1 / 65

Civitas Toward a Secure Voting System

Civitas Toward a Secure Voting System. Michael Clarkson Cornell University. AFRL Information Management Workshop October 22, 2010. Secret Ballot. Florida 2000: Bush v. Gore. “Flawless”. Security FAIL. Analysis of an electronic voting system [Kohno et al. 2003, 2004].

obert
Download Presentation

Civitas Toward a Secure Voting System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CivitasToward a Secure Voting System Michael ClarksonCornell University AFRL Information Management Workshop October 22, 2010

  2. Secret Ballot

  3. Florida 2000:Bush v. Gore

  4. “Flawless”

  5. Security FAIL

  6. Analysis of an electronic voting system[Kohno et al. 2003, 2004] • DRE trusts smartcards • Hardcoded keys and initialization vectors • Weak message integrity • Cryptographically insecure random number generator • ...

  7. California top-to-bottom reviews[Bishop, Wagner, et al. 2007] • “Virtually every important software security mechanism is vulnerable to circumvention.” • “An attacker could subvert a single polling place device...then reprogram every polling place device in the county.” • “We could not find a single instance of correctly used cryptography that successfully accomplished the security purposes for which it was apparently intended.”

  8. Why is this so hard?

  9. VERIFIABILITY PRIVACY

  10. VERIFIABILITY …not just correctness …even if everyone cheats

  11. VERIFIABILITY Universal verifiability Voter verifiability Eligibility verifiability UV: [Sako and Killian 1994, 1995] EV & VV: [Kremer, Ryan & Smyth 2010]

  12. PRIVACY …more than secrecy …even if almost everyone cheats

  13. PRIVACY Coercion resistance better than receipt freenessor simple anonymity RF: [Benaloh 1994] CR: [Juels, Catalano & Jakobsson 2005]

  14. ROBUSTNESS Tally availability

  15. ROBUSTNESS VERIFIABILITY PRIVACY

  16. ROBUSTNESS VERIFIABILITY PRIVACY Remote (including Internet)

  17. H.R. 2647 Sec. 589 Military and Overseas Voter Empowerment Act

  18. How can we vote securely,electronically,remotely?

  19. Cornell Voting Systems • CIVS (ca. 2005) [Myers & Clarkson]http://www.cs.cornell.edu/andru/civs.html • Civitas 0.7 (ca. 2007) [Clarkson, Chong & Myers]http://www.cs.cornell.edu/projects/civitasPublished Oakland 2008 + 2 Masters projects • Civitas 1.0 (started fall 2010) [Clarkson et al.]

  20. Cornell Voting Systems • CIVS (ca. 2005) [Myers & Clarkson]http://www.cs.cornell.edu/andru/civs.html • Civitas 0.7 (ca. 2007) [Clarkson, Chong & Myers]http://www.cs.cornell.edu/projects/civitasPublished Oakland 2008 + 2 Masters projects • Civitas 1.0 (started fall 2010) [Clarkson et al.]

  21. Security Properties Original Civitas: • Universal verifiability • Eligibility verifiability • Coercion resistance Masters projects: • Voter verifiability • Tally availability …under various assumptions

  22. KEY PRINCIPLE: Mutual Distrust

  23. JCJ Voting Scheme [Juels, Catalano & Jakobsson 2005] Proved universal verifiability and coercion resistance Civitas extends JCJ

  24. Civitas Architecture registration teller registration teller registration teller tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box voterclient tabulation teller

  25. tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box tabulation teller Registration registration teller registration teller registration teller voterclient Voter retrieves credential share from each registration teller;combines to form credential

  26. Credentials • Verifiable • Unsalable • Unforgeable • Anonymous

  27. registration teller registration teller registration teller tabulation teller bulletinboard tabulation teller tabulation teller Voting ballot box ballot box ballot box voterclient Voter submits copy of encrypted choice and credential to each ballot box

  28. Resisting Coercion:Fake Credentials

  29. Resisting Coercion

  30. registration teller registration teller registration teller voterclient Tabulation tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box tabulation teller Tellers retrieve votes from ballot boxes

  31. registration teller registration teller registration teller ballot box ballot box ballot box voterclient Tabulation tabulation teller bulletinboard tabulation teller tabulation teller Tabulation tellers anonymizevotes;eliminate unauthorized (and fake) credentials; decrypt remaining choices.

  32. registration teller registration teller registration teller voterclient Auditing tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box tabulation teller Anyone can verify proofs that tabulation is correct

  33. Universal verifiability:Tellers post proofs during tabulation Coercion resistance:Voters can undetectably fake credentials Civitas Architecture registration teller registration teller registration teller tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box voterclient tabulation teller Security Proofs

  34. Protocols • El Gamal; distributed [Brandt]; non-malleable [Schnorr and Jakobsson] • Proof of knowledge of discrete log [Schnorr] • Proof of equality of discrete logarithms [Chaum & Pederson] • Authentication and key establishment [Needham-Schroeder-Lowe] • Designated-verifier reencryption proof [Hirt & Sako] • 1-out-of-L reencryption proof [Hirt & Sako] • Signature of knowledge of discrete logarithms [Camenisch & Stadler] • Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest] • Plaintext equivalence test [Jakobsson & Juels] Implementation: 21k LoC

  35. Trust Assumptions

  36. Trust Assumptions • “Cryptography works.” • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller.

  37. Trust Assumptions • “Cryptography works.” • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. Universal verifiability Coercion resistance Coercion resistance

  38. Trust Assumptions • “Cryptography works.” • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. UV + CR CR

  39. Trust Assumptions • “Cryptography works.” • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. UV + CR CR

  40. Trust Assumptions • “Cryptography works.” • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. UV + CR CR

  41. Registration In person. In advance. Con: System not fully remote Pro:Credential can be used in many elections

  42. Trust Assumptions • “Cryptography works.” • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. UV + CR CR

More Related