
Civitas Verifiability and Coercion Resistance for Remote Voting



Presentation Transcript


  1. Civitas: Verifiability and Coercion Resistance for Remote Voting
     Michael Clarkson, George Washington University
     with Stephen Chong (Harvard) and Andrew Myers (Cornell)
     Virginia Tech NCR, September 14, 2012

  2. CONFIDENTIALITY INTEGRITY

  3. CONFIDENTIALITY INTEGRITY Remote (including Internet)

  4. KEY PRINCIPLE: Mutual Distrust

  5. INTEGRITY
     Universal verifiability
     Voter verifiability
     Eligibility verifiability
     UV: [Sako and Kilian 1994, 1995]
     EV & VV: [Kremer, Ryan & Smyth 2010]

  6. Why Verifiability?
     • People:
       • Corrupted programmers
       • Hackers (individuals, …, nation-states)
     • Software:
       • Buggy code
       • Malware
     • Trustworthiness: fair elections are a basis of representative democracy

  7. CONFIDENTIALITY
     Coercion resistance: better than receipt freeness or simple anonymity
     RF: [Benaloh 1994]
     CR: [Juels, Catalano & Jakobsson 2005]

  8. Why Coercion Resistance?
     • Protect election from improper influence
     • Protect people from fear of reprisal
     • Realize ideals of voting booth, remotely
     • Trustworthiness: fair elections are a basis of representative democracy

  9. AVAILABILITY Tally availability

  10. Security Properties
     Original system:
     • Universal verifiability
     • Eligibility verifiability
     • Coercion resistance
     Follow-up projects:
     • Voter verifiability
     • Tally availability
     …under various assumptions

  11. JCJ Voting Scheme [Juels, Catalano & Jakobsson 2005]
     Proved universal verifiability and coercion resistance
     Civitas extends JCJ

  12. Civitas Architecture
     [diagram: voter client; three registration tellers; three ballot boxes; bulletin board; three tabulation tellers]

  13. Registration
     [architecture diagram as on slide 12]
     Voter retrieves credential share from each registration teller; combines to form credential

  14. Credentials
     • Verifiable
     • Unsalable
     • Unforgeable
     • Anonymous

  15. Voting
     [architecture diagram as on slide 12]
     Voter submits copy of encrypted choice and credential to each ballot box

  16. Resisting Coercion: Fake Credentials

  17. Resisting Coercion

  18. Tabulation
     [architecture diagram as on slide 12]
     Tellers retrieve votes from ballot boxes

  19. Tabulation
     [architecture diagram as on slide 12]
     Tabulation tellers anonymize votes; eliminate unauthorized (and fake) credentials; decrypt remaining choices.

  20. Auditing
     [architecture diagram as on slide 12]
     Anyone can verify proofs that tabulation is correct

  21. Civitas Architecture: Security Proofs
     [architecture diagram as on slide 12]
     Universal verifiability: Tellers post proofs during tabulation
     Coercion resistance: Voters can undetectably fake credentials
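The registration, voting and tabulation steps of slides 13 through 21, together with the fake-credential idea of slide 16, as one end-to-end toy in Python. This is an added example, not Civitas code (Civitas itself is written in Jif): it collapses the distributed tabulation tellers into a single key holder and the mix network into a single re-encrypting shuffle, uses a tiny group and a seeded RNG, omits every zero-knowledge proof, the duplicate-credential handling and the designated-verifier proofs that make a fake credential convincing to a coercer. All function names and the sample election are constructed here.

```python
import random

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# Toy Schnorr group: p = 2q + 1 is a safe prime, g = 4 generates the order-q subgroup.
# About 21 bits, far too small for real use; it only keeps the demo readable.
Q = next(q for q in range(1_000_000, 2_000_000) if is_prime(q) and is_prime(2 * q + 1))
P, G = 2 * Q + 1, 4
rng = random.Random(2012)  # seeded so the demo is reproducible; a real system needs a CSPRNG

def inv(x):
    return pow(x, -1, P)

def keygen():
    """Tabulation key pair. Civitas shares sk across the tabulation tellers;
    this demo keeps it in one place."""
    sk = rng.randrange(1, Q)
    return sk, pow(G, sk, P)

def encrypt(pk, m):
    r = rng.randrange(1, Q)
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def reencrypt(pk, c):
    """Re-randomize a ciphertext without knowing its plaintext (what the mix net does)."""
    a, b = encrypt(pk, 1)
    return (c[0] * a % P, c[1] * b % P)

def decrypt(sk, c):
    a, b = c
    return b * inv(pow(a, sk, P)) % P

def pet(sk, c1, c2):
    """Plaintext equivalence test: decrypt a randomly blinded quotient c1 / c2.
    The result is 1 exactly when the two plaintexts match and is random otherwise."""
    z = rng.randrange(1, Q)
    quot = (c1[0] * inv(c2[0]) % P, c1[1] * inv(c2[1]) % P)
    return decrypt(sk, (pow(quot[0], z, P), pow(quot[1], z, P))) == 1

def random_element():
    return pow(G, rng.randrange(1, Q), P)

def register(pk, n_tellers=3):
    """Each registration teller gives the voter one share over the untappable channel
    and posts its encryption. The credential is the product of the shares; the roll
    entry is the homomorphic product of the posted encryptions, i.e. Enc(credential)."""
    shares = [random_element() for _ in range(n_tellers)]
    credential = 1
    for s in shares:
        credential = credential * s % P
    roll_entry = (1, 1)
    for a, b in (encrypt(pk, s) for s in shares):
        roll_entry = (roll_entry[0] * a % P, roll_entry[1] * b % P)
    return shares, credential, roll_entry

def fake_credential(shares):
    """A coerced voter swaps one share for a random element. Without that share
    the coercer cannot tell the fake from the real credential."""
    forged = [random_element()] + list(shares[1:])
    cred = 1
    for s in forged:
        cred = cred * s % P
    return cred

def cast(pk, credential, choice):
    """Ballot = (Enc(choice), Enc(credential)); choice k is encoded as g^(k+1)."""
    return (encrypt(pk, pow(G, choice + 1, P)), encrypt(pk, credential))

def tabulate(sk, pk, roll, ballots, n_choices):
    # 1. Anonymize: re-encrypt and shuffle (a single-server stand-in for the mix net).
    mixed = [(reencrypt(pk, v), reencrypt(pk, c)) for v, c in ballots]
    rng.shuffle(mixed)
    # 2. Eliminate ballots whose credential matches no roll entry (unregistered or fake).
    authorized = [v for v, c in mixed if any(pet(sk, c, entry) for entry in roll)]
    # 3. Decrypt the surviving choices and tally them.
    decode = {pow(G, k + 1, P): k for k in range(n_choices)}
    tally = [0] * n_choices
    for v in authorized:
        tally[decode[decrypt(sk, v)]] += 1
    return tally, len(mixed) - len(authorized)

def run_election():
    """Constructed election: three registered voters, one coerced ballot cast with a
    fake credential, one ballot from someone who never registered."""
    sk, pk = keygen()
    voters = [register(pk) for _ in range(3)]
    roll = [entry for _, _, entry in voters]
    ballots = [cast(pk, voters[0][1], 0), cast(pk, voters[1][1], 1), cast(pk, voters[2][1], 0)]
    ballots.append(cast(pk, fake_credential(voters[1][0]), 0))  # coercer's ballot
    ballots.append(cast(pk, random_element(), 0))  # unregistered party's ballot
    return tabulate(sk, pk, roll, ballots, n_choices=2)

if __name__ == "__main__":
    print(run_election())  # ([2, 1], 2): two ballots eliminated, voter 1's real vote counted
```

The point to watch in `tabulate` is the order of steps: the shuffle and re-encryption happen before any plaintext equivalence test, so the test only ever says "this anonymized ballot matches some roll entry", never which voter cast it or which ballot was the fake.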

  22. Protocols
     • El Gamal; distributed [Brandt]; non-malleable [Schnorr and Jakobsson]
     • Proof of knowledge of discrete log [Schnorr]
     • Proof of equality of discrete logarithms [Chaum & Pedersen]
     • Authentication and key establishment [Needham-Schroeder-Lowe]
     • Designated-verifier reencryption proof [Hirt & Sako]
     • 1-out-of-L reencryption proof [Hirt & Sako]
     • Signature of knowledge of discrete logarithms [Camenisch & Stadler]
     • Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest]
     • Plaintext equivalence test [Jakobsson & Juels]
     Implementation: 21k LoC
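Two of the building blocks listed above, the Schnorr proof of knowledge of a discrete log and the Chaum-Pedersen proof of equality of discrete logs, in Python, shown in one of the roles such proofs play in universal verifiability: a teller publishes a decryption together with a proof that it used the secret key behind its public key, and any auditor can check it without that key. This is an added example, not Civitas code; the Fiat-Shamir hashing, the toy group and all names are assumptions made here.

```python
import hashlib
import random

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# Toy Schnorr group (p = 2q + 1 safe prime, g of order q), sized for readability only.
Q = next(q for q in range(1_000_000, 2_000_000) if is_prime(q) and is_prime(2 * q + 1))
P, G = 2 * Q + 1, 4
rng = random.Random(1994)  # seeded for a reproducible demo; real provers need a CSPRNG

def challenge(*values):
    """Fiat-Shamir: the challenge is a hash of the whole transcript, so the proof
    is non-interactive and can be posted on a bulletin board for anyone to check."""
    data = ",".join(str(v) for v in values).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def schnorr_prove(x, h):
    """Prove knowledge of x such that h = g^x, without revealing x."""
    w = rng.randrange(1, Q)
    a = pow(G, w, P)
    c = challenge("schnorr", G, h, a)
    return a, (w + c * x) % Q

def schnorr_verify(h, proof):
    a, s = proof
    c = challenge("schnorr", G, h, a)
    return pow(G, s, P) == a * pow(h, c, P) % P

def cp_prove(x, g1, h1, g2, h2):
    """Chaum-Pedersen: prove log_g1(h1) == log_g2(h2) == x without revealing x."""
    w = rng.randrange(1, Q)
    a1, a2 = pow(g1, w, P), pow(g2, w, P)
    c = challenge("cp", g1, h1, g2, h2, a1, a2)
    return a1, a2, (w + c * x) % Q

def cp_verify(g1, h1, g2, h2, proof):
    a1, a2, s = proof
    c = challenge("cp", g1, h1, g2, h2, a1, a2)
    return (pow(g1, s, P) == a1 * pow(h1, c, P) % P
            and pow(g2, s, P) == a2 * pow(h2, c, P) % P)

def prove_decryption(sk, pk, ciphertext):
    """A teller decrypts (a, b) and publishes m, d = a^sk and a proof that
    log_g(pk) == log_a(d), i.e. that d was computed with the key behind pk."""
    a, b = ciphertext
    d = pow(a, sk, P)
    m = b * pow(d, -1, P) % P
    return m, d, cp_prove(sk, G, pk, a, d)

def verify_decryption(pk, ciphertext, m, d, proof):
    """What an auditor runs: check b == m * d and the Chaum-Pedersen proof."""
    a, b = ciphertext
    return b == m * d % P and cp_verify(G, pk, a, d, proof)

def demo():
    """Constructed run: an honest decryption verifies; announcing a different
    plaintext with the same proof does not."""
    sk = rng.randrange(1, Q)
    pk = pow(G, sk, P)
    r, msg = rng.randrange(1, Q), pow(G, 7, P)
    ct = (pow(G, r, P), msg * pow(pk, r, P) % P)
    m, d, proof = prove_decryption(sk, pk, ct)
    honest = verify_decryption(pk, ct, m, d, proof)
    wrong_m = m * G % P
    wrong_d = ct[1] * pow(wrong_m, -1, P) % P  # keeps b == m * d but breaks the proof
    cheating = verify_decryption(pk, ct, wrong_m, wrong_d, proof)
    return m == msg, honest, cheating

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The verifier never sees `sk`, only group elements and one scalar per proof, which is what lets the proofs sit on the public bulletin board. A distributed decryption as in Civitas would have each teller publish its own `d` and proof for its key share; the auditor's check is the same per share.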

  23. Trust Assumptions

  24. Trust Assumptions
     • “Cryptography works.”
     • The adversary cannot masquerade as a voter during registration.
     • Voters trust their voting client.
     • At least one of each type of authority is honest.
     • The channels from the voter to the ballot boxes are anonymous.
     • Each voter has an untappable channel to a trusted registration teller.

  25. Trust Assumptions
     [annotation labels on the slide: Universal verifiability; Coercion resistance]
     • “Cryptography works.”
     • The adversary cannot masquerade as a voter during registration.
     • Voters trust their voting client.
     • At least one of each type of authority is honest.
     • The channels from the voter to the ballot boxes are anonymous.
     • Each voter has an untappable channel to a trusted registration teller.


  28. Registration
     In person. In advance.
     Con: System not fully remote
     Pro: Credential can be used in many elections


  30. Eliminating Trust in Voter Client
     VV: Use challenges (like Helios, VoteBox)
     CR: Open problem


  34. Untappable Channel
     Minimal known assumption for receipt freeness and coercion resistance
     Eliminate? Open problem.
     (Eliminate trusted registration teller? Also open.)


  36. Trusted procedures?

  37. Time to Tally

  38. Tabulation Time
     # voters in precinct = K, # tab. tellers = 4, security strength ≥ 112 bits [NIST 2011–2030]
     [chart]

  39. Summary
     Can achieve strong security and transparency:
     • Remote voting
     • Universal (voter, eligibility) verifiability
     • Coercion resistance
     Security is not free:
     • Stronger registration (untappable channel)
     • Cryptography (computationally expensive)

  40. Assurance
     Security proofs (JCJ, us)
     Secure implementation (Jif)

  41. Ranked Voting

  42. Open Problems
     • Coercion-resistant voter client?
     • Voter-verifiable voter client?
     • Eliminate untappable channel in registration?
     • Credential management?
     • Usability?
     • Application-level denial of service?

  43. Technical Issues
     • Web interfaces
     • BFT bulletin board
     • Threshold cryptography
     • Anonymous channel integration

  44. http://www.cs.cornell.edu/projects/civitas (google “civitas voting”)


  46. Extra Slides

  47. Adversary
     Always:
     • May perform any polynomial time computation
     • May corrupt all but one of each type of election authority
     • Distributed trust
     Almost always:
     • May control network
     • May coerce voters, demanding secrets or behavior, remotely or physically
     Security properties: Confidentiality, integrity, availability

  48. Paper
     • What paper does:
       • Convince voter that his vote was captured correctly
     • What paper does next:
       • Gets dropped in a ballot box
       • Immediately becomes insecure
       • Chain-of-custody, stuffing, loss, recount attacks…
       • Hacking paper elections has a long and (in)glorious tradition [Steal this Vote, Andrew Gumbel, 2005]
       • 20% of paper trails are missing or illegible [Michael Shamos, 2008]
     • What paper doesn’t:
       • Guarantee that a vote will be counted
       • Guarantee that a vote will be counted correctly

  49. Cryptography
     “The public won’t trust cryptography.”
     • It already does…
     • Because experts already do
     “I don’t trust cryptography.”
     • You don’t trust the proofs, or
     • You reject the hardness assumptions

  50. Selling Votes
     Requires selling credential…
     • Which requires:
       • Adversary tapped the untappable channel, or
       • Adversary authenticated in place of voter…
     • Which then requires:
       • Voter transferred ability to authenticate to adversary; something voter…
         • Has: too easy
         • Knows: need incentive not to transfer
         • Is: hardest to transfer
