SeGng Weconsidervo0ngsystemswithendtoend (E2E)verifiability. - PowerPoint PPT Presentation

Jeremy
Clark,
Urs
Hengartner,
&
Kate
Larson 
 University
of
Waterloo 
 
 Not
So
Hidden
Informa0on: 
 Op0mal
contracts
for
undue
influence
in
E2E
vo0ng
systems 
 


SeGng
 We
consider
vo0ng
systems
with
end‐to‐end
 (E2E)
verifiability.
 The
correctness
of
these
systems
rely
on
 mathema0cal
assump0ons
instead
of
chain‐ of‐custody,
soQware,
or
hardware.

 (Custody
independence
 and
 soQware
 independence)
 2


Punchscan
 To
illustrate
the
idea
of
contracts,
we
focus
on
 one
system:
Punchscan
 Why
just
one?
 Why
this
one?
 3


Punchscan
 01-0031337 01-0031337 Alice
 Alice
 Y Bob
 Bob
 Z Z Y 4


01-0031337 01-0031337 Alice
 Alice
 Y Bob
 Bob
 Z Z Y 5


01-0031337 Alice
 Y Bob
 Z 6


01-0031337 Alice
 Y Bob
 Z Y
 Z
 7


01-0031337 Alice
 Y Bob
 Z Z
 Y
 8


01-0031337 01-0031337 Alice
 Alice
 Y Bob
 Bob
 Z Z Y 9


Contracts
 10


Alice
 X Bob
 Y X Y 11


Alice
 Alice
 X X Bob
 Bob
 Y Y Y X X Y 12


Alice
 Alice
 X X Bob
 Bob
 Y Y Y X X Y Alice
 Y Bob
 X X Y 13


Alice
 Alice
 X X Bob
 Bob
 Y Y Y X X Y Alice
 Alice
 Y Y Bob
 Bob
 X X X Y Y X 14


A
Simple
Fix
 Order
maders.
 If
the
voter
choose
top
or
bodom
prior
to
seeing
 the
ballot,
the
best
possible
contract
is
forced
 randomiza0on.
 This,
however,
does
increase
the
role
of
poll
worker
 procedure
in
the
security
of
the
system.
We
are
 aiming
for
custody‐independence.
 15


Ques0ons
about
Contracts
 What
tool
is
best
for
analysis?
 Of
the
exis0ng
contracts,
which
are
best?
 Can
we
define
the
best
possible
contract?
 What
if
we
have
more
than
2
candidates?
 What
if
voters
do
not
behave
correctly
and
 follow
the
contract?
 Is
the
contract
financially
sensible?
 16


Game
Theory
 17


18


19


Alice
 Alice
 Alice
 Alice
 X X Y Y Bob
 Bob
 Bob
 Bob
 Y Y X X X Y Y X X Y Y X Nature
 {XY,XY}
 {XY,YX}
 {YX,XY}
 {YX,YX}
 L,T
 u 0 ,
 1
 u 0 ,
 ‐1
 u 2 ,
 ‐1
 u 2 ,
 1
 L,B
 u 1 ,
 1
 u 0 ,
 ‐1
 u 1 ,
 ‐1
 u 0 ,
 1
 Voter
 R,T
 u 0 ,
 ‐1
 u 0 ,
 1
 u 0 ,
 1
 u 0 ,
 ‐1
 R,B
 u 0 ,
 ‐1
 u 1 ,
 1
 u 0 ,
 1
 u 1 ,
 ‐1
 20


Alice
 Alice
 Alice
 Alice
 X X Y Y Bob
 Bob
 Bob
 Bob
 Y Y X X X Y Y X X Y Y X Nature
 {XY,XY}
 {XY,YX}
 {YX,XY}
 {YX,YX}
 L,T
 u 0 ,
 1
 u 0 ,
 ‐1
 u 2 ,
 ‐1
 u 2 ,
 1
 L,B
 u 1 ,
 1
 u 0 ,
 ‐1
 u 1 ,
 ‐1
 u 0 ,
 1
 Voter
 R,T
 u 0 ,
 ‐1
 u 0 ,
 1
 u 0 ,
 1
 u 0 ,
 ‐1
 R,B
 u 0 ,
 ‐1
 u 1 ,
 1
 u 0 ,
 1
 u 1 ,
 ‐1
 21


Nature
 {XY,XY}
 {XY,YX}
 {YX,XY}
 {YX,YX}
 L,T
 u 0 ,
 1
 u 0 ,
 ‐1
 u 2 ,
 ‐1
 u 2 ,
 1
 L,B
 u 1 ,
 1
 u 0 ,
 ‐1
 u 1 ,
 ‐1
 u 0 ,
 1
 Voter
 R,T
 u 0 ,
 ‐1
 u 0 ,
 1
 u 0 ,
 1
 u 0 ,
 ‐1
 R,B
 u 0 ,
 ‐1
 u 1 ,
 1
 u 0 ,
 1
 u 1 ,
 ‐1
 22


