questions hasn't been announced yes so some questions yes I did get much to announce next week's session but I will come to that I know we have gone longer than usual but this was required and I know we are framing this session as technical but I also think that to be able to understand the topic correctly we need this foundation and we need to process this over a period of time to be able to understand and examine issues arising out of technologies being introduced ad hoc it is not just India to cross the subcontinent and in other places there is this great criticism around technology especially when it comes to electoral democracy I think this is a conversation that will continue so a couple of things that I wanted to line up one is we are going to have more of these sessions and we are looking for two things one feedback obviously the other thing is if any of the participants both here and on the YouTube stream feel that we should include other experts from various domains please to reach out to us and we will sort of build our network and have conversations that are equally enriching because when we learn from experts and when we share ideas we will be able to understand this topic in more detail so that's one the second thing is please join the telegram group for Kharana even though sometimes it's silent there are days when there's a whole lot of discussions so that was the second pitch the third one of course is the session that's coming up next next week same time on Saturday we will 
be talking with Kannan who is going to provide us with an interesting concept of how it all works out in the field let's say you are actually a returning officer or involved directly as an administrator in elections how does all of that work out what are the challenges what are the guidelines that they receive and so forth I'm not going to do anything more than teaser provide that teaser please look out for the announcement of the talk that's coming up and I would hope that all of you will be able to make time next week of course Saturday afternoons and evenings are very precious but you still chose to be here we deeply appreciate that the transcripts for these two sessions would be posted as soon as we can get through it and that provides a basis for lot more other conversations that will spring up