Transcript slides
Civitas
Toward a Secure Voting System
Michael Clarkson
Cornell University
AFRL Information Management Workshop
October 22, 2010
Secret Ballot
Florida 2000:
Bush v. Gore
“Flawless”
12
Security FAIL
Analysis of an electronic voting system
[Kohno et al. 2003, 2004]
• DRE trusts smartcards
• Hardcoded keys and initialization vectors
• Weak message integrity
• Cryptographically insecure random
•
number generator
...
California top-to-bottom reviews
[Bishop, Wagner, et al. 2007]
•
•
•
“Virtually every important software security
mechanism is vulnerable to circumvention.”
“An attacker could subvert a single polling place
device...then reprogram every polling place device in
the county.”
“We could not find a single instance of correctly used
cryptography that successfully accomplished the
security purposes for which it was apparently
intended.”
Why is this so hard?
VERIFIABILITY
PRIVACY
17
VERIFIABILITY
…not just correctness
…even if everyone cheats
18
VERIFIABILITY
Universal verifiability
Voter verifiability
Eligibility verifiability
UV: [Sako and Killian 1994, 1995]
EV & VV: [Kremer, Ryan & Smyth 2010]
19
PRIVACY
…more than secrecy
…even if almost everyone cheats
20
PRIVACY
Coercion resistance
better than receipt freeness
or simple anonymity
RF: [Benaloh 1994]
CR: [Juels, Catalano & Jakobsson 2005]
21
ROBUSTNESS
Tally availability
22
ROBUSTNESS
VERIFIABILITY
PRIVACY
23
ROBUSTNESS
VERIFIABILITY
PRIVACY
Remote
(including Internet)
24
H.R. 2647 Sec. 589
Military and Overseas Voter Empowerment
Act
25
How can we vote
securely,
electronically,
remotely?
26
Cornell Voting Systems
• CIVS (ca. 2005) [Myers & Clarkson]
http://www.cs.cornell.edu/andru/civs.html
• Civitas 0.7 (ca. 2007) [Clarkson, Chong &
Myers]
http://www.cs.cornell.edu/projects/civitas
Published Oakland 2008 + 2 Masters projects
• Civitas 1.0 (started fall 2010) [Clarkson et
al.]
27
Cornell Voting Systems
• CIVS (ca. 2005) [Myers & Clarkson]
http://www.cs.cornell.edu/andru/civs.html
• Civitas 0.7 (ca. 2007) [Clarkson, Chong &
Myers]
http://www.cs.cornell.edu/projects/civitas
Published Oakland 2008 + 2 Masters projects
• Civitas 1.0 (started fall 2010) [Clarkson et
al.]
28
Security Properties
Original Civitas:
• Universal verifiability
• Eligibility verifiability
• Coercion resistance
Masters projects:
• Voter verifiability
• Tally availability
…under various assumptions
29
KEY PRINCIPLE:
Mutual Distrust
30
JCJ Voting
Scheme
[Juels, Catalano & Jakobsson 2005]
Proved universal verifiability
and coercion resistance
31
Civitas Architecture
registration
registration
teller
registration
teller
teller
tabulation teller
ballot box
ballot box
ballot box
voter
client
tabulation teller
bulletin
board
tabulation teller
32
Registration
registration
registration
teller
registration
teller
teller
tabulation teller
ballot box
ballot box
ballot box
voter
client
tabulation teller
bulletin
board
tabulation teller
Voter retrieves credential share from each registration teller;
combines to form credential
33
Credentials
• Verifiable
• Unsalable
• Unforgeable
• Anonymous
34
Voting
registration
registration
teller
registration
teller
teller
tabulation teller
ballot box
ballot box
ballot box
voter
client
tabulation teller
bulletin
board
tabulation teller
Voter submits copy of encrypted choice and credential
to each ballot box
35
Resisting Coercion:
Fake Credentials
36
Resisting Coercion
If the coercer demands
that the voter…
Then the voter…
Submits a particular vote
Does so with a fake credential.
Sells or surrenders a
credential
Supplies a fake credential.
Abstains
Supplies a fake credential to
the adversary and votes with a
real one.
37
Tabulation
registration
registration
teller
registration
teller
teller
tabulation teller
ballot box
ballot box
ballot box
voter
client
tabulation teller
bulletin
board
tabulation teller
Tellers retrieve votes from ballot boxes
38
Tabulation
registration
registration
teller
registration
teller
teller
tabulation teller
ballot box
ballot box
ballot box
voter
client
tabulation teller
bulletin
board
tabulation teller
Tabulation tellers anonymize votes;
eliminate unauthorized (and fake) credentials;
decrypt remaining choices.
