Efficient Receipt-Free Ballot Casting Resistant to Covert Channels - - PowerPoint PPT Presentation

▶

Feb 07, 2023 306 likes •639 views

Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff EVT / WOTE August 11th, 2009 Montreal, Canada Andy uses a voting machine to prepare a ballot. Andy wants to verify that the machine properly

SLIDE 1

Efficient Receipt-Free Ballot Casting Resistant to Covert Channels

Ben Adida

C. Andrew Neff

EVT / WOTE August 11th, 2009 Montreal, Canada

SLIDE 2

Andy uses a voting machine to prepare a ballot. Andy wants to verify that the machine properly encrypted the ballot.

SLIDE 3

Neff’s MarkPledge and Moran-Naor. Two Problems.

1) 2 ciphertexts per challenge bit (40-50) 2) machine can use ballot to leak plaintext.

SLIDE 4

MarkPledge2

efficient ballot encoding: 2 ciphertexts for any challenge length covert-channel resistance: no leakage via the ballot. voting machine is significantly simplified.

➡ simpler voting machine = less chance of errors.

SLIDE 5

Voter Experience

SLIDE 6

Voter Experience

Voter Check-in

Andy _________ Ben _________

SLIDE 7

Voter Experience

Voter Check-in

Andy _________ Ben _________

VHTI

SLIDE 8

Voter Experience

Hillary Barack John Bill

Voter Check-in

Andy _________ Ben _________

VHTI

SLIDE 9

Voter Experience

Hillary Barack John Bill

Voter Check-in

Andy _________ Ben _________

VHTI

SLIDE 10

Voter Experience

Hillary Barack John Bill

Barack 8DX5

Voter Check-in

Andy _________ Ben _________

VHTI

SLIDE 11

Challenge?

Voter Experience

Hillary Barack John Bill

Barack 8DX5

Voter Check-in

Andy _________ Ben _________

VHTI

SLIDE 12

Challenge?

Voter Experience

Hillary Barack John Bill

Barack 8DX5 VHTI

Voter Check-in

Andy _________ Ben _________

VHTI

SLIDE 13

Challenge?

Voter Experience

Hillary Barack John Bill

Barack 8DX5

Receipt

Hillary Barack John Bill MCN3 8DX5 I341 LQ21

Challenge

VHTI

Voter Check-in

Andy _________ Ben _________

VHTI

SLIDE 14

Challenge?

Voter Experience

Hillary Barack John Bill

Barack 8DX5

Receipt

Hillary Barack John Bill MCN3 8DX5 I341 LQ21

Challenge

VHTI

Voter Check-in

Andy _________ Ben _________

VHTI

SLIDE 15

Challenge?

Voter Experience

Hillary Barack John Bill

Barack 8DX5

Receipt

Hillary Barack John Bill MCN3 8DX5 I341 LQ21

Challenge

VHTI

Voter Check-in

Andy _________ Ben _________

VHTI

SLIDE 16

Special Bit Encryption

Hillary Barack John Bill

Encrypt a 0 or 1 for each candidate Special proof protocol

➡ for bit b=1 ➡ meaningful short strings

as part of the commitment

➡ short challenge strings

for real and simulated proofs

SLIDE 17

Special Bit Encryption

Hillary Barack John Bill

Encrypt a 0 or 1 for each candidate Special proof protocol

➡ for bit b=1 ➡ meaningful short strings

as part of the commitment

➡ short challenge strings

for real and simulated proofs

<ciphertexts>, "8DX5"

SLIDE 18

Special Bit Encryption

Hillary Barack John Bill

Encrypt a 0 or 1 for each candidate Special proof protocol

➡ for bit b=1 ➡ meaningful short strings

as part of the commitment

➡ short challenge strings

for real and simulated proofs

<ciphertexts>, "8DX5" "VHTI"

SLIDE 19

Special Bit Encryption

Hillary Barack John Bill

Encrypt a 0 or 1 for each candidate Special proof protocol

➡ for bit b=1 ➡ meaningful short strings

as part of the commitment

➡ short challenge strings

for real and simulated proofs

<ciphertexts>, "8DX5" "VHTI" reveal enc factors

SLIDE 20

Voter Experience (II)

Hillary Barack John Bill

1

SLIDE 21

Voter Experience (II)

Hillary Barack John Bill

1

<ciphertexts>, "8DX5" <ciphertexts>, <ciphertexts>, <ciphertexts>,

SLIDE 22

Voter Experience (II)

Hillary Barack John Bill

1

"VHTI" "VHTI" "VHTI" "VHTI" <ciphertexts>, "8DX5" <ciphertexts>, <ciphertexts>, <ciphertexts>,

SLIDE 23

<ciphertexts>, "MCN3" <ciphertexts>, "I341" <ciphertexts>, "LQ21"

Voter Experience (II)

Hillary Barack John Bill

1

"VHTI" "VHTI" "VHTI" "VHTI" <ciphertexts>, "8DX5"

