530 likes | 657 Views
Civitas. Michael Clarkson Cornell. Stephen Chong Harvard. Andrew Myers Cornell. IACR Board Meeting / CRYPTO August 19, 2008. Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. Civitas. Features: Designed for remote voting, coercion resistance, verifiability
E N D
Civitas Michael ClarksonCornell Stephen ChongHarvard Andrew MyersCornell IACR Board Meeting / CRYPTO August 19, 2008 Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C.
Civitas Features: • Designed for remote voting, coercion resistance, verifiability • Supports plurality, approval, Condorcet methods Status: • Paper in Oakland 2008 • Publicly available: 21,000 LOC (Jif, Java, and C) • Prototype …Suitable for IACR? Clarkson: Civitas
Security Model No trusted supervision of polling places • Including voters, procedures, hardware, software • Voting could take place anywhere • Remote voting Generalization of “Internet voting” and “postal voting” Interesting problem to solve! IACR Clarkson: Civitas
Adversary Always: • May perform any polynomial time computation • May corrupt all but one of each type of election authority • Distributed trust Almost always: • May control network • May coerce voters, demanding secrets or behavior, remotely or physically Security properties: Confidentiality, integrity, availability Clarkson: Civitas
Integrity Verifiability: Including: • Voter verifiability: Voters can check that their own vote is included • Universal verifiability: Anyone can check that only authorized votes are counted, no votes are changed during tallying [Sako and Killian 1995] The final tally is correct and verifiable. IACR Clarkson: Civitas
Confidentiality Voter coercion: • Employer, spouse, etc. • Coercer can demand any behavior (vote buying) • Coercer can observe and interact with voter during remote voting • Must prevent coercers from trusting their own observations Clarkson: Civitas
Confidentiality > receipt-freeness> anonymity Hierarchy: [Delaune, Kremer, and Ryan, CSFW 2006] Coercion resistance: The adversary cannot learn how voters vote, even if voters collude and interact with the adversary. too weak for remote voting IACR ? Clarkson: Civitas
Availability • We assume that this holds • To guarantee, would need to make system components highly available Tally availability: The final tally of the election is produced. IACR ? Clarkson: Civitas
JCJ Scheme [Juels, Catalano, and Jakobsson, WPES 2005] • Formally defined coercion resistance and verifiability • Constructed voting scheme • Proved scheme satisfies coercion resistance and verifiability [Backes, Hritcu, and Maffei, CSF 2008] • Verified simplification in ProVerif Clarkson: Civitas
Civitas Architecture registration teller registration teller registration teller tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box voterclient tabulation teller Clarkson: Civitas
tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box tabulation teller Registration registration teller registration teller registration teller voterclient Voter retrieves credential share from each registration teller;combines to form credential Clarkson: Civitas
registration teller registration teller registration teller tabulation teller bulletinboard tabulation teller tabulation teller Voting ballot box ballot box ballot box voterclient Voter submits copy of encrypted choice and credential (+ ZK proofs) to each ballot box Clarkson: Civitas
Resisting Coercion Voters invent fake credentials • To adversary, fake real • Votes with fake credentials removed during tabulation Clarkson: Civitas
Resisting Coercion Clarkson: Civitas
registration teller registration teller registration teller voterclient Tabulation tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box tabulation teller Tellers retrieve votes from ballot boxes Clarkson: Civitas
registration teller registration teller registration teller ballot box ballot box ballot box voterclient Tabulation tabulation teller bulletinboard tabulation teller tabulation teller Tabulation tellers anonymize votes with mix network;eliminate unauthorized credentials; decrypt remaining choices; post ZK proofs Clarkson: Civitas
Verifiability:Tellers post zero-knowledge proofs during tabulation Coercion resistance:Voters can undetectably fake credentials Civitas Architecture registration teller registration teller registration teller tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box voterclient tabulation teller Clarkson: Civitas
Protocols Leverage the literature: • El Gamal; distributed [Brandt]; non-malleable [Schnorr and Jakobsson] • Proof of knowledge of discrete log [Schnorr] • Proof of equality of discrete logarithms [Chaum & Pederson] • Authentication and key establishment [Needham-Schroeder-Lowe] • Designated-verifier reencryption proof [Hirt & Sako] • 1-out-of-L reencryption proof [Hirt & Sako] • Signature of knowledge of discrete logarithms [Camenisch & Stadler] • Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest] • Plaintext equivalence test [Jakobsson & Juels] Clarkson: Civitas
