1 / 48

Civitas Toward a Secure Voting System

Civitas Toward a Secure Voting System. Michael Clarkson Cornell University. Stevens Institute of Technology March 30, 2009. Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. Civitas. Electronic voting system; 21,000 LOC [Clarkson, Chong, and Myers, Oakland 2008].

damon
Download Presentation

Civitas Toward a Secure Voting System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CivitasToward a Secure Voting System Michael ClarksonCornell University Stevens Institute of Technology March 30, 2009 Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C.

  2. Civitas • Electronic voting system; 21,000 LOC • [Clarkson, Chong, and Myers, Oakland 2008] Clarkson: Civitas

  3. Evolution of Voting Technology Clarkson: Civitas

  4. Clarkson: Civitas

  5. State of Secure Electronic Voting Major commercial voting systems are insecure • California reviews [Wagner, Wallach, Blaze, et al.] Academics are pessimistic • SERVE report [Jefferson et al.] Clarkson: Civitas

  6. Security of Voting • Was your vote captured correctly? • Was your vote counted correctly? • Can the tally be independently verified? • Is your vote anonymous? • Can anyone sell their vote? • Can voters be coerced? … Clarkson: Civitas

  7. Potential Threats • Outsiders • Programmers • Election officials • Candidates and parties • Employers, organizations, spouses, … • Voters …Voting systems have some of the strongest and hardest security requirements of any systems Clarkson: Civitas

  8. Civitas Security Model No trusted supervision of polling places • Including voters, procedures, hardware, software • Voting could take place anywhere • Remote voting Generalization of “Internet voting” and “postal voting” No unilateral trust in an election authority • Instead, mutually distrusting set of authorities • Distributed trust Clarkson: Civitas

  9. Adversary • Corrupt all but one of each type of election authority • Perform any polynomial time computation • Control network • Coerce voters, demanding secrets or behavior, remotely or physically Security properties: Confidentiality, integrity, availability Clarkson: Civitas

  10. Integrity Verifiability: Including: • Voters can check that their own vote is included • Universal verifiability: Anyone can audit the election results; no votes added, changed, or deleted [Sako and Killian 1995] The final tally is correct and verifiable. Clarkson: Civitas

  11. Confidentiality Voter coercion: • Employer, spouse, etc. • Coercer can demand any behavior (abstain, sell) • Coercer can observe and interact with voter during remote voting • Must prevent coercers from trusting their own observations Clarkson: Civitas

  12. Confidentiality Coercion resistance: > receipt-freeness= CR - interaction> anonymity= RF -collusion The adversary cannot learn how voters vote, even if voters collude and interact with the adversary. too weak Clarkson: Civitas

  13. Availability Tally availability: • We assume that this holds • To guarantee, would need to make system components highly available, etc. But it’s really about the votes The final tally of the election is produced. Clarkson: Civitas

  14. Building Civitas Started with abstract voting protocol… • [Juels, Catalano, and Jakobsson, WPES 2005] • Extended design to improve security and performance • Implemented in security-typed language (Jif) • Evaluated security and performance Clarkson: Civitas

  15. Civitas Architecture registration teller registration teller registration teller tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box voterclient tabulation teller Clarkson: Civitas

  16. tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box tabulation teller Registration registration teller registration teller registration teller voterclient Voter retrieves credential share from each registration teller;combines to form credential Clarkson: Civitas

  17. credential share credential Registration registration teller registration teller registration teller voterclient Clarkson: Civitas

  18. Properties of Credentials Verifiable Teller must prove that share is good, but proof is convincing only to voter • Voter can’t sell share Anonymous No subset of shares reveals information about credential • Credentials can’t be linked to voters Unforgeable Creating new credential requires participation of all tellers • Tellers can’t “stuff the ballot box” Clarkson: Civitas

  19. tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box tabulation teller Registration JCJ: single trusted registrarCivitas: distributed trust  Improved confidentiality and integrity registration teller registration teller registration teller voterclient Clarkson: Civitas

