Clash Attacks and the STAR-Vote System · Clash Attacks and STAR - Oct. 2017 15 Conclusion Clash...
Transcript of Clash Attacks and the STAR-Vote System · Clash Attacks and STAR - Oct. 2017 15 Conclusion Clash...
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 1
Clash Attacks and the STAR-Vote System
Olivier Pereira – Dan S. WallachRice University – UCLouvain
October 2017
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 2
Clash Attacks on Verifiability [KTV12]
Proposed for E2E verifiable voting systems
1. Find two voters voting in the same way
2. Corrupted voting system gives them identical receipts⇒ individual verification works!
3. Corrupted voting system creates different ballot for 2nd voterThat new ballot will not be verified by anyone!Total number of ballots remains correct
bid1
bid1
bid1, v1bid2, v2
ElectronicVote Records
CorruptedVoting System
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 3
Ballot Level Risk Limiting Audits
v1bid1 v2
bid2 v3bid3
I Records voter intent
I Produces VVPAT
I Includes unique ballot id
DRE
v1 v2 v3
Paperballots
Ballot Box
v∗1 , bid
∗1
v∗2 , bid
∗2
v∗3 , bid
∗3
ElectronicVote Records
RLA
RLA Process:I Pick random ballot, compare paper and e-record with same bidI Repeat until you can stop with high condidence in election resultI Very efficient: 1% election margin ⇒ picking ≈ 100 ballots is good
enough, even for a nation-wide election
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 4
Clash Attacks against Ballot-level RLA
Break the 1-on-1 bid link made for the RLA:
v1bid1
v1bid1
Voter-VerifiedPaper Records
v1, bid1v2, bid2
ElectronicVote Records
CorruptedDRE/Scanner/. . .
Could something like this work on real system designs?
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 5
Case Study: STAR-Vote [BBB+13]
As depicted in Discover Magazine:
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 6
The STAR-Vote Voter Experience
1. Enter choices:
I Standard tablet encrypts choices+ chain and replicate ciphertexts on all machines
I Thermal printer prints ballot
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 7
STAR-Vote Printed Ballot
Boarding-pass style:
National Election 2016
Question 1: YesQuestion 2: NoQuestion 3: Yes
NationalElection
2016
Your ballotfingerprint:54A2yt98db34
I Left-hand part checked by voter and castHigh-entropy ballot id bid used for audit against anonymizedelectronic records
I Right-hand part has current state of hash chain as take-home receiptChecking receipt online confirms content of electronic ballot box
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 7
STAR-Vote Printed Ballot
Boarding-pass style:
National Election 2016
Question 1: YesQuestion 2: NoQuestion 3: Yes
NationalElection
2016
Your ballotfingerprint:54A2yt98db34
I Left-hand part checked by voter and castHigh-entropy ballot id bid used for audit against anonymizedelectronic records
I Right-hand part has current state of hash chain as take-home receiptChecking receipt online confirms content of electronic ballot box
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 8
The STAR-Vote Voter Experience
2. Cast ballot :
I Only if voter is happy with printed ballot
I Can also decide to spoil ballot⇒ human readable part will be audited against electronic record
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 9
STAR-Vote Verifiability
Verification features in STAR-Vote:
E2E: Voter take-home receipt and ballot spoiling process can be matchedwith full hash chain published at the end of the election
RLA: Paper ballots can be matched with anonymized electronic voterecords
Can we mount clash attacks against STAR-Vote?
1. Can the E2E part of STAR-Vote spot clash attacks?
2. Can the RLA part of STAR-Vote spot clash attacks?
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 9
STAR-Vote Verifiability
Verification features in STAR-Vote:
E2E: Voter take-home receipt and ballot spoiling process can be matchedwith full hash chain published at the end of the election
RLA: Paper ballots can be matched with anonymized electronic voterecords
Can we mount clash attacks against STAR-Vote?
1. Can the E2E part of STAR-Vote spot clash attacks?
2. Can the RLA part of STAR-Vote spot clash attacks?
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 10
Clash Attacks against E2E part of STAR-Vote
Two scenarios:
Hash Machines Voters
vcA
hA
castcast cA
vc∗
hA
spoilspoil cA?
A
B
tim
e
Hash Machines Votersv
cA
hA
castv
c∗
hA
spoilspoil cA?
A
B
I Left scenario: Spoiling creates inconsistency in chainI Right scenario: A may compain that her ballot is spoiled
⇒ Cast-or-spoil mechanism of crucial importance⇒ Check full chain history, not just encryption of current ballot!
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 10
Clash Attacks against E2E part of STAR-Vote
Two scenarios:
Hash Machines Voters
vcA
hA
castcast cA
vc∗
hA
spoilspoil cA?
A
B
tim
e
Hash Machines Votersv
cA
hA
castv
c∗
hA
spoilspoil cA?
A
B
I Left scenario: Spoiling creates inconsistency in chainI Right scenario: A may compain that her ballot is spoiled
⇒ Cast-or-spoil mechanism of crucial importance⇒ Check full chain history, not just encryption of current ballot!
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 11
Clash Attacks against RLA part of STAR-Vote
v1bid1
v1bid1
Voter-VerifiedPaper Records
v1, bid1v2, bid2
ElectronicVote Records
CorruptedDRE/Scanner/. . .
Two ways to spot an issue:
1. Pick an electronic ballot with a bid that does not exist on paperMay be difficult: search for the paper ballot with a specific bid
2. Pick two paper ballots that have the same bidMay be difficult too: For a 1 million voter election with 1% margin,picking ≈ 100 ballots gives ≈ 0 probability of spotting duplicates
How many do we need to pick?
