civitas toward a secure voting system
DESCRIPTION
Civitas Toward a Secure Voting System. Michael Clarkson Cornell University. AFRL Information Management Workshop October 22, 2010. Secret Ballot. Florida 2000: Bush v. Gore. “Flawless”. Security FAIL. Analysis of an electronic voting system [Kohno et al. 2003, 2004]. - PowerPoint PPT PresentationTRANSCRIPT
CivitasToward a Secure Voting System
AFRL Information Management Workshop October 22, 2010
Michael ClarksonCornell University
Secret Ballot
Florida 2000:Bush v. Gore
“Flawless”
12
Security FAIL
Analysis of an electronic voting system
[Kohno et al. 2003, 2004]
• DRE trusts smartcards• Hardcoded keys and initialization
vectors• Weak message integrity• Cryptographically insecure random
number generator• ...
California top-to-bottom reviews
[Bishop, Wagner, et al. 2007]• “Virtually every important software security
mechanism is vulnerable to circumvention.”• “An attacker could subvert a single polling
place device...then reprogram every polling place device in the county.”
• “We could not find a single instance of correctly used cryptography that successfully accomplished the security purposes for which it was apparently intended.”
Why is this so hard?
17
PRIVACYVERIFIABILITY
18
VERIFIABILITY…not just correctness
…even if everyone cheats
19
VERIFIABILITY
Universal verifiabilityVoter verifiability
Eligibility verifiability
UV: [Sako and Killian 1994, 1995]EV & VV: [Kremer, Ryan & Smyth 2010]
20
PRIVACY…more than secrecy
…even if almost everyone cheats
21
PRIVACY
Coercion resistance
better than receipt freeness or simple anonymity
RF: [Benaloh 1994]CR: [Juels, Catalano & Jakobsson 2005]
22
ROBUSTNESS
Tally availability
23
PRIVACYVERIFIABILITY
ROBUSTNESS
24
Remote
PRIVACYVERIFIABILITY
(including Internet)
ROBUSTNESS
25
H.R. 2647 Sec. 589Military and Overseas Voter
Empowerment Act
26
How can we vote securely,
electronically,remotely?
27
Cornell Voting Systems
• CIVS (ca. 2005) [Myers & Clarkson]http://www.cs.cornell.edu/andru/civs.html
• Civitas 0.7 (ca. 2007) [Clarkson, Chong & Myers]http://www.cs.cornell.edu/projects/civitasPublished Oakland 2008 + 2 Masters projects
• Civitas 1.0 (started fall 2010) [Clarkson et al.]
28
Cornell Voting Systems
• CIVS (ca. 2005) [Myers & Clarkson]http://www.cs.cornell.edu/andru/civs.html
• Civitas 0.7 (ca. 2007) [Clarkson, Chong & Myers]http://www.cs.cornell.edu/projects/civitasPublished Oakland 2008 + 2 Masters projects
• Civitas 1.0 (started fall 2010) [Clarkson et al.]
29
Security Properties
Original Civitas:• Universal
verifiability• Eligibility
verifiability• Coercion resistance
Masters projects:• Voter verifiability• Tally availability
…under various assumptions
30
Mutual DistrustKEY PRINCIPLE:
31
JCJ Voting Scheme
[Juels, Catalano & Jakobsson 2005]
Proved universal verifiability and coercion resistance
Civitas extends JCJ
32
Civitas Architecture
bulletinboard
voterclient
tabulation teller
tabulation teller
tabulation teller
registration teller
registration teller
registration teller
ballot boxballot boxballot box
33
Registration
voterclient
registration teller
registration teller
registration teller
bulletinboard
tabulation teller
tabulation teller
tabulation teller
ballot boxballot boxballot box
Voter retrieves credential share from each registration teller;combines to form credential
34
Credentials• Verifiable• Unsalable• Unforgeable• Anonymous
35
Voting
voterclient
ballot boxballot boxballot box
bulletinboard
tabulation teller
tabulation teller
tabulation teller
registration teller
registration teller
registration teller
Voter submits copy of encrypted choice and credential to each ballot box
36
Resisting Coercion:
Fake Credentials
37
Resisting CoercionIf the coercer demands that the voter…
Then the voter…
Submits a particular vote
Does so with a fake credential.
Sells or surrenders a credential
Supplies a fake credential.
Abstains Supplies a fake credential to the adversary and votes with a real one.
38
Tabulation
bulletinboard
tabulation teller
tabulation teller
tabulation teller
voterclient
registration teller
registration teller
registration teller
ballot boxballot boxballot box
Tellers retrieve votes from ballot boxes
39
Tabulation
bulletinboard
tabulation teller
tabulation teller
tabulation teller
voterclient
registration teller
registration teller
registration teller
ballot boxballot boxballot box
Tabulation tellers anonymize votes;eliminate unauthorized (and fake) credentials;
decrypt remaining choices.
