Adapting Helios for Provable Ballot Privacy David Bernhard, - - PowerPoint PPT Presentation

Adapting Helios for Provable Ballot Privacy

David Bernhard, Veronique Cortier, Olivier Pereira, Ben Smyth, Bogdan Warinschi September 2, 2011

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 1 / 26

Helios

Helios is a web-based voting system by B. Adida et al. Helios has been used in several universities (including here in Belgium) and by the IACR.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 2 / 26

Security

Cryptographic voting systems should have security properties: Privacy No-one can discover how anyone else voted. Verifiability Anyone can check that an election was conducted correctly. And others: robustness, fairness, usability, . . .

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 3 / 26

Attacking and Fixing Helios

2010 paper by Cortier and Smyth (CSF ’11): analysis of Helios in the applied pi-calculus.

◮ There are attacks against privacy. ◮ Helios can be adapted so that it meets a symbolic definition

• f security.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 4 / 26

Our Contribution

We define a cryptographic model for ballot privacy. We show how to secure Helios in this model.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 5 / 26

Overview of Helios

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 6 / 26

Helios

Bulletin Board Helios uses a bulletin board.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 7 / 26

Helios

Bulletin Board Voters choose their vote . . .

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 7 / 26

Helios

Bulletin Board . . . encrypt it, . . .

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 7 / 26

Helios

Bulletin Board . . . and send it to the board.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 7 / 26

Helios

Bulletin Board The board collects all votes.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 7 / 26

Helios

Bulletin Board The administrators decrypt and publish the result.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 7 / 26

Helios Ballots

A Helios ballot contains

◮ Ciphertexts of the vote(s). ◮ Zero-knowledge proofs of correctness.

vote ciphertext proof

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 8 / 26

An Attack on Helios

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 9 / 26

An Attack on Helios

Consider an election with two honest voters and one dishonest voter.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 10 / 26

An Attack on Helios

The dishonest voter waits for the honest ones to submit their ballots . . .

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 10 / 26

An Attack on Helios

. . . then copies voter 2’s ballot and casts it as his own.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 10 / 26

An Attack on Helios

Result – Yes: 2, No: 1 1 1 He can now discover how everyone else voted just by looking at the result!

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 10 / 26

Malleable Ballots

? We want to be sure an adversary cannot cast a ballot derived in any way from previous ones.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 11 / 26

Our Model for Ballot Privacy

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 12 / 26

Motivating Example

1 yes no yes: 1, no: 1 1 no yes yes: 1, no: 1 Aim: No adversary can distinguish.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 13 / 26

Ballot Privacy

Challenger Adversary We model security with a game between a challenger and the adversary.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 14 / 26

Ballot Privacy

Challenger Adversary Vote(v) The adversary can choose the votes for honest voters.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 14 / 26

Ballot Privacy

Challenger Adversary Vote(v) Ballot(b) The adversary can submit arbitrary ballots for dishonest

• voters. (Adaptive adversary.)

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 14 / 26

Ballot Privacy

Vote(v) Ballot(v) Vote(v) Ballot(ε) The challenger either creates honest voters’ ballots correctly or always adds ballots for ε.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 15 / 26

Ballot Privacy

Challenger Adversary vote ballot . . . correct result The challenger always returns the correct result (for the adversary’s inputs).

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 16 / 26

Ballot Privacy

Challenger Adversary vote ballot . . . correct result correct ballots

• r

ε ballots? The adversary must guess what the challenger did.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 16 / 26

Ballot Privacy

If the challenger chooses correct ballots, he is simulating the Helios protocol. If the challenger chooses ε ballots, his ballots are independent of the honest users’ votes.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 17 / 26

Ballot Privacy

1 yes no yes: 1, no: 1 1 no yes yes: 1, no: 1 Aim: No adversary can distinguish.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 18 / 26

Ballot Privacy

1 yes no yes: 1, no: 1 1 no yes yes: 1, no: 1 ε ε yes: 1, no: 1 ≈ Security model: cannot distinguish this case . . .

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 18 / 26

Ballot Privacy

1 yes no yes: 1, no: 1 1 no yes yes: 1, no: 1 ε ε yes: 1, no: 1 ≈ ≈ . . . or this case.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 18 / 26

Ballot Privacy

1 yes no yes: 1, no: 1 1 no yes yes: 1, no: 1 ε ε yes: 1, no: 1 ≈ ≈ ≈ Therefore, he cannot distinguish these two either.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 18 / 26

Securing Helios

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 19 / 26

Securing Ballots

To secure Helios, we use IND-CCA2 secure encryption. We must reject any ballot containing a repeated ciphertext.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 20 / 26

Voting-Friendly Encryption

IND-CCA2 secure encryption cannot be homomorphic – but we want to keep the rest of Helios’ functionality. New primitives: embedded and voting-friendly encryption. (Similar to Wikstr¨

• m’s submission secure encryption.)

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 21 / 26

Voting-Friendly Encryption

We propose using the Naor-Yung transformation: IND-CCA2 secure but keeps all existing functionality. The cost of a ballot increases by (very roughly) 50%. ElGamal π Naor-Yung “old” ballot

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 22 / 26

Conclusions

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 23 / 26

Conclusions

We give a cryptographic model for ballot privacy. We can adapt Helios to be secure and prove this.

◮ Reject ballots with repeated ciphertexts. ◮ Proof assumes IND-CCA2 security.

IND-CCA2 security and homomorphic encryption can be combined for voting.

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 24 / 26

Questions

Thank you for attending. Questions?

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 25 / 26

ESORICS 2011 Adapting Helios for Provable Ballot Privacy 26 / 26