39
Auditing
registration
registration
teller
registration
teller
teller
tabulation teller
ballot box
ballot box
ballot box
voter
client
tabulation teller
bulletin
board
tabulation teller
Anyone can verify proofs that tabulation is correct
40
Civitas Architecture
registration
registration
teller
registration
teller
teller
tabulation teller
ballot box
ballot box
ballot box
voter
client
tabulation teller
bulletin
board
tabulation teller
Universal verifiability:
Tellers post proofs during
tabulation
Coercion resistance:
Voters can undetectably
fake credentials
SECURITY PROOFS
41
Protocols
– El Gamal; distributed [Brandt]; non-malleable [Schnorr and
Jakobsson]
– Proof of knowledge of discrete log [Schnorr]
– Proof of equality of discrete logarithms [Chaum & Pederson]
– Authentication and key establishment [Needham-SchroederLowe]
– Designated-verifier reencryption proof [Hirt & Sako]
– 1-out-of-L reencryption proof [Hirt & Sako]
– Signature of knowledge of discrete logarithms [Camenisch &
Stadler]
– Reencryption mix network with randomized partial checking
[Jakobsson, Juels & Rivest]
– Plaintext equivalence test [Jakobsson & Juels]
42
Trust Assumptions
43
Trust Assumptions
1.
“Cryptography works.”
2.
The adversary cannot masquerade as a voter during
registration.
3. Voters trust their voting client.
4.
At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are
anonymous.
6.
Each voter has an untappable channel to a trusted
registration teller.
44
Trust Assumptions
1.
“Cryptography works.”
2.
The adversary cannot masquerade as a voter during
Universal verifiability
registration.
Coercion resistance
3. Voters trust their voting client.
4.
Coercion resistance
At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are
anonymous.
6.
Each voter has an untappable channel to a trusted
registration teller.
45
Trust Assumptions
1.
“Cryptography works.”
2.
The adversary cannot masquerade as a voter during
registration.
UV + CR
3. Voters trust their voting client.
4.
CR
At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are
anonymous.
6.
Each voter has an untappable channel to a trusted
registration teller.
46
Trust Assumptions
1.
“Cryptography works.”
2.
The adversary cannot masquerade as a voter during
registration.
UV + CR
3. Voters trust their voting client.
4.
CR
At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are
anonymous.
6.
Each voter has an untappable channel to a trusted
registration teller.
47
Trust Assumptions
1.
“Cryptography works.”
2.
The adversary cannot masquerade as a voter during
registration.
UV + CR
3. Voters trust their voting client.
4.
CR
At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are
anonymous.
6.
Each voter has an untappable channel to a trusted
registration teller.
48
Registration
In person.
In advance.
Con: System not fully
remote
Pro: Credential can be
used in
many elections
49
Trust Assumptions
1.
“Cryptography works.”
2.
The adversary cannot masquerade as a voter during
registration.
UV + CR
3. Voters trust their voting client.
4.
CR
At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are
anonymous.
6.
Each voter has an untappable channel to a trusted
registration teller.
50
Eliminating Trust
in Voter Client
UV: Use challenges
CR: Open problem
51
Trust Assumptions
1.
“Cryptography works.”
2.
The adversary cannot masquerade as a voter during
registration.
UV + CR
3. Voters trust their voting client.
4.
CR
At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are
anonymous.
6.
Each voter has an untappable channel to a trusted
registration teller.
52
Trust Assumptions`
1.
“Cryptography works.”
2.
The adversary cannot masquerade as a voter during
registration.
UV + CR
3. Voters trust their voting client.
4.
CR
At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are
anonymous.
6.
Each voter has an untappable channel to a trusted
registration teller.
53
Trust Assumptions
1.
“Cryptography works.”
2.
The adversary cannot masquerade as a voter during
registration.
UV + CR
3. Voters trust their voting client.
4.
CR
At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are
anonymous.
6.
Each voter has an untappable channel to a trusted
registration teller.
54
Untappable Channe
Minimal known assumption
for receipt freeness and coercion
resistance
Eliminate? Open problem.
(Eliminate trusted registration teller? Also open.)
55
Trust Assumptions
1.
“Cryptography works.”
2.
The adversary cannot masquerade as a voter during
registration.
UV + CR
3. Voters trust their voting client.
4.
CR
At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are
anonymous.
6.
Each voter has an untappable channel to a trusted
registration teller.
56
Trusted procedures?
57
Time to Tally
58
Tabulation Time
# voters in precinct = K, # tab. tellers = 4,
security strength ≥ 112 bits [NIST 2011–2030]
59
Summary
Can achieve strong security and transparency:
– Remote voting
– Universal (voter, eligibility) verifiability
– Coercion resistance
Security is not free:
– Stronger registration (untappable channel)
– Cryptography (computationally expensive)
60
Assurance
Security proofs (JCJ)
Secure implementation (Jif)
61
Ranked Voting
62
Open Problems
• Coercion-resistant voter client?
• Eliminate untappable channel in
•
•
registration?
Credential management?
Application-level denial of service?
63
http://www.cs.cornell.edu/projects/civitas
(google “civitas voting”)
Civitas
Toward a Secure Voting System
Michael Clarkson
Cornell University
AFRL Information Management Workshop
October 22, 2010