40
Auditing
bulletinboard
voterclient
registration teller
registration teller
registration teller
Anyone can verify proofs that tabulation is correct
tabulation teller
tabulation teller
tabulation teller
ballot boxballot boxballot box
41
Civitas Architecture
bulletinboard
voterclient
tabulation teller
tabulation teller
tabulation teller
registration teller
registration teller
registration teller
ballot boxballot boxballot box
Universal verifiability: Tellers post proofs during tabulation
Coercion resistance:
Voters can undetectably fake credentialsSECURITY PROOFS
42
Protocols– El Gamal; distributed [Brandt]; non-malleable [Schnorr
and Jakobsson]– Proof of knowledge of discrete log [Schnorr]– Proof of equality of discrete logarithms [Chaum &
Pederson]– Authentication and key establishment [Needham-
Schroeder-Lowe]– Designated-verifier reencryption proof [Hirt & Sako]– 1-out-of-L reencryption proof [Hirt & Sako]– Signature of knowledge of discrete logarithms
[Camenisch & Stadler]– Reencryption mix network with randomized partial
checking [Jakobsson, Juels & Rivest]– Plaintext equivalence test [Jakobsson & Juels]
Implementation: 21k LoC
Trust Assumptions
44
Trust Assumptions1. “Cryptography works.”
2. The adversary cannot masquerade as a voter during registration.
3. Voters trust their voting client.
4. At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are anonymous.
6. Each voter has an untappable channel to a trusted registration teller.
45
Trust Assumptions1. “Cryptography works.”
2. The adversary cannot masquerade as a voter during registration.
3. Voters trust their voting client.
4. At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are anonymous.
6. Each voter has an untappable channel to a trusted registration teller.
Universal verifiability Coercion resistance
Coercion resistance
46
Trust Assumptions1. “Cryptography works.”
2. The adversary cannot masquerade as a voter during registration.
3. Voters trust their voting client.
4. At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are anonymous.
6. Each voter has an untappable channel to a trusted registration teller.
UV + CR
CR
47
Trust Assumptions1. “Cryptography works.”
2. The adversary cannot masquerade as a voter during registration.
3. Voters trust their voting client.
4. At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are anonymous.
6. Each voter has an untappable channel to a trusted registration teller.
UV + CR
CR
48
Trust Assumptions1. “Cryptography works.”
2. The adversary cannot masquerade as a voter during registration.
3. Voters trust their voting client.
4. At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are anonymous.
6. Each voter has an untappable channel to a trusted registration teller.
UV + CR
CR
49
RegistrationIn person.
In advance.
Con: System not fully remote
Pro: Credential can be used in
many elections
50
Trust Assumptions1. “Cryptography works.”
2. The adversary cannot masquerade as a voter during registration.
3. Voters trust their voting client.
4. At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are anonymous.
6. Each voter has an untappable channel to a trusted registration teller.
UV + CR
CR
51
Eliminating Trust in Voter ClientUV: Use challenges
CR: Open problem
52
Trust Assumptions1. “Cryptography works.”
2. The adversary cannot masquerade as a voter during registration.
3. Voters trust their voting client.
4. At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are anonymous.
6. Each voter has an untappable channel to a trusted registration teller.
UV + CR
CR
53
Trust Assumptions`1. “Cryptography works.”
2. The adversary cannot masquerade as a voter during registration.
3. Voters trust their voting client.
4. At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are anonymous.
6. Each voter has an untappable channel to a trusted registration teller.
UV + CR
CR
54
Trust Assumptions1. “Cryptography works.”
2. The adversary cannot masquerade as a voter during registration.
3. Voters trust their voting client.
4. At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are anonymous.
6. Each voter has an untappable channel to a trusted registration teller.
UV + CR
CR
55
Untappable Channel
Minimal known assumption for receipt freeness and coercion
resistance
Eliminate? Open problem.(Eliminate trusted registration teller? Also open.)
56
Trust Assumptions1. “Cryptography works.”
2. The adversary cannot masquerade as a voter during registration.
3. Voters trust their voting client.
4. At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are anonymous.
6. Each voter has an untappable channel to a trusted registration teller.
UV + CR
CR
57
Trusted procedures?
58
Time to Tally
59
Tabulation Time
# voters in precinct = K, # tab. tellers = 4, security strength ≥ 112 bits [NIST 2011–2030]
60
SummaryCan achieve strong security and
transparency:– Remote voting– Universal (voter, eligibility) verifiability– Coercion resistance
Security is not free:– Stronger registration (untappable channel)– Cryptography (computationally expensive)
61
AssuranceSecurity proofs (JCJ)
Secure implementation (Jif)
62
Ranked Voting
63
Open Problems• Coercion-resistant voter client?• Eliminate untappable channel in
registration?• Credential management?• Application-level denial of service?
http://www.cs.cornell.edu/projects/civitas
(google “civitas voting”)
CivitasToward a Secure Voting System
AFRL Information Management Workshop October 22, 2010
Michael ClarksonCornell University