TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
Election security
1. PyCon India 2012 Opening Keynote David Mertz
What shall I talk about today?
The first part of this talk is largely administrative
– letting this audience know a bit about the
Python Software Foundation, its mission, and
accomplishments.
The larger, latter, section of this talk shall delve
into a technical topic that I find interesting:
making a secure, anonymous, and verifiable
voting system (in Python).
2. PyCon India 2012 David Mertz
Who am I?
A Director of the Python Software Foundation
(one of eleven).
Chair of PSF Trademarks Committee.
Chair of PSF Outreach and Education Committee.
Creator of the election system used by the PSF
(segue coming to topic of the main talk).
3. PyCon India 2012 David Mertz
More about me:
I used to be well known as author of the IBM
developerWorks column Charming Python and
Addison-Wesley book Text Processing in Python.
Now I work at a research lab called D. E. Shaw
Research who have built the world's fastest
supercomputer for doing molecular dynamics.
My academic publications include a number in
voting technologies (segue coming). Plus a
doctorate in Political Philosophy along the way.
DESRES has an office in Hyderabad, and we are hiring!
4. PyCon India 2012 David Mertz
The Python Software Foundation (PSF) is a non-
profit membership organization devoted to
advancing open source technology related to the
Python programming language.
It qualifies under the US Internal Revenue Code as a
tax-exempt 501(c)(3) scientific and educational
public charity, and conducts its business according
to the rules for such organizations.
http://www.python.org/psf/
http://www.python.org/psf/mission/
Let's start dry and factual
5. PyCon India 2012 David Mertz
The mission of the Python Software Foundation
is to promote, protect, and advance the Python
programming language, and to support and
facilitate the growth of a diverse and
international community of Python
programmers.
The PSF is composed of a membership elected by
prior members, who in turn elect a Board of
Directors to conduct the daily business of the
Foundation.
6. PyCon India 2012 David Mertz
PSF Finances
PyCon US 2012
Revenue: US$1395K (~75M Rs)
Profit: US$277K
st
Balances (as of May 31 2012)
Total equity: US$700K (~38M Rs)
Receivables: US$121K
Payables: US$27K
Net income: US$309K
The biggest PSF revenue source, by far, is PyCon US
7. PyCon India 2012 David Mertz
Things the PSF Does:
Protects the Intellectual Property in Python
(trademarks and copyrights).
Funds conferences & sprints (including a
contribution to PyCon India 2012).
Funds Python related projects (targeted
development; filling gaps in module coverage;
education and outreach efforts, etc).
Runs PSF projects (brochure; website redesign;
speed.python.org; sprints; awards; etc).
8. PyCon India 2012 David Mertz
Things the PSF Does Hereby:
We are honored to grant the Python Software
Foundation Community Service Award to
Kenneth Gonsalves, posthumously.
The Indian Python Software Society is
establishing a Kenneth Gonsalves Memorial
Award to be given to Python students. The PSF
is likewise pleased to provide seed funding of
US$3500 (~190K Rs) to IPSS for this award.
Certificate for family of Kenneth Gonsalves, if they are available
9. PyCon India 2012 A verifiable election system David Mertz
Segue time:
The rest of this talk is about voting systems. It
doesn't have anything to do with the PSF per se,
although the PSF has used the described method.
This talk doesn't really have much to do with
Python either. The systems presented and
implemented were written in Python, but you
could do it in a different programming language.
... for that matter, you could do most of it with
pencils and paper.
10. PyCon India 2012 A verifiable election system David Mertz
From time to time, the PSF conducts elections to
elect members, a Board of Directors, and to pass
motions of the membership.
There is a key property that we can rely on, that
makes it possible to provide some interesting
(theoretical) guarantees for these elections.
Namely, the identity – and email address – of
every eligible voter is known in advance and
centrally maintained.
11. PyCon India 2012 A verifiable election system David Mertz
What I do NOT advocate:
I hasten to observe that I do not support using
a system like the one I describe for public/
governmental elections.
