DEFCON Voting Village 23 Panel
There was a DEFCON Voting Village panel «If I can shop online, why can’t I vote online?» which I found extremely important to read or listen to, not just for me but for anyone talking about electronic voting. Here is a transcript for those who prefer reading (or searching for keywords).
Table of Contents
- Editorial remarks
- Introduction
- David Jefferson: Problem space
- National security
- Attack vectors
- No strong defenses now, …
- … and probably never
- Attack detection/identification
- Matt Blaze: IT security
- Harri Hursti: False promises
- Susan Greenhalgh: History
- Trying to create
- Standards first
- Policy before Possibility
- 1. Bradley Tusk
- 2. Vendors
- Confidence in elections
- «Theranos of voting»
- Q&A
- Auditing?
- Eliminating vote secrecy?
- Perpetual motion machines
- Praise for secret ballots
- Internet voting is racist
- Biometrics
- Vote by phone isn’t secret
- Remote (postal) voting
- Voter outreach
- Ballot marking machines vs. secrecy
- Auditing?
- Related work
Of course, a link to the original video must not be missing, for those who prefer to watch or listen.
Editorial remarks
The transcript has received minor editorial changes: Filler words (“uh”, “you know”, …), repetitions, self-corrections, etc. have been removed in order to improve readability. Text in angle quotes («…») would be indirect speech in a written text; from the context, it is meant to be a summary/rephrasing of someone else’s statement, indicated by a change of tone, not as a direct quote.
Chunks that are related to the organization of the panel and that are unrelated to the content have been removed for clarity.
Bold text and section headings have been added by me to help you navigate the arguments or point out what I believe are important take-home messages.
But now, let’s switch to the transcript:
Introduction
Susan Greenhalgh (00:08): I’m Susan Greenhalgh, I’m the senior advisor for election security at Free Speech For People. We are a national nonpartisan not-for-profit legal advocacy organization that works to protect elections and democracy for all the people. We have a program which focuses on election security and I’ve done a lot of work on internet voting for over 15 years studying the policies and practices and written several reports on it. I’m here to talk about this issue with our esteemed panel.
First starting with David Jefferson: Dr David Jefferson, who is a researcher from Lawrence Livermore Laboratories, retired. In 1999 to 2000, he was the co-chair of the California Secretary of State’s task force on internet voting. He’ll talk a little bit more about that. He was one of the co-authors of the peer review that was done on the Department of Defense’s SERVE internet voting system in 2004, which ultimately resulted in the Department of Defense canceling the project, and he can talk a little bit about that. It was a 22 million dollar project that was ultimately shut down and he’s been writing, speaking, and testifying in opposition to internet voting ever since. So that’s David.
Next we have Matt Blaze, professor at Georgetown University School of Computer Science and Law. He is also co-founder of the Village and he’s been working in election security for two decades and especially interested in the impact of complex software systems on security and reliability.
And Harri Hursti, also co-founder of the Defcon Voting Village. He is the OG in election security reviews, famously conducting the Hursti Hack back in the 2000s. He also was part of a team that reviewed the Estonian online voting system for security and traveled to Estonia to present the findings to people there.
So, we have an incredible panel and I will turn it over to David.
Screenshot of David Jefferson’s talk. Click image to open the YouTube video at the beginning of his talk.
David Jefferson: Problem space
David Jefferson (03:12): So, first let me give you a summary up front of where I’m coming from, which is that it isn’t possible now or in the foreseeable future with any combination of technologies that we can envision today to secure an online voting system, and so thus we shouldn’t be instituting internet voting anywhere in the U.S. and we should really stop using it where it’s in use today.
National security
Voting of course is a national security issue: The legitimacy of democratic government depends on voting being secure and open. So we really cannot open our voting systems to the various kinds of threats I’m about to describe to you, many of which would open our elections to manipulation by foreign actors.
So let me talk about what internet voting is first of all. What we mean by that is any voting system in which voted ballots are transmitted over the Internet; maybe one hop of the communication is just over the internet, but if voted ballots are ever transmitted over the internet in the course of running an election, it’s an internet voting system. It doesn’t matter whether it’s by email or fax or web or mobile app: Any scheme, doesn’t matter what the protocol is, if it’s transmitted over the Internet, it’s going to be vulnerable to the kinds of threats I’m about to describe.
Attack vectors
So let’s talk about those threats. What are the threats that we’re talking about? There are many of them.
- The first one is authentication related threats. When you vote online, of course you have to identify yourself, so that you can be checked that you’re registered and that you haven’t already voted. So you have to actually identify yourself. That will have to be done online also and an attacker can mess with that system, so that it makes it too difficult for people to authenticate themselves and they get disenfranchised; or too easy for people to authenticate themselves and phony voters can vote. So authentication threats, number one.
- Number two and perhaps the most insidious is client-side malware. You’re going to be voting from some device—a phone or a PC or other mobile device—and that device might be infected with malware. And that malware might have the purpose of interfering with your voting, either preventing you from voting or modifying your votes before your votes even get out of the device. Before they’re encrypted for transmission, your votes can be modified: You wouldn’t know it, the election officials wouldn’t know it. That’s a profound problem, the client malware problem.
- The third kind of attack would be network attacks; attacking routers or DNS or other parts of the internet infrastructure. Where even while your ballots are being transmitted, in progress, they can still be stopped or redirected or otherwise interfered with.
- There are spoofing attacks, where you’re tricked into voting to an incorrect site: A site which may look like the real site, but which is not. And you think you voted, but you didn’t, and you don’t know whether your vote was transmitted or modified or just thrown away.
- There are denial of service attacks, where the server that receives votes is overwhelmed with a lot of fake ballots, sent to it by an attacker. It’s so overwhelmed that the service slows down. It may slow down to the point where voters get timeouts and they can’t vote at all; or the server just crashes.
- There are server penetration attacks, where an attacker actually gains control remotely of the server that’s accepting the ballots and when he gains control he can do anything he wants.
Many of these attacks can be insider-aided, where insiders would include election officials and programmers and so on. There are many variations of all of these attacks.
No strong defenses now, …
Now, there are no strong defenses to most of these attacks; there just are no strong defenses. There are ameliorations, there are ways of handling certain special cases of these attacks. But there are no general solutions with technology that we have today.
They rest on some profound problems in computer science which Matt is going to tell you about in the next talk. These are the same threats that we encountered 25 years ago when I was the chair of the California Secretary of State’s Internet Voting Task Force and they’re why we recommended that California not institute internet voting in 1999.
… and probably never
These threats haven’t really changed materially in the last 25 years and they may not change materially in the next 25 years; they are that intractable! Now, the problem is that all of these attacks that I mentioned can be automated and scaled up to massive scale. Depending upon technical details of the architecture of the voting system, the attacks can come from anywhere on Earth, including rival nation states or our own domestic partisans.
Attack detection/identification
Successful attacks may go completely undetected; but if they are detected, they may be completely uncorrectable without running the election over again.
The perpetrators of the attack may never be identified. But even if they are identified, they’re likely to be out of reach of U.S. law—as the 12 Russians who are under indictment for interfering with the 2020 election are out of reach of U.S. law.
So the problems with Internet voting are profound and I’m going to now turn it over to Matt so he can talk more about that subject. Thank you!
Screenshot from Matt Blaze talking. Click image to hear him talk.
Matt Blaze: IT security
Matt Blaze (09:27): So thanks, David! I just want to expand on some of the stuff that David was talking about. He mentioned fundamental problems. And as a scientist or as an engineer, when somebody says, “that’s a theoretical problem,” we understand it to be different from when the general public uses the term “theoretical problem”.
A theoretical problem in normal life is one you don’t really have to worry about; a theoretical problem in science and engineering is the worst possible kind. Right, it’s the kind that is fundamental to the system; that it’s something that you cannot do anything about without either changing the assumptions or compromising on what the requirements are.
Fundamental, unsolvable problems
And there are two sets of fundamental problems:
- The first set of fundamental problems are computer science problems, and all of the problems in voting—in building a secure voting system—that we encounter from an engineering point of view, are problems that actually were around before voting was an application people were even considering. There is a fundamental theorem in computer science that essentially says, “it is impossible to compare a program with its specification and understand whether it meets it”. And this is not a problem that we simply haven’t worked hard enough to try to solve; it’s a problem that we know that we cannot solve. We will never be able to solve it!
And what is the implication of that, is that general purpose complex software can never be assured to be completely correct. Now, that mostly doesn’t bother us for all sorts of applications of computing that we rely on for many things. In fact, the title of this panel «I can bank online; why can’t I vote online?» is an example of that.
We rely on the same flawed computing systems for things like banking, so, why is it we’re able to get away with it? And the short answer is: We don’t. Right, bank fraud is enormously common; right, banks are robbed online all the time; there is identity theft and so on constantly.
- The difference is a second set of fundamental problems, which is that the voting application itself has a set of incredibly stringent and in fact somewhat contradictory requirements for building a voting system.
One of them is that your vote must be anonymous and it must be anonymous to the point where you can’t even voluntarily prove who you voted for. And that requirement exists to prevent people from being able to be coerced into voting a particular way or being able to sell their vote. And there’s a long history—even in the United States, prior to that requirement existing—of people having their franchise coerced away from them, because it’s possible to tell how someone voted.
Banking transactions don’t have that requirement. A banking transaction is reversible. If money disappears from your bank account, it’s possible to be made whole again; but if your vote is changed, after it’s been cast, we don’t know whose it was. And you have no way as a voter of proving how your particular vote was cast in order to be able to correct that. And if that changed, you’d be able to prove how you voted.
Impossible reliability
So we have these two sets of fundamental problems clashing with each other: The first is, we don’t know how to build systems that are reliable enough to avoid problems like this; and the second is, voting requires us to build systems that avoid problems like this rather than correct them after the fact. And this combined with the fact that an online voting system requires using complex computer technology means that this is a problem that we won’t be able to solve no matter how hard we work at it.
It’s not that we’re just not very smart, it’s that these problems are beyond human capacity.
Accepting the risks?
Where that leaves us is,
- we have to recognize that online voting is intrinsically very risky,
- that it will lead to elections that we will never be able to satisfactorily show were conducted without fraud, without hacking, and that the outcome is genuinely true.
And that will always be with us when we do it that way, unless we relax some very important requirements of voting systems.
So, by the way, I’m not the only one saying this. There was a report from the National Academy of Sciences called “Securing the Vote”, where the top experts in the field got together and produced what’s called a “consensus report”. It essentially makes a very strong statement: «This is something we do not know how to do» and recommends against it wholesale.
Conclusion
So, those who propose online voting systems are essentially proposing something that [according to] the consensus of scientists is impossible.
So, we should understand it in that context. So, thanks!
Screenshot from Harri Hursti’s talk. Click image to see him talk.
Harri Hursti: False promises
Harri Hursti (15:35): So internet voting is a whack-a-mole. It keeps on coming back and the argument is very often, say, well, we have this excuse: Shall we do just a little bit of Internet voting?
There are two reasons why that’s not a good idea:
- First of all, all the votes are one pool. The idea that I can vote insecurely myself, and that wouldn’t disenfranchise other voters, is a logical fallacy. Because if there’s only one result and if I’m choosing to make my own vote insecure, I’m also making everybody else’s vote vulnerable.
- But there’s an even more profound reason. A lot of nations, including the United States and a lot of states in the United States, but other nations have the same principle: that all voters should be voting with the same method. So, once you are opening the door that says, let’s have a little bit of Internet voting, the next step is to say, now everybody has to vote with internet voting because we cannot have separate methods. The common way we always hear it excused is: What are the special groups who need to vote over the internet?
- And one of these in America is called UOCAVA Voters, Uniformed and Overseas Voters Empowerment Act [Transcriber’s note: Merge between UOCAVA and MOVE]. So, they are mainly the boys and girls in the military, who have a problem of getting the ballots done on time; however, this same problem is everywhere else in the world. And the other part is why UOCAVA is—or military voters in general are—a very good target for saying, “let’s do internet voting,” because in a lot of nations, military voters are not guaranteed to have a secret ballot; it’s a best-effort basis only. So military voters don’t enjoy the same legal protections as the general public. And that also enables you to have a little bit more relaxed voting system, because you don’t have to guarantee secret ballots.
- Another group is a very powerful lobbying group: The disabled voters and especially print disabled voters, so people who cannot read, cannot write, cannot hold a pen in their hand. There are a lot of devices, called for example ballot marking devices, which are designed for accessibility. But the idea is: Okay, well, let’s do that at home! Again, this whole path leads to a dual language, where there is a constant attempt not to call the voting “internet voting”, but instead to call it “electronic return of your ballot”. It’s the same thing. But the idea is, this is the way we sell the idea without getting into the trap of informing people that this is the bad idea again, internet voting.
Estonia
Internet voting has been claimed to be successful in Estonia. I went to Estonia with Professor Alex Halderman and a couple of other folks. We took a look at the system and it was a fairly decent high school project; that was the quality of the code.
However, there were a lot of interesting things in operations. For example, they rented the servers every year separately. So, from a supply chain point of view, this one agency is renting three computers: That’s your target! The lowest bidder and you can poison all you want. There were a lot of designs in that area.
For example, they published a video where the code is signed cryptographically, so that the voters will know, this is an honest code. And they claim that this computer, where the video was taken, has never been connected to the internet. But it had µTorrent [Transcriber’s note: A BitTorrent Internet download software] and pirated movies and pirated films and online poker on the screen. So slightly suspicious that it might have been an intern.
Finland
In Finland, we tried internet voting or online voting. It was kiosk voting—but a system which can be used for internet voting too—in three counties and it was demonstrated that three and a half percent of the votes were lost and hence the election had to be reconducted, because three and a half percent in what you call the Jefferson counting method means that it’s absolutely certain the last candidates in the city council will be [awarded to?] the wrong people.
«Young voters!»
The common excuse also is to claim that we need internet voting to activate young voters, young people who like mobile phones.
Estonia is a brilliant country from the point of view that they published age brackets. And when you look in Estonia, you see that the fastest growing group of voters online is over 65 and the young voters are rejecting the idea of Internet voting. The same was [experienced] in Norway, so that the actual government public data doesn’t support the common wisdom that young voters would be activated by using internet voting.
«Understandable, verifiable»
Last but not least, I want to touch a very big topic. For example, in Europe and Germany, a lot of democracies have a rule that a common person has to understand how votes are counted; and has to be able to verify the vote counting process with no special tools and education. Common man’s common knowledge has to be enough. Now, we are proposing very complex ideas like homomorphic encryption, blockchain, …
The joke in the US is that the average age of poll workers [gets] one year older every year, because we don’t have enough young people coming to be a poll worker. But until we live in a Star Trek universe, where teenagers are casually talking about quantum mechanics: Who is going to be explaining to a 70-year-old normal person how homomorphic encryption works?
And in this today’s world, how could anyone believe that you could ever be getting normal people to accept these complex ideas, that even most of the experts don’t know how it works?
So let’s keep it simple. Thank you!
Screenshot of Susan Greenhalgh’s talk. Click to hear her talk.
Susan Greenhalgh: History
Susan Greenhalgh (20:10): After hearing all of that, I’m guessing everyone probably thinks, «who would ever want to do internet voting for public governmental elections?»; but unfortunately, right now 32 states permit some subset of voters to vote online either by email, fax, or some sort of online portal. And there’s a lot of ballots coming back online! In the 2020 election, there were over 300 000 ballots cast online; and in some states with small margins, there were a significant number of ballots cast online. And this is a problem, because those ballots we know are not secure and they can’t be audited.
Trying to create
So, I want to talk a little bit about the policy and the history of how we got here and how it’s playing out today to understand our situation. As I mentioned in the intro, back in 2004, David was part of a security study that examined a system that was being put together by the Department of Defense to allow military and overseas voters to vote online.
This was something that Congress tasked them to do. They built a system, had a peer review of the security. The peer review said, this is not secure, you cannot ensure the legitimacy of ballots cast online. So the project was scrapped.
Standards first
Congress turned around and said: Okay, we’ll have NIST—National Institute of Standards and Technology—develop standards for a secure online voting system and then we’ll have the Department of Defense build to those standards. So NIST spent the later part of the 2000s and early 2010s studying the problem, writing several reports, and they came to the conclusion—that the scientists have all come to—that there’s this broad scientific consensus that these problems are really not solvable with the security tools that we have today.
And they wrote a statement saying, we don’t know how to write security standards, because we don’t know how to do internet voting securely. It’s not yet feasible, so we’re not doing it. So Congress said «okay» a couple of years later, because Congress moves slowly: Between 2014 and 2015, Congress repealed the directive to the Department of Defense to build an online voting system; essentially taking the federal government out of it.
We often hear: «Why isn’t the federal government studying it?» The answer is: They already did; asked and answered. So in the subsequent years we’ve seen more reports come out; in 2018, the National Academy study came out that Matt mentioned. There have been numerous academic studies, and some states have done their own studies.
Time and again, when the computer scientists and the security experts look at the problems, they realize that voting is not something that you can apply today’s security tools to, in a sufficient way to secure it. So, we’ve never come up with anyone that says, «Here this is a secure way to do it from a scientific perspective».
Policy before Possibility
Yet, in that early 2000s period of time and even the late 90s, there was a reasonable expectation that we were going to have a secure online voting system from the Department of Defense. So states passed laws to allow electronic ballot return. By 2010, I think 29 or 30 states already had electronic ballot return laws in place. So that was before NIST came up with their statement saying, «we can’t write security standards for this», and before the bulk of the scientific research that’s so conclusive had come out. So, in the mid 2010s, we’d seen a kind of slowdown in the movement for online voting; but now we’re in the middle of an aggressive push once again to have people vote online and that’s coming mainly from two places:
1. Bradley Tusk
First, there’s a guy named Bradley Tusk who is an Uber multi-millionaire: Made a bunch of money for Uber and he helped change their policies. Not a tech guy, he’s a policy guy. He helped change state laws to allow Uber ride share policies around the country. He also was responsible for changing state laws to allow sports betting on the FanDuel app. So he knows what he’s doing as far as changing state laws. And he’s decided that he’s going to save American democracy by getting everybody to vote on their phones by 2028, he said that on his podcast. He has also said, that he will do anything unethical—short of committing a crime—to get everyone voting on their phone. So, he’s hired lobbyists, he’s got public relations people, and he’s introducing bills in different states around the country to allow people to vote online: Starting with subsets of military and overseas voters for states that don’t already have it, and then to expand it to voters with disabilities, to expand it to First Responders who may be displaced, and then ultimately with the goal of getting everybody to vote online.
Despite Federal warnings
One of the most definitive scientific studies that we saw—or I shouldn’t call it a study, it was a risk assessment—came from the Department of Homeland Security CISA, FBI, NIST, and EAC in 2020, and it warned states: «You don’t probably want to do this, because those ballots will be at high risk of compromise, manipulation, deletion, or privacy violations. Any ballots cast online via any method, even with security tools in place.»
State legislation lobbies
So even with all this security guidance coming from the federal agencies: Those federal agencies can’t go into the states and lobby. They put out their risk assessment, hope the states look at it. Instead, it’s left to organizations like our organization. We work with Verified Voting, with Brennan Center, with Public Citizen. These are all groups that are very deeply committed to ensuring access for all voters. My organization actually takes legal action to ensure people’s access to the ballot. But we also want to protect that ballot and make sure that the election is secure. So that’s why we are going in and raising these security concerns in the state legislatures and trying to keep states from introducing more bills to spread online voting.
In the last year and a half, we saw bills introduced in California, Washington, Maryland, Wisconsin, Michigan, Illinois, Georgia, New York, New Jersey, and Washington D.C.
That’s one aspect of the push for online voting.
2. Vendors
There’s another aspect that comes from the vendors. Because this is an industry that is not regulated at all, the systems that are being sold commercially don’t undergo any sort of public testing that anyone else can review. The vendors make claims of security or claims about the way the system operates that are unfounded, baseless. Our organization has written letters to Attorneys General, arguing that these could constitute false claims in deceptive marketing and could be actionable and asking for investigations. But there’s nothing to counter it, other than us bringing up the other side of it. So the vendors are also lobbying in state legislatures and promising State lawmakers that these systems can be secured.
And that’s another aspect of it.
Confidence in elections
So this is an ongoing problem that we’re going to continue to see, because of these two forces pushing online voting at a time when we really need to have auditable systems, transparent systems, secure systems, so that we can ensure that all people can have confidence in the results of an election and not expand a system that we know is insecure.
«Theranos of voting»
Internet voting has been globally referred to as the «Theranos of voting» and I think that’s actually a very apt analogy. I don’t know if you’re familiar with the story: Theranos is the blood company that was founded and went to a billion dollars; and they were going to take a tiny pinprick of blood and be able to run a complete screen of every test that you could ever possibly need and know your entire health history. And it would be cheap and everyone would be able to do it at CVS or Walgreens.
And it was a great idea, who doesn’t want that? But the problem is: The science didn’t let you do it! You needed more blood to be able to run certain tests. The blood needed to be centrifuged, the cells separated out, and reagents put in there. You can’t do it all, but the idea is so great, everybody wants to do it!
Yes, it would be really great if we could all vote on our phones, but the science isn’t there!
So I’m going to wrap with that and we’re going to go to questions.
Screenshot of the Q&A session. Click image to watch the session.
Q&A
Auditing?
Susan Greenhalgh (31:01): David, I was speaking about the importance of auditing elections, especially that everyone should have confidence. We don’t want to just trust elections, we want to verify elections. How can you audit an online voting system or can you audit an online voting system?
David Jefferson (31:32): You hand mark the ballot and there is no question that the ballot actually reflects the voter’s intent. That hand marked ballot becomes a contemporaneous record of the voter intent. So that if those ballots are later counted by machine—and the software in those machines is full of bugs and is full of malware, and so the counts are wrong as produced by a machine—you can always go back, in fact, you should always go back to the original hand-marked paper ballots and audit the machine results using an RLA (a risk-limiting audit), for example, as was discussed apparently yesterday.
And therefore you can determine that the machine counts were wrong and you can correct the outcome of the election.
Now, with any kind of online voting system, if you are voting from your phone or your personal computer, there is no indelible contemporaneous record of what the voter’s actual intent was. There is no record from which to audit the election.
So, it’s really not possible to audit an online election and that’s just another reason why we shouldn’t be doing it.
Digital «voter-verified paper ballots» aren’t
Susan Greenhalgh (33:16): One of the things we see the vendors say, is that «we produce a voter-verified paper ballot, our system isn’t online voting, it isn’t internet voting». One of the CEOs of one of the vendors told a radio show that «We don’t use the term “internet voting”, because it’s a loaded term; we say “electronic ballot returns”.» So it’s a little bit of this smoke and mirrors.
And that they produce a voter verified paper ballot: Well, a lot of times, the digital record is sent to the elections office and then it’s printed there. But obviously that paper ballot has never been verified by the voter, because it’s the digital record that was sent. But to say, «it’s a voter verified paper ballot», is highly misleading at best, so you don’t have a voter verified paper ballot to audit the election.
Eliminating vote secrecy?
Audience Member (34:16): You folks were talking about the kind of competing requirements of a secret ballot and a technically secure ballot. I vote for Mickey Mouse every year, I don’t care who knows that. From a purely technical perspective, if you omit the requirement of secrecy, does online voting become much more viable?
Matt Blaze (34:37): Sure, all sorts of problems get easier, if you reduce the requirements. The requirement for a secret ballot doesn’t exist just because a bunch of technologists said it should. The requirement for a secret ballot evolved over centuries of U.S. law; and centuries of experience with fraud in democracies, based on coercing votes from people.
We could—as a society—decide to eliminate the secret ballot and maybe we decide that we want to. But I think a poor reason to eliminate the secret ballot is simply to accommodate some future voting technology, that finds it an inconvenient requirement.
I think it’s very important to understand here: These requirements didn’t come from us, these requirements are not requirements that the technologists invented. These are requirements that society has decided are important properties for voting systems. We can discuss whether those requirements are good or not, but that discussion had nothing to do with technology, it’s a democracy requirement.
Perpetual motion machines
When I hear about internet voting, I find it helpful to substitute in my head «perpetual motion machine». If we had perpetual motion machines, it would be great! It would solve our energy problems.
Everybody agrees perpetual motion machines would be terrific! Unfortunately, a bunch of killjoy physicists tell us that we’ll never be able to have them. If you believe the killjoy physicists, it would be a bad idea to create policy on the assumption that we’re about to build a perpetual motion machine, because we’re really not. And internet voting has many, many of the same properties there.
Praise for secret ballots
David Jefferson (36:42): I want to praise the secret ballot requirement: The secrecy of the ballot is the strongest defense by far we have against voter coercion, vote retaliation, and vote buying and selling. Without the secret ballot, our elections could be irredeemably corrupted by those effects.
Internet voting is racist
Audience Member (37:10): I have more of a comment that I’d love to get our moderator’s response on here. What really worries me more than anything about online voting is much lower tech, actually, it’s that if it goes large scale it’s subject to phishing attacks. You could have very large-scale voter suppression with fake emails coming from secretaries of State, apparently, and you go and you lose your vote and maybe you get your identity stolen too. Now, phishing campaigns can be just 19, 20 % effective; targeted they can be 70 % effective and who’s going to get targeted in a voter suppression campaign? The same people who always get targeted: Communities of color! So, I think this whole issue very quickly becomes a racial justice issue, honestly, and that’s not even getting into the stuff you all have been talking about, that I firmly agree with.
Susan Greenhalgh (38:13): My comment is: I agree. I don’t have much more to add that was very well put!
Biometrics
Audience Member (38:21): Just a quick question regarding authentication and biometric data: So can your team speak to the benefits of that? I know that the TSA for example is using biometric data for authentication purposes for international travel; comparing your passport photo to your face while you check in. Obviously, having biometric data stored by the government maybe isn’t the best idea; you could do something like hashing or something different like that. But can you speak to the advancements of biometric data and how they pertain to online voting in the future?
Matt Blaze (39:00): There are two unfortunate properties about Biometrics. The first is they are tied to you as an individual; you can’t change them if they’re compromised. So if something happens to your biometric data and other people learn about what it is, they know it and you’re stuck. That means that effectively supervised biometric authentication—you go into the kiosk, there’s a guard, you put your fingerprint on a reader—might be okay, because they know that you’re not bringing some equipment in, to fake what the fingerprint is. But unsupervised biometric authentication—I’m using my phone, it reads my biometric, and sends that data somewhere—is something that’s always going to be subject to compromise. So Biometrics solve some problems for in-person authentication that work very poorly in the online context.
Vote by phone isn’t secret
Audience Member (40:12): I think another issue that isn’t really considered, is the fact that, for instance, if Bea is going to vote with her cell phone and she’s asleep, I can just pick up her cell phone, unlock it with her face and vote on it. Or Bob over there wants me to vote for Pinkie Pie, so he gives me a thousand dollars to go vote for Pinkie Pie. We still have that problem in our regular elections and those are small little votes. But there’s no privacy.
If you have a partner that’s very controlling and they’re trying to force you to vote for somebody: When you walk into that voting booth by yourself and you close that curtain, you can vote for whoever you want. You lose that a hundred percent when you do online voting and vote by phone or any of this. Great for American Idol, not great for elections.
Remote (postal) voting
Audience Member (41:19): I have a general question about remote voting which is not electronic, such as postal voting, which is used in many countries to support for example disabled voters or voters who are otherwise unable to go to the polling station. And postal voting has many risks of the kind that you mentioned, such as the risk of coercion or the risk of not knowing that the ballot that arrived was actually marked by a legitimate voter. So given all this, what kind of secure-enough options would you recommend for remote voting?
Matt Blaze (41:50): It’s important not to confuse online voting with the general problem of remote voting. Remote voting exists everywhere in the United States at least as a special case for absentee ballots: People who can’t travel and so on. It’s generally done on paper and by mail.
That has some of the same problems as online voting, but not all of them. It leaves us with the one-on-one coercion problem, that if you’re sent a paper ballot, it is possible you could be coerced by a partner or an employer to vote in a particular way. But that has to be done on a retail level, ballot by ballot.
In an online voting system, that same type of compromise can be done centrally: A piece of malware, that’s spread by a phishing or any of the other ways that malware spreads, can be used to wholesale compromise many, many different ballots.
So, my suggestion is that to accommodate voters who can’t travel, we stick to the paper-by-mail method and not introduce methods that also add the wholesale fraud and wholesale abuse vector. But even by mail, voting does compromise some of the properties of the secret ballot; and we have to be very careful when we scale that up.
Susan Greenhalgh (43:37): I’ll just add that there have been solutions that have been implemented: When the Military and Overseas Voter Empowerment Act was passed, it required that all Counties or States send ballots to Military and overseas voters 45 days before the election. It also stipulated, that they had to make the option available to send the blank ballot electronically. Blank ballots can be sent with reasonably acceptable security electronically, because they don’t have the vote, they don’t have the secret, valued piece of data, on them; everybody knows what’s going to be on the blank ballot. So, you get your blank ballot in 45 days and then still have 45 days. The military have access to expedited free postal mail return that is provided to everyone in the military.
I mentioned there are 32 states that currently allow electronic ballot return, 18 that do not. There are several states that don’t allow electronic ballot return, that have higher rates of participation for military and overseas voters, because they have robust communications in place: They’re making sure that they get the information to those voters. So, I don’t think that we can make a correlation that electronic ballot return is going to increase participation for those voters based on that information.
Voter outreach
Audience Member (45:03): Military ballots and voting is always kind of interesting on all the campaigns I’ve worked on. Generally, each county is autonomous and how they vote in it. You’re talking about military and state. I’m really a novice, I really don’t know what I’m doing on this one. So, you’re saying the states have better things in place. So, how does that work with the counties being autonomous and how they do their voting?
Susan Greenhalgh (45:45): It actually depends State-by-State, because some States run their UOCAVA outreach to those voters or military and overseas. The outreach of those people at the state level and some places do it at the county level; meaning that the county officials have to email the ballot or send the ballot to the people; or some places, they do it from the state level. So it really depends on the state: You have to go State by State.
Ballot marking machines vs. secrecy
Audience Member (46:20): I think it’s important for people to be careful not to generalize your personal experience of voting and think that’s how it is throughout the United States. It’s easy to make blanket statements that don’t apply. So, for instance, with respect to voting by mail: If you live in the state of Georgia, the only way to be able to do a hand-marked paper ballot is, if you vote by mail. The only way to have ballot secrecy is, if you vote by mail. Because, if we go into a precinct, we have ballot marking devices that are huge. They’re upright, they’re lit up, and anyone can see how you’re voting. So if you want ballot secrecy and hand-mark paper ballots in the state of Georgia, you have to be able to vote by mail. And the other thing to be aware of in the state of Georgia, is that the Secretary of State controls all counties. So, we’re required to do everything the same way throughout the entire State; it’s not county-by-county decisions. So I just want to caution people: Don’t generalize based on your own experience, because across the United States there are very different circumstances.
The transcript ends here, but some relevant information follows, for those wishing to dig deeper.
Related work
U.S.
- The National Academies of Sciences, Engineering, Medicine et al.: Securing the Vote: Protecting American Democracy, 2018. The «Consensus Report» mentioned above.
- Kim Zetter: US government plans to urge states to resist ‘high-risk’ internet voting, The Guardian, 2020-05-08 (or 2020-05-09 CEST). Report on the DHS risk assessment.
- Cybersecurity and Infrastructure Security Agency (CISA): Election Infrastructure Cyber Risk Assessment, 2020-07-28. Enumeration and quantification of risks related to internet voting; also mentioned above.
- Cybersecurity and Infrastructure Security Agency (CISA): Risk Management for Electronic Ballot Delivery, Marking, and Return, undated (but before 2020-05-08). Essentially a summary of the risk assessment above, referenced in the Guardian article; scanned, labelled as “draft”.
Estonia
- Märt Põder: Do voting machines dream of digital democracy?, 2023-10-17. Slides of his presentation in Zurich on the Estonian electronic voting system (including: how he might have stolen the election, but didn’t; that results differ greatly between internet and paper votes.)
- Estonian Cyber Security News Aggregator: Cyber Security Newsletter 2023-10-12 (i-voting / RK2023). Extensive list of the problems during the Spring internet voting in Estonia.
- Märt Põder: Should e-voting experience of Estonia be copied?, 37C3, 2023-12-30. Märt’s presentation at the 37th Chaos Communication Congress.
Switzerland
- James Walker: Swiss Post puts e-voting on hold after researchers uncover critical security errors, The Daily Swig, 2019-04-05. Sarah Jamie Lewis and others discovered bugs hidden deep in the hard-to-understand cryptographic core of the Scytl/Swiss Post eVoting system. (As of 2023, it is again in use in Swiss elections/votes. Many more articles not available in English.)
- Patrick Seemann: eVoting: No risk, have fun?, DNIP, 2023-09-04. According to the Swiss eVoting risk assessment, the risk is now lower. Without any substantial changes to the system. A critique (in German 🇩🇪).
Technology
Homomorphic Encryption and Blockchain are mentioned here (and elsewhere), as potential solutions to Internet voting aka eVoting. If you want to understand these technologies, here are some pointers:
- Marcel Waldvogel: Post Quantum and Homomorphic Encryption made easy, 2023-02-23. Toy versions of these topics explained, so that everyone can have a basic understanding.
- Marcel Waldvogel: Hitchhiker’s Guide to the Blockchain, 2022-04-09. Blockchain technology explained. Here, the link to my statement about electronic voting and blockchain.
- Marcel Waldvogel: Hitchhiker’s Guide to the Blockchain: An Overview. Overview over my articles about Blockchain and related technologies.
Post Quantum and Homomorphic Encryption made easy
Major challenges in computer and information security are the advent of quantum computers and the need to trust your data to (cloud) service providers. New cryptography is supposed to help, but it looks daunting. At its core, however, it is just children’s riddles. An introduction to Lattice cryptography and Learning With Errors.
Two big challenges are faced by information security:
- Cryptographers are afraid that quantum computers may be able to break existing public-key cryptography easily, a few years from now. As public-key cryptography is at the heart of almost every information security mechanism, something needs to be done. And for secrets which should remain secret for many years or decades, we need solutions now. These solutions are called Quantum-safe or Post-Quantum cryptosystems.
- Cloud computing, smart cards and the Internet of Things have a common problem: You may need to process data on platforms which are in the hands of someone else. Trust in those devices and their owners or operators is necessary, but there is no way to test whether they are violating your trust. It would be great if sensitive data would not need to be processed on these systems, if instead, they could operate on encrypted versions of the data. This is the promise behind (Fully) Homomorphic Encryption: Performing mathematical operations on the encrypted data, with the results remaining encrypted; essentially, the holy grail for trustworthy computing.
When trying to learn about Quantum-resistant cryptography or Homomorphic Encryption, the terms Lattice-based Cryptography and Learning With Errors quickly pop up. However, the descriptions I was able to find on the Internet try to discourage any normal reader from understanding them: As presented by those in the know, the math looks scary and complex; achieving magic looks trivial by comparison.
However, at their core, they are just coordinate systems and children’s riddles.
So, let me give you an intuition into how they work, explained even for those who hate math. And conclude with what that means.
Table of Contents
- Lattices are fancy coordinate systems
- Learning with Errors
- As a riddle (without errors)
- Properties of linear equation systems
- For cryptography (with errors)
- A riddle with turtles
- Learning-with-errors based public-key cryptography
- Cryptographic applications
- Conclusion
- Acknowledgments
Lattices are fancy coordinate systems
You know coordinate systems from blueprints, maps, you name it. They are easy:
- The coordinate axes are orthogonal to each other (and parallel to the edges of the sheet or screen)
- The measurement system (or spacing) along the coordinate axes is the same (e.g., x coordinate 1 is at the same distance from the origin as y coordinate 1, just in a different direction)
- The coordinate systems are linear (i.e., the distance from 0 to 1 is the same as from 3 to 4)
Left: A “normal” two-dimensional coordinate system with orthogonal, linear and proportional axes, labeled X and Y, as almost any coordinate system we will deal with in real life. Adding two vectors (arrows) of length 1 aligned to the axes, A and B, allows us to follow a series of these arrows to the destination.
Right: For example, to get to the point indicated by the middle red arrow, at X coordinate 2 and Y coordinate 1, we follow twice the step indicated by arrow A (dark blue) and once the step indicated by arrow B (cyan). In math terms, the distance between the origin and the point at (2, 1) is 2*A+1*B.
This all seems natural, because we are used to it and they are made to be easy on us. The lattices used for encryption will just add a few twists to them, which we will introduce.
Twisting the vectors
That was easy. You may even have wondered why we talk about that at all. So let’s look at slightly different vectors A and B:
Left: Our vector A is no longer aligned to the X axis.
Right: But we still can reach any integer coordinate (marked by the green dots) using an integer multiple of A and B vectors. The same point at coordinate (2, 1) can now be reached by following twice along the distance and direction of A and then following once in the reverse direction of B. In math terms, that point is at 2*A–1*B.
The new coordinate system is a slight nuisance, but still easy to handle. (In fact, using a simple formula, any (x, y) coordinate pair can be easily transformed into the number of A’s and B’s to add.)
In the same spirit, let’s continue twisting the vectors further:
Left: The vectors are now almost aligned.
Right: We can still address our three points (and in fact, any integer coordinate pair) using a weighted sum of our two basis vectors, A and B. For example, the point at (–2, –2) can be reached by first following A once forward, then twice B backward, then again once A forward, resulting in 2*A–2*B. (The A-B-B-A order in the figure is just to keep the intermediaries inside the drawing; they can be arbitrarily reordered.) This point is easily reachable, but the point at (2, 1), which we reached using three steps each time in the previous examples, would now require a stunning 17 steps.
With these two almost-aligned basis vectors, it becomes hard to determine the number of A and B steps to take. Some might be reminded of the complexity of moving to a given location with a knight on a chess board.
Not all points are valid
In the previous section, all integer coordinates were reachable, because the vector pairs were carefully selected to enable this. Choosing vectors randomly would rarely result in this property. For example, after a slight variation of the second set of vectors above, only every second point is reachable, checkerboard-style.
After doubling the length of B (left) or turning B as well (right), every other point in the coordinate system becomes unreachable. As hard as you try, you will never get to any of the hollow points. (The right-hand image might remind you of the reachable squares of the black bishop in chess.)
By choosing longer vector lengths, you will generally create even sparser lattices. (This is a general rule. Let’s gloss over how to guarantee a certain sparseness; but it involves things like the relationships between the prime factors of the vectors’ coordinates.)
More dimensions
So what happens when we make these vectors more complicated, both in their sheer number (and thus, also their number of dimensions) and their length? It becomes even harder.
Humans can easily deal with two, sometimes three dimensions. Switching to dozens or even hundreds of dimensions and having longer vectors makes it very hard to determine:
- which coordinates are reachable at all,
- how this coordinate can be reached, and, especially,
- if this coordinate is unreachable, what is the closest reachable point.
The latter property is known as the closest vector problem and is at the heart of Lattice-based cryptography.
Lattice-based cryptography
The closest vector problem is hard to solve for a complex set of basis vectors. However, if you have a simple set of basis vectors, as we started off with in the first few examples, it becomes easy to solve. Having such a pair of complex and simple problems is at the heart of public-key cryptography.
So in essence, Lattice-based public-key cryptography works as follows:
- Alice creates a set of simple basis vectors in a high-dimensional space, which does not cover all of the space (think of a checkerboard with most squares white; black ones only few and far between, with no visible pattern to their placement). This is her private key, in which the closest vector problem is easy to solve.
- Alice also creates a second set of basis vectors, each vector built by weighted addition of many of her simple vectors. This is her public key, where it is still easy to create a valid point, but it is hard to determine whether a given point is valid or not (and where it is also hard to solve the closest vector problem).
- Alice publishes her public key and keeps her private key private (just as with any other public-key cryptosystem).
- Bob, wishing to encrypt a message to Alice, uses her public vectors to encode the message. For example, he could use the first byte of the message to multiply the first public basis vector with, the second byte for the second vector, and so on. Summing up all vectors will lead to a valid lattice point.
- Bob then slightly and randomly moves that encrypted data point, such that it is off-lattice now.
- He then sends that message to Alice.
- Any eavesdropper will only know the public, complicated, basis vectors and will be unable to solve the closest vector problem.
- However, Alice, with access to the private key, can solve the closest vector problem easily and therefore reverse-engineer (1) the actual data point and (2) what factors Bob used to multiply the basis vectors with, and thus the bytes of the message.
(In case you wonder: As is common in cryptography, these operations are all done in modular arithmetic.)
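The steps above as a two-dimensional toy, added here as an example and not code from the article: a short, nearly orthogonal private basis, a determinant-1 mixing matrix that yields the long, almost-aligned public basis, Babai-style rounding as the closest-vector solver, and the same rounding attempted with only the public basis. The basis values, message and noise vector are constructed for illustration, and the modular reduction real systems apply is omitted to keep the arithmetic visible.

```python
from fractions import Fraction

# Added toy example (not the article's code): a two-dimensional, non-modular
# version of the "simple basis = private key, twisted basis = public key"
# scheme described above. All numeric values are constructed for illustration.


def vec_mat(vec, mat):
    """Row vector times matrix (mat given as a list of rows), in exact arithmetic."""
    return [sum(Fraction(vec[i]) * mat[i][j] for i in range(len(vec)))
            for j in range(len(mat[0]))]


def mat_mat(a, b):
    return [vec_mat(row, b) for row in a]


def inverse_2x2(m):
    (a, b), (c, d) = m
    det = Fraction(a * d - b * c)
    return [[d / det, -b / det], [-c / det, a / det]]


# Alice's private key: short, nearly orthogonal basis vectors (rows).
PRIVATE_BASIS = [[7, 1], [-1, 6]]
# Determinant-1 integer mixing matrix: "weighted addition of her simple
# vectors" that spans exactly the same lattice.
MIXER = [[1, 2], [3, 7]]
# Alice's public key: the long, almost-aligned basis [[5, 13], [14, 45]].
PUBLIC_BASIS = mat_mat(MIXER, PRIVATE_BASIS)


def encrypt(message, noise, public_basis=PUBLIC_BASIS):
    """Bob: weight the public vectors by the message, then nudge off-lattice."""
    point = vec_mat(message, public_basis)
    return [p + n for p, n in zip(point, noise)]


def nearest_lattice_point(point, basis):
    """Babai rounding: express the point in the basis and round the weights.
    This solves the closest-vector problem only when the basis is 'simple'."""
    weights = vec_mat(point, inverse_2x2(basis))
    return vec_mat([round(w) for w in weights], basis)


def decrypt(ciphertext, private_basis=PRIVATE_BASIS, public_basis=PUBLIC_BASIS):
    """Alice: remove the noise with the private basis, then recover Bob's weights."""
    lattice_point = nearest_lattice_point(ciphertext, private_basis)
    return [int(w) for w in vec_mat(lattice_point, inverse_2x2(public_basis))]


def eavesdropper_guess(ciphertext, public_basis=PUBLIC_BASIS):
    """Same rounding, but with only the public basis available."""
    lattice_point = nearest_lattice_point(ciphertext, public_basis)
    return [int(w) for w in vec_mat(lattice_point, inverse_2x2(public_basis))]


def rounding_is_safe(basis, noise_bound):
    """True if every noise vector with |e_i| <= noise_bound rounds back to the
    original lattice point in this basis (each weight moves by less than 1/2)."""
    inv = inverse_2x2(basis)
    return all(noise_bound * sum(abs(inv[i][j]) for i in range(2)) < Fraction(1, 2)
               for j in range(2))


if __name__ == "__main__":
    message, noise = [3, -2], [1, -1]
    ciphertext = encrypt(message, noise)                 # [-12, -52]
    print("ciphertext:", [int(c) for c in ciphertext])
    print("Alice decrypts:", decrypt(ciphertext))         # [3, -2]
    print("eavesdropper guesses:", eavesdropper_guess(ciphertext))  # [4, -2]
```

With the private basis, any noise of at most one unit per coordinate still rounds to the right lattice point; with the public basis the same noise already pushes the rounding to a wrong point, which is the asymmetry the scheme relies on.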
Learning with Errors
As a riddle (without errors)
A mother has two children. The girl is twice the age of the boy. Together, they are 18 years old. How old are the children?
Simple children’s riddle, which can be solved using linear equations.
The riddle can be solved by trial and error, or using a set of linear equations, where B is the age of the boy and G is the age of the girl:
2*B – G = 0
B + G = 18
After solving this linear system for B and G, we get G=12 and B=6. Here, we learned the age of the children without errors.
Properties of linear equation systems
That was easy. In general, linear equations are easy: With enough equations, they can be solved in a well-defined, straightforward manner, even if you increase the number of variables into the millions or billions.
“Enough equations” generally means that the number of equations needs to be at least equal to the number of variables. (Equations that can be formed by weighted addition of other equations don’t count—i.e., those that are linearly dependent on others—as they do not add new information.)
More information may not necessarily be better: If a third equation, “3*B + G = 100”, were to be added, this equation would conflict with the other two, as 3*6 + 12 = 30, which obviously does not equal 100. However, each of the three pairs would have a valid solution. In this case, they would be vastly different from each other.
For cryptography (with errors)
With these conflicts, we are on the right track toward a cryptographic puzzle. The basic idea behind learning with errors is as follows:
- Have a set of linear equations
- Increase the number of variables to be huge (into the many thousands or even millions)
- Add more valid equations, significantly beyond the number of variables. (They will automatically be linear combinations of the initial set, not adding additional information.)
- And now the magic part: Slightly jiggle the constants
A riddle with turtles
A mother turtle has two children. The girl is twice the age of the boy. Together, they are 180 years old. How old are the children?
Slightly more complicated children’s riddle, which can still be solved using linear equations (or, guessing).
The ages are ten times those of the human children, but otherwise things stay the same. We also add a third equation which agrees with the other two equations. (It automatically is a linear combination of the first two. In this case, twice the first equation plus seven times the second equation equals three times the third equation.)
However, now we slightly change the right-hand sides of the equations, adding or subtracting a small number:
All of the equations now still almost match the girl and boy ages of 120 and 60 years, respectively, but no pair of equations matches the exact numbers, and neither does the third equation on its own. Picking any pair of equations, however, gives a good estimate of the real result. With these approximations, you can perform further calculations and, as long as we are careful, the results will be close to the correct results as well. But we will never know the exact numbers. (And rounding to the nearest multiple of ten only works in this toy example.)
Learning-with-errors based public-key cryptography
To build a public-key cryptosystem, the correct values of the variables can be used as the private key and the jiggled equations as the public key. Same as in the Lattice above, the cryptographic operations are done in modular arithmetic.
The lower equation is a linear combination of the equations above.
In this case, the sum of 5 times the first, 3 times the second, and (–1) times the third equation.
- Alice chooses a modulus and creates private and public keys; she publishes the public keys and the modulus (let’s assume it to be M=89).
- For each encrypted bit that Bob wants to send to Alice, Bob creates a new, unique equation as a random, non-trivial linear combination of a subset of the equations forming the public key. (For example, the lowest equation in the image above.)
- To communicate a bit with a value of zero, Bob transmits this base equation as-is (of course, modulo M, so the 131 would turn into 131 mod 89=42).
- To communicate a bit with a value of one, Bob transmits the base equation, modified by adding roughly half the modulus, again modulo M (half of M would be roughly 44, so 42+44=86 would be transmitted as the right-hand side of the equation).
- When receiving an equation, Alice can easily compute the correct value for the right-hand side of the equation from the left-hand-side coefficients (5 and –8, in the case of the linear combination created above). The correct result here would be 120 (=5*120–8*60); modulo M that would be 31.
- When the difference between the transmitted and the correct value is small (in this case, 42–31=11), the equation is decrypted into a bit valued 0; if the difference is high (close to ½M), the equation is decrypted into a bit valued 1.
- Given the right parameters, this decryption is easy for Alice and impossibly hard for anyone else; exactly how we want public-key cryptography to behave.
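The steps above in working form, added here as an example rather than code from the article. It reuses the article’s numbers (modulus M=89, the turtle ages 120 and 60 as the private key, the combined equation with coefficients 5 and –8, the jiggled right-hand side 131) and adds a generic toy key generation; the parameters of that toy (4 variables, 8 public equations, errors of ±1, combination weights between –2 and 2) are assumptions of this example, chosen so the accumulated error stays below a quarter of the modulus.

```python
import random

Q = 89  # the modulus the article calls M


def dot_mod(coeffs, values, q):
    """Left-hand side of an equation evaluated at the given variable values, mod q."""
    return sum(c * v for c, v in zip(coeffs, values)) % q


def keygen(n_vars, n_equations, q, rng, error_bound=1):
    """Private key: the true variable values. Public key: many equations whose
    right-hand sides have been jiggled by a small error (constructed toy sizes)."""
    secret = [rng.randrange(q) for _ in range(n_vars)]
    public = []
    for _ in range(n_equations):
        coeffs = [rng.randrange(q) for _ in range(n_vars)]
        error = rng.randint(-error_bound, error_bound)
        public.append((coeffs, (dot_mod(coeffs, secret, q) + error) % q))
    return secret, public


def encrypt_bit(bit, public, q, rng):
    """Bob: a fresh random, non-trivial combination of public equations;
    for a 1 bit, add roughly half the modulus to the right-hand side."""
    n_vars = len(public[0][0])
    weights = [rng.randint(-2, 2) for _ in public]
    if not any(weights):
        weights[0] = 1                      # keep the combination non-trivial
    coeffs = [0] * n_vars
    rhs = 0
    for w, (eq_coeffs, eq_rhs) in zip(weights, public):
        coeffs = [(c + w * a) % q for c, a in zip(coeffs, eq_coeffs)]
        rhs = (rhs + w * eq_rhs) % q
    if bit:
        rhs = (rhs + q // 2) % q
    return coeffs, rhs


def decrypt_bit(ciphertext, secret, q):
    """Alice: compare the transmitted right-hand side with the correct one.
    Small distance (accumulated error only) -> 0; distance near q/2 -> 1."""
    coeffs, rhs = ciphertext
    diff = (rhs - dot_mod(coeffs, secret, q)) % q
    distance = min(diff, q - diff)          # distance from 0 on the mod-q circle
    return 1 if distance > q // 4 else 0


def article_example():
    """The article's numbers: ages 120/60 as the key, combined equation 5*G - 8*B
    with jiggled right-hand side 131; the correct value is 120 (= 31 mod 89)."""
    secret, coeffs = [120, 60], [5, -8]
    zero_ct = (coeffs, 131 % Q)                 # 42 transmitted for a 0 bit
    one_ct = (coeffs, (131 + Q // 2) % Q)       # 86 transmitted for a 1 bit
    return decrypt_bit(zero_ct, secret, Q), decrypt_bit(one_ct, secret, Q)


def roundtrip_ok(seed, trials=40):
    """Encrypt and decrypt random bits with a fresh toy key; correctness needs
    the accumulated error (here at most 2 * 8 * 1 = 16) to stay below q/4 = 22."""
    rng = random.Random(seed)
    secret, public = keygen(n_vars=4, n_equations=8, q=Q, rng=rng)
    return all(decrypt_bit(encrypt_bit(b, public, Q, rng), secret, Q) == b
               for b in (rng.randrange(2) for _ in range(trials)))


if __name__ == "__main__":
    print("article example decrypts to:", article_example())      # (0, 1)
    print("random round trips all correct:", roundtrip_ok(seed=7))  # True
```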
Cryptographic applications
Key and message sizes
The first thing to note is that—for both Lattices and Learning With Errors—both the keys and the messages are significantly larger than what we are used to from “traditional” public-key cryptography: Every transmitted bit(!) may be hundreds of bytes or even kilobytes in size.
Quantum-resistant cryptography
Many current (“classical”) public-key algorithms (RSA, Diffie-Hellman, ECC, …) rely on it being hard to solve certain number-theoretic problems, such as finding the (large) prime factors of a composite number. A powerful quantum computer running Shor’s Algorithm would be able to solve these problems quickly and thus break public-key cryptography. As data encrypted today might still need to remain safe even when powerful quantum computers become available (at least several years from now), such data needs to stop relying on these “classical” public-key algorithms.
Current symmetric-key cryptographic algorithms such as AES will not be affected by Quantum computers.
Lattice-based cryptography and Learning With Errors are considered to be safe against quantum computers.
Homomorphic encryption
The goal of homomorphic encryption is to separate the provisioning of computing power from the right to access the data in the clear: Calculations on (encrypted) data can be performed on a computer without the computer needing to decrypt and re-encrypt the data. In fact, without the computer even having the key (and thus the ability) to decrypt the data.
One of the earliest cryptosystems which allowed some simple forms of homomorphic encryption was RSA. In “textbook RSA”, (modular) multiplication can be performed on the encrypted data. For most applications, this “malleability” is undesirable and needs to be actively prevented by making sure that the decryption of a homomorphically-multiplied message has an illegal format.
Lattice-based cryptosystems are much better suited for homomorphic encryption, as they can support multiple operations, not just multiplication. But the property of malleability remains, so in the encrypted state, almost any operation could be performed on the encrypted data. You still have to trust that the right operations were performed when using the decrypted result.
Learning With Errors does not currently seem usable for FHE.
Conclusion
You learnt the basics of two cryptographic primitives that will be important in the future. And you learnt two applications. So you are well prepared for the future. I hope you enjoyed the minimum math! (If you insist on these two topics being explained with just a little bit more math, read on and watch the linked videos.)
Acknowledgments
The descriptions are inspired by Kelsey Houston-Edwards’ videos:
- Lattice-based cryptography: The tricky math of dots
- Learning with errors: Encrypting with unsolvable equations
They are great and provide some additional information.
I would like to thank DALL•E 2 for the teaser image it created using the prompt “Post-Quantum Encryption without text”. Yes, it seems that “without text” was ignored, as it does not seem to understand the concept of “text” at all, and fails to recognize that it does not recognize (part of) the prompt, as image generation AI seems to be prone to do. Also, the concept of negation (“without”) seems to be hard for AI; but then again, it is hard for humans: You might remember experimenting with “do not think of a pink elephant” in your childhood. And failing to not think of a pink elephant…