Pretty Good Democracy James Heather, University of Surrey

Slides:

Advertisements

Similar presentations

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.

Advertisements

Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.

I have a DREAM! (DiffeRentially privatE smArt Metering) Gergely Acs and Claude Castelluccia {gergely.acs, INRIA 2011.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Can voters check that their e-vote is cast as they intended and properly included in an accurate count? Vanessa Teague University of Melbourne

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

A Pairing-Based Blind Signature

ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.

James Heather, University of Surrey Peter Y A Ryan, University of Luxembourg Vanessa Teague, University of Melbourne.

On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark.

Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

Digital Signatures and Hash Functions. Digital Signatures.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Vanessa Teague Department of Computer Science and Software Engineering University of Melbourne Australia.

Self-Enforcing E-Voting (SEEV) Feng Hao Newcastle University, UK CryptoForma’13, Egham.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Cryptography. 2 Objectives Explain common terms used in the field of cryptography Outline what mechanisms constitute a strong cryptosystem Demonstrate.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

TrustMe: Anonymous Management of Trust Relationships in Decentralized P2P Systems Aameek Singh and Ling Liu Presented by: Korporn Panyim.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan.

Electronic Voting (E-Voting) An introduction and review of technology Written By: Larry Brachfeld CS591, December 2010.

Civitas Toward a Secure Voting System AFRL Information Management Workshop October 22, 2010 Michael Clarkson Cornell University.

Cryptographic Voting Protocols: A Systems Perspective By Chris Karlof, Naveen Sastry, and David Wagner University of California, Berkely Proceedings of.

On the Anonymity of Anonymity Systems Andrei Serjantov (anonymous)

Programming Satan’s Computer

Requirements for Electronic and Internet Voting Systems in Public Elections David Jefferson Compaq Systems Research Center Palo Alto, CA

KYUSHUUNIVERSITYKYUSHUUNIVERSITY SAKURAILABORATORYSAKURAILABORATORY Sakurai Lab. Kyushu University Dr-course HER, Yong-Sork E-voting VS. E-auction.

Key Management and Diffie- Hellman Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 12/3/2009 INCS 741: Cryptography 12/3/20091Dr. Monther.

Provable Unlinkability Against Traffic Analysis Amnon Ta-Shma Joint work with Ron Berman and Amos Fiat School of Computer Science, Tel-Aviv University.

Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms David Chaum CACM Vol. 24 No. 2 February 1981 Presented by: Adam Lee 1/24/2006 David.

Masked Ballot Voting for Receipt-Free Online Elections Sam Heinith, David Humphrey, and Maggie Watkins.

6. Esoteric Protocols secure elections and multi-party computation Kim Hyoung-Shick.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

Andreas Steffen, , LinuxTag2009.ppt 1 LinuxTag 2009 Berlin Verifiable E-Voting with Open Source Prof. Dr. Andreas Steffen Hochschule für Technik.

WEP AND WPA by Kunmun Garabadu. Wireless LAN Hot Spot : Hotspot is a readily available wireless connection.  Access Point : It serves as the communication.

R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats.

Evoting using collaborative clustering Justin Gray Osama Khaleel Joey LaConte Frank Watson.

Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

A remote voting system based on Prêt à Voter coded by David Lundin Johannes Clos.

Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.

Link-Layer Protection in i WLANs With Dummy Authentication Will Mooney, Robin Jha.

Privacy and Anonymity Using Mix Networks* Slides borrowed from Philippe Golle, Markus Jacobson.

Lecture 23 Symmetric Encryption

Electronic Voting R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity.

A Brief Introduction to Mix Networks Ari Juels RSA Laboratories © 2001, RSA Security Inc.

Secure Remote Electronic Voting CSE-681 Fall 2006 David Foster and Laura Stapleton Laura StapletonLaura Stapleton.

Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.

Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.

Fall 2006CS 395: Computer Security1 Key Management.

1 Chapter 3-3 Key Distribution. 2 Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution.

The Initial Bulletin Board Posting 1 st Batch2 nd BatchEmpty forms Envelopes are: Opaque Sealed Bubbles unfilled Serial numbered (numbers unique per batch)

Secure, verifiable online voting 29 th June 2016.

