cryptographic methods for storing ballots on a voting machine
Download
Skip this Video
Download Presentation
Cryptographic Methods for Storing Ballots on a Voting Machine

Loading in 2 Seconds...

play fullscreen
1 / 26

Cryptographic Methods for Storing Ballots on a Voting Machine - PowerPoint PPT Presentation


  • 62 Views
  • Uploaded on

Cryptographic Methods for Storing Ballots on a Voting Machine. John Bethencourt Carnegie Mellon University. Dan Boneh Stanford University. Brent Waters SRI International. Outline. Background DRE voting machines Desired properties Previous work History-hiding append-only signatures

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Cryptographic Methods for Storing Ballots on a Voting Machine' - lala


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
cryptographic methods for storing ballots on a voting machine

Cryptographic Methods for Storing Ballots on a Voting Machine

John Bethencourt

Carnegie Mellon University

Dan Boneh

Stanford University

Brent Waters

SRI International

outline
Outline
  • Background
    • DRE voting machines
    • Desired properties
    • Previous work
  • History-hiding append-only signatures
    • Intuition
    • Simple construction
    • Efficient construction
  • Secure vote storage
    • Architecture
    • Evaluation and comparisons
current dre voting machines
Current DRE Voting Machines
  • Who knows what happens to your vote

?

?

?

are current machines really vulnerable
Are Current Machines Really Vulnerable?
  • You all know the answer
  • Code and hardware should be open to inspection
    • Companies claim they are proprietary secrets!
    • Let’s assume original software benign
  • Still, many vulnerabilities / blunders identified
    • Malicious code in machine could alter votes undetected
    • Easy to insert code with physical access to memory
    • Latest: easy to get physical access to memory card …
how to open a voting machine
How to Open a Voting Machine
  • Locked door over memory card
    • Essentially all use same key!
    • Picture of key on website
  • Someone tried making a key from this
    • Just used a manual file
    • Didn’t have a machine to test it
  • Sent it to someone who had a Diebold AccuVote-TS
securing voting machines
Securing Voting Machines
  • OK, so machines horribly vulnerable
  • How can we do better?
  • Two main lines of research
    • Idea #1: cryptographic voting protocols of Chaum and others (completely untrusted machines)
    • Idea #2: just try to make machines more trustworthy
  • Idea #2: big problem, many aspects
    • Software verification
    • Hardware verification
    • Social aspects of procedures
  • This project: securing vote storage mechanism
desired properties for vote storage
Desired Properties for Vote Storage
  • Durable
    • Should be robust to system failures
  • Tamper-evident
    • Want to detect changes to stored ballots after they are recorded
  • History-independent
    • Stored votes must not reveal ordering
  • Subliminal-free
    • Malicious implementation or user must not be able to hide ordering in data structures somehow
previous work write once storage on prom s
Previous Work:Write-Once Storage on PROM’s
  • Tamper-evidence

… but swapping possible

idea let s try to address that too

Private

Key

Public

Key

Idea:Let’s Try to Address That too!
  • We’ll sign to prevent replacement
what if key compromised

Public

Key

What if Key Compromised?
  • Maybe use some sort of forward secure techniques
append only signatures
Append-Only Signatures
  • Need special signatures
  • Validates a set of messages
  • No private key
  • Signature for one set can be used to sign new set after adding something
  • Must be hard to sign subset of X with signature on X
append only signatures1
Append-Only Signatures
  • Generate signature on the empty set
  • Given a signature for some set X, generate a signature on X U {m}
  • Check if ¾ is a valid signature on the set

{m1, m2, … mn}

properties
Properties
  • Correctness
    • After a sequence of Appends, signature should Verify on appropriate set
  • Append-only
    • While easy to sign a superset of X given a signature on X, should be hard to sign subset of X
  • Also need history-hiding for voter privacy
    • Signature must not reveal order messages added
    • Otherwise vote buying, coercion
    • Tension with append-only property
    • In particular, forward secure signatures can’t be used
history hiding append only signatures
History-Hiding Append-Only Signatures
  • HHAOS can be built from any signature scheme
  • Simple construction for up to N messages
    • KeyGen: make N public/private key pairs, store as initial signature
    • Append: pick a random unused key pair, sign with the private key, then delete that private key
  • Weaknesses
    • Inefficient: O(N) space regardless of how many you have signed so far
    • Not subliminal-free due to random selection of key pair
hhaos efficient scheme
HHAOS: Efficient Scheme
  • Pairing based scheme similar to aggregate signature scheme of Boneh et al. 2003
hhaos efficient scheme1
HHAOS: Efficient Scheme
  • Result of series of Appends:
hhaos efficient scheme2
HHAOS: Efficient Scheme
  • Set finalization
    • Extension that “closes signature”
    • No further appends possible after finalization
    • Can be added to any HHAOS scheme
    • Verify must return false if “finalize” || k in signature and |M| not k
hhaos efficient scheme3
HHAOS: Efficient Scheme
  • Properties
    • Correct
    • Append-only (under CDH in ROM)
    • History-hiding (actually history-independent)
    • But still not subliminal-free
hhaos efficient scheme4
HHAOS: Efficient Scheme
  • But we can do untrusted rerandomize
    • Honest implementation: subliminal channels wiped
    • Malicious implementation: subliminal channels may remain, but cannot change validity of signature
    • Can do multiple times: if at least one honest, we’re OK
architecture
Architecture
  • OK, back to storing votes
  • How, specifically, do we use this thing?
  • HHAOS scheme forms heart of Cryptographic Vote Storage Module (CVSM)
    • Stores ballots on removable flash memory
    • Stores signature in internal memory
operation
Operation
  • Initialization
    • Done at polling place or staging facility
    • CVSM stores initial signature
    • Outputs public key
    • Public key fingerprint communicated to tabulation facility
  • Voting
    • Each time ballot recorded on removable memory, signature updated
    • Old signature deleted
  • Canvassing / tabulation
    • At end of polling, Finalize run on signature
    • Signature copied to removable memory with ballots
    • Signature rerandomized at another machine
    • Taken to canvassing facility, rerandomized again
    • Signature checked against public key and votes counted
evaluation integrity
Evaluation: Integrity
  •  → no tampering possible without detection
  • /→ can insert, but not remove, ballots at point of compromise
  •  → arbitrary tampering without detection
evaluation privacy and efficiency
Evaluation: Privacy and Efficiency

[1] Tamper-evident, history-independent, subliminal-free data structures on PROM storage. D. Molnar, T. Kohno, N. Sastry, D. Wagner, 2006.

[2] Draft in submission. T. Moran, M. Naor, G. Segev, 2007.

summary
Summary
  • Pro’s
    • Replaced secure tracking of physical PROM with secure communication of public key
      • Public key fingerprint can be replicated and made public ahead of time
    • Efficient O(K) storage
    • Removed need for disposable memories
    • Maintained history-independence, robustness
  • Con’s
    • Untrusted rerandomize needed for subliminal-freedom
    • Slightly more difficult to understand
    • Slightly more code to be verified
ad