Civitas Michael Clarkson Cornell Stephen Chong Harvard Andrew Myers Cornell IACR Board Meeting / CRYPTO August 19, 2008 Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. Civitas Features: Designed for remote voting, coercion resistance, verifiability


Civitas

Michael Clarkson, Cornell

Stephen Chong, Harvard

Andrew Myers, Cornell

IACR Board Meeting / CRYPTO

August 19, 2008

Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C.

Civitas

Features:

  • Designed for remote voting, coercion resistance, verifiability
  • Supports plurality, approval, Condorcet methods

Status:

  • Paper in Oakland 2008
  • Publicly available: 21,000 LOC (Jif, Java, and C)
  • Prototype

…Suitable for IACR?

Clarkson: Civitas

Security Model

No trusted supervision of polling places

  • Including voters, procedures, hardware, software
  • Voting could take place anywhere

Remote voting:

Generalization of “Internet voting” and “postal voting”

Interesting problem to solve!

IACR 

Adversary

Always:

  • May perform any polynomial time computation
  • May corrupt all but one of each type of election authority
    • Distributed trust

Almost always:

  • May control network
  • May coerce voters, demanding secrets or behavior, remotely or physically

Security properties:

Confidentiality, integrity, availability

Integrity

Verifiability:

The final tally is correct and verifiable.

Including:

  • Voter verifiability: Voters can check that their own vote is included
  • Universal verifiability: Anyone can check that only authorized votes are counted, no votes are changed during tallying [Sako and Kilian 1995]

IACR 

Confidentiality

Voter coercion:

  • Employer, spouse, etc.
  • Coercer can demand any behavior (vote buying)
  • Coercer can observe and interact with voter during remote voting
  • Must prevent coercers from trusting their own observations

Confidentiality

Coercion resistance:

The adversary cannot learn how voters vote, even if voters collude and interact with the adversary.

> receipt-freeness > anonymity

too weak for remote voting

Hierarchy: [Delaune, Kremer, and Ryan, CSFW 2006]

IACR ?

Availability
Tally availability:

The final tally of the election is produced.

  • We assume that this holds
  • To guarantee, would need to make system components highly available

IACR ?

JCJ Scheme

[Juels, Catalano, and Jakobsson, WPES 2005]

  • Formally defined coercion resistance and verifiability
  • Constructed voting scheme
  • Proved scheme satisfies coercion resistance and verifiability

[Backes, Hritcu, and Maffei, CSF 2008]

  • Verified simplification in ProVerif

Civitas Architecture

[Diagram: voter client, three registration tellers, three ballot boxes, three tabulation tellers, bulletin board]

Registration

[Diagram: voter client, three registration tellers, three ballot boxes, three tabulation tellers, bulletin board]

Voter retrieves credential share from each registration teller; combines to form credential

Voting

[Diagram: voter client, three registration tellers, three ballot boxes, three tabulation tellers, bulletin board]

Voter submits copy of encrypted choice and credential (+ ZK proofs) to each ballot box

Resisting Coercion

Voters invent fake credentials

  • To adversary, fake  real
  • Votes with fake credentials removed during tabulation

Tabulation

[Diagram: voter client, three registration tellers, three ballot boxes, three tabulation tellers, bulletin board]

Tellers retrieve votes from ballot boxes

Tabulation

[Diagram: voter client, three registration tellers, three ballot boxes, three tabulation tellers, bulletin board]

Tabulation tellers anonymize votes with mix network; eliminate unauthorized credentials; decrypt remaining choices; post ZK proofs
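The registration, fake-credential and tabulation steps above, as an added Python sketch that is not part of the original slides or the Civitas code base. It assumes a toy group (P = 2039), fixed constructed share exponents, a two-voter election and hypothetical function names; a fake credential is modelled as any other group element, and the mix network and all ZK proofs are left out.

```python
import secrets

# Toy group constructed for this example (far too small for real use): P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1            # uniform in [1, Q-1]
def enc(h, m):                                     # El Gamal under the tellers' joint key h
    r = rand_exp()
    return (pow(G, r, P), m * pow(h, r, P) % P)
def mul(c1, c2):                                   # homomorphic: Enc(m1) * Enc(m2) = Enc(m1 * m2)
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def dist_dec(xs, c):                               # each teller strips its own a^x_i
    a, b = c
    for x in xs:
        b = b * pow(a, -x, P) % P
    return b

def pet(xs, c1, c2):                               # plaintext equivalence test
    d = mul(c1, (pow(c2[0], -1, P), pow(c2[1], -1, P)))   # Enc(m1 / m2)
    for _ in xs:                                   # every teller blinds with a secret exponent
        z = rand_exp()
        d = (pow(d[0], z, P), pow(d[1], z, P))
    return dist_dec(xs, d) == 1                    # reveals only "equal" or "not equal"

def register(h, share_exps):                       # one share G^e per registration teller
    private, public = 1, (1, 1)
    for e in share_exps:
        private = private * pow(G, e, P) % P       # voter combines the shares
        public = mul(public, enc(h, pow(G, e, P))) # roll entry: encrypted credential
    return private, public

def tabulate(xs, roll, ballots, choices):
    tally = {c: 0 for c in choices}
    for cred_ct, vote_ct in ballots:               # mix network step omitted here
        if any(pet(xs, cred_ct, entry) for entry in roll):
            m = dist_dec(xs, vote_ct)
            tally[next(c for c in choices if pow(G, c, P) == m)] += 1
    return tally

def demo():
    xs = [rand_exp() for _ in range(4)]            # 4 tabulation tellers
    h = pow(G, sum(xs), P)
    (alice, roll_a), (bob, roll_b) = register(h, [5, 7, 11]), register(h, [3, 13, 17])
    fake = alice * G % P                           # invented credential, given to a coercer
    cast = lambda cred, c: (enc(h, cred), enc(h, pow(G, c, P)))
    ballots = [cast(fake, 2), cast(alice, 1), cast(bob, 2)]
    return tabulate(xs, [roll_a, roll_b], ballots, choices=[1, 2])
```

The ballot cast with the invented credential is dropped because no roll entry passes the equivalence test against it, while the encrypted ballot itself looks no different from a valid one.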

Civitas Architecture

[Diagram: voter client, three registration tellers, three ballot boxes, three tabulation tellers, bulletin board]

Verifiability: Tellers post zero-knowledge proofs during tabulation

Coercion resistance: Voters can undetectably fake credentials

Protocols

Leverage the literature:

  • El Gamal; distributed [Brandt]; non-malleable [Schnorr and Jakobsson]
  • Proof of knowledge of discrete log [Schnorr]
  • Proof of equality of discrete logarithms [Chaum & Pedersen]
  • Authentication and key establishment [Needham-Schroeder-Lowe]
  • Designated-verifier reencryption proof [Hirt & Sako]
  • 1-out-of-L reencryption proof [Hirt & Sako]
  • Signature of knowledge of discrete logarithms [Camenisch & Stadler]
  • Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest]
  • Plaintext equivalence test [Jakobsson & Juels]

Secure Implementation

In Jif [Myers 1999, Chong and Myers 2005, 2008]

  • Security-typed language
  • Types contain information-flow policies
    • Confidentiality, integrity, declassification, erasure

If policies in code express correct requirements…

  • (And Jif compiler is correct…)
  • Then code is secure w.r.t. requirements

Civitas Trust Assumptions
  • DDH, RSA, random oracle model.
  • The adversary cannot masquerade as a voter during registration.
  • Voters trust their voting client.
  • At least one of each type of authority is honest.
  • The channels from the voter to the ballot boxes are anonymous.
  • Each voter has an untappable channel to a trusted registration teller.

Civitas Trust Assumptions
  • DDH, RSA, random oracle model.
  • The adversary cannot masquerade as a voter during registration.
  • Voters trust their voting client.
  • At least one of each type of authority is honest.
  • The channels from the voter to the ballot boxes are anonymous.
  • Each voter has an untappable channel to a trusted registration teller.

Verifiability and Coercion resistance

Coercion resistance

Civitas Trust Assumptions
  • DDH, RSA, random oracle model.
  • The adversary cannot masquerade as a voter during registration.
  • Voters trust their voting client.
  • At least one of each type of authority is honest.
  • The channels from the voter to the ballot boxes are anonymous.
  • Each voter has an untappable channel to a trusted registration teller.

VER + CR

CR

Real-World Cost

Society makes a tradeoff on:

  • Cost of election, vs.
  • Security, usability, …

Current total costs are $1-$3 / voter [International Foundation for Election Systems]

We don’t know the total cost for Civitas.

Cost of cryptography?

CPU Cost for Tabulation

For reasonable security parameters,

CPU time is 39 sec / voter / authority.

If CPUs are bought, used (for 5 hours), then thrown away:

$1500 / machine ⇒ $12 / voter

If CPUs are rented:

$1 / CPU / hr ⇒ 4¢ / voter

Increased cost…Increased security

IACR ?

Summary

Civitas provides security:

  • Remote voting
  • Verifiability
  • Coercion resistance (strongest?)

Civitas provides assurance:

  • Security proofs
  • Explicit trust assumptions
  • Information-flow analysis of implementation (first?)

IACR 

Technical Issues
  • Web interfaces
  • Testing
  • BFT bulletin board
  • Threshold cryptography
  • Anonymous channel integration

IACR 

Research Issues
  • Distribute trust in voter client
  • Eliminate in-person registration
  • Credential management
  • Application-level DoS

Web Site

http://www.cs.cornell.edu/projects/civitas

  • Technical report with concrete protocols
  • Source code of our prototype

Extra Slides

Paper
  • What paper does:
    • Convince voter that his vote was captured correctly
  • What paper does next:
    • Gets dropped in a ballot box
    • Immediately becomes insecure
      • Chain-of-custody, stuffing, loss, recount attacks…
      • Hacking paper elections has a long and (in)glorious tradition [Steal this Vote, Andrew Gumbel, 2005]
      • 20% of paper trails are missing or illegible [Michael Shamos, 2008]
  • What paper doesn’t:
    • Guarantee that a vote will be counted
    • Guarantee that a vote will be counted correctly

Cryptography

“The public won’t trust cryptography.”

  • It already does…
  • Because experts already do

“I don’t trust cryptography.”

  • You don’t trust the proofs, or
  • You reject the hardness assumptions

Selling Votes

Requires selling credential…

  • Which requires:
    • Adversary tapped the untappable channel, or
    • Adversary authenticated in place of voter…
  • Which then requires:
    • Voter transferred ability to authenticate to adversary; something voter…
      • Has: too easy
      • Knows: need incentive not to transfer
      • Is: hardest to transfer

Civitas Policy Examples
  • Confidentiality:
    • Information: Voter’s credential share
    • Policy: “RT permits only this voter to learn this information”
    • Jif syntax: RT  Voter
  • Confidentiality:
    • Information: Teller’s private key
    • Policy: “TT permits no one else to learn this information”
    • Jif syntax: TT  TT
  • Integrity:
    • Information: Random nonces used by tellers
    • Policy: “TT permits only itself to influence this information”
    • Jif syntax: TT  TT

Civitas Policy Examples
  • Declassification:
    • Information: Bits that are committed to then revealed
    • Policy: “TT permits no one to read this information until all commitments become available, then TT declassifies it to allow everyone to read.”
    • Jif syntax: TT  [TT commAvail ]
  • Erasure:
    • Information: Voter’s credential shares
    • Policy: “Voter requires, after all shares are received and full credential is constructed, that shares must be erased.”
    • Jif syntax: Voter  [Voter credConstT ]

Registration Trust Assumptions

One way to discharge is with in-person registration

    • Not an absolute requirement
      • Though for strong authentication, physical presence (“something you are”) is reasonable
    • Need not register in-person with all tellers

Works like real-world voting today:

    • Registration teller trusted to correctly authenticate voter
    • Issue of credential must happen in trusted “registration booth”
    • But doesn’t need to happen on special day

Con: System not fully remote

Pro: Credential can be used remotely for many elections

  • Reusing real-world mechanism, can bootstrap into a system offering stronger security

Voting Client Trust Assumption

Civitas voting client is not a DRE:

  • Voters are not required to trust a single (closed-source) implementation
  • Civitas allows open-source (re)implementations of the client
  • Voters can obtain or travel to implementation provided by organization they trust

Discharge? Distribute trust in client.

[Benaloh, Chaum, Joaquim and Ribeiro, Kutyłowski et al., Zúquete et al., …]

Blocks

Block is a “virtual precinct”

  • Each voter assigned to one block
  • Each block tallied independently of other blocks, even in parallel

Tabulation time is:

  • Quadratic in block size
  • Linear in number of voters
    • If using one set of machines for many blocks
  • Or, constant in number of voters
    • If using one set of machines per block

Tabulation Time vs. Anonymity

# voters = K, # tab. tellers = 4, security strength ≥ 112 bits [NIST 2011–2030]

Tabulation Time vs. # Voters

[Plot: sequential vs. parallel tabulation; K = 100]

Ranked Voting Methods

Voters submit ranking of candidates

  • e.g., Condorcet, Borda, STV
  • Help avoid spoiler effects
  • Defend against strategic voting
  • “Italian attack”

Civitas implements coercion-resistant Condorcet, approval and plurality voting methods

  • Could do any summable method
