civitas toward a secure voting system michael clarkson cornell university coin (ca. 63 b.c.)...

CivitasCivitasToward a Secure Voting Toward a Secure Voting

SystemSystem

Michael ClarksonCornell University

Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C.

Stevens Institute of TechnologyMarch 30, 2009

Clarkson: Civitas 2

Civitas

Electronic voting system; 21,000 LOC

[Clarkson, Chong, and Myers, Oakland 2008]

Clarkson: Civitas 3

Evolution of Voting Technology

Clarkson: Civitas 4

Clarkson: Civitas 5

State of Secure Electronic Voting

Major commercial voting systems are insecure California reviews [Wagner, Wallach,

Blaze, et al.]

Academics are pessimisticSERVE report [Jefferson et al.]

Clarkson: Civitas 6

Security of Voting

Was your vote captured correctly? Was your vote counted correctly? Can the tally be independently

verified? Is your vote anonymous? Can anyone sell their vote? Can voters be coerced?

…

Clarkson: Civitas 7

Potential Threats

Outsiders Programmers Election officials Candidates and parties Employers, organizations, spouses, … Voters

…Voting systems have some of the strongest and hardest security requirements of any systems

Clarkson: Civitas 8

Civitas Security Model

No trusted supervision of polling places Including voters, procedures, hardware,

software Voting could take place anywhere

Remote votingGeneralization of “Internet voting” and “postal voting”

No unilateral trust in an election authority Instead, mutually distrusting set of authorities

Distributed trust

Clarkson: Civitas 9

Adversary

Corrupt all but one of each type of election authority

Perform any polynomial time computation Control network Coerce voters, demanding secrets or

behavior, remotely or physically

Security properties: Confidentiality, integrity, availability

Clarkson: Civitas 10

Integrity

Verifiability:

Including:Voters can check that their own vote is

included Universal verifiability: Anyone can audit

the election results; no votes added, changed, or deleted [Sako and Killian 1995]

The final tally is correct and verifiable.

The final tally is correct and verifiable.


Confidentiality

Voter coercion:Employer, spouse, etc.Coercer can demand any behavior

(abstain, sell)Coercer can observe and interact with

voter during remote voting

Must prevent coercers from trusting their own observations


Confidentiality

> receipt-freeness= CR interaction

> anonymity= RF collusion

The adversary cannot learn how voters vote, even if voters collude and interact

with the adversary.

The adversary cannot learn how voters vote, even if voters collude and interact

with the adversary.

Coercion resistance:

too weak


Availability

We assume that this holds To guarantee, would need to make

system components highly available, etc.

But it’s really about the votes

The final tally of the election is produced.The final tally of the election is produced.

Tally availability:


Building Civitas

Started with abstract voting protocol…[Juels, Catalano, and Jakobsson, WPES

2005]Extended design to improve security

and performance Implemented in security-typed language

(Jif)Evaluated security and performance


Civitas Architecture

bulletinboard

voterclient

tabulation teller

tabulation teller

tabulation teller

registration teller

registration teller

registration teller

ballot boxballot boxballot box


Registration

voterclient

registration teller

registration teller

registration teller

bulletinbulletinboardboard

tabulation tellertabulation teller



ballot boxballot boxballot boxballot boxballot boxballot box

Voter retrieves credential share from each registration teller;combines to form credential


Registration

voterclient

registration teller

registration teller

registration teller

credential share

credential


Properties of Credentials

VerifiableTeller must prove that share is good, but proof is

convincing only to voter Voter can’t sell share

AnonymousNo subset of shares reveals information about

credential Credentials can’t be linked to voters

UnforgeableCreating new credential requires participation of all

tellers Tellers can’t “stuff the ballot box”


Registration

voterclient

registration teller

registration teller

registration teller






JCJ: single trusted registrarCivitas: distributed trust Improved confidentiality and integrity


Voting

voterclient






registration registration tellerteller



Voter submits copy of encrypted choice and credential (plus proofs) to each ballot box


Properties of Votes

Anonymous Credentials are anonymous Submitted over anonymous channel

Replicated Votes can be deleted only if all ballot boxes

collude

Non-malleableNo one can construct “related” votes Votes can’t be changed or spoiled


Resisting Coercion

Voters substitute fake credentials To adversary, fake real Votes with fake credentials removed during

tabulation without revealing which are fake

For any behavior adversary demands…Voter complies, with fake credential

Voter needs untappable channel to a registration teller


Voting

voterclient









JCJ: no ballot boxesCivitas: distributed storage Votes highly available


Tabulation

bulletinboard

tabulation teller

tabulation teller

tabulation teller

votervoterclientclient





Tellers retrieve votes from ballot boxes


Tabulation

bulletinboard

tabulation teller

tabulation teller

tabulation teller






Tabulation tellers anonymize votes with mix network [Chaum 1981]


Mix Network

tabulation teller

tabulation teller

tabulation teller


Tabulation

bulletinboard

tabulation teller

tabulation teller

tabulation teller






Tellers eliminate unauthorized credentials;decrypt remaining choices;

post proofs


Properties of Tabulation

VerifiableTellers post zero-knowledge proofs during

tabulation

Coercion-resistantNo credentials (valid or fake) ever

revealedVoters can undetectably fake

credentials


Tabulation

bulletinboard

tabulation teller

tabulation teller

tabulation teller






JCJ: O(V2) Civitas: O(B2), B ¿ V Improved scalability


Blocks

Block is a “virtual precinct” Each voter assigned to one block Each block tallied independently of other blocks,

even in parallel

Tabulation time is: Quadratic in block size Linear in number of voters

If using one set of machines for many blocks Or, constant in number of voters

If using one set of machines per block


Civitas Architecture

bulletinboard

voterclient

tabulation teller

tabulation teller

tabulation teller

registration teller

registration teller

registration teller



Cryptographic Protocols

Leverage the literature: El Gamal; distributed [Brandt]; non-malleable [Schnorr and

