SLIDE 1

On the Security of Election Audits with Low Entropy Randomness

Eric Rescorla ekr@rtfm.com

EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 1

SLIDE 2

Overview

  • Secure auditing requires random sampling
    – The units to be audited must be verifiably unpredictable
    – Simple physical methods (dice, coins, etc.) are expensive
  • “Stretching” approaches
    – Randomness tables [CWD06]
    – Cryptographic pseudorandom number generators (CSPRNGs) [CHF08]
  • These techniques must be seeded with verifiably random values
  • Small (but natural) seeds give the attacker an advantage


SLIDE 3

Formalizing the Problem: The Auditing Game

[Figure, left panel: audit units U, attacked set K, audited set V; $V \cap K = \emptyset$: attacker wins]
[Figure, right panel: audit units U, attacked set K, audited set V; $V \cap K \ne \emptyset$: attacker loses]

  • Two players: Attacker and Auditor
  • U audit units ($U_0, U_1, \ldots, U_{N-1}$)
  • Attacker selects $K \subset U$ to attack ($|K| = k$)
    – Selection is made before preliminary results are posted
  • Auditor selects $V \subset U$ to audit ($|V| = v$)


SLIDE 4

Auditing Game Strategy

  • If the auditor’s selections are random and i.i.d. then:

$$\Pr(\text{detection}) = 1 - \prod_{i=0}^{v-1} \frac{N - i - k}{N - i}$$

  • No matter how the attacker chooses K
  • This is the auditor’s optimal strategy
  • What about intermediate cases?
    – Attacker has incomplete information about V
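The baseline of the auditing game above, worked through as an added example (this is not code from the slides or the paper). It evaluates the product formula, checks it against the exact hypergeometric form Pr(miss) = C(N−k, v)/C(N, v), and inverts it to find the smallest audit size v that reaches a target detection probability; the parameters N = 1000 precincts and k = 10 attacked are the ones the deck uses later.

```python
"""Slide 4's auditing game: detection probability for a uniformly random,
i.i.d. audit sample of v units out of N when k are attacked.
Added example, not from the original slides."""
from fractions import Fraction
from math import comb


def pr_detection(N: int, k: int, v: int) -> float:
    """1 - prod_{i=0}^{v-1} (N-i-k)/(N-i): probability that v units drawn
    uniformly without replacement from N hit at least one of the k attacked
    units, whatever attack set K the attacker picks."""
    if not (0 <= k <= N and 0 <= v <= N):
        raise ValueError("need 0 <= k <= N and 0 <= v <= N")
    p_miss = 1.0
    for i in range(v):
        p_miss *= (N - i - k) / (N - i)
    return 1.0 - p_miss


def pr_detection_exact(N: int, k: int, v: int) -> Fraction:
    """Same quantity as an exact rational: Pr(miss) = C(N-k, v) / C(N, v).
    Used here only to cross-check the product form above."""
    return 1 - Fraction(comb(N - k, v), comb(N, v))


def units_to_audit(N: int, k: int, target: float) -> int:
    """Smallest v with pr_detection(N, k, v) >= target, i.e. the audit size
    the auditor must plan for at a given confidence level."""
    if k == 0:
        raise ValueError("with k = 0 nothing can be detected")
    for v in range(N + 1):
        if pr_detection(N, k, v) >= target:
            return v
    return N  # v = N audits everything and always detects when k > 0


if __name__ == "__main__":
    N, k = 1000, 10
    for target in (0.80, 0.90, 0.95, 0.99):
        v = units_to_audit(N, k, target)
        print(f"{target:.0%}: audit {v} of {N} units "
              f"(Pr(detection) = {pr_detection(N, k, v):.4f})")
```

Run as a script this prints the "projected" column of the slide 15 table (148, 205, 258 and 368 units for 80%, 90%, 95% and 99%), which is the yardstick the later simulation results are measured against.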


SLIDE 5

Example: A Million Random Digits [RAN02]

  • Pick a random starting group and read forward
    – This process has $\log_2(\#\text{entries})$ bits of entropy


SLIDE 6

Random Number Tables Bias and Attacker Advantage

  • Random number tables aren’t the same as random numbers
    – The attacker knows the table
    – But not the starting point
  • Two effects give the attacker an advantage
    – Natural variation in the occurrences of each value
    – Clustering of values


SLIDE 7

Natural Variation

[Figure: probability vs. number of occurrences (n), n from 160 to 240]

  • Binomially distributed counts
  • Expected value = T/N


SLIDE 8

Natural Variation

[Figure: probability vs. number of occurrences (n), n from 160 to 240, with the lower tail of area $k/N$ shaded]

  • Binomially distributed counts
  • Expected value = $T/N$
  • Attacker selects k least frequent units


SLIDE 9

Natural Variation

[Figure: probability vs. number of occurrences (n), n from 160 to 240, with the lower tail of area $k/N$ shaded up to $n_k$]

  • Binomially distributed counts
  • Expected value = $T/N$
  • Attacker selects k least frequent units
  • The kth least frequent unit appears $n_k$ times:

$$n_k = \min\{\, n : \mathrm{cdf}(n) \ge k/N \,\}$$

SLIDE 10

Auditing with Natural Variation

  • Total entries in table corresponding to k least frequent units†:

$$T_{\mathrm{bad}} = N \sum_{n=0}^{n_k} n\,\phi(n)$$

  • This is just a standard sampling problem
    – Each “good” sample removes approximately F entries: $F = \dfrac{T - T_{\mathrm{bad}}}{N - k}$
  • Probability of detection of least frequent k units:

$$\Pr(\text{detection}) = 1 - \prod_{i=0}^{v-1} \frac{T - iF - T_{\mathrm{bad}}}{T - iF}$$

†Semi-accurate approximation; see paper.
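The natural-variation correction of slides 9 and 10, carried through as an added example (not the paper's code). It assumes, as the slides' "binomially distributed counts" suggests, that $\phi(n)$ is the Binomial(T, 1/N) probability that a given unit occurs n times in a table of T entries over N units; the pmf is evaluated in log space because `comb(T, n) * (1/N)**n` underflows a float at realistic table sizes. With $T_{\mathrm{bad}} = kT/N$ and $F = T/N$ the pool formula collapses to slide 4's baseline, which the code uses as its sanity check.

```python
"""Slide 10's 'natural variation' adjustment: the attacker picks the k
units that occur least often in the table. Added example, not the paper's
code; phi(n) is assumed Binomial(T, 1/N)."""
from math import exp, lgamma, log, log1p


def phi(n: int, T: int, N: int) -> float:
    """Probability that a given unit occurs exactly n times in the table,
    computed via log-gamma so large T does not underflow."""
    p = 1.0 / N
    log_pmf = (lgamma(T + 1) - lgamma(n + 1) - lgamma(T - n + 1)
               + n * log(p) + (T - n) * log1p(-p))
    return exp(log_pmf)


def n_k(T: int, N: int, k: int) -> int:
    """Smallest n with cdf(n) >= k/N: the count of the k-th least frequent unit."""
    cdf = 0.0
    for n in range(T + 1):
        cdf += phi(n, T, N)
        if cdf >= k / N:
            return n
    return T


def t_bad(T: int, N: int, k: int) -> float:
    """T_bad = N * sum_{n=0}^{n_k} n * phi(n): the table entries that belong
    to the k least frequent units (the slide's semi-accurate approximation)."""
    cutoff = n_k(T, N, k)
    return N * sum(n * phi(n, T, N) for n in range(cutoff + 1))


def pr_detection_pool(T: int, F: float, T_bad: float, v: int) -> float:
    """1 - prod_{i<v} (T - iF - T_bad)/(T - iF): each 'good' sample removes
    about F entries from a pool in which T_bad entries are attacked."""
    p_miss = 1.0
    for i in range(v):
        p_miss *= (T - i * F - T_bad) / (T - i * F)
    return 1.0 - p_miss


def pr_detection_natural(T: int, N: int, k: int, v: int) -> float:
    """Detection probability when the attacker targets the k least frequent units."""
    tb = t_bad(T, N, k)
    F = (T - tb) / (N - k)
    return pr_detection_pool(T, F, tb, v)


def pr_detection_nominal(N: int, k: int, v: int) -> float:
    """Slide 4's baseline, where every unit is equally likely to be sampled."""
    p_miss = 1.0
    for i in range(v):
        p_miss *= (N - i - k) / (N - i)
    return 1.0 - p_miss


if __name__ == "__main__":
    T, N, k = 200_000, 1000, 10          # the deck's running example
    print("n_k =", n_k(T, N, k), " T_bad =", round(t_bad(T, N, k), 1),
          " (kT/N =", k * T / N, ")")
    for v in (148, 205, 258, 368):
        print(f"v={v}: nominal {pr_detection_nominal(N, k, v):.4f}  "
              f"least-frequent attack {pr_detection_natural(T, N, k, v):.4f}")
```

The gap between the two columns printed per v is the natural-variation part of the attacker's advantage only; the clustering effect of slide 11 is not captured by this formula and has to be simulated.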


SLIDE 11

Clustering Effects

  • We’re not really sampling the table randomly
    – We read entries in sequence
    – The order of the entries matters

1 1 1 1 1 1 1 1 1 1 6 7 8 9 2 3 4 5 6 7 8 9 2 3 4 5 6 7 8 9 2 3 4 5 6 7 8 9 2 3 4 5 6 7 8 9 2 3 4 5 6 7 8 9 2 3 4 5 6 7 8 9 2 3 4 5 6 7 8 9 2 3 4 5 6 7 8 9 2 3 4 5 6 7 8 9 2 3 4 5
A table constructed to minimize detection

2 3 4 5 1 6 7 8 9 2 3 4 5 1 6 7 8 9 2 3 4 5 1 6 7 8 9 2 3 4 5 1 6 7 8 9 2 3 4 5 1 6 7 8 9 2 3 4 5 1 6 7 8 9 2 3 4 5 1 6 7 8 9 2 3 4 5 1 6 7 8 9 2 3 4 5 1 6 7 8 9 2 3 4 5 1 6 7 8 9
A table constructed to maximize detection

SLIDE 12

Simulation Studies

  • No good analytic model for clustering effect
    – Though some potential avenues
  • Easiest to study via simulation
    – Generate a random table (using CSPRNG)
    – Generate an attack set of size k
    – Determine which offsets will sample at least one element of K
  • Two kinds of attack sets
    – Random (should have expected statistics)
    – Randomly selected from least frequent 2k units†
  • Results averaged over multiple tables (5–25)

†This is heuristic. We don’t have a good algorithm here either.


SLIDE 13

Example

[Figure: probability of detecting attack vs. number of sampled precincts (100–600); curves “Expected” and “Under Attack”]

200,000 entries, 1000 precincts, 10 attacked


SLIDE 14

The Attacker’s View: Modest Advantage

  • Still very likely to be detected
    – In the above example: about 4x more chance of success at 99%
    – Biggest gap around 80% nominal detection rate (71.4% actual)
  • Probably not enough to make or break an attack
    – But worth doing if you’re going to attack anyway


SLIDE 15

The Auditor’s View: Higher Work Factor

Required audit levels: 200,000 entries, 1000 precincts, 10 attacked precincts

  Detection     Units to audit   Units to audit     Difference
  probability   (projected)      (under attack)†    (percent)
  80%           148              190                28
  90%           205              270                32
  95%           258              340                32
  99%           368              540                47


SLIDE 16

General Trends

  • More entries per unit decrease attacker advantage
    – Larger tables
    – Fewer units
  • Higher attack rates decrease attacker advantage
    – Need to select increasingly probable values


SLIDE 17

A Big Table

[Figure: probability of detecting attack vs. number of sampled precincts (100–400); curves “Expected” and “Under Attack”]

1,000,000 entries, 1000 precincts, 10 attacked precincts


SLIDE 18

Permuted Tables

[Figure: probability of detecting attack vs. number of sampled precincts (100–600); curves “Expected”, “Under attack (permuted)” and “Under attack (random)”]

200,000 entries, 1000 precincts, 10 attacked precincts


SLIDE 19

Potential Improvements

  • New tables
    – Bigger ($10^7$ entries?)
    – Permuted rather than random
    – Generated using a PRNG?
  • Existing tables
    – Individual addressing
    – Random offsets
    – Multiple starting points
    – All of these need analysis


SLIDE 20

What about CSPRNGs?

  • CSPRNGs have big state spaces no matter what the seed size
    – Stronger than tables for the same seed entropy
    – Intuition: sequences don’t overlap
  • Cryptographic applications require very large seeds
    – Not necessary here
    – Need unpredictability, not unsearchability


SLIDE 21

Security of PRNGs by Seed Size (nominal 99% level)

[Figure: probability of detecting attack vs. bits of seed entropy (5–15)]

Probability of detection for PRNGs: 1000 precincts, 10 attacked


SLIDE 22

Summary

  • Secure auditing requires verifiably unpredictable random values
  • Generating them directly seems expensive
  • Natural stretching approaches may not deliver their expected security
  • Not clear if randomness tables can be used safely
  • PRNGs appear safe with modest-sized seeds


SLIDE 23

References

[CHF08] Joseph A. Calandrino, J. Alex Halderman, and Edward W. Felten. In Defense of Pseudorandom Sample Selection. In Proceedings of the 2008 Electronic Voting Technology Workshop, 2008. http://www.usenix.org/events/evt08/tech/full_papers/calandrino/calandrino.pdf

[CWD06] Arel Cordero, David Wagner, and David Dill. The role of dice in election audits—extended abstract. IAVoSS Workshop on Trustworthy Elections 2006 (WOTE 2006), June 2006. http://www.cs.berkeley.edu/~daw/papers/dice-wote06.pdf

[RAN02] RAND Corporation. A Million Random Digits with 100,000 Normal Deviates. American Book Publishers, 2002.
