Cryptographic methods for storing ballots on a voting machine l.jpg
This presentation is the property of its rightful owner.
Sponsored Links
1 / 26

Cryptographic Methods for Storing Ballots on a Voting Machine PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Cryptographic Methods for Storing Ballots on a Voting Machine. John Bethencourt Carnegie Mellon University. Dan Boneh Stanford University. Brent Waters SRI International. Outline. Background DRE voting machines Desired properties Previous work History-hiding append-only signatures

Download Presentation

Cryptographic Methods for Storing Ballots on a Voting Machine

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Cryptographic methods for storing ballots on a voting machine l.jpg

Cryptographic Methods for Storing Ballots on a Voting Machine

John Bethencourt

Carnegie Mellon University

Dan Boneh

Stanford University

Brent Waters

SRI International

Outline l.jpg


  • Background

    • DRE voting machines

    • Desired properties

    • Previous work

  • History-hiding append-only signatures

    • Intuition

    • Simple construction

    • Efficient construction

  • Secure vote storage

    • Architecture

    • Evaluation and comparisons

Current dre voting machines l.jpg

Current DRE Voting Machines

  • Who knows what happens to your vote




Are current machines really vulnerable l.jpg

Are Current Machines Really Vulnerable?

  • You all know the answer

  • Code and hardware should be open to inspection

    • Companies claim they are proprietary secrets!

    • Let’s assume original software benign

  • Still, many vulnerabilities / blunders identified

    • Malicious code in machine could alter votes undetected

    • Easy to insert code with physical access to memory

    • Latest: easy to get physical access to memory card …

How to open a voting machine l.jpg

How to Open a Voting Machine

  • Locked door over memory card

    • Essentially all use same key!

    • Picture of key on website

  • Someone tried making a key from this

    • Just used a manual file

    • Didn’t have a machine to test it

  • Sent it to someone who had a Diebold AccuVote-TS

Securing voting machines l.jpg

Securing Voting Machines

  • OK, so machines horribly vulnerable

  • How can we do better?

  • Two main lines of research

    • Idea #1: cryptographic voting protocols of Chaum and others (completely untrusted machines)

    • Idea #2: just try to make machines more trustworthy

  • Idea #2: big problem, many aspects

    • Software verification

    • Hardware verification

    • Social aspects of procedures

  • This project: securing vote storage mechanism

Desired properties for vote storage l.jpg

Desired Properties for Vote Storage

  • Durable

    • Should be robust to system failures

  • Tamper-evident

    • Want to detect changes to stored ballots after they are recorded

  • History-independent

    • Stored votes must not reveal ordering

  • Subliminal-free

    • Malicious implementation or user must not be able to hide ordering in data structures somehow

Previous work write once storage on prom s l.jpg

Previous Work:Write-Once Storage on PROM’s

  • Tamper-evidence

… but swapping possible

Idea let s try to address that too l.jpg





Idea:Let’s Try to Address That too!

  • We’ll sign to prevent replacement

What if key compromised l.jpg



What if Key Compromised?

  • Maybe use some sort of forward secure techniques

Append only signatures l.jpg

Append-Only Signatures

  • Need special signatures

  • Validates a set of messages

  • No private key

  • Signature for one set can be used to sign new set after adding something

  • Must be hard to sign subset of X with signature on X

Append only signatures12 l.jpg

Append-Only Signatures

  • Generate signature on the empty set

  • Given a signature for some set X, generate a signature on X U {m}

  • Check if ¾ is a valid signature on the set

    {m1, m2, … mn}

Properties l.jpg


  • Correctness

    • After a sequence of Appends, signature should Verify on appropriate set

  • Append-only

    • While easy to sign a superset of X given a signature on X, should be hard to sign subset of X

  • Also need history-hiding for voter privacy

    • Signature must not reveal order messages added

    • Otherwise vote buying, coercion

    • Tension with append-only property

    • In particular, forward secure signatures can’t be used

History hiding append only signatures l.jpg

History-Hiding Append-Only Signatures

  • HHAOS can be built from any signature scheme

  • Simple construction for up to N messages

    • KeyGen: make N public/private key pairs, store as initial signature

    • Append: pick a random unused key pair, sign with the private key, then delete that private key

  • Weaknesses

    • Inefficient: O(N) space regardless of how many you have signed so far

    • Not subliminal-free due to random selection of key pair

Hhaos efficient scheme l.jpg

HHAOS: Efficient Scheme

  • Pairing based scheme similar to aggregate signature scheme of Boneh et al. 2003

Hhaos efficient scheme16 l.jpg

HHAOS: Efficient Scheme

  • Result of series of Appends:

Hhaos efficient scheme17 l.jpg

HHAOS: Efficient Scheme

  • Set finalization

    • Extension that “closes signature”

    • No further appends possible after finalization

    • Can be added to any HHAOS scheme

    • Verify must return false if “finalize” || k in signature and |M| not k

Hhaos efficient scheme18 l.jpg

HHAOS: Efficient Scheme

  • Properties

    • Correct

    • Append-only (under CDH in ROM)

    • History-hiding (actually history-independent)

    • But still not subliminal-free

Hhaos efficient scheme19 l.jpg

HHAOS: Efficient Scheme

  • But we can do untrusted rerandomize

    • Honest implementation: subliminal channels wiped

    • Malicious implementation: subliminal channels may remain, but cannot change validity of signature

    • Can do multiple times: if at least one honest, we’re OK

Architecture l.jpg


  • OK, back to storing votes

  • How, specifically, do we use this thing?

  • HHAOS scheme forms heart of Cryptographic Vote Storage Module (CVSM)

    • Stores ballots on removable flash memory

    • Stores signature in internal memory

Architecture21 l.jpg


Operation l.jpg


  • Initialization

    • Done at polling place or staging facility

    • CVSM stores initial signature

    • Outputs public key

    • Public key fingerprint communicated to tabulation facility

  • Voting

    • Each time ballot recorded on removable memory, signature updated

    • Old signature deleted

  • Canvassing / tabulation

    • At end of polling, Finalize run on signature

    • Signature copied to removable memory with ballots

    • Signature rerandomized at another machine

    • Taken to canvassing facility, rerandomized again

    • Signature checked against public key and votes counted

Evaluation integrity l.jpg

Evaluation: Integrity

  • → no tampering possible without detection

  • /→ can insert, but not remove, ballots at point of compromise

  • → arbitrary tampering without detection

Evaluation privacy and efficiency l.jpg

Evaluation: Privacy and Efficiency

[1] Tamper-evident, history-independent, subliminal-free data structures on PROM storage. D. Molnar, T. Kohno, N. Sastry, D. Wagner, 2006.

[2] Draft in submission. T. Moran, M. Naor, G. Segev, 2007.

Summary l.jpg


  • Pro’s

    • Replaced secure tracking of physical PROM with secure communication of public key

      • Public key fingerprint can be replicated and made public ahead of time

    • Efficient O(K) storage

    • Removed need for disposable memories

    • Maintained history-independence, robustness

  • Con’s

    • Untrusted rerandomize needed for subliminal-freedom

    • Slightly more difficult to understand

    • Slightly more code to be verified

Questions l.jpg


  • Login