on the security of election audits with low entropy
play

On the Security of Election Audits with Low Entropy Randomness Eric - PowerPoint PPT Presentation

Oct 30, 2022 •243 likes •478 views

On the Security of Election Audits with Low Entropy Randomness Eric Rescorla ekr@rtfm.com EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 1 Overview Secure auditing requires random sampling The units to be

  1. On the Security of Election Audits with Low Entropy Randomness Eric Rescorla ekr@rtfm.com EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 1

  2. Overview • Secure auditing requires random sampling – The units to be audited must be verifiably unpredictable – Simple physical methods (dice, coins, etc.) are expensive • “Stretching”approaches – Randomness tables [CWD06] – Cryptographic pseudorandom number generators (CSPRNGs) [CHF08] • These techniques must be seeded with verifiably random values • Small (but natural) seeds give the attacker an advantage EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 2

  3. Formalizing the Problem: The Auditing Game Audit units Audit units (U) (U) Attacked Audited Attacked Audited (K) (V) (K) (V) V ∩ K = / 0 : Attacker wins V ∩ K � = / 0 : Attacker loses • Two players: Attacker and Auditor • U audit units ( U 0 , U 1 ,... U N − 1 ) • Attacker selects K ⊂ U to attack ( | K | = k ) – Selection is made before preliminary results are posted • Auditor selects V ⊂ U to audit ( | V | = v ) EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 3

  4. Auditing Game Strategy • If the auditor’s selections are random and i.i.d then: v − 1 ( N − i − k ) ∏ Pr(detection) = 1 − N − i i = 0 • No matter how the attacker chooses K • This is the auditor’s optimal strategy • What about intermediate cases? – Attacker has incomplete information about V EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 4

  5. Example: A Million Random Digits [RAN02] • Pick a random starting group and read forward – This process has log 2 ( # entries ) bits of entropy EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 5

  6. Random Number Tables Bias and Attacker Advantage • Random number tables aren’t the same as random numbers – The attacker knows the table – But not the starting point • Two effects give the attacker an advantage – Natural variation in the occurrences of each value – Clustering of values EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 6

  7. Natural Variation • Binomially distributed counts 0.025 • Expected value = T / N 0.020 Probability 0.015 0.010 0.005 0.000 160 180 200 220 240 Number of occurrences (n) EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 7

  8. Natural Variation • Binomially distributed counts 0.025 • Expected value = T / N 0.020 • Attacker selects k least frequent Probability 0.015 units 0.010 0.005 Area=k/N 0.000 160 180 200 220 240 Number of occurrences (n) EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 8

  9. Natural Variation • Binomially distributed counts 0.025 n_k • Expected value = T / N 0.020 • Attacker selects k least frequent Probability 0.015 units 0.010 • The k th least frequent unit ap- pears n k times 0.005 Area=k/N � � n : cdf ( n ) ≥ k n k = min 0.000 N 160 180 200 220 240 Number of occurrences (n) EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 9

  10. Auditing with Natural Variation • Total entries in table corresponding to k least frequent units † : n k ∑ T bad = N n ϕ ( n ) n = 0 • This is just a standard sampling problem – Each“good”sample removes approximately F entries: F = T − T bad N − k • Probability of detection of least frequent k units: v − 1 T − iF − T bad ∏ Pr(detection) = 1 − T − iF i = 0 † Semi-accurate approximation; see paper. EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 10

  11. Clustering Effects • We’re not really sampling the table randomly – We read entries in sequence – The order of the entries matters 0 0 0 0 0 0 0 0 0 0 0 2 3 4 5 1 6 7 8 9 1 1 1 1 1 1 1 1 1 1 0 2 3 4 5 1 6 7 8 9 6 7 8 9 2 3 4 5 6 7 0 2 3 4 5 1 6 7 8 9 8 9 2 3 4 5 6 7 8 9 0 2 3 4 5 1 6 7 8 9 2 3 4 5 6 7 8 9 2 3 0 2 3 4 5 1 6 7 8 9 4 5 6 7 8 9 2 3 4 5 0 2 3 4 5 1 6 7 8 9 6 7 8 9 2 3 4 5 6 7 0 2 3 4 5 1 6 7 8 9 8 9 2 3 4 5 6 7 8 9 0 2 3 4 5 1 6 7 8 9 2 3 4 5 6 7 8 9 2 3 0 2 3 4 5 1 6 7 8 9 4 5 6 7 8 9 2 3 4 5 0 2 3 4 5 1 6 7 8 9 A table constructed to minimize detection A table constructed to maximize detection EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 11