SLIDE 24

<ciphertexts>, "MCN3" <ciphertexts>, "I341" <ciphertexts>, "LQ21"

Voter Experience (II)

Hillary Barack John Bill

1

"VHTI" "VHTI" "VHTI" "VHTI" reveal enc factors reveal enc factors reveal enc factors reveal enc factors <ciphertexts>, "8DX5"

SLIDE 25

<ciphertexts>, "MCN3" <ciphertexts>, "I341" <ciphertexts>, "LQ21"

Voter Experience (II)

Hillary Barack John Bill

1

"VHTI" "VHTI" "VHTI" "VHTI" reveal enc factors reveal enc factors reveal enc factors reveal enc factors

MCN3 8DX5 I341 LQ21

<ciphertexts>, "8DX5"

SLIDE 26

MarkPledge & Moran-Naor

BitEnc(1) 0 0 1 1 0 0 ... Pledge 1 ...

unique

BitEnc(0)

that fits the challenge

1 1 0 0 1 ... Challenge 1 1 ... 0 0 1 1 ... Reveal

SLIDE 27

Markpledge 2

different bit encryption

➡ isomorphic to ➡ operation is rotation (matrix mult.)

Designate 1-, 0-, and T-vectors

➡ any pair of a 1-vector and 0-vector

bisected by a test vector

➡ dot-product with test vector.

SO(2, q) (α, β) ∈ Z2

q , with α2 + β2 = 1

SLIDE 28

Same pattern emerges

BitEnc(1) 0 0 1 1 0 0 ... Pledge 1 ...

unique

BitEnc(0)

that fits the challenge

1 1 0 0 1 ... Challenge 1 1 ... 0 0 1 1 ... Reveal xi yi i xC,yC xCxi + yCyi

xi,yi chal m0,i

MarkPledge MarkPledge2

SLIDE 29

Covert Channel

Raised by Karloff, Sastry & Wagner If the voting machine chooses the random factor, it can embed info Can we make the voting machine fully deterministic given a voter ID and a selection in a given race?

SLIDE 30

Covert Channel

Pre-generate ciphertexts with trustees Rotate them on voter selection

1 1 1 1 2, r'1 1, r'2 4, r'3

Voting Machine Trustee #1 Trustee #2 Trustee #3

7 = 2 mod 5

r'1 + r'2 + r'3 Ballot #42

Bulletin Board

Ballot #42 Ballot #42

SLIDE 31

Why is this receipt-free?

What can the coercer ask the voter to do that affects the ballot / receipt? Only the challenge, which is selected before the voter enters the booth. All proofs will look the same, whether real or simulated.

SLIDE 32

Efficient Receipt-Free Ballot Casting Resistant to Covert Channels

Andy uses a voting machine to prepare a ballot. Andy wants to verify that the machine properly encrypted the ballot.

Neff’s MarkPledge and Moran-Naor. Two Problems.

1) 2 ciphertexts per challenge bit (40-50) 2) machine can use ballot to leak plaintext.

MarkPledge2

efficient ballot encoding: 2 ciphertexts for any challenge length covert-channel resistance: no leakage via the ballot. voting machine is significantly simplified.

Voter Experience

Voter Experience

Voter Experience

Voter Experience

Voter Experience

Voter Experience

Barack 8DX5

Voter Experience

Barack 8DX5

Voter Experience

Barack 8DX5 VHTI

Voter Experience

Barack 8DX5

VHTI

Voter Experience

Barack 8DX5

VHTI

Voter Experience

Barack 8DX5

VHTI

Special Bit Encryption

Encrypt a 0 or 1 for each candidate Special proof protocol

Special Bit Encryption

Encrypt a 0 or 1 for each candidate Special proof protocol

Special Bit Encryption

Encrypt a 0 or 1 for each candidate Special proof protocol

Special Bit Encryption

Encrypt a 0 or 1 for each candidate Special proof protocol

Voter Experience (II)

Hillary Barack John Bill

1

Voter Experience (II)

Hillary Barack John Bill

1

Voter Experience (II)

Hillary Barack John Bill

1

Voter Experience (II)

Hillary Barack John Bill

1

Voter Experience (II)

Hillary Barack John Bill

1

Voter Experience (II)

Hillary Barack John Bill

1

MCN3 8DX5 I341 LQ21

MarkPledge & Moran-Naor

Markpledge 2

different bit encryption

Designate 1-, 0-, and T-vectors

Same pattern emerges

Covert Channel

Raised by Karloff, Sastry & Wagner If the voting machine chooses the random factor, it can embed info Can we make the voting machine fully deterministic given a voter ID and a selection in a given race?

Covert Channel

Pre-generate ciphertexts with trustees Rotate them on voter selection

Why is this receipt-free?

What can the coercer ask the voter to do that affects the ballot / receipt? Only the challenge, which is selected before the voter enters the booth. All proofs will look the same, whether real or simulated.

Questions?