Swiss E-Voting Workshop, September 6, 2010 (PowerPoint presentation)



SLIDE 1

Swiss E-Voting Workshop September 6, 2010 Michael Clarkson

Cornell University with Stephen Chong (Harvard) and Andrew Myers (Cornell)

SLIDE 2

SECURITY TRANSPARENCY

SLIDE 3

PRIVACY VERIFIABILITY

SLIDE 4

Remote

PRIVACY VERIFIABILITY

SLIDE 5

KEY PRINCIPLE: Mutual Distrust

SLIDE 6

VERIFIABILITY


  • Universal verifiability (UV): [Sako and Kilian 1994, 1995]
  • Voter verifiability (VV): [Kremer, Ryan & Smyth 2010]

SLIDE 7

PRIVACY


Coercion resistance (CR): stronger than receipt freeness (RF) or simple anonymity

  • RF: [Benaloh 1994]
  • CR: [Juels, Catalano & Jakobsson 2005]

SLIDE 8

ROBUSTNESS


Tally availability

SLIDE 9

Civitas Security Properties

Original system:

  • Universal verifiability
  • Coercion resistance

Ongoing projects:

  • Voter verifiability
  • Tally availability


SLIDE 10

JCJ Voting Scheme

[Juels, Catalano & Jakobsson 2005]

Proved universal verifiability and coercion resistance

Civitas extends JCJ

SLIDE 11

Civitas Architecture

[Architecture diagram: voter client, bulletin board, three registration tellers, three tabulation tellers, three ballot boxes]

SLIDE 12

Registration

[Diagram: voter client and three registration tellers]

Voter retrieves credential share from each registration teller; combines to form credential

SLIDE 13

Credentials

  • Verifiable
  • Unsalable
  • Unforgeable
  • Anonymous


SLIDE 14

Voting

[Diagram: voter client and three ballot boxes]

Voter submits copy of encrypted choice and credential to each ballot box

SLIDE 15

Resisting Coercion: Fake Credentials


SLIDE 16

Resisting Coercion

If the coercer demands that the voter…     then the voter…
submits a particular vote                   does so with a fake credential.
sells or surrenders a credential            supplies a fake credential.
abstains                                    supplies a fake credential to the adversary and votes with a real one.

SLIDE 17

Tabulation

[Diagram: three ballot boxes, three tabulation tellers, bulletin board]

Tellers retrieve votes from ballot boxes

SLIDE 18

Tabulation

[Diagram: three tabulation tellers and bulletin board]

Tabulation tellers anonymize votes; eliminate unauthorized (and fake) credentials; decrypt remaining choices.

SLIDE 19

Civitas Architecture

[Architecture diagram: voter client, bulletin board, three registration tellers, three tabulation tellers, three ballot boxes]

Universal verifiability:

Tellers post zero-knowledge proofs during tabulation

Coercion resistance:

Voters can undetectably fake credentials

SLIDE 20

Protocols

– El Gamal encryption; distributed [Brandt]; non-malleable [Schnorr & Jakobsson]
– Proof of knowledge of discrete log [Schnorr]
– Proof of equality of discrete logarithms [Chaum & Pedersen]
– Authentication and key establishment [Needham-Schroeder-Lowe]
– Designated-verifier reencryption proof [Hirt & Sako]
– 1-out-of-L reencryption proof [Hirt & Sako]
– Signature of knowledge of discrete logarithms [Camenisch & Stadler]
– Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest]
– Plaintext equivalence test [Jakobsson & Juels]
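Worked example (added here; it is not Civitas code and not from the slides): a toy Python model of the tabulation steps on slides 17 to 19, built from the protocols listed above, namely El Gamal encryption, Chaum-Pedersen proofs of equal discrete logarithms, re-encryption, and the Jakobsson and Juels plaintext equivalence test. It shows why a coercer's ballot cast with a fake credential is dropped without anyone learning which ballot was fake, why a revote replaces the earlier ballot, and why a tampered decryption fails public verification. Assumptions not in the slides: an 11-bit safe-prime group, a single tabulation teller instead of a threshold set, a mix without its randomized-partial-checking proofs, and a last-submission-counts revoting policy; the voter names, share exponents and ballots are constructed.

```python
"""Toy Civitas-style tabulation with El Gamal ballots, Chaum-Pedersen proofs and plaintext
equivalence tests (PETs).  Added example, not Civitas code: p = 2039 is a toy group (real
use needs >= 112-bit security, slide 38) and one teller stands in for the threshold set."""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4   # safe prime p = 2q+1; G = 2^2 generates the order-q subgroup

def rand_exp():          # uniform in [1, q-1]; never 0, so PET blinding cannot collapse
    return 1 + secrets.randbelow(Q - 1)

def keygen():
    x = rand_exp()
    return x, pow(G, x, P)

def encrypt(y, m):       # El Gamal (g^r, m*y^r); m must be a subgroup element
    r = rand_exp()
    return pow(G, r, P), m * pow(y, r, P) % P

def mul(c1, c2):         # homomorphic product: Enc(m1) * Enc(m2) = Enc(m1*m2)
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def reencrypt(y, c):     # times a fresh Enc(1): same plaintext, unlinkable ciphertext
    return mul(c, encrypt(y, 1))

def _challenge(*vals):   # Fiat-Shamir challenge over the proof transcript
    digest = hashlib.sha256(",".join(map(str, vals)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def cp_prove(g, h, x):
    """Chaum-Pedersen proof that log_g(u) == log_h(v) for u = g^x, v = h^x."""
    w = rand_exp()
    u, v, A, B = pow(g, x, P), pow(h, x, P), pow(g, w, P), pow(h, w, P)
    c = _challenge(g, h, u, v, A, B)
    return u, v, (A, B, (w + c * x) % Q)

def cp_verify(g, h, u, v, proof):
    A, B, z = proof
    c = _challenge(g, h, u, v, A, B)
    return (pow(g, z, P) == A * pow(u, c, P) % P
            and pow(h, z, P) == B * pow(v, c, P) % P)

def decrypt_with_proof(x, y, c):
    """Teller posts d = a^x and a proof that log_G(y) == log_a(d); anyone can then
    recompute m = b/d from the bulletin board (universal verifiability)."""
    a, b = c
    _, d, proof = cp_prove(G, a, x)
    return b * pow(d, -1, P) % P, (d, proof)

def verify_decryption(y, c, m, d, proof):
    a, b = c
    return cp_verify(G, a, y, d, proof) and m == b * pow(d, -1, P) % P

def pet(x, y, c1, c2):
    """Plaintext equivalence test [Jakobsson & Juels]: Enc(m1/m2) raised to a secret z
    (with proof that both components got the same z), then decrypted: 1 iff m1 == m2."""
    a = c1[0] * pow(c2[0], -1, P) % P
    b = c1[1] * pow(c2[1], -1, P) % P
    az, bz, proof = cp_prove(a, b, rand_exp())
    assert cp_verify(a, b, az, bz, proof)      # checkable by any observer
    return decrypt_with_proof(x, y, (az, bz))[0] == 1

def mix(y, items):       # re-encryption shuffle; randomized partial checking proofs omitted
    order = list(range(len(items)))
    secrets.SystemRandom().shuffle(order)
    return [tuple(reencrypt(y, c) for c in items[i]) for i in order]

def tabulate(x, y, roll, ballots):
    """roll: Enc(credential) per registered voter; ballots: (Enc(cred), Enc(choice)) in
    submission order.  Drop duplicates (this example keeps the last submission per
    credential), anonymize, drop credentials absent from the roll, decrypt with proofs."""
    kept = [b for i, b in enumerate(ballots)
            if not any(pet(x, y, b[0], later[0]) for later in ballots[i + 1:])]
    tally, roll = [], [reencrypt(y, entry) for entry in roll]
    for cred, choice in mix(y, kept):
        if any(pet(x, y, cred, entry) for entry in roll):
            m, (d, proof) = decrypt_with_proof(x, y, choice)
            assert verify_decryption(y, choice, m, d, proof)
            tally.append(m)
    return sorted(tally)

def demo():
    """Constructed election: a coerced voter defeats the coercer with a fake credential."""
    x, y = keygen()
    YES, NO = pow(G, 1, P), pow(G, 2, P)       # choices encoded as subgroup elements
    def register(s1, s2):                       # two registration tellers, one share each
        share1, share2 = pow(G, s1, P), pow(G, s2, P)  # (delivered over untappable channels)
        return share1 * share2 % P, mul(encrypt(y, share1), encrypt(y, share2))
    alice, roll_alice = register(3, 5)          # fixed share exponents: constructed values
    bob, roll_bob = register(7, 11)
    fake = pow(G, 13, P)                        # Alice swaps one share; coercer cannot tell
    ballots = [
        (encrypt(y, fake), encrypt(y, NO)),     # coercer casts NO with the fake credential
        (encrypt(y, bob), encrypt(y, NO)),      # Bob's first ballot
        (encrypt(y, alice), encrypt(y, YES)),   # Alice's real ballot, anonymous channel
        (encrypt(y, bob), encrypt(y, YES)),     # Bob re-votes; the last submission counts
    ]
    return tabulate(x, y, [roll_alice, roll_bob], ballots)   # [YES, YES] == [4, 4]
```

Calling demo() returns the decrypted tally, two YES votes encoded as the group element 4: the coercer's NO never enters the count because no roll entry passes the PET against the fake credential, and Bob's first NO is removed as a duplicate. Every PET and every decryption carries a Chaum-Pedersen proof, which is what lets an observer with only the bulletin board confirm that the teller neither invented nor dropped a ballot.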

SLIDE 21

Civitas Implementation

Component                               LoC
Tabulation teller                     5,700
Registration teller                   1,300
Bulletin board, ballot box              900
Voter client                            800
Other (incl. common code)             4,700
Low-level crypto and I/O (Java and C) 8,000
Total LoC                            21,400

SLIDE 22

Trust Assumptions

SLIDE 23

Civitas Trust Assumptions

1. “Cryptography works.”
2. The adversary cannot masquerade as a voter during registration.
3. Voters trust their voting client.
4. At least one of each type of authority is honest.
5. The channels from the voter to the ballot boxes are anonymous.
6. Each voter has an untappable channel to a trusted registration teller.

SLIDE 24

Civitas Trust Assumptions (annotated)

The six assumptions of Slide 23, bracketed on the slide by the property that depends on them: “UV + CR” for assumptions required by both universal verifiability and coercion resistance, “CR” for assumptions required by coercion resistance only.




SLIDE 28

Registration

In person. In advance.

Con: system not fully remote
Pro: credential can be used in many elections


SLIDE 30

Eliminating Trust in Voter Client

UV: use challenges, as in Helios
CR: open problem




SLIDE 34

Untappable Channel

Minimal known assumption for receipt freeness and coercion resistance. Eliminate it? Open problem.

(Eliminate the trusted registration teller? Also open.)


SLIDE 36

Trusted procedures?

SLIDE 37

Time to Tally

SLIDE 38

Tabulation Time vs. Precinct Size

[Chart: tabulation time vs. precinct size. Parameters: K = number of voters in the precinct, 4 tabulation tellers, security strength ≥ 112 bits (NIST recommendation for 2011–2030)]

SLIDE 39

Summary

Can achieve strong security and transparency:

– Remote voting
– Universal verifiability
– Coercion resistance

Security is not free:

– Stronger registration (untappable channel)
– Cryptography (computationally expensive)

SLIDE 40

Assurance

Security proofs (JCJ)
Secure implementation (Jif)

SLIDE 41

Ranked Voting Methods

SLIDE 42

Open Research Problems

  • Coercion-resistant voter client?
  • Eliminate untappable channel in registration?
  • Credential management?
  • Application-level denial of service?

SLIDE 43

http://www.cs.cornell.edu/projects/civitas (google “civitas voting”)