It is outside the scope of this talk fully to
explain why, but the constraints and
properties public elections need cannot be fit
into the model given in this talk without
compromising principles of democracy.
12. PyCon India 2012 A verifiable election system David Mertz
What can we (almost) guarantee? (part 1)
1. An election should be anonymous. No one
should be able to determine how any voter voted
(other than a voter herself).
Our system allows a notable weakening of this
condition by allowing a single, trusted Election
Administrator who can puncture anonymity. This
person is, therefore, required to be a disinterested
party.
This weakening is much of why our approach
does not work for public elections – no one can
be trusted to be sufficiently disinterested.
(continued ...)
13. PyCon India 2012 A verifiable election system David Mertz
What can we (almost) guarantee? (part 2)
2. An election should be collectively verifiable.
That is, every observer should be able to
determine that the tabulation is accurate, and
that no ineligible votes are included.
Moreover, each individual voter should be able to
determine that her own vote (or non-vote) is
accurately included in the collection of ballots.
(continued ...)
14. PyCon India 2012 A verifiable election system David Mertz
What can we (almost) guarantee? (part 3)
3. An election should be secure against
tampering. No malicious action by any voter
should be able to alter an election. Ideally, no
malicious action by an outside hacker should be
able to change anything either.
A crucial element here is that even the Election
Administrator cannot tamper with an election in
a way that is not detectable by observers and/or
eligible voters.
15. PyCon India 2012 A verifiable election system David Mertz
Things we do not guarantee:
The system described makes no effort to prevent
vote buying/coercion. For PSF elections we
assume that voters act free of undue influence.
The identity of eligible voters is a matter of public
record; again, this fits the PSF membership
model (but the count of voters would suffice).
In the event of a challenge to results or to the
conduct of an election, a challenger would need to
abandon anonymity, at least to auditors.
(All reasons why this doesn't match public elections)
16. PyCon India 2012 A verifiable election system David Mertz
The simplicity of how it works:
The basic concept is that each voter is assigned a
random ballot-id associated with her ballot, and
the mapping from eligible voters is known only to
the Election Administrator.
When an election is completed, the set of cast
ballots – each identified only by ballot-id – is
published. The code actually used in the last PSF
election is at:
http://gnosis.cx/psf/
17. PyCon India 2012 A verifiable election system David Mertz
Suppose that we have a list of eligible voters, e.g.:
Anand Chittipothu, anandology@gmail.com
Massimo DiPierro, massimo.dipierro@gmail.com
Jacob Kaplan-Moss, jacob@jacobian.org
David Mertz, mertz@gnosis.cx
Anand Pillai, abpillai@gmail.com
Vasudev Ram, vasudevram@gmail.com
Prabhu Ramachandran, prabhu@aero.iitb.ac.in
Guido van Rossum, guido@python.org
We know the identity of all the voters, and that they
number 8 total (the second fact can be inferred from
the first, of course).
(These happen to be PSF members either mentioned or likely in audience)
18. PyCon India 2012 A verifiable election system David Mertz
Generating ballot-id's is a very simple script:
#!/usr/bin/env python3
from random import randint, choice
from string import ascii_uppercase as uppercase
from time import asctime, strftime
out=open('Ballot-Map-'+strftime('%Y-%m-%d'),'w')
for person in open('Address_List.members'):
ballotID = choice(uppercase)+
choice(uppercase)+
"%0.3d" % randint(0,1000)
print(ballotID,"t",person, file=out)
(Finally some Python code!)
19. PyCon India 2012 A verifiable election system David Mertz
We have produced an annotated list of eligible
voters with random ballot-id's. Remember, this
mapping is maintained confidentially by the
Election Administrator and given to no one else:
QG996 Anand Chittipothu, anandology@gmail.com
VW195 Massimo DiPierro, massimo.dipierro@gmail.com
VE237 Jacob Kaplan-Moss, jacob@jacobian.org
TQ084 David Mertz, mertz@gnosis.cx
IN792 Anand Pillai, abpillai@gmail.com
SW003 Vasudev Ram, vasudevram@gmail.com
ZG441 Prabhu Ramachandran, prabhu@aero.iitb.ac.in
XD724 Guido van Rossum, guido@python.org
20. PyCon India 2012 A verifiable election system David Mertz
Another script, send-ballot-ids, was used to process
the generated file, e.g. Ballot-Map-2012-09-19, and
send ballots to voters; another step that may not be
obvious is important to prevent tampering.