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 11
Clash Attacks against RLA part of STAR-Vote
v1bid1
v1bid1
Voter-VerifiedPaper Records
v1, bid1v2, bid2
ElectronicVote Records
CorruptedDRE/Scanner/. . .
Two ways to spot an issue:
1. Pick an electronic ballot with a bid that does not exist on paperMay be difficult: search for the paper ballot with a specific bid
2. Pick two paper ballots that have the same bidMay be difficult too: For a 1 million voter election with 1% margin,picking ≈ 100 ballots gives ≈ 0 probability of spotting duplicates
How many do we need to pick?
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 12
Bijection Audit
Purpose: Make sure that bid ’s are unique among paper ballots
Consider 1000 ballot boxes with 1000 ballots each, and 1% marginAssume bid must start with a public ballot box id ⇒ clashes are internalHow can clashes be spread?
Two extreme situations:
1. Make 1% of ballot boxes contain only 1 bid⇒ need to touch ≈ 100 ballot boxes to touch a problematic one
2. Make 1% = 10 duplicates bid ’s in each ballot box⇒ need to pick a large sample of ballots in a single box to spot themE.g., picking 100 ballots in a single box gives only ≈ 16% chancesAnd uneasy to spot a duplicate among 100 ballots
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 12
Bijection Audit
Purpose: Make sure that bid ’s are unique among paper ballots
Consider 1000 ballot boxes with 1000 ballots each, and 1% marginAssume bid must start with a public ballot box id ⇒ clashes are internalHow can clashes be spread?
Two extreme situations:
1. Make 1% of ballot boxes contain only 1 bid⇒ need to touch ≈ 100 ballot boxes to touch a problematic one
2. Make 1% = 10 duplicates bid ’s in each ballot box⇒ need to pick a large sample of ballots in a single box to spot themE.g., picking 100 ballots in a single box gives only ≈ 16% chancesAnd uneasy to spot a duplicate among 100 ballots
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 13
Bijection Audit
Searching for duplicates in a box:
I Pairwise comparison is expensive: O(n2)
I Sorting may be an overkill: O(n log n)
Grid based solution: O(n)
1. Print a 16× 16 grid
2. For each ballot:I Pick 1st digit as rowI Pick 2nd digit as columnI Write next 2 digits in box
Spots collisions on first 4 digitsPrompts comparison if collisionhappens
Example for bid = 2361181
1 2 4
1
3
4
2
3
61
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 13
Bijection Audit
Searching for duplicates in a box:
I Pairwise comparison is expensive: O(n2)
I Sorting may be an overkill: O(n log n)
Grid based solution: O(n)
1. Print a 16× 16 grid
2. For each ballot:I Pick 1st digit as rowI Pick 2nd digit as columnI Write next 2 digits in box
Spots collisions on first 4 digitsPrompts comparison if collisionhappens
Example for bid = 2361181
1 2 4
1
3
4
2
3
61
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 13
Bijection Audit
Searching for duplicates in a box:
I Pairwise comparison is expensive: O(n2)
I Sorting may be an overkill: O(n log n)
Grid based solution: O(n)
1. Print a 16× 16 grid
2. For each ballot:I Pick 1st digit as rowI Pick 2nd digit as columnI Write next 2 digits in box
Spots collisions on first 4 digitsPrompts comparison if collisionhappens
Example for bid = 2361181
1 2 4
1
3
4
2
3
61
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 14
Bijection Audit
Based on election margin p, repeat O(1/p) times:
Solution 1
1. Pick random ballot box
2. Apply linear grid based solution to rule out the presence of duplicatebid
or, Solution 2
1. Pick random ballot from random ballot box
2. Make a linear pass on that box to detect the presence of anotherballot with the same bid
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 14
Bijection Audit
Based on election margin p, repeat O(1/p) times:
Solution 1
1. Pick random ballot box
2. Apply linear grid based solution to rule out the presence of duplicatebid
or, Solution 2
1. Pick random ballot from random ballot box
2. Make a linear pass on that box to detect the presence of anotherballot with the same bid
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 15
Conclusion
Clash attacks can be detected by E2E and RLA components
I Quite effective on E2E, sheds new light on the importance of thecast-or-audit process and hash chains
I Much more demanding on RLA part: bijection audit likely to bemuch more expensive than ballot comparison audit
Other possible approaches:
I Ask independent auditors to scan voter receipts on exit, in search forduplicates
I Running the RLA by picking electronic record and searching forcorresponding paper might eventually be as effective as a bijectionaudit
Might be interesting to look at other deployed RLA procedures andsearch for possible clash attacks
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 15
Conclusion
Clash attacks can be detected by E2E and RLA components
I Quite effective on E2E, sheds new light on the importance of thecast-or-audit process and hash chains
I Much more demanding on RLA part: bijection audit likely to bemuch more expensive than ballot comparison audit
Other possible approaches:
I Ask independent auditors to scan voter receipts on exit, in search forduplicates
I Running the RLA by picking electronic record and searching forcorresponding paper might eventually be as effective as a bijectionaudit
Might be interesting to look at other deployed RLA procedures andsearch for possible clash attacks
UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 15
Conclusion
Clash attacks can be detected by E2E and RLA components
I Quite effective on E2E, sheds new light on the importance of thecast-or-audit process and hash chains
I Much more demanding on RLA part: bijection audit likely to bemuch more expensive than ballot comparison audit
Other possible approaches:
I Ask independent auditors to scan voter receipts on exit, in search forduplicates
I Running the RLA by picking electronic record and searching forcorresponding paper might eventually be as effective as a bijectionaudit
Might be interesting to look at other deployed RLA procedures andsearch for possible clash attacks