Real World Experiences with Bingo Voting and a Comparison of Usability
Michael Bär 1, Christian Henrich 1, Jörn Müller-Quade 1, Stefan Röhrich 2 and Carmen Stüber 1

1 Institut für Algorithmen und Kognitive Systeme / E.I.S.S., Universität Karlsruhe (TH), Karlsruhe, Germany, [email protected], {henrich,muellerq,stueber}@ira.uka.de
2 Rohde & Schwarz SIT GmbH, Am Studio 3, Berlin, Germany, [email protected]

Abstract. A real-world experience with a verifiable voting scheme is described. The Bingo Voting scheme was employed in a complex election where students could vote in up to five out of 15 races, with the largest election having more than 70 candidates. Furthermore, vote-splitting and cumulation were possible. Based on this real-world experience we compare the usability of Bingo Voting to the usability of Prêt à Voter, Punchscan and the scheme by Moran and Naor.

Keywords: secure electronic voting, usability

1 Introduction

This work presents the first practical experiences with the novel voting scheme Bingo Voting [1] as well as a comparison of Bingo Voting to other schemes that also provide verifiable elections. In January 2008 Bingo Voting was employed in a student parliament election at Karlsruhe University. This election comprised 15 different races with the largest having more than 70 candidates. Hence the main focus of this work is the usability of the scheme for a complex election. Furthermore we describe the additional security measures which had to be taken to ensure that only registered voters could vote, and vote only once.

The correctness of an election with Bingo Voting relies on a trusted random number generator. Hence the necessary security assumptions and the interaction of the voter with the voting machine are different from other verifiable voting schemes. Based on theoretical considerations and our experience with the student parliament election we give a comparison of Bingo Voting with other verifiable voting schemes.
Work done while the author was at Universität Karlsruhe (TH).
Concluding the paper we will state that in our opinion keeping the secrecy of an election is the most important problem for future research.

2 Related Work

There are several approaches to the problem of constructing a voting system that not only provides fast tallying (for which all systems need a computer at some point) but also allows each voter to verify the tally. We name only a few of the many proposals, namely those for which we know that some practical experience exists. The schemes mentioned will be compared in Section 5 with respect to usability.

As examples for the class of paper-based systems we regard Punchscan as described in [2-4] and Prêt à Voter [5]. Both use a scanner to obtain an electronic version of the paper ballot, a part of which acts as a receipt. In contrast to this, the voting scheme by Moran and Naor [6] (and other schemes sharing the idea of Neff [7]) and Bingo Voting [1] use voting machines for casting the vote and producing a receipt.

Most of the publications on voting schemes focus on cryptographic mechanisms and security properties. We want to add some real-world experience and usability considerations.

3 Description of Bingo Voting

This section gives an introduction to the Bingo Voting scheme; details can be found in [1]. Bingo Voting relies on the assumption of a trusted random number generator with integrated display. With the help of such a device the scheme can assure correctness of the election results without any trust in other parts of the voting machine. If the voting machine itself is assumed to be trustworthy, it also provides coercion protection³.

Bingo Voting consists of three phases, which are summarized next. For ease of description, this section assumes an election with a single voting machine where each of $l$ eligible voters has one vote for one out of $n$ candidates.
More complex scenarios are possible, see Section

³ Coercion protection in this work should hold even if the voter deviates from the protocol in order to prove a specific vote. Coercion protection implies the secrecy of votes.

3.1 Pre-voting phase

Before the election starts, the voting machine creates $l$ random numbers $r_1^i, \dots, r_l^i$ for each candidate $P_i$ and commits to $(P_i, r_j^i)$ (called a dummy vote for $P_i$). These commitments are shuffled and published on a public bulletin board together with a proof (e.g. based on randomized partial checking) that there are exactly $l$ dummy votes for each candidate hidden in these commitments.

3.2 Voting phase

During the election, a voter uses the voting machine to select her candidate. After this the trusted random number generator generates a random number, transfers it to the voting machine and displays it. The voting machine now prints a receipt, which for each candidate $i$ contains a pair $(P_i, s_i)$ with the candidate's name $P_i$ and a random number $s_i$. The random number for the voted candidate is the number generated by the trusted random number generator. The voter can check this. The other random numbers are dummy votes to which commitments were generated in the pre-voting phase (i.e. $\exists j : s_i = r_j^i$). This is proven after the election. Once a dummy vote is written on a receipt it is marked as used and won't appear on another receipt. This can also be checked after the election as all receipts are published.

3.3 Post-voting phase

After the election the following items are published on a public bulletin board:

- the number of votes for each candidate,
- all receipts issued by the voting machine,
- a list of the unused pairs $(P_i, r_j^i)$, i.e. dummy votes that are not used on any receipt, together with the unveil information for the corresponding commitment,
- a proof of the correctness of the result.

The main part of the proof of correctness is to show that each unopened commitment to a dummy vote was used on exactly one receipt, and each receipt contains the correct number of dummy votes. Due to the published proofs and a simple comparison by each voter, correctness is guaranteed if the random number generator is uncorrupted.
Coercion protection against an adversary who hasn't corrupted the voting machine or the list of dummy votes is guaranteed by the indistinguishability of dummy votes and random numbers generated during the voting process. For details about the proofs, assumptions and properties see the description in [1].
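The three phases above, as an added example that is not code from the paper or its prototype: SHA-256 hash commitments stand in for the commitments of the real scheme, the zero-knowledge proof over the unopened commitments is left out, and the candidate names, `VotingMachine`, `voter_check` and `audit` are hypothetical. It also models a machine that counts a vote for a different candidate while keeping its published data consistent, which only the voter's comparison with the trusted display exposes.

```python
import hashlib
import secrets

CANDIDATES = ["Alice", "Bob", "Carol"]  # constructed sample race
ELIGIBLE = 4                            # l: number of eligible voters


def commit(candidate, number, opening):
    """Hash commitment to a dummy vote (stand-in for the paper's commitments)."""
    return hashlib.sha256(f"{candidate}|{number}|".encode() + opening).hexdigest()


class VotingMachine:
    def __init__(self, candidates, eligible, corrupt=False):
        self.candidates, self.eligible, self.corrupt = candidates, eligible, corrupt
        # Pre-voting phase: l dummy votes (number, opening) per candidate.
        self.unused = {c: [(secrets.randbits(64), secrets.token_bytes(16))
                           for _ in range(eligible)] for c in candidates}
        # Sorting the digests hides which commitment belongs to which candidate.
        self.bulletin = sorted(commit(c, n, o)
                               for c in candidates for n, o in self.unused[c])
        self.receipts = []
        self.tally = {c: 0 for c in candidates}

    def cast(self, choice, fresh):
        """Voting phase: `fresh` is the number shown on the trusted RNG display."""
        counted = choice
        if self.corrupt:  # modelled fault: the vote is counted for someone else
            counted = next(c for c in self.candidates if c != choice)
        self.tally[counted] += 1
        # Fresh number beside the counted candidate, one dummy vote for the rest.
        receipt = {c: fresh if c == counted else self.unused[c].pop()[0]
                   for c in self.candidates}
        self.receipts.append(receipt)
        return receipt


def voter_check(receipt, choice, displayed):
    """The voter's only task: compare the number beside her choice."""
    return receipt[choice] == displayed


def audit(machine):
    """Post-voting checks anyone can run on the published data.

    Returns the tally derived from the opened unused dummy votes,
    or None if a check fails.
    """
    voters = len(machine.receipts)
    printed = {n for receipt in machine.receipts for n in receipt.values()}
    derived = {}
    for cand, opened in machine.unused.items():
        for number, opening in opened:
            if commit(cand, number, opening) not in machine.bulletin:
                return None  # opened pair was never committed to
            if number in printed:
                return None  # an "unused" dummy vote appears on a receipt
        # Each receipt consumes one dummy vote of every candidate not voted for.
        derived[cand] = len(opened) - (machine.eligible - voters)
    return derived if derived == machine.tally else None


def run_election(votes, corrupt=False):
    machine = VotingMachine(CANDIDATES, ELIGIBLE, corrupt)
    checks = []
    for choice in votes:
        fresh = secrets.randbits(64)  # plays the trusted random number generator
        checks.append(voter_check(machine.cast(choice, fresh), choice, fresh))
    return machine, checks


if __name__ == "__main__":
    for corrupt in (False, True):
        machine, checks = run_election(["Alice", "Bob", "Alice"], corrupt)
        print("corrupt" if corrupt else "honest", audit(machine), checks)
```

The corrupt run passes `audit` yet fails every `voter_check`, which is why the scheme needs the voter's comparison against the trusted display in addition to the published proofs.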
4 Implementation and Practical Experience

Bingo Voting was employed in January 2008 at the election of the student parliament in Karlsruhe, Germany. We implemented a prototype that was primarily constructed to meet this election's requirements but can easily be adapted to other elections.

The election of the student parliament has been a challenging experience because of its complexity. The election took place on five consecutive days and our voting device had to handle 15 different races simultaneously. Each student could take part in the election for the student parliament itself (which consisted of two elections) and one out of eleven student bodies. Female and foreign students could additionally elect representatives of women and foreign students respectively. Voters were able to split and cumulate their votes. Furthermore, we wanted the scheme to allow everything that is also possible in a paper and ballot scheme. This includes partial and full abstention, casting invalid ballots and voting in different races on different days.

4.1 Overview of the prototype

Our prototype was implemented in Java 1.6 and has approximately 8000 lines of code. The voting device we provided for the election of the student parliament was a standard personal computer with Linux as operating system. It was equipped with a chip-card reader for registration, a trustworthy random number generator, a mouse and a printer. For security reasons, it had no keyboard and no network connection during the election days, so the voter's input was given using a mouse only.

Random number generators and chip-card readers for the election were provided by Reiner SCT. The random number generator consisted of a certified smart card in a smart-card reader with special firmware to display the random numbers directly on the smart-card reader. The smart cards used were cards designed for digital signatures with an integrated hardware-based random number generator, which meets high requirements.
Ordinary memory cards were sufficient for the voter's registration at the voting device. Using memory cards helped us enable voters to vote in different races on different days because the chip cards carried the information in which races a voter had voted. However, this required additional security considerations. Among other things, we had to prevent voters from forging valid chip cards, voting twice with the same chip card or obtaining valid chip cards by copying one.
Each chip card got a unique ID which was accepted only once and recorded by the voting device right after inserting the chip card. The voter's eligibility information was available on the chip card in the form of one flag per race. Each time a voter finished voting for a race, a completion flag was set on the chip card indicating this. A voter was (theoretically) able to remove the card after starting the voting procedure for a race but before the completion flag was set. Therefore each chip card contained additional status bits that denoted if a voter had started voting for a race. This also enabled the poll workers to reconstruct during which part of the voting process the card was removed. If the status bits were in a wrong state during the voting process, the voting device was locked. To prevent forgery and to ensure the chip card's integrity, the contents of the chip cards were digitally signed with every write access.

4.2 The election of the student parliament

Pre-voting phase

The pre-voting phase was done several days before the election started. We used Pedersen commitments [8] because of their useful properties. For the student parliament 72 candidates were nominated and each voter had nine votes to cast. So for this race we had to create $9 \cdot (72 + 2) = 666$ dummy votes for each eligible voter (this includes the additional dummy votes for the abstention and invalid ballot candidates). The other races were a bit smaller with two to ten candidates and between one and ten votes per voter. We considered about 4000 eligible voters for the election of the student parliament and 1000 to 2000 eligible voters for each student body and the women's and foreign students' representative. Generating the appropriate number of dummy votes took about ten hours on two computers with two cores each. With optimal parallelisation the whole pre-voting phase probably could have been done within less than two hours.
For the proofs of correctness the election authorities tossed several coins and the outcome was used as challenge. Using the Fiat-Shamir heuristic was impractical as the proof for the largest race was (4000 voters × 9 votes per voter × 74 candidates × 1024 bit per commitment) approximately 325 MByte for one instance.

Voting Process

Before entering the polling booth, the voter's eligibility was checked and a poll worker handed a valid chip card with a fresh ID and the eligibility information to the voter. In the polling booth, the voter inserted her chip card into the chip-card reader. The voting device accepted a chip card if and only if the signature of the chip card's data was valid, its ID had not been used yet, its status bits were in a valid initial state and it contained the right device name. If one of the four conditions above was not fulfilled, the voting device displayed a message telling the voter that her chip card is invalid. After a few seconds the device returned to a normal state, waiting for a valid chip card to be inserted (the device only locked if an error occurred during a voting process).

After registering successfully, the voter chose with which race to start. The computer then displayed the corresponding ballot where the voter could give her vote(s) to the candidate(s). Our prototype provided additional candidates for abstention and invalid ballot. Remaining votes were given to the abstention candidate. The invalid ballot candidate either got all or no votes since a ballot is either invalid or not. After distributing her votes, the voter could double-check her ballot on a confirmation screen. Then she could either return to the previous screen to change her vote, or confirm, and thereby cast, her ballot. With the confirmation her votes were counted and the status bits on her chip card were set to a race completed state. Then the random number generator generated one fresh random number for each vote cast. The receipt was generated and printed and the voter was asked to compare the corresponding random numbers on her receipt with those on the random number generator's display. To support the voter a schematic of the receipt was displayed, indicating the positions of the fresh random numbers on the receipt. After checking the correctness of her receipt, the voter could go on with another race or end the voting process.

The display of the random number generator was cleared automatically after a given time, preventing the subsequent voter from learning the fresh random number(s) encoding the vote(s) of the previous voter.
After leaving the polling booth the voter gave back her chip card to the poll workers who checked the completion flag for each race.

Post-voting phase

The computing time for the tally was about five minutes. For the post-election proofs again the Fiat-Shamir heuristic was too cumbersome and we chose the necessary challenges in cooperation with the election authorities. The proofs took about three hours and successfully showed the correctness of the election.

4.3 Experience

The application of Bingo Voting in the election of the student parliament showed us that it is not sufficient to design a voting scheme that is good in theory. When used in practice, a lot of additional difficulties come into play.

Some voters removed their chip card too early, so it had an erroneous state. In all those cases we were able to retrace what happened without compromising secrecy and correctness of the election. Using a chip-card reader that locks in the chip card would solve this problem. It would also speed up the voting process because most write accesses for changing the status bits could be omitted.

Other improvements are possible. Using a touch screen instead of or in addition to a mouse would improve usability. What caused some inconvenience was that the voting process took several minutes. The problem was a rather slow receipt printer and the number of necessary write accesses to the chip card. Our receipt printer has since been replaced by a much faster one and the chip card problem can be solved as explained above.

Many voters did not trust the random number generator we used because for them it was just a black box. A random number generator with a more transparent functionality (like e.g. Bingo Cages which gave the scheme its name) would gain the trust of more voters.

As expected, a majority of the voters didn't bother checking any random numbers. This is acceptable since it is sufficient for the voting system that only some voters verify their receipt, as long as the voting device doesn't know who is going to do so.

We saw that Bingo Voting is capable of handling elections up to a certain size and complexity without considerable loss of usability. Many students decided to use the voting device even though they could have used paper ballots, and most of them had no problems casting their ballots. However, for a more representative evaluation of the usability and acceptance of the scheme, further studies should be made with a broader target group, including old people and people who are not used to using a computer.
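The chip-card handling from Sections 4.1 and 4.2, as an added example rather than the prototype's code: an HMAC stands in for the digital signature, and the card layout, the three status values, the check order and all names (`issue_card`, `VotingDevice`, `demo`) are assumptions. It shows the four acceptance conditions and the lock that follows a wrong status transition during voting.

```python
import copy
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"  # assumption: HMAC replaces the signature


def card_mac(card):
    body = {k: v for k, v in card.items() if k != "sig"}
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def write_card(card):
    """Every write access re-signs the whole card content."""
    card["sig"] = card_mac(card)
    return card


def signature_ok(card):
    return hmac.compare_digest(card.get("sig", ""), card_mac(card))


def issue_card(card_id, device, races):
    """Poll worker issues a card: fresh ID, one status entry per eligible race."""
    return write_card({"id": card_id, "device": device,
                       "status": {race: "idle" for race in races}})


class VotingDevice:
    def __init__(self, name):
        self.name = name
        self.used_ids = set()
        self.locked = False

    def insert(self, card):
        """The four acceptance conditions; a rejected card does not lock the device."""
        if not signature_ok(card):
            return "invalid: signature"
        if card["id"] in self.used_ids:
            return "invalid: ID already used"
        if any(state == "started" for state in card["status"].values()):
            return "invalid: status bits"  # card was pulled in the middle of a race
        if card["device"] != self.name:
            return "invalid: device name"
        self.used_ids.add(card["id"])  # recorded only once the card is accepted
        return "accepted"

    def _step(self, card, race, expected, new):
        # A wrong state during the voting process locks the device.
        if self.locked or card["status"].get(race) != expected:
            self.locked = True
            return False
        card["status"][race] = new
        write_card(card)
        return True

    def start_race(self, card, race):
        return self._step(card, race, "idle", "started")

    def complete_race(self, card, race):
        return self._step(card, race, "started", "completed")


def demo():
    """Constructed cards exercising each rejection reason."""
    device = VotingDevice("booth-A")
    card = issue_card("c-001", "booth-A", ["parliament", "student-body"])
    results = {"fresh": device.insert(card)}
    results["copy"] = device.insert(copy.deepcopy(card))  # copied card, same ID
    forged = issue_card("c-002", "booth-A", ["parliament"])
    forged["status"]["women"] = "idle"  # eligibility added without re-signing
    results["forged"] = device.insert(forged)
    pulled = issue_card("c-003", "booth-A", ["parliament"])
    pulled["status"]["parliament"] = "started"
    results["pulled"] = device.insert(write_card(pulled))
    other = issue_card("c-004", "booth-B", ["parliament"])
    results["other_booth"] = device.insert(other)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12} {outcome}")
```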
5 A Comparison of Usability

In this part we will compare the three verifiable voting schemes Prêt à Voter, Punchscan and the scheme by Moran and Naor to Bingo Voting, focusing on usability under realistic conditions. One aspect is the effort needed for the actual voting process, the other is the additional cost for the voter to ensure correctness.
One important question is at which point of the voting process the voter first gets into contact with the cryptographic mechanisms, i.e. when does she first experience a difference to normal voting. There are studies that hint that voters may be influenced by the voting procedure, and that this influence is bigger if the voting scheme is more complicated [9-11].

Prêt à Voter

As Prêt à Voter, like Punchscan, is a paper-based system, the voter will not vote at a computer but cast a paper ballot. Prêt à Voter uses a special paper ballot on which the candidates are printed in a random order. In contrast, normal paper ballots have a fixed order of candidates. This may also pose a conflict with election laws that regulate the order of appearance of the candidates on the paper ballot.

For Prêt à Voter the voter has to verify that this ballot is authentic and correct, i.e. the encrypted permutation printed on the ballot corresponds to the permutation used for the candidates so that the vote can be correctly reconstructed. This is normally done by presenting two ballots to the voter, who chooses one that is to be verified and uses the other for voting. There are two problems with this approach: first, the number of paper ballots needed is doubled, and second, the proof is either time-consuming or requires trust in an independent computer which may or may not be corrupted.

Filling out the Prêt à Voter ballot may be more time-consuming than it is for a normal paper ballot, as the order of appearance is random so the voter has to spend some time to find her candidate. When the voter has completed the voting process she goes to a poll worker and hands over the ballot upside-down without showing her vote. The poll worker removes the part with the names of the candidates and feeds it to the shredder. Now the remaining part is scanned (for electronic counting) and signed with a digital signature.
If the ballot ID is protected by a scratch field it must be removed before scanning, but after shredding the part with the names of the candidates. This poses some practical problems as the poll worker assisting in shredding and scanning must verify that the scratch field is intact without seeing the whole ballot as this would reveal the vote.

Punchscan

Punchscan also uses a paper ballot consisting of two parts. Here the voter has to find her candidate (order of appearance may be random or fixed), read a character printed next to it and find the same character in the marking area. The top layer has holes through which the second layer, lying underneath, displays the same characters that appear next to the candidates in a random order (one character per hole). The voter now marks the hole which shows the character corresponding to the candidate she wants to vote for. This results in a clear mark on both the upper and lower layer of the ballot.

The procedure of finding the candidate, reading the character and then again finding the character may be challenging and time-consuming for some voters. The time needed increases significantly if there is a large number of candidates or if more than one vote can be distributed. Also the error rate of the voting procedure is probably affected.

After the voter has marked her ballot she will go to a shredder, destroy one of the two layers and scan the other. If the ID of the ballot is protected by a scratch field for security reasons then this results in similar problems as Prêt à Voter.

Voting Scheme by Moran and Naor

Both Bingo Voting and the scheme by Moran and Naor use a computer to cast the vote. So naturally both schemes differ significantly from traditional paper and ballot voting. However, compared to other voting machines the differences only become apparent to the voter after she has finished entering her vote into the computer. This might be realized using a touch screen and perhaps a special pen to reproduce the pen-and-paper voting procedure.

After the voter has entered her vote Bingo Voting and the Moran-Naor scheme begin to differ. To produce a receipt the Moran-Naor scheme needs randomness for each entry which must be entered by the voter. Also the scheme only allows for one vote per receipt, so if a voter can distribute more than one vote, a receipt is required for each one. Combined with the fact that for each receipt the voter has to enter sufficient randomness for each candidate this makes the voting process (actually the receipt generation) very time-consuming and will probably lead to a low acceptance.
Another problem is that the voter might enter low-entropy randomness when asked for many random numbers. This could compromise the security of the voting scheme. Of course a trusted random number generator could be used to generate the required randomness, but this results in other problems. A short description of this idea can be found in [1].

Bingo Voting

Like the scheme by Moran and Naor, Bingo Voting requires no special actions performed by the voter prior to the voting process, except that the voter gains access to a voting machine instead of receiving a paper ballot. After the vote has been entered and confirmed by the voter, the computer used by the Bingo Voting scheme to cast the vote calls a trusted random number generator and receives a random number for each vote of the voter. Then a receipt is printed and the voter has to compare the random numbers on the display of the trusted random number generator with the random numbers printed next to her choice(s) on the receipt.

For each possible choice there must be a random number on the receipt, which limits the size of the election realizable with a reasonable paper and font size for the receipt. For each vote the voter has to make one comparison, which also limits the elections as each vote increases the time needed for comparison.

Comparison

In comparison to Prêt à Voter and Punchscan the voting scheme by Moran and Naor and Bingo Voting have one big advantage as they force the voter to interact with the cryptographic mechanisms of the voting scheme only after she has made her choice. For Bingo Voting the additional steps after the vote was cast are only necessary to ensure correctness of the vote. The scheme by Moran and Naor needs randomness as input from the voter, which makes the voting process more time-consuming. As mentioned above this can be bypassed by using a random number generator as a source. In this case the minimal effort required for voting is the same as for Bingo Voting.

Prêt à Voter and Punchscan both interfere with the voting process as both require special paper ballots. The voting process of Prêt à Voter requires the voter to find the candidate of her choice and mark the adjacent field. For Punchscan the voter has to find her candidate, find and remember the corresponding letter and finally find this letter and mark it with a marker.

For a voter who is concerned about correctness of the election all four voting schemes provide means to ensure correctness with additional effort.
For the scheme by Moran and Naor this effort is an actual part of the voting process (if randomness is entered by the voter) or optional (if a random number generator is used). The big advantage of Moran and Naor is that their voting scheme does not need a pre-election phase. Unfortunately this comes at the price of a cumbersome and time-consuming receipt generation. Bingo Voting has the advantage that the voter only has to compare random numbers in the voting booth.

The main disadvantage of Prêt à Voter and Punchscan is that both use special ballots that normal voters are not used to, may conflict with existing legal requirements and require special handling during the shredding process. Besides the random order of the candidates, Prêt à Voter is the voting scheme with the most similarities to traditional voting with paper ballots and the most flexible one.

After receiving the receipt and leaving the voting booth the voter has to check whether her receipt was published correctly, and, if she wants, whether all published proofs are valid. These checks after the voting process are very similar for all four voting schemes and have been omitted in the comparison.

6 Conclusion and Outlook

Our experience with the real election and the comparison to other verifiable voting schemes show that Bingo Voting provides very good usability and is a serious alternative when verifiability is required.

As stated above the correctness of an election can be ensured in a very convincing way by means of cryptography and IT security. The security assumptions necessary to ensure correctness are reasonable and can be checked in a very direct way. For the secrecy and coercion freeness of the election, however, additional security assumptions have to be made, security assumptions which are less convincing than a trusted random number generator or the existence of one-way functions: It has to be assumed that the ballots are generated and printed in a trustworthy way. One has to trust the shredder to destroy ballot parts entirely and irreversibly. The voting machines have to be trusted. These are only a few examples.

An often heard argument is that we do not need to take great care to guarantee secrecy, because already a hidden camera could violate this. This argument is wrong from a practical point of view where an adversary gladly uses each advantage.

One point which is often argued to improve secrecy is to distribute the voting authority over several institutions which interact via secure function evaluation techniques. But this is still not as convincing as the security assumptions needed for correctness, and often it is not a sufficient assumption.
Finding security techniques which convincingly keep the secrecy and coercion freeness of votes is maybe the most important problem for future research.

Acknowledgments

We thank Reiner SCT for providing us with two random number generators and four chip-card readers for the election. We thank Björn Tackmann for assisting in preparing and realizing the election.
References

1. Bohli, J.M., Müller-Quade, J., Röhrich, S.: Bingo Voting: Secure and Coercion-Free Voting Using a Trusted Random Number Generator. In Alkassar, A., Volkamer, M., eds.: VOTE-ID. Volume 4896 of Lecture Notes in Computer Science, Springer-Verlag (2007)
2. Chaum, D.: Punchscan (2006)
3. Popoveniuc, S., Hosp, B.: An Introduction to Punchscan. Threat Analyses for Voting System Categories, A Workshop on Rating Voting Methods, VSRW '06 (2006)
4. Popoveniuc, S., Hosp, B.: An Introduction to Punchscan. IAVoSS Workshop On Trustworthy Elections, WOTE 2006 (2006) popoveniuc_hosp_punchscan_introduction.pdf, online version dated
5. Chaum, D., Ryan, P.Y., Schneider, S.: A Practical Voter-Verifiable Election Scheme. In De Capitani di Vimercati, S., Syverson, P., Gollmann, D., eds.: Computer Security ESORICS. Volume 3679 of Lecture Notes in Computer Science, Springer (2005)
6. Moran, T., Naor, M.: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy. In Dwork, C., ed.: Advances in Cryptology CRYPTO. Volume 4117 of Lecture Notes in Computer Science, Springer (2006)
7. Neff, C.A.: Practical high certainty intent verification for encrypted votes. Draft at (2004)
8. Pedersen, T.P.: Non-interactive and Information-Theoretic Secure Verifiable Secret Sharing. In Feigenbaum, J., ed.: Advances in Cryptology CRYPTO '91: Proceedings. Volume 576 of Lecture Notes in Computer Science, Springer (1991)
9. Bederson, B.B., Lee, B., Sherman, R.M., Herrnson, P.S., Niemi, R.G.: Electronic voting system usability issues. In: CHI '03: Proceedings of the SIGCHI conference on Human factors in computing systems, New York, NY, USA, ACM (2003)
10. Traugott, M.W., Hanmer, M.J., Park, W.H., Herrnson, P.S., Niemi, R.G., Bederson, B.B., Conrad, F.G.: The impact of voting systems on residual votes, incomplete ballots, and other measures of voting behavior (2005)
11. Herrnson, P.S., Niemi, R.G., Hanmer, M.J., Bederson, B.B., Conrad, F.G., Traugott, M.: The not so simple act of voting: An examination of voter errors with electronic voting (2007)
A Secure Protocol for the Oblivious Transfer (Extended Abstract) M. J. Fischer. Yale University. S. Micali Massachusetts Institute of Technology
J, Cryptoiogy (1996) 9:191-195 Joumol of CRYPTOLOGY O 1996 International Association for Cryptologic Research A Secure Protocol for the Oblivious Transfer (Extended Abstract) M. J. Fischer Yale University
Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak
Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a
An Application of Visual Cryptography To Financial Documents
An Application of Visual Cryptography To Financial Documents L. W. Hawkes, A. Yasinsac, C. Cline Security and Assurance in Information Technology Laboratory Computer Science Department Florida State University
A Survey on Untransferable Anonymous Credentials
A Survey on Untransferable Anonymous Credentials extended abstract Sebastian Pape Databases and Interactive Systems Research Group, University of Kassel Abstract. There are at least two principal approaches
SecureStore I.CA. User manual. Version 2.16 and higher
User manual Version 2.16 and higher Contents SecureStore I.CA 1. INTRODUCTION...3 2. ACCESS DATA FOR THE CARD...3 2.1 Card initialisation...3 3. MAIN SCREEN...4 4. DISPLAYING INFORMATION ABOUT THE PAIR
Table of Contents. Click on heading to navigate directly to that section. Introduction... 3
Election Guide Table of Contents Click on heading to navigate directly to that section. Introduction... 3 Part One: Pre-Election Set-Up... 3 Step 1: Logging into Your Simply Voting User Account... 3 Step
PUBLIC REPORT. Red Team Testing of the ES&S Unity 3.0.1.1 Voting System. Freeman Craft McGregor Group (FCMG) Red Team
PUBLIC REPORT Red Team Testing of the Voting System Freeman Craft McGregor Group (FCMG) Red Team Prepared for the California Secretary of State by: Jacob D. Stauffer, FCMG Red Team Project Manager Page
Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT
Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code
Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan
Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan 1 Internet of Things (IoT) CASAGRAS defined that: A global
Lecture 15 - Digital Signatures
Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.
A novel deniable authentication protocol using generalized ElGamal signature scheme
Information Sciences 177 (2007) 1376 1381 www.elsevier.com/locate/ins A novel deniable authentication protocol using generalized ElGamal signature scheme Wei-Bin Lee a, Chia-Chun Wu a, Woei-Jiunn Tsaur
to hide away details from prying eyes. Pretty Good Privacy (PGP) utilizes many
In the world of secure email, there are many options from which to choose from to hide away details from prying eyes. Pretty Good Privacy (PGP) utilizes many cryptographical concepts to achieve a supposedly
Fighting product clones through digital signatures
Paul Curtis, Katrin Berkenkopf Embedded Experts Team, SEGGER Microcontroller Fighting product clones through digital signatures Product piracy and forgery are growing problems that not only decrease turnover
Attestation and Authentication Protocols Using the TPM
Attestation and Authentication Protocols Using the TPM Ariel Segall June 21, 2011 Approved for Public Release: 11-2876. Distribution Unlimited. c 2011. All Rights Reserved. (1/28) Motivation Almost all
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 1 (rev. 1) Professor M. J. Fischer September 3, 2008 1 Course Overview Lecture Notes 1 This course is
Verification and Validation Issues in Electronic Voting
Verification and Validation Issues in Electronic Voting Orhan Cetinkaya 1, and Deniz Cetinkaya 2 1 Institute of Applied Mathematics, METU, Ankara, Turkey 2 Computer Engineering, METU, Ankara, Turkey [email protected]
MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic
Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques
Computer Security process of reliably verifying identity verification techniques what you know (eg., passwords, crypto key) what you have (eg., keycards, embedded crypto) what you are (eg., biometric information)
SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER
SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER Mrs. P.Venkateswari Assistant Professor / CSE Erode Sengunthar Engineering College, Thudupathi ABSTRACT Nowadays Communication
1 Construction of CCA-secure encryption
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.
Inductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting
Inductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting Denis Butin 1 / 37 2 / 37 Introduction Network communication sensitive: banking, private correspondence,
SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTING SECURITY ENVIRONMENT
SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTING SECURITY ENVIRONMENT K.karthika 1, M. Daya kanimozhi Rani 2 1 K.karthika, Assistant professor, Department of IT, Adhiyamaan College of Engineering, Hosur
Public Key Cryptography in Practice. c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13)
Public Key Cryptography in Practice c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13) How Cryptography is Used in Applications The main drawback of public key cryptography is the inherent
Strengthen RFID Tags Security Using New Data Structure
International Journal of Control and Automation 51 Strengthen RFID Tags Security Using New Data Structure Yan Liang and Chunming Rong Department of Electrical Engineering and Computer Science, University
An Efficient Security Based Multi Owner Data Sharing for Un-Trusted Groups Using Broadcast Encryption Techniques in Cloud
An Efficient Security Based Multi Owner Data Sharing for Un-Trusted Groups Using Broadcast Encryption Techniques in Cloud T.Vijayalakshmi 1, Balika J Chelliah 2,S.Alagumani 3 and Dr.J.Jagadeesan 4 1 PG
Application of Neural Network in User Authentication for Smart Home System
Application of Neural Network in User Authentication for Smart Home System A. Joseph, D.B.L. Bong, D.A.A. Mat Abstract Security has been an important issue and concern in the smart home systems. Smart
Computer Security. Draft Exam with Answers. 2009.
Computer Security Draft Exam with Answers. 2009. Please note that the questions written here are a draft of the final exam. There may be typos in the questions that were corrected in the final version
ARE YOU A EUROPEAN CITIZEN LIVING IN BELGIUM? Come and vote for the European Parliament on 25 May 2014!
ARE YOU A EUROPEAN CITIZEN LIVING IN BELGIUM? Come and vote for the European Parliament on 25 May 2014! 1 WHO IS ENTITLED TO VOTE ON 25 MAY 2014? In order to take part in this election as a European citizen,
Why Johnny Can t Encrypt: A Usability Evaluation of PGP 5.0
Why Johnny Can t Encrypt: A Usability Evaluation of PGP 5.0 Alma Whitten and J. D. Tygar Presentation by Jukka Valkonen [email protected] 25.10.2006 Outline 1. Background 2. Test methods and results
Helios: Web-based Open-Audit Voting
Helios: Web-based Open-Audit Voting Ben Adida ben [email protected] Harvard University Abstract Voting with cryptographic auditing, sometimes called open-audit voting, has remained, for the most part,
Why Johnny Can't Encrypt: A Usability Study of PGP
Why Johnny Can't Encrypt: A Usability Study of PGP Jan Sousedek Technische Universität Berlin, Germany Erasmus program Summer semester 2008 Seminar: Internet Security [email protected] Abstract Interfaces
An electronic scheme for the Farnel paper-based voting protocol
An electronic scheme for the Farnel paper-based voting protocol R. Araújo 1, R. Custódio 2, A. Wiesmaier 1, and. akagi 3 1 echnische Universität Darmstadt, Germany 2 George Washington University, USA 3
Lecture 9 - Message Authentication Codes
Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
Introduction. Conducting a Security Review
Chapter 3 PHYSICAL SECURITY Introduction In elections, physical security refers to standards, procedures, and actions taken to protect voting systems and related facilities and equipment from natural and
Compter Networks Chapter 9: Network Security
Goals of this chapter Compter Networks Chapter 9: Network Security Give a brief glimpse of security in communication networks Basic goals and mechanisms Holger Karl Slide set: Günter Schäfer, TU Ilmenau
Procedure for How to Enroll for Digital Signature
Procedure for How to Enroll for Digital Signature In Online Processing System getting to implement Digital Signature and Electronic Token for security and Authentication Purpose. For that bidder must have
Capture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics [email protected] 2 Bilkent University, Department
E-voting System: Specification and Design Document
1 E-voting System: Specification and Design Document March 6, 2003 Jamie Brown Domari Dickinson Carl Steinebach Jeff Zhang 2 Introduction During the 2000 General Elections, America realized that our election
Efficient database auditing
Topicus Fincare Efficient database auditing And entity reversion Dennis Windhouwer Supervised by: Pim van den Broek, Jasper Laagland and Johan te Winkel 9 April 2014 SUMMARY Topicus wants their current
Understanding Digital Signature And Public Key Infrastructure
Understanding Digital Signature And Public Key Infrastructure Overview The use of networked personnel computers (PC s) in enterprise environments and on the Internet is rapidly approaching the point where
GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.
PERSONAL IDENTITY VERIFICATION (PIV) OVERVIEW INTRODUCTION (1) Welcome to the Homeland Security Presidential Directive 12 (HSPD-12) Personal Identity Verification (PIV) Overview module, designed to familiarize
Design Principles for Protection Mechanisms. Security Principles. Economy of Mechanism. Least Privilege. Complete Mediation. Economy of Mechanism (2)
Security Principles Design Principles for Protection Mechanisms Security is a system requirement just like performance, capability, cost, etc. Therefore, it may be necessary to trade off certain security
Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay
Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 17 Shannon-Fano-Elias Coding and Introduction to Arithmetic Coding
A guide for the Voters. Control unit and Balloting Unit of Electronic Voting Machine
A guide for the Voters Control unit and Balloting Unit of Electronic Voting Machine 1. Why should you vote? India is the largest democracy in the world. The right to vote and more importantly the exercise
KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1
KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting Alice M D sk[a] (C) Bob pk[a] C C $ E pk[a] (M) σ $ S sk[a] (M) M, σ Vpk[A] (M, σ) Bob can: send encrypted data
Aloaha Sign! (English Version)
Aloaha Sign! (English Version) Aloaha Sign! (English Version) All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic, electronic, or mechanical, including photocopying,
Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
Module 7 Security CS655! 7-1!
Module 7 Security CS655! 7-1! Issues Separation of! Security policies! Precise definition of which entities in the system can take what actions! Security mechanism! Means of enforcing that policy! Distributed
CPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC
Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
Volume I, Appendix C Table of Contents
Appendix C for Voting Officials (Informative) Volume I, Appendix C Table of Contents C Appendix for Voting Officials.... 1 C.1 for Human Factors.... 1 C.2 for Security... 4 i May 9, 2005 Appendix C for
A blind digital signature scheme using elliptic curve digital signature algorithm
A blind digital signature scheme using elliptic curve digital signature algorithm İsmail BÜTÜN * and Mehmet DEMİRER *Department of Electrical Engineering, University of South Florida, Tampa, FL, USA Department
Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi
Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public
Digital signature in insecure environments
Digital signature in insecure environments Janne Varjus Helsinki University of Technology [email protected] Abstract Due to current legislation the digital signatures can be as valid as the hand written
AutoMARK Pre-election/ L&A/Post-test Procedures
AutoMARK Pre-election/ L&A/Post-test Procedures Installing the Compact Flash Card (Machine is OFF) 1. Using the Access Door key provided, unlock the Access Door containing the compact flash card. 2. Remove
The Mathematics of the RSA Public-Key Cryptosystem
The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through
Comments on "public integrity auditing for dynamic data sharing with multi-user modification"
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers Faculty of Engineering and Information Sciences 2016 Comments on "public integrity auditing for dynamic