Remember our concern to prevent tampering, even
by the Election Administrator? To address this, the
administrator commits to the exact set of ballot-id's
used, but doesn't actually reveal what they are. E.g.
she can publish this:
% cut -c-5 Ballot-Map-2012-09-26 | sort | shasum
b7f1ada5057273482db97eafecf4476c5b3fb6c7 -
(The 'sort' in there is no accident)
21. PyCon India 2012 A verifiable election system David Mertz
This “commitment” to ballot-id's is nuanced. The
full set of (purported) ballot-id's is published at the
end of the election (along with the full ballots).
If the Election Administrator had
not published this “commitment,”
she could stuff the ballot at the end
with newly invented ballot-id's
having the votes she desired.
With the commitment, eligible voters – who either
do or do not cast a ballot – can verify their vote
against the eventually published archive of ballots,
leaving no room for stuffed ballots.
22. PyCon India 2012 A verifiable election system David Mertz
The Election Administrator sends a personalized
ballot to each eligible voter that incorporates a
voter's ballot-id.
Within the voting period, some
or all of the eligible voters vote
by sending back their ballot (with
ballot-id) to the Election
Administrator (more is better,
but we cannot mandate 100%
participation by PSF members).
23. PyCon India 2012 A verifiable election system David Mertz
Email is a likely way to handle sending and
receiving personalized ballots, but it could be
physical papers or other internet protocols without
affecting the guarantees.
The system described does not
address message-level or
transport-level security. It
would be nice if every voter
installed GPG and published a
public key, but we could not
count on that within the PSF.
24. PyCon India 2012 A verifiable election system David Mertz
Note that the voting procedure and publication is
neutral as to the tabulation and voting rules used.
Ballots are just documents, and whether an
organization wants “first pass the post” or “ranked
preference” voting – and similar tabulation choices
– is open within this framework.
25. PyCon India 2012 A verifiable election system David Mertz
Collective Verification:
Every actual voter can verify that the ballot
matching their ballot-id contains the votes they
intended.
Every eligible but non-voter can also verify that
their ballot-id is excluded from the published
archive.
Every observer can verify that the ballot archive
contains a subset of the committed ballot-id's.
Every observer can check the tabulation of the
ballot archive independently.
26. PyCon India 2012 A verifiable election system David Mertz
The last several PSF elections were conducted using
the method described. Following the most recent
election, some voters expressed a preference for
using a web interface rather than sending text files
over email.
My colleague Massimo DiPierro developed such a
web interface with my assistance. His code is on
github and a live test version of it is at web2py.
● https://github.com/mdipierro/evote/
● http://tests.web2py.com/evote
●
27. PyCon India 2012 A verifiable election system David Mertz
Massimo's E-Vote uses the same general principles
as the system I have described thus far, but allows
creation of elections and casting votes purely within
web interfaces.
The code to implement E-Vote requires scaffolding
for an MVC web framework, and therefore uses
more code than the <100 lines in the PSF system (of
which <50 lines are essential), but E-Vote is still
quite compact and simple.
E-Vote is a bit more automated than the PSF
system, but it also offers slightly improved
guarantees.
28. PyCon India 2012 A verifiable election system David Mertz
Anyone may create an election at the demo URL for
E-Vote; sign-in uses OpenID. An administrator
creates a ballot using a markup format and enters
the email addresses of all eligible voters.
