820 likes | 971 Views
Coercion-Resistant Remote Voting. JCJ and Civitas. Michael Clarkson Cornell University. SecVote Summer School September 3, 2010. Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. Remote Voting. Receipt Freeness.
E N D
Coercion-Resistant Remote Voting JCJ and Civitas Michael ClarksonCornell University SecVote Summer School September 3, 2010 Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C.
Receipt Freeness . Voters do not obtain information (a receipt) that proves how they voted. [Benaloh & Tuinstra 1994, Okamoto 1997, Delaune, Kremer & Ryan 2006, Jonker and Pieters 2006, Jonker and de Vink 2007, Backes, Hritcu & Maffei 2008, …]
Attacks • Randomization • Forced abstention • Simulation [Schoenmakers 2000, Juels, Catalano & Jakobsson 2005]
Coercion Resistance Coercer can observe and interact with voter during remote voting… …must prevent coercers from trusting their own observations… …must enable voters to lie to coercers.
Coercion Resistance The adversary cannot learn how voters vote, even if voters collude and interact with the adversary. (RF + defense against three attacks) [Juels, Catalano & Jakobsson 2005, Delaune, Kremer & Ryan 2006, Moran & Naor 2006, Backes, Hritcu & Maffei 2008, Küsters, Truderung & Vogt 2010]
JCJ Ari Juels, Dario Catalano & Markus Jakobsson.Coercion-resistant electronic elections. In Proc. Workshop in Privacy in the Electronic Society, 2005.
Civitas Michael Clarkson, Stephen Chong, Andrew Myers. Civitas: Toward a Secure Voting System.In Proc. IEEE Symposium on Security and Privacy, 2008.
JCJ Key techniques: • Coercion-resistant credentials • Plaintext equivalence test (PET)[Jakobsson & Juels 2000, MacKenzie, Shrimpton & Jakobsson 2002] Based on mix networks…
Mixnet Schemes • V → BB: sign(enc(vote; KT); kV) • Talliers: • check and remove signatures • mix votes • decrypt votes
JCJ V → BB: enc(cred; KT), enc(vote; KT) • Talliers: • Anonymize all submissions with mixnets • Remove submissions with unauthorized credentials • Decrypt votes
JCJ V → BB: enc(cred; KT), enc(vote; KT) Want voters to be able to fake credentials
Resisting Coercion Defeats randomization attacks Defeats forced abstention attacks Defeats simulation attacks
CredentialsDesired Properties • Verifiable • Unsalable • Unforgeable • Anonymous
JCJ Scheme bulletinboard Registrar Tallier Voter
JCJ Scheme Registrar Tallier R1 T1 bulletinboard R2 T2 R3 T3 Voter
Assumption 0 At least one of each type of authority is honest (Needed for CR, not for verifiability)
JCJ Phases: • Setup • Registration • Vote submission • Tabulation
Setup Registrar Tallier R1 T1 bulletinboard R2 T2 R3 T3 Voter
Setup • Agree on El Gamal group G • Generate Tallier’s public encryption key KT, distribute private key kT • Post KT on BB
Assumption 1 DDH (also RSA, random oracle) Civitas
Registration Registrar Tallier R1 T1 bulletinboard R2 T2 R3 T3 Voter
Registration • Registrar: authenticate V • Registrar: s ← G • Registrar → BB: enc(s; KT) • Registrar → V [untap.]: s s = private credential enc(s) = S = public credential
Registration • Registrar: authenticate V • Registrar: s ← G • Registrar → BB: enc(s; KT) • Registrar → V [untap.]: s Electoral roll: list of all public credentials, signed by Registrar s = private credential enc(s) = S = public credential
Assumption 2 Initial voter authenticationis correct & Untappable channel (In person registration?)
Registration How many registrars? How trusted? • One, trusted • Many, untrusted
Registration One, untrusted registrar: 4. Registrar → V [untap.]: s, DVP(“S encrypts s”, V)
DVP Designated Verifier Proof [Jakobsson, Sako & Impagliazzo 1996] DVP(Φ, A) proves in ZK that “Φ holds, or prover knows A’s private key”
Registration One, untrusted registrar: 4. Registrar → V [untap.]: s, DVP(“S encrypts s”, V) DVP ensures proof isn’t receipt
Registration Civitas Many, untrusted registrars: For each registrar Ri: • Ri: authenticate V • Ri: si ← G • Ri → BB: enc(si; KT) which is Si • Ri → V [unt.]: si, DVP(“Si encrypts si”, V) …
Registration Civitas …Voter calculates credential: s = ∏isi S = ∏iSi S= ∏iSi = ∏ienc(si) = enc(∏isi) = enc(s)
Faking Credentials Voter V: • Picks registrar Ri • Substitutes new ŝi for si • Invents DVP(“Si encrypts ŝi”, V)
Assumption 3 Trusted Ri (Need untappable channel only to that registrar.)
CredentialsDesired Properties • Verifiable ✓ • Unsalable ✓ • Unforgeable✓ • Anonymous
Vote Submission Registrar Tallier R1 T1 bulletinboard R2 T2 R3 T3 Voter
Vote Submission • V: select choice (candidate) c • V → BB [anon.]: enc(s; KT), enc(c; KT)
Assumption 4 Anonymous channel
Assumption 5 Voter client doesn’t leak credential & Voter client encrypts correctly
Assumption 5 Voter client doesn’t leak credential & Voter client encrypts correctly
Vote Submission • V: select choice (candidate) c • V → BB [anon.]: enc(s; KT), enc(c; KT) Problems: replay attacks, malformed choices
Vote Submission • V: select choice (candidate) c • V → BB [anon.]: enc(s; KT), enc(c; KT) Problems: replay attacks, malformed choices Solution: zero-knowledge proofs
Vote Submission • V: select choice (candidate) c • V → BB [anon.]: enc(s; KT), enc(c; KT), Pk,Pw Pk: signature of knowledge[Camenisch & Stadler 1997] Pw: 1-out-of-L reencryption proof [Hirt & Sako 2000]
Vote Submission • V: select choice (candidate) c • V → BB [anon.]: enc(s; KT), enc(c; KT), Pk,Pw Problem: scalability, reliability of BB
Vote Submission • V: select choice (candidate) c • V → BB [anon.]: enc(s; KT), enc(c; KT), Pk,Pw Problem: scalability, reliability of BB Solution: distributed ballot boxes Civitas
Vote Submission Registrar Tallier R1 T1 bulletinboard R2 T2 R3 T3 Voter