  20. registration teller registration teller registration teller tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box voterclient tabulation teller Voting Voter submits copy of encrypted choice and credential (plus proofs) to each ballot box Clarkson: Civitas

  21. Properties of Votes Anonymous • Credentials are anonymous • Submitted over anonymous channel Replicated • Votes can be deleted only if all ballot boxes collude Non-malleable No one can construct “related” votes • Votes can’t be changed or spoiled Clarkson: Civitas

  22. Resisting Coercion Voters substitute fake credentials • To adversary, fake  real • Votes with fake credentials removed during tabulation without revealing which are fake For any behavior adversary demands… Voter complies, with fake credential Voter needs untappable channel to a registration teller Clarkson: Civitas

  23. registration teller registration teller registration teller tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box voterclient tabulation teller Voting JCJ: no ballot boxesCivitas: distributed storage  Votes highly available Clarkson: Civitas

  24. registration teller registration teller registration teller voterclient Tabulation tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box tabulation teller Tellers retrieve votes from ballot boxes Clarkson: Civitas

  25. registration teller registration teller registration teller ballot box ballot box ballot box voterclient Tabulation tabulation teller bulletinboard tabulation teller tabulation teller Tabulation tellers anonymize votes with mix network [Chaum 1981] Clarkson: Civitas

  26. tabulation teller tabulation teller tabulation teller Mix Network Clarkson: Civitas

  27. registration teller registration teller registration teller ballot box ballot box ballot box voterclient Tabulation tabulation teller bulletinboard tabulation teller tabulation teller Tellers eliminate unauthorized credentials; decrypt remaining choices; post proofs Clarkson: Civitas

  28. Properties of Tabulation Verifiable Tellers post zero-knowledge proofs during tabulation Coercion-resistant No credentials (valid or fake) ever revealed • Voters can undetectably fake credentials Clarkson: Civitas

  29. registration teller registration teller registration teller ballot box ballot box ballot box voterclient Tabulation JCJ: O(V2)Civitas: O(B2), B ¿V  Improved scalability tabulation teller bulletinboard tabulation teller tabulation teller Clarkson: Civitas

  30. Blocks Block is a “virtual precinct” • Each voter assigned to one block • Each block tallied independently of other blocks, even in parallel Tabulation time is: • Quadratic in block size • Linear in number of voters • If using one set of machines for many blocks • Or, constant in number of voters • If using one set of machines per block Clarkson: Civitas

  31. Civitas Architecture registration teller registration teller registration teller tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box voterclient tabulation teller Clarkson: Civitas

  32. Cryptographic Protocols Leverage the literature: • El Gamal; distributed [Brandt]; non-malleable [Schnorr and Jakobsson] • Proof of knowledge of discrete log [Schnorr] • Proof of equality of discrete logarithms [Chaum & Pederson] • Authentication and key establishment [Needham-Schroeder-Lowe] • Designated-verifier reencryption proof [Hirt & Sako] • 1-out-of-L reencryption proof [Hirt & Sako] • Signature of knowledge of discrete logarithms [Camenisch & Stadler] • Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest] • Plaintext equivalence test [Jakobsson & Juels] Clarkson: Civitas

  33. Civitas Security Assurance Design • JCJ proof of coercion resistance and verifiability • We extended proof • Backes et al. (CSF 2008) verification with ProVerif • Working to verify Civitas Implementation …leverages language-based security Clarkson: Civitas

  34. Secure Implementation In Jif [Myers 1999, Chong and Myers 2005, 2008] • Security-typed language • Types contain information-flow policies • Confidentiality, integrity, declassification, erasure If policies in code express correct requirements… • (And Jif compiler is correct…) • Then code is secure w.r.t. requirements Clarkson: Civitas

  35. Civitas Policy Examples • Confidentiality: • Information: Voter’s credential share • Policy: “RT permits only this voter to learn this information” • Jif syntax: RT  Voter • Confidentiality: • Information: Teller’s private key • Policy: “TT permits no one else to learn this information” • Jif syntax: TT  TT • Integrity: • Information: Random nonces used by tellers • Policy: “TT permits only itself to influence this information” • Jif syntax: TT  TT Clarkson: Civitas