Voters are each sent a custom link incorporating a
UUID associated with their individual ballot:
To: david.mertz@gmail.com
Subject: Simple Election
Date: Fri, 21 Sep 2012 16:12:21 +0000
Link to vote:
https://tests.web2py.com/evote/default/vote/21/
voter-B110C66787DC459BA72BA74D422684FE
29. PyCon India 2012 A verifiable election system David Mertz
After voting at the prior link:
30. PyCon India 2012 A verifiable election system David Mertz
While these ballots use ballot-id's, as with the
previous code, in E-Vote the mapping between the
UUID/URL for voting and the stored ballot-id is not
retained after the URL is used. What a ballot-id still
does, however, is make each ballot unique, even if it
contains the same vote(s) as another ballot.
Discarding the UUID/ballot-id association obscures
voter identity. While a malicious Election
Administrator who controlled the code could still
covertly store the mapping, if a trusted third party
hosts the code, the Election Administrator cannot
access that mapping.
31. PyCon India 2012 A verifiable election system David Mertz
The most interesting thing on a completed E-vote
ballot is probably its signature. This is generated
using RSA public-key cryptography:
# Pure-Python RSA module: http://stuvel.eu/rsa
import rsa, base64
def sign(text, privk_pem):
privkey = rsa.PrivateKey.load_pkcs1(privk_pem)
signature = base64.b16encode(
rsa.sign(text,privkey,'SHA-1'))
return signature
32. PyCon India 2012 A verifiable election system David Mertz
The public key that may be used to verify a signature
is published. In fact, it is contained in the “Ballot
Verification Code” link on the ballot:
% cat ballot-verification.py
# This program allows you to verify your ballot
# using the RSA algorithm.
import base64, rsa
# this is the ballot to verify
ballot = """<h2>Simple Election</h2>
<input checked="checked" value="1"/>yes
<input value="2"/>no
<input value="3"/>abstain
<pre>ballot-21-000001</pre>
""".strip()
(continued...)
33. PyCon India 2012 A verifiable election system David Mertz
Continuing the verification code...
# this is the ballot RSA signature
signature = base64.b16decode("5E5CD5...2330B4")
# this is the election public key
pk_pem = """-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAIlKHjsPqghsAvQhqGY8DZxoGIyRUkk6OlEhJUoDqCmF2rpeR9u4u3z+
MMNaWIO4iVsPQnO1JFYJr5Zim1TokLyvz+1HglYRlwW9yLMZjz/tUOFhTPu8zvq4
dHBXF47rIS5Cv4ravS5sB0zG7fQN6znWrHOO961yJSiL1KWtL/jfAgMBAAE=
-----END RSA PUBLIC KEY----- """
# this is the code that verifies the signature
public_key = rsa.PublicKey.load_pkcs1(pk_pem)
if rsa.verify(ballot,signature,public_key)==None:
print 'valid'
else:
print 'invalid'
34. PyCon India 2012 A verifiable election system David Mertz
Putting a signature on each ballot “commits” the
Election Admin (who is code, really) more strongly
than did the commitment of the ballot-id list.
A voter can save her signed ballot (and/or the
verification script above) which prevents the
Election Administrator from being able to deny
receiving the ballot. Only the election private-key
could have signed the ballot, and only the Election
Administrator (via the software) has that key.
This model doesn't work in email, since it is a
completed ballot that gets signed, not the blank.
35. PyCon India 2012 A verifiable election system David Mertz
Each voter can make sure her own ballot is
included, as before. As well, every observer can
independently verify the signatures on each ballot.
E-Vote handles non-voters by generating a “blank”
ballot for each eligible voter who did not participate,
and sends them a notice that is similar to that
received by voters when they vote.
36. PyCon India 2012 A verifiable election system David Mertz
A picture of my cat:
Every technical talk needs a cute kitten, right?
(Python pose?)
37. PyCon India 2012 A verifiable election system David Mertz
Wrap-up / Questions?
● This talk describe two variations on a voting system
that enforces properties of Anonymity, Collective
Verifiability, and Security Against Tampering.
● There are other properties that one might hope for,
but these strike me as more-or-less the right ones
for an online, explicit-membership organization like
the PSF.
● If we have time, I'd love feedback on my ideas (or
catch me in the hallways).