  12. Simulation Studies • No good analytic model for clustering effect – Though some potential avenues • Easiest to study via simulation – Generate a random table (using CSPRNG) – Generate an attack set of size k – Determine which offsets will sample at least one element of K • Two kinds of attack sets – Random (should have expected statistics) – Randomly selected from least frequent 2 k units † • Results averaged over multiple tables (5–25) † This is heuristic. We don’t have a good algorithm here either. EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 12

  13. Example 1.0 0.8 Probability of Detecting Attack 0.6 0.4 0.2 Expected Under Attack 0.0 0 100 200 300 400 500 600 Number of Sampled Precincts 200,000 entries, 1000 precincts, 10 attacked EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 13

  14. The Attacker’s View: Modest Advantage • Still very likely to be detected – In the above example: about 4x more chance of success at 99% – Biggest gap around 80% nominal detection rate (71.4% actual) • Probably not enough to make or break an attack – But worth doing if you’re going to attack anyway EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 14

  15. The Auditor’s View: Higher Work Factor Detection Units to Audit Units to Audit Difference (under attack) † Probability (projected) (percent) 80% 148 190 28 90% 205 270 32 95% 258 340 32 99% 368 540 47 Required audit levels: 200,000 entries, 1000 precincts, 10 attacked precincts EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 15

  16. General Trends • More entries per unit decrease attacker advantage – Larger tables – Fewer units • Higher attack rates decrease attacker advantage – Need to select increasingly probable values EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 16

  17. A Big Table 1.0 0.8 Probability of Detecting Attack 0.6 0.4 0.2 Expected Under Attack 0.0 0 100 200 300 400 Number of Sampled Precincts 1,000,000 entries, 1000 precincts, 10 attacked precincts EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 17

  18. Permuted Tables 1.0 0.8 Probability of Detecting Attack 0.6 0.4 0.2 Expected Under attack (permuted) Under attack (random) 0.0 0 100 200 300 400 500 600 Number of Sampled Precincts 200,000 entries, 1000 precincts, 10 attacked precincts EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 18

  19. Potential Improvements • New tables – Bigger ( 10 7 entries?) – Permuted rather than random – Generated using a PRNG? • Existing tables – Individual addressing – Random offsets – Multiple starting points – All of these need analysis EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 19

  20. What about CSPRNGs? • CSPRNGs have big state spaces no matter what the seed size – Stronger than tables for the same seed entropy – Intuition: sequences don’t overlap • Cryptographic applications require very large seeds – Not necessary here – Need unpredictability, not unsearchability EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 20

  21. Security of PRNGs by Seed Size (nominal 99% level) 1.0 ● ● ● ● ● ● ● ● ● ● 0.8 ● Probability of Detecting Attack ● 0.6 0.4 ● 0.2 0.0 ● ● ● 5 10 15 Bits of entropy Probability of detection for PRNGs: 1000 precincts, 10 attacked EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 21

  22. Summary • Secure auditing requires verifiably unpredictable random values • Generating them directly seems expensive • Natural stretching approaches may not deliver their expected security • Not clear if randomness tables can be used safely • PRNGs appear safe with modest-sized seeds EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 22

  23. References [CHF08] Joseph A. Calandrino, J. Alex Halderman, and Edward W. Felten. In Defense of Pseudorandom Sample Selection. In Proceedings of the 2008 Electronic Voting Technology Workshop, 2008. http://www.usenix.org/events/evt08/tech/full_ papers/calandrino/calandrino.pdf . [CWD06] Arel Cordero, David Wagner, and David Dill. The role of dice in election audits—extended abstract. IAVoSS Workshop on Trustworthy Elections 2006 (WOTE 2006), June 2006. http://www.cs.berkeley.edu/~daw/papers/dice-wote06.pdf . [RAN02] RAND Corporation. A Million Random Digits with 100,000 Normal Deviates. American Book Publishers, 2002. EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Computational Complexity and Information Asymmetry in Election Audits with Low-Entropy Randomness

Computational Complexity and Information Asymmetry in Election Audits with Low-Entropy Randomness

Computational Complexity and Information Asymmetry in Election Audits with Low-Entropy Randomness Nadia Heninger Princeton University August 10, 2010 Computational complexity and information asymmetry in financial products [Arora,

649 views • 25 slides
Election Security and Integrity What is election security? What is election integrity? Election

Election Security and Integrity What is election security? What is election integrity? Election

Election Security and Integrity What is election security? What is election integrity? Election Security = Physical Security + Cybersecurity Physical Security Security plans Secure storage of voting machines and electronic pollbooks

341 views • 13 slides
Implementing Risk-Limiting Post-Election Audits in California J.L. Hall 1 , 2 L.W. Miratrix 3 P.B.