Adversary
 Nature
 {XY,XY}
 {XY,YX}
 {YX,XY}
 {YX,YX}
 L,T
 u 0 ,
 1
 u 0 ,
 ‐1
 u 2 ,
 ‐1
 u 2 ,
 1
 L,B
 u 1 ,
 1
 u 0 ,
 ‐1
 u 1 ,
 ‐1
 u 0 ,
 1
 Voter
 R,T
 u 0 ,
 ‐1
 u 0 ,
 1
 u 0 ,
 1
 u 0 ,
 ‐1
 R,B
 u 0 ,
 ‐1
 u 1 ,
 1
 u 0 ,
 1
 u 1 ,
 ‐1
 23


Adversary
 Voter
 Nature
 {XY,XY}
 {XY,YX}
 {YX,XY}
 {YX,YX}
 L,T
 u 0 ,
 1
 u 0 ,
 ‐1
 u 2 ,
 ‐1
 u 2 ,
 1
 L,B
 u 1 ,
 1
 u 0 ,
 ‐1
 u 1 ,
 ‐1
 u 0 ,
 1
 Voter
 R,T
 u 0 ,
 ‐1
 u 0 ,
 1
 u 0 ,
 1
 u 0 ,
 ‐1
 R,B
 u 0 ,
 ‐1
 u 1 ,
 1
 u 0 ,
 1
 u 1 ,
 ‐1
 24


25


What
percent
of
the
0me,
on
average,
will
u0lity
 maximizing
voters
cast
a
vote
for
Alice?
 • Forced
Randomiza0on:
50.0%
 • MN
(Moran,
Naor
07):
54.2%
(or
62.5%)
 • BMR
(Bohli,
Muller‐Quade,
Rohrich
07):
62.5% 

 • KRMC
(Kelsey,
Regenscheid,
Moran,
Chaum
09):
75.0%
 26


Op0mal
Contract
 KRMC
has
the
best
proper0es
but
is
it
the
best
 contract
possible?
Yes
(for
two
candidates).
 What
if
there
are
more
than
2
candidates?
We
 provide
an
algorithm
for
genera0ng
op0mal
 contracts
of
any
number
of
candidates.
 KRMC
improved
on
the
previous
contracts
by
 adding
a
second
level
of
u0lity.
Could
we
not
 improve
further
by
adding
more
levels
of
u0lity?
 No.

 27


28


29


✓ 
 30


✓ 
 ✓ 
 31


✓ 
 ✓ 
 ✓ 
 32


✸ 
 ✓ 
 ✓ 
 33


34


✓ 
 ✓ 
 ✓ 
 ✓ 
 35


✓ 
 ✓ 
 ✓ 
 ✓ 
 ✓ 
 36


✓ 
 ✓ 
 ✓ 
 ✓ 
 ✓ 
 n/n
 1/n
 1/n
 37


Advantage
vs.
Number
of
Candidates
 38


What
if
voters
are
not
u0lity‐maximizing?
 We
model
voters
of
four
types:
 ‐ Always
vote
for
Alice
 ‐ Always
vote
for
Bob
 ‐ Follow
the
contract
to
receive
highest
payoff
(“u0lity
 maximizing”)
 ‐ Always
vote
contrary
to
the
adversary
(“vengeful”)
 39


Coercion
vs.
Vote
Buying?
 The
language
of
u0li0es
abstracts
away
the
difference:
 u0li0es
could
be
possible
(vote
buying)
or
nega0ve
 (coercion).
 However
vote
buying
is
voluntary
while
coercion
is
 involuntary:
we
must
this.
For
example,
vengeful
voters
 only
mader
for
coercion.
 40


Influence
of
vote
type
in
coercion
 How
many
coopera0ve
voters
are
needed
to
counter‐ act
the
influence
of
one
vengeful
voters
in
coercive
 contracts?
 • MN:
at
least
6.1
 • BMR:
at
least
4
 

 • KRMC:
0
(any
cooperate
voters
add
votes
for
Alice)
 41


Influence
of
Voter
Type
in
Buying
 With
vote‐buying
contracts,
the
voters
who
did
not
 change
their
vote
due
to
the
contract
may
s0ll
 coincidentally
meet
the
condi0ons
of
the
contract
 and
request
payment.
 How
much
does
the
adversary
actually
pay
and
how
 does
that
relate
to
how
many
votes
are
actually
 being
bought?
 42


We
provide
some
analysis
and
a
general
u0lity
equa0on.
 Example
numbers:
For
op0mal
2‐candidate
contracts,
assume
 Alice
voters
and
Bob
voters
make
up
45%
of
the
electorate
 each.
The
remaining
10%
will
vote
according
to
the
contract
 for
€10.
 
The
contract
becomes
profitable
when
a
vote
gained
is
worth
 at
least
€89
for
the
adversary.

 For
3
candidates
and
similar
split,
the
number
increases
to
€96.
 43


Future
Work
 • A
general
framework
for
elimina0ng
contracts
 is
leQ
for
future
work
 • Elimina0ng,
or
moving
forward,
voter
choices
 helps
in
this
specific
case
 • Screening
techniques
could
improve
contracts
 44


45