  36. Civitas Policy Examples • Declassification: • Information: Bits that are committed to then revealed • Policy: “TT permits no one to read this information until all commitments become available, then TT declassifies it to allow everyone to read.” • Jif syntax: TT  [TT commAvail ] • Erasure: • Information: Voter’s credential shares • Policy: “Voter requires, after all shares are received and full credential is constructed, that shares must be erased.” • Jif syntax: Voter  [Voter credConstT ] Clarkson: Civitas

  37. Civitas LOC Clarkson: Civitas

  38. Real-World Cost Tradeoff: cost of election vs. security, usability, … Current totalcosts are $1-$3 / voter [International Foundation for Election Systems] We don’t know the total cost for Civitas …Computational cost of advanced cryptography? Clarkson: Civitas

  39. Tabulation Time vs. Anonymity K = # voters, # tab. tellers = 4, security strength ≥ 112 bits [NIST 2011–2030], 3GHz Xeons Clarkson: Civitas

  40. parallel Tabulation Time vs. # Voters sequential K = 100 Clarkson: Civitas

  41. CPU Cost for Tabulation CPU time is 39 sec / voter / authority • If CPUs are bought, used (for 5 hours), then thrown away: $1500 / machine = $12 / voter • If CPUs are rented: $1 / CPU / hr = 4¢ / voter …for this extra cost, we get increased security Clarkson: Civitas

  42. Ranked Voting Methods Voters submit ordering of candidates: Examples: Condorcet, STV/IRV, Borda, … Clarkson: Civitas

  43. Ranked Voting Methods Low-order rankings create a covert channel • Coercion intrinsically possible 4! completions Clarkson: Civitas

  44. Civitas Voting Methods Civitas implements coercion-resistant: • Condorcet • Approval • Plurality Intuition: decompose ballot Clarkson: Civitas

  45. Summary Civitas is a remote voting system Civitas contributes to: • Protocols (theory of voting): • Distributed trust in registration for confidentiality • Distributed vote storage for availability • Introduced blocks (virtual precincts) for scalability • Articulated and analyzed trust assumptions • Efficient coercion-resistant Condorcet voting • Systems (practice of voting): • Developed full, concrete protocols • Implemented system • Studied performance Clarkson: Civitas

  46. Related Work Abstract voting schemes: [Baudron et al.; Benaloh; Benaloh and Tuinstra; Boyd; Chaum; Chaum, Ryan, and Schneider Chen and Burminster; Cohen and Fischer; Cramer, Gennaro, and Schoenmakers; Fujioka, Okamoto, and Ohta; Hirt and Sako; Iversen; Kiayias and Yung; Magkos et al.; Merrit; Neff; Niemi and Renvall; Sako and Killian; Ohkubo et al.; Ohta; Okamoto; Park et al.; Rivest] … • Implemented voting systems: • Adder [Kiayias, Korman, Walluck] • ElectMe [Shubina and Smith] • EVOX [Herschberg, DuRette] • Helios [Adida, Rivest] • Prêt à Voter [Schneider, Heather, et al.; Ryan; Chaum] • Punchscan [Stanton, Essex, Popoveniuc, et al.; Chaum] • REVS [Joaquim, Zúquette, Ferreira; Lebre] • Sensus [Cranor and Cytron] • VoteHere [Neff] • W-Voting [Kutyłowski, Zagórski, et al.] • Civitas: Strongest coercion resistance, first to offer security proofs or information-flow analysis Clarkson: Civitas

  47. Web Site http://www.cs.cornell.edu/projects/civitas • Technical report with concrete protocols • Source code of our prototype Clarkson: Civitas

  48. CivitasToward a Secure Voting System Michael ClarksonCornell University Stevens Institute of Technology March 30, 2009

More Related