Implementing Risk-Limiting Post-Election Audits in California J.L. Hall 1 , 2 L.W. Miratrix 3 P.B.

Risk-Limiting Audits Defined Risk-Limiting Audits in CA Discussion Simpler Risk-Limiting Audits? Conclusions Implementing Risk-Limiting Post-Election Audits in California J.L. Hall 1 , 2 L.W. Miratrix 3 P.B. Stark 3 M. Briones 4 E. Ginnold 4

631 views • 23 slides
Bayesian Post-Election Audits Ronald L. Rivest and Emily Shen Viterbi Professor of EECS MIT,

Bayesian Post-Election Audits Ronald L. Rivest and Emily Shen Viterbi Professor of EECS MIT,

Bayesian Post-Election Audits Ronald L. Rivest and Emily Shen Viterbi Professor of EECS MIT, Cambridge, MA {rivest,ehshen}@mit.edu EVT/WOTE 2012 2012-08-07 1 Outline Post-Election Audits Bayesian Ballot-Polling Bayesian Comparison Audits

1.09k views • 75 slides
Auditors Conference Election Security Legislative Discussion Last years bill 2647/6412 had

Auditors Conference Election Security Legislative Discussion Last years bill 2647/6412 had

Auditors Conference Election Security Legislative Discussion Last years bill 2647/6412 had several parts Improve signature witness information Reorganize and improve post-election audits Update the recount process Protect the

433 views • 18 slides
Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of a discrete random variable. Properties: H(x) >= 0 Entropy Entropy Lesser the probability for an event, larger the entropy.

471 views • 21 slides
CS 410/510: Web Security Motivation Security issues are having a real impact 2016

CS 410/510: Web Security Motivation Security issues are having a real impact 2016

CS 410/510: Web Security Motivation Security issues are having a real impact 2016 election Stuxnet Snowden F-35 fighter Bangladesh heist Problem Example: Russian 2016 election hacking Influence election via fake news

556 views • 20 slides
Evidence-Based Elections: The Role of Risk-Limiting Audits Election Integrity in the Networked

Evidence-Based Elections: The Role of Risk-Limiting Audits Election Integrity in the Networked

Evidence-Based Elections: The Role of Risk-Limiting Audits Election Integrity in the Networked Information Era Georgetown Law Washington, DC Philip B. Stark 7 February 2020 University of California, Berkeley 1 Arguments that US elections

489 views • 33 slides
Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S) Entropy is o8en related to disorder but not strictly correct Entropy is a measure

351 views • 8 slides
Election Infrastructure Security: The How and Why of It Minnesota ta County ty A Auditor E

Election Infrastructure Security: The How and Why of It Minnesota ta County ty A Auditor E

Election Infrastructure Security: The How and Why of It Minnesota ta County ty A Auditor E Election Training Conference May ay 3, 2 2018 Contents Elect ction I Infr fras astructure Se Secu curity O Overview Cy Cyber ber a

550 views • 25 slides
Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Entropy Entropy Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1 Entropy Entropy and Information Joint Entropy Frank Keller Conditional Entropy School of Informatics University of Edinburgh

81 views • 4 slides
Entropy and Uncertainty Appendix C Computer Security: Art and Science, 2 nd Edition Version 1.0

Entropy and Uncertainty Appendix C Computer Security: Art and Science, 2 nd Edition Version 1.0

Entropy and Uncertainty Appendix C Computer Security: Art and Science, 2 nd Edition Version 1.0 Slide B-1 Outline Random variables Joint probability Conditional probability Entropy (or uncertainty in bits) Joint entropy

463 views • 17 slides
Leader Election Chapter 3 Observations Election in the Ring Election in the Mesh Election in

Leader Election Chapter 3 Observations Election in the Ring Election in the Mesh Election in

Leader Election Chapter 3 Observations Election in the Ring Election in the Mesh Election in the Hypercube Election in an arbitrary graph - Leader Election = Breaking Symmetry Getting into the restricted world with Unique Initiator so

512 views • 35 slides
Electronic Voting CS 161: Computer Security Prof. David Wagner April 25, 2013 Security Goals for

Electronic Voting CS 161: Computer Security Prof. David Wagner April 25, 2013 Security Goals for

Electronic Voting CS 161: Computer Security Prof. David Wagner April 25, 2013 Security Goals for an Election Integrity: No election fraud Transparency: Everyone especially the loser must be able to verify that the election was

