Download
coercion resistant remote voting n.
Skip this Video
Loading SlideShow in 5 Seconds..
Coercion-Resistant Remote Voting PowerPoint Presentation
Download Presentation
Coercion-Resistant Remote Voting

Coercion-Resistant Remote Voting

143 Views Download Presentation
Download Presentation

Coercion-Resistant Remote Voting

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Coercion-Resistant Remote Voting JCJ and Civitas Michael ClarksonCornell University SecVote Summer School September 3, 2010 Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C.

  2. Remote Voting

  3. Receipt Freeness . Voters do not obtain information (a receipt) that proves how they voted. [Benaloh & Tuinstra 1994, Okamoto 1997, Delaune, Kremer & Ryan 2006, Jonker and Pieters 2006, Jonker and de Vink 2007, Backes, Hritcu & Maffei 2008, …]

  4. Attacks • Randomization • Forced abstention • Simulation [Schoenmakers 2000, Juels, Catalano & Jakobsson 2005]

  5. Coercion Resistance Coercer can observe and interact with voter during remote voting… …must prevent coercers from trusting their own observations… …must enable voters to lie to coercers.

  6. Coercion Resistance The adversary cannot learn how voters vote, even if voters collude and interact with the adversary. (RF + defense against three attacks) [Juels, Catalano & Jakobsson 2005, Delaune, Kremer & Ryan 2006, Moran & Naor 2006, Backes, Hritcu & Maffei 2008, Küsters, Truderung & Vogt 2010]

  7. JCJ Ari Juels, Dario Catalano & Markus Jakobsson.Coercion-resistant electronic elections. In Proc. Workshop in Privacy in the Electronic Society, 2005.

  8. Civitas Michael Clarkson, Stephen Chong, Andrew Myers. Civitas: Toward a Secure Voting System.In Proc. IEEE Symposium on Security and Privacy, 2008.

  9. Civitas LOC

  10. JCJ Key techniques: • Coercion-resistant credentials • Plaintext equivalence test (PET)[Jakobsson & Juels 2000, MacKenzie, Shrimpton & Jakobsson 2002] Based on mix networks…

  11. Mixnet Schemes • V → BB: sign(enc(vote; KT); kV) • Talliers: • check and remove signatures • mix votes • decrypt votes

  12. JCJ V → BB: enc(cred; KT), enc(vote; KT) • Talliers: • Anonymize all submissions with mixnets • Remove submissions with unauthorized credentials • Decrypt votes

  13. JCJ V → BB: enc(cred; KT), enc(vote; KT) Want voters to be able to fake credentials

  14. Resisting Coercion

  15. Resisting Coercion Defeats randomization attacks Defeats forced abstention attacks Defeats simulation attacks

  16. CredentialsDesired Properties • Verifiable • Unsalable • Unforgeable • Anonymous

  17. JCJ Scheme bulletinboard Registrar Tallier Voter

  18. JCJ Scheme Registrar Tallier R1 T1 bulletinboard R2 T2 R3 T3 Voter

  19. Assumption 0 At least one of each type of authority is honest (Needed for CR, not for verifiability)

  20. JCJ Phases: • Setup • Registration • Vote submission • Tabulation

  21. Setup Registrar Tallier R1 T1 bulletinboard R2 T2 R3 T3 Voter

  22. Setup • Agree on El Gamal group G • Generate Tallier’s public encryption key KT, distribute private key kT • Post KT on BB

  23. Assumption 1 DDH (also RSA, random oracle) Civitas

  24. Registration Registrar Tallier R1 T1 bulletinboard R2 T2 R3 T3 Voter

  25. Registration • Registrar: authenticate V • Registrar: s ← G • Registrar → BB: enc(s; KT) • Registrar → V [untap.]: s s = private credential enc(s) = S = public credential

  26. Registration • Registrar: authenticate V • Registrar: s ← G • Registrar → BB: enc(s; KT) • Registrar → V [untap.]: s Electoral roll: list of all public credentials, signed by Registrar s = private credential enc(s) = S = public credential

  27. Assumption 2 Initial voter authenticationis correct & Untappable channel (In person registration?)

  28. Registration How many registrars? How trusted? • One, trusted • Many, untrusted

  29. Registration One, untrusted registrar: 4. Registrar → V [untap.]: s, DVP(“S encrypts s”, V)

  30. DVP Designated Verifier Proof [Jakobsson, Sako & Impagliazzo 1996] DVP(Φ, A) proves in ZK that “Φ holds, or prover knows A’s private key”

  31. Registration One, untrusted registrar: 4. Registrar → V [untap.]: s, DVP(“S encrypts s”, V) DVP ensures proof isn’t receipt

  32. Registration Civitas Many, untrusted registrars: For each registrar Ri: • Ri: authenticate V • Ri: si ← G • Ri → BB: enc(si; KT) which is Si • Ri → V [unt.]: si, DVP(“Si encrypts si”, V) …

  33. Registration Civitas …Voter calculates credential: s = ∏isi S = ∏iSi S= ∏iSi = ∏ienc(si) = enc(∏isi) = enc(s)

  34. Faking Credentials Voter V: • Picks registrar Ri • Substitutes new ŝi for si • Invents DVP(“Si encrypts ŝi”, V)

  35. Assumption 3 Trusted Ri (Need untappable channel only to that registrar.)

  36. CredentialsDesired Properties • Verifiable ✓ • Unsalable ✓ • Unforgeable✓ • Anonymous

  37. Vote Submission Registrar Tallier R1 T1 bulletinboard R2 T2 R3 T3 Voter

  38. Vote Submission • V: select choice (candidate) c • V → BB [anon.]: enc(s; KT), enc(c; KT)

  39. Assumption 4 Anonymous channel

  40. Assumption 5 Voter client doesn’t leak credential & Voter client encrypts correctly

  41. Assumption 5 Voter client doesn’t leak credential & Voter client encrypts correctly

  42. Vote Submission • V: select choice (candidate) c • V → BB [anon.]: enc(s; KT), enc(c; KT) Problems: replay attacks, malformed choices

  43. Vote Submission • V: select choice (candidate) c • V → BB [anon.]: enc(s; KT), enc(c; KT) Problems: replay attacks, malformed choices Solution: zero-knowledge proofs

  44. Vote Submission • V: select choice (candidate) c • V → BB [anon.]: enc(s; KT), enc(c; KT), Pk,Pw Pk: signature of knowledge[Camenisch & Stadler 1997] Pw: 1-out-of-L reencryption proof [Hirt & Sako 2000]

  45. Vote Submission • V: select choice (candidate) c • V → BB [anon.]: enc(s; KT), enc(c; KT), Pk,Pw Problem: scalability, reliability of BB

  46. Vote Submission • V: select choice (candidate) c • V → BB [anon.]: enc(s; KT), enc(c; KT), Pk,Pw Problem: scalability, reliability of BB Solution: distributed ballot boxes Civitas

  47. Vote Submission Registrar Tallier R1 T1 bulletinboard R2 T2 R3 T3 Voter