Civitas: Toward a Secure Voting System
Transcript of slides
AFRL Information Management Workshop, October 22, 2010
Michael Clarkson, Cornell University
Secret Ballot
Florida 2000: Bush v. Gore
“Flawless”
Security FAIL
Analysis of an electronic voting system
[Kohno et al. 2003, 2004]
• DRE trusts smartcards
• Hardcoded keys and initialization vectors
• Weak message integrity
• Cryptographically insecure random number generator
• ...
California top-to-bottom reviews
[Bishop, Wagner, et al. 2007]
• “Virtually every important software security mechanism is vulnerable to circumvention.”
• “An attacker could subvert a single polling place device...then reprogram every polling place device in the county.”
• “We could not find a single instance of correctly used cryptography that successfully accomplished the security purposes for which it was apparently intended.”
Why is this so hard?
PRIVACY VERIFIABILITY
VERIFIABILITY…not just correctness
…even if everyone cheats
VERIFIABILITY
Universal verifiability
Voter verifiability
Eligibility verifiability
UV: [Sako and Kilian 1994, 1995]
EV & VV: [Kremer, Ryan & Smyth 2010]
20
PRIVACY…more than secrecy
…even if almost everyone cheats
PRIVACY
Coercion resistance
better than receipt freeness or simple anonymity
RF: [Benaloh 1994]
CR: [Juels, Catalano & Jakobsson 2005]
ROBUSTNESS
Tally availability
PRIVACY VERIFIABILITY
ROBUSTNESS
Remote (including Internet)
PRIVACY VERIFIABILITY ROBUSTNESS
H.R. 2647 Sec. 589: Military and Overseas Voter Empowerment Act
How can we vote securely, electronically, remotely?
Cornell Voting Systems
• CIVS (ca. 2005) [Myers & Clarkson] http://www.cs.cornell.edu/andru/civs.html
• Civitas 0.7 (ca. 2007) [Clarkson, Chong & Myers] http://www.cs.cornell.edu/projects/civitas; published Oakland 2008 + 2 Masters projects
• Civitas 1.0 (started fall 2010) [Clarkson et al.]
Security Properties
Original Civitas:
• Universal verifiability
• Eligibility verifiability
• Coercion resistance
Masters projects:
• Voter verifiability
• Tally availability
…under various assumptions
KEY PRINCIPLE: Mutual Distrust
JCJ Voting Scheme
[Juels, Catalano & Jakobsson 2005]
Proved universal verifiability and coercion resistance
Civitas extends JCJ
Civitas Architecture
(diagram: voter client, bulletin board, three registration tellers, three tabulation tellers, three ballot boxes)
Registration
(diagram: voter client exchanging with the three registration tellers)
Voter retrieves a credential share from each registration teller; combines the shares to form the credential
Credentials
• Verifiable
• Unsalable
• Unforgeable
• Anonymous
Voting
(diagram: voter client submitting to the three ballot boxes)
Voter submits a copy of the encrypted choice and credential to each ballot box
Resisting Coercion: Fake Credentials
Resisting Coercion

| If the coercer demands that the voter… | Then the voter… |
|---|---|
| Submits a particular vote | Does so with a fake credential. |
| Sells or surrenders a credential | Supplies a fake credential. |
| Abstains | Supplies a fake credential to the adversary and votes with a real one. |
Tabulation
(diagram: tabulation tellers retrieving from the three ballot boxes)
Tellers retrieve votes from ballot boxes
Tabulation
(diagram: tabulation tellers posting to the bulletin board)
Tabulation tellers anonymize votes; eliminate unauthorized (and fake) credentials; decrypt remaining choices.
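The coercion-resistance table above and this tabulation step, as an added Python walkthrough that is not Civitas code: a constructed toy El Gamal group, a single decryption key standing in for the tellers' shared key, a re-encryption mix, and the plaintext equivalence test that drops any submission whose credential matches nothing on the registration roll. Group parameters, key, credentials and the voting scenario are all constructed for the example.

```python
import random

# Constructed toy group: P = 2Q + 1 and G generates the order-Q subgroup. Real
# Civitas uses >= 112-bit-security parameters and shares SK across the tellers.
P, Q, G = 467, 233, 4
SK = 57                      # toy secret key (assumption: one key, not threshold-shared)
PK = pow(G, SK, P)

def enc(m, r=None):
    """El Gamal encryption of a subgroup element m; enc(1) is a re-encryption factor."""
    r = random.randrange(1, Q) if r is None else r
    return (pow(G, r, P), m * pow(PK, r, P) % P)

def dec(c):
    """Decrypt (a, b) as b / a^SK."""
    a, b = c
    return b * pow(a, (P - 1 - SK) % (P - 1), P) % P

def reenc(c):
    """Re-randomize a ciphertext, as a mix teller does before shuffling."""
    a, b = c
    a1, b1 = enc(1)
    return (a * a1 % P, b * b1 % P)

def pet(c1, c2):
    """Plaintext equivalence test: True iff c1 and c2 encrypt the same value.
    The blinded quotient decrypts to 1 on a match and to a random element otherwise."""
    (a1, b1), (a2, b2) = c1, c2
    z = random.randrange(1, Q)
    qa = a1 * pow(a2, P - 2, P) % P
    qb = b1 * pow(b2, P - 2, P) % P
    return dec((pow(qa, z, P), pow(qb, z, P))) == 1

def elem(x):
    """Encode a small integer (credential or choice) as a subgroup element."""
    return pow(G, x, P)

def tabulate(roll, submissions):
    """roll: encrypted public credentials posted at registration.
    submissions: (encrypted credential, encrypted choice) pairs from the ballot boxes.
    Returns the decrypted choices whose credential matched a registered one."""
    mixed = [(reenc(cred), reenc(choice)) for cred, choice in submissions]
    random.shuffle(mixed)                     # anonymize: unlink from arrival order
    mixed_roll = [reenc(c) for c in roll]
    random.shuffle(mixed_roll)
    survivors = [dec(choice) for cred, choice in mixed
                 if any(pet(cred, rc) for rc in mixed_roll)]   # fakes match nothing
    return sorted(survivors)

def demo():
    """Constructed scenario: Alice is coerced, hands the coercer a fake credential,
    then votes her real choice with her real credential; Bob votes normally."""
    alice, bob, fake = elem(11), elem(29), elem(99)
    roll = [enc(alice), enc(bob)]
    submissions = [(enc(fake), enc(elem(1))),   # coercer's demanded choice, fake credential
                   (enc(alice), enc(elem(2))),  # Alice's real vote
                   (enc(bob), enc(elem(2)))]
    return tabulate(roll, submissions)          # -> [16, 16]: only the elem(2) votes survive
```

The coercer sees an encrypted credential that is indistinguishable from a real one; only the tellers' PET against the roll, run after mixing, reveals that it matches nothing, and by then it is unlinked from Alice.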
Auditing
(diagram: anyone reading proofs from the bulletin board)
Anyone can verify proofs that tabulation is correct
Civitas Architecture
(diagram: voter client, bulletin board, three registration tellers, three tabulation tellers, three ballot boxes)
SECURITY PROOFS
Universal verifiability: Tellers post proofs during tabulation
Coercion resistance: Voters can undetectably fake credentials
Protocols
– El Gamal; distributed [Brandt]; non-malleable [Schnorr and Jakobsson]
– Proof of knowledge of discrete log [Schnorr]
– Proof of equality of discrete logarithms [Chaum & Pedersen]
– Authentication and key establishment [Needham-Schroeder-Lowe]
– Designated-verifier reencryption proof [Hirt & Sako]
– 1-out-of-L reencryption proof [Hirt & Sako]
– Signature of knowledge of discrete logarithms [Camenisch & Stadler]
– Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest]
– Plaintext equivalence test [Jakobsson & Juels]
Implementation: 21k LoC
Trust Assumptions
Trust Assumptions
1. “Cryptography works.”
2. The adversary cannot masquerade as a voter during registration.
3. Voters trust their voting client.
4. At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are anonymous.
6. Each voter has an untappable channel to a trusted registration teller.
Registration
In person. In advance.
Con: System not fully remote
Pro: Credential can be used in many elections
Eliminating Trust in Voter Client
UV: Use challenges
CR: Open problem
Untappable Channel
Minimal known assumption for receipt freeness and coercion resistance
Eliminate? Open problem.
(Eliminate trusted registration teller? Also open.)
Trusted procedures?
Time to Tally
Tabulation Time
# voters in precinct = K, # tab. tellers = 4, security strength ≥ 112 bits [NIST 2011–2030]
Summary
Can achieve strong security and transparency:
– Remote voting
– Universal (voter, eligibility) verifiability
– Coercion resistance
Security is not free:
– Stronger registration (untappable channel)
– Cryptography (computationally expensive)
Assurance
Security proofs (JCJ)
Secure implementation (Jif)
Ranked Voting
Open Problems
• Coercion-resistant voter client?
• Eliminate untappable channel in registration?
• Credential management?
• Application-level denial of service?
http://www.cs.cornell.edu/projects/civitas
(google “civitas voting”)