Secure Implementation In Jif [Myers 1999, Chong and Myers 2005, 2008] • Security-typed language • Types contain information-flow policies • Confidentiality, integrity, declassification, erasure If policies in code express correct requirements… • (And Jif compiler is correct…) • Then code is secure w.r.t. requirements Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. Verifiability andCoercion resistance Coercion resistance Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. VER + CR CR Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. VER + CR CR Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. VER + CR CR Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. VER + CR CR Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. VER + CR CR Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. VER + CR CR Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. VER + CR CR Clarkson: Civitas
Real-World Cost Society makes a tradeoff on: • Cost of election, vs. • Security, usability, … Current totalcosts are $1-$3 / voter [International Foundation for Election Systems] We don’t know the total cost for Civitas. Cost of cryptography? Clarkson: Civitas
CPU Cost for Tabulation For reasonable security parameters, CPU time is 39 sec / voter / authority. If CPUs are bought, used (for 5 hours), then thrown away: $1500 / machine ) $12 / voter If CPUs are rented: $1 / CPU / hr ) 4¢ / voter Increased cost…Increased security IACR ? Clarkson: Civitas
Summary Civitas provides security: • Remote voting • Verifiability • Coercion resistance (strongest?) Civitas provides assurance: • Security proofs • Explicit trust assumptions • Information-flow analysis of implementation (first?) IACR Clarkson: Civitas
Technical Issues • Web interfaces • Testing • BFT bulletin board • Threshold cryptography • Anonymous channel integration IACR Clarkson: Civitas
Research Issues • Distribute trust in voter client • Eliminate in-person registration • Credential management • Application-level DoS Clarkson: Civitas
Web Site http://www.cs.cornell.edu/projects/civitas • Technical report with concrete protocols • Source code of our prototype Clarkson: Civitas
Extra Slides Clarkson: Civitas
Paper • What paper does: • Convince voter that his vote was captured correctly • What paper does next: • Gets dropped in a ballot box • Immediately becomes insecure • Chain-of-custody, stuffing, loss, recount attacks… • Hacking paper elections has a long and (in)glorious tradition [Steal this Vote, Andrew Gumbel, 2005] • 20% of paper trails are missing or illegible [Michael Shamos, 2008] • What paper doesn’t: • Guarantee that a vote will be counted • Guarantee that a vote will be counted correctly Clarkson: Civitas
Cryptography “The public won’t trust cryptography.” • It already does… • Because experts already do “I don’t trust cryptography.” • You don’t trust the proofs, or • You reject the hardness assumptions Clarkson: Civitas
Selling Votes Requires selling credential… • Which requires: • Adversary tapped the untappable channel, or • Adversary authenticated in place of voter… • Which then requires: • Voter transferred ability to authenticate to adversary; something voter… • Has: too easy • Knows: need incentive not to transfer • Is: hardest to transfer Clarkson: Civitas
Civitas LOC Clarkson: Civitas
Civitas Policy Examples • Confidentiality: • Information: Voter’s credential share • Policy: “RT permits only this voter to learn this information” • Jif syntax: RT Voter • Confidentiality: • Information: Teller’s private key • Policy: “TT permits no one else to learn this information” • Jif syntax: TT TT • Integrity: • Information: Random nonces used by tellers • Policy: “TT permits only itself to influence this information” • Jif syntax: TT TT Clarkson: Civitas
Civitas Policy Examples • Declassification: • Information: Bits that are committed to then revealed • Policy: “TT permits no one to read this information until all commitments become available, then TT declassifies it to allow everyone to read.” • Jif syntax: TT [TT commAvail ] • Erasure: • Information: Voter’s credential shares • Policy: “Voter requires, after all shares are received and full credential is constructed, that shares must be erased.” • Jif syntax: Voter [Voter credConstT ] Clarkson: Civitas
Registration Trust Assumptions One way to discharge is with in-person registration • Not an absolute requirement • Though for strong authentication, physical presence (“something you are”) is reasonable • Need not register in-person with all tellers Works like real-world voting today: • Registration teller trusted to correctly authenticate voter • Issue of credential must happen in trusted “registration booth” • But doesn’t need to happen on special day Con: System not fully remote Pro: Credential can be used remotely for many elections • Reusing real-world mechanism, can bootstrap into a system offering stronger security Clarkson: Civitas
Voting Client Trust Assumption Civitas voting client is not a DRE: • Voters are not required to trust a single (closed-source) implementation • Civitas allows open-source (re)implementations of the client • Voters can obtain or travel to implementation provided by organization they trust Discharge? Distribute trust in client. [Benaloh, Chaum, Joaquim and Ribeiro, Kutyłowski et al., Zúquete et al., …] Clarkson: Civitas
Blocks Block is a “virtual precinct” • Each voter assigned to one block • Each block tallied independently of other blocks, even in parallel Tabulation time is: • Quadratic in block size • Linear in number of voters • If using one set of machines for many blocks • Or, constant in number of voters • If using one set of machines per block Clarkson: Civitas