Jakobsson] Proof of knowledge of discrete log [Schnorr] Proof of equality of discrete logarithms [Chaum & Pederson] Authentication and key establishment [Needham-Schroeder-

Lowe] Designated-verifier reencryption proof [Hirt & Sako] 1-out-of-L reencryption proof [Hirt & Sako] Signature of knowledge of discrete logarithms [Camenisch &

Stadler] Reencryption mix network with randomized partial checking

[Jakobsson, Juels & Rivest] Plaintext equivalence test [Jakobsson & Juels]


Civitas Security Assurance

Design JCJ proof of coercion resistance and

verifiability We extended proof

Backes et al. (CSF 2008) verification with ProVerif

Working to verify Civitas

Implementation…leverages language-based security


Secure Implementation

In Jif [Myers 1999, Chong and Myers 2005, 2008]Security-typed languageTypes contain information-flow policies

Confidentiality, integrity, declassification, erasure

If policies in code express correct requirements…(And Jif compiler is correct…)Then code is secure w.r.t. requirements


Civitas Policy Examples

Confidentiality: Information: Voter’s credential share Policy: “RT permits only this voter to learn this information” Jif syntax: RT Voter

Confidentiality: Information: Teller’s private key Policy: “TT permits no one else to learn this information” Jif syntax: TT TT

Integrity: Information: Random nonces used by tellers Policy: “TT permits only itself to influence this information” Jif syntax: TT TT


Civitas Policy Examples

Declassification: Information: Bits that are committed to then revealed Policy: “TT permits no one to read this information

until all commitments become available, then TT declassifies it to allow everyone to read.”

Jif syntax: TT [TT commAvail ]

Erasure: Information: Voter’s credential shares Policy: “Voter requires, after all shares are received

and full credential is constructed, that shares must be erased.”

Jif syntax: Voter [Voter credConst T ]


Civitas LOC

Component Approx. LOC

Tabulation teller 5,700

Registration teller 1,300

Bulletin board, ballot box

900

Voter client 800

Other (incl. common code)

4,700

Total Jif LOC 13,400

Low-level crypto and I/O

(Java and C)

8,000

Total LOC 21,400

Policy Distinct annotati

ons

Confidentiality

20

Integrity 26


Real-World Cost

Tradeoff: cost of election vs. security, usability, …

Current total costs are $1-$3 / voter [International Foundation for Election Systems]

We don’t know the total cost for Civitas…Computational cost of advanced

cryptography?


Tabulation Time vs. Anonymity

K = # voters, # tab. tellers = 4, security strength ≥ 112 bits [NIST 2011–2030],

3GHz Xeons


Tabulation Time vs. # Voters

K = 100

sequential

parallel


CPU Cost for Tabulation

CPU time is 39 sec / voter / authority If CPUs are bought, used (for 5 hours),

then thrown away:$1500 / machine = $12 / voter

If CPUs are rented:$1 / CPU / hr = 4¢ / voter

…for this extra cost, we get increased security


Voters submit ordering of candidates:

Examples: Condorcet, STV/IRV, Borda, …

Ranked Voting Methods

Vanilla 4

Chocolate 1

Strawberry 3

Cookie dough 2

Mint chocolate chip

5


Ranked Voting Methods

Low-order rankings create a covert channel

Coercion intrinsically possible

Vanilla X

Chocolate X

Strawberry X

Cookie dough X

Mint chocolate chip

1

4! completions


Civitas Voting Methods

Civitas implements coercion-resistant:CondorcetApprovalPlurality

Intuition: decompose ballot


Summary

Civitas is a remote voting system

Civitas contributes to: Protocols (theory of voting):

Distributed trust in registration for confidentiality Distributed vote storage for availability Introduced blocks (virtual precincts) for scalability Articulated and analyzed trust assumptions Efficient coercion-resistant Condorcet voting

Systems (practice of voting): Developed full, concrete protocols Implemented system Studied performance


Related Work

Abstract voting schemes:[Baudron et al.; Benaloh; Benaloh and Tuinstra; Boyd; Chaum; Chaum, Ryan, and Schneider Chen and Burminster; Cohen and Fischer; Cramer, Gennaro, and Schoenmakers; Fujioka, Okamoto, and Ohta; Hirt and Sako; Iversen; Kiayias and Yung; Magkos et al.; Merrit; Neff; Niemi and Renvall; Sako and Killian; Ohkubo et al.; Ohta; Okamoto; Park et al.; Rivest]

… Implemented voting systems:

Adder [Kiayias, Korman, Walluck] ElectMe [Shubina and Smith] EVOX [Herschberg, DuRette] Helios [Adida, Rivest] Prêt à Voter [Schneider, Heather, et al.; Ryan; Chaum] Punchscan [Stanton, Essex, Popoveniuc, et al.; Chaum] REVS [Joaquim, Zúquette, Ferreira; Lebre] Sensus [Cranor and Cytron] VoteHere [Neff] W-Voting [Kutyłowski, Zagórski, et al.] Civitas: Strongest coercion resistance, first to offer

security proofs or information-flow analysis


Web Site

http://www.cs.cornell.edu/projects/civitas

Technical report with concrete protocols

Source code of our prototype

CivitasCivitasToward a Secure Voting Toward a Secure Voting

SystemSystem

Michael ClarksonCornell University

Stevens Institute of TechnologyMarch 30, 2009

civitas toward a secure voting system michael clarkson cornell university coin (ca. 63 b.c.)...

Documents

availability slide

performance slide

trust slide

loc clarkson

civitas4 slide

weak slide

postal voting

software voting