901 views • 62 slides
Electronic Voting CS 161: Computer Security Prof. David Wagner April 18, 2016 Security Goals for

Electronic Voting CS 161: Computer Security Prof. David Wagner April 18, 2016 Security Goals for

Electronic Voting CS 161: Computer Security Prof. David Wagner April 18, 2016 Security Goals for an Election Integrity: No election fraud Transparency: Everyone especially the loser must be able to verify that the election was

1.13k views • 65 slides
Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Outline Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the Technion) Huffman coding Arithmetic coding Lempel-Ziv coding 2 Entropy Definitions Alphabet : A finite set containing at least

402 views • 10 slides
Control-based continuation From models to experiments David Barton Engineering Mathematics,

Control-based continuation From models to experiments David Barton Engineering Mathematics,

26 April 2017 Control-based continuation From models to experiments David Barton Engineering Mathematics, University of Bristol Control-based continuation 26 April 2017 Motivation A favourite quote: Classification of mathematical problems

691 views • 53 slides
Cada Da - Welsh Meeting Template Social Language Learning Program - Template - Monday - Dydd

Cada Da - Welsh Meeting Template Social Language Learning Program - Template - Monday - Dydd

Web Meeting SET UP Cada Da - Welsh Meeting Template Social Language Learning Program - Template - Monday - Dydd Llun July 15 - UTC 15:30 [Wales 4:30pm, Argentina 12:30pm, Eastern US 11:30am] Launch Meeting and Countdown Time Zone Converter

1.81k views • 65 slides
Dis iscl closures I have no relevant financial relationships with the organizer of todays

Dis iscl closures I have no relevant financial relationships with the organizer of todays

1/11/2018 Dis iscl closures I have no relevant financial relationships with the organizer of todays event. Alaska Board of Pharmacy Employed by Walmart. Richard Holt, BS Pharm, PharmD, MBA Vice-Chair I am a member of the Alaska

425 views • 9 slides
Ubiquitous and Mobile Computing CS 525M: RiskRanker: Scalable and Accurate Zero day Android

Ubiquitous and Mobile Computing CS 525M: RiskRanker: Scalable and Accurate Zero day Android

Ubiquitous and Mobile Computing CS 525M: RiskRanker: Scalable and Accurate Zero day Android Malware Detection Martti Peltola Computer Science Dept. Worcester Polytechnic Institute (WPI) Introduction/Motivation: What was the main problem

366 views • 23 slides
Prefrontal cortex as a Meta-reinforcement learning system Matthew Botvinick DeepMind, London UK

Prefrontal cortex as a Meta-reinforcement learning system Matthew Botvinick DeepMind, London UK

Prefrontal cortex as a Meta-reinforcement learning system Matthew Botvinick DeepMind, London UK Gatsby Computational Neuroscience Unit, UCL Mnih et al, Nature (2015) Mnih et al, Nature (2015) Yamins & DiCarlo, 2016 Schultz et al, Science

535 views • 49 slides
Public Meeting #3 October 9, 2014 Tonights Schedule 6:00 6:30 pm Open House 6:30 7:00

Public Meeting #3 October 9, 2014 Tonights Schedule 6:00 6:30 pm Open House 6:30 7:00

Route 1 Multimodal Alternatives Analysis Public Meeting #3 October 9, 2014 Tonights Schedule 6:00 6:30 pm Open House 6:30 7:00 pm Presentation 7:00 8:00 pm Share your ideas 2 Agenda 1. Purpose of the study 2. What weve

948 views • 60 slides
Observing the Bursting Universe with LIGO: Status and Prospects Erik Katsavounidis LSC Burst

Observing the Bursting Universe with LIGO: Status and Prospects Erik Katsavounidis LSC Burst

Observing the Bursting Universe with LIGO: Status and Prospects Erik Katsavounidis LSC Burst Working Group 8 th GWDAW - UWM Dec 17-20, 2003 Bursts: what we are searching for Sources: known and unknown phenomena emitting short transients of

525 views • 14 slides
Quadratic relations for periods of connections Claude Sabbah Joint work with Javier Fresn

Quadratic relations for periods of connections Claude Sabbah Joint work with Javier Fresn

Quadratic relations for periods of connections Claude Sabbah Joint work with Javier Fresn (CMLS, Palaiseau) and Jeng-Daw Yu (NTU, Taipei) Centre de mathmatiques Laurent Schwartz CNRS, cole polytechnique, Institut polytechnique de Paris

556 views • 7 slides

More recommend