ThreeBallot, VAV, and Twin

Untraceable Electronic Mail, Return addresses, and Digital Pseudonyms

ISI Day – 20th Anniversary

eVoting System Proposal

Ronald L. Rivest MIT ShafiFest January 13, 2019

Presentation transcript:

Pretty Good Democracy James Heather, University of Surrey Peter Y A Ryan, University of Luxembourg Vanessa Teague, University of Melbourne

Plan Security requirements for Internet voting Overview of PGD 1 Extensions to expressive voting schemes Protocol A (simple but slow) Protocol C (fast but big code sheets) Protocol B (fast and small code sheets, but complicated ack checking)

Internet voting

Security Requirements Verifiability, so that no-one can manipulate the output Only eligible voters vote Voters should get evidence that their vote was Cast as they intended Counted as cast Everyone gets evidence votes were properly tallied Privacy, so coercers can't manipulate the inputs Even if the voter tries to prove how they voted (receipt- freeness) Achieving both is hard, especially for remote voting Most solutions use a “Bulletin Board”, i.e. a public, authenticated broadcast channel with memory

Plan Security requirements Overview of PGD 1 Extensions to expressive voting schemes Protocol A (simple but slow) Protocol C (fast but big code sheets) Protocol B (fast and small code sheets, but complicated ack checking)

Background: Code Voting (Chaum ‘01) Each voter receives a code sheet, where each candidate gets a unique Vote Code and Ack Code Voter sends Vote Code, checks correct Ack Code Good: Authenticates server to voter Client can’t send wrong vote Bad: No protection against misbehaving server or tallier Code sheet must stay secret Candidate Vote Ack Red 4839 1894 Green 7846 6794 Chequered 3637 5484 Fuzzy 5468 2356 Cross 7893 6422

PGD 1.0 (first-past-the-post) Combines Code Voting with Verifiable tallying High privacy and integrity guarantees from untrusted voting clients Each voter gets a sheet of codes via a “secure” channel one Vote Code for each candidate one Ack They enter the code of their chosen candidate Check they got the correct Ack

PGD 1.0 Code sheet example Send 5468 to the Vote Server Who posts it, encrypted, to the bulletin board Expect Ack 28902 Candidate Vote Red 4839 Green 7846 Chequered 3637 Fuzzy 5468 Cross 7893 Ballot ID: 3884092844 Ack: 28902

PGD 1 security properties Integrity assumes secrecy of code sheet Codes authenticate the voter to the server Ack code authenticates the trustees to the voter Requires a threshold to decrypt and return it No intervening adversary can substitute another vote code Each vote is correctly registered If not more than a threshold of trustees collude Verifiable tallying on a bulletin board

PGD 1 security properties (cont'd) Privacy is guaranteed against an adversary who either Does not observe the voter’s outgoing messages, or Does not see the code sheet In particular, your computer doesn't learn how you voted Receipt-free, but not coercion-resistant

PGD 1 Ballot construction Codes are generated, encrypted, on the Bulletin Board Distributed construction produces, for each Ballot ID: Encrypted codes on the BB listed in a random (candidate) order So nobody knows which codes correspond to which cand’s, or even which are on the same sheet Described by an encrypted “onion” as in Prêt à voter Unencrypted codes for the code sheets Printing these out is the main privacy vulnerability

PGD1 Voting Submitted codes are encrypted by a Vote Server Matched to the code on the BB using a distributed Plaintext Equivalence Test By a set of trustees who share the election pub key This gives an index A threshold of trustees is needed to compute the Ack So receipt of the Ack proves a threshold of trustees got the vote Tallying is by standard techniques involving mixing and zero knowledge proofs on the bulletin board, see e.g. Prêt à voter.

PGD 1.0: Some important details The Vote Server has to prove it knows the contents of the encrypted code Otherwise it can post a random vote The code sheets have to be checked to ensure the candidate-code pairs match those on the bulletin board Open some random selection and use the others for voting

Summary: PGD (1.0) Good: Bad: A cheating client can’t mis-cast or drop the vote Unless they know the codes A coercer can’t find out the vote afterwards Unless they have both the code sheet and control of the device Verifiable tallying Bad: Coercer can steal the code sheet before the vote A colluding threshold of trustees can misrecord the vote Integrity depends on code secrecy

Plan Security requirements Overview of PGD 1 Extensions to expressive voting schemes Protocol A (simple but slow) Protocol C (fast but big code sheets) Protocol B (fast and small code sheets, but complicated ack checking)

Extending PGD to STV, Borda etc Each voter lists the candidates in their order of preference Obvious extension: send off the codes in order of preference Doesn’t work because a cheating device can rearrange them

Plan Security requirements Overview of PGD 1 Extensions to expressive voting schemes Protocol A (simple but slow) Protocol C (fast but big code sheets) Protocol B (fast and small code sheets, but complicated ack checking)

Idea A: Incremental Code sheet has a Vote Code and Ack Code for each candidate Send in Vote Codes in preference order, wait for the Ack Code before sending the next Vote Code Very secure but very slow Cheating device can’t manipulate the vote

Plan Security requirements Overview of PGD 1 (previous work) Extensions to expressive voting schemes (this work) Protocol A (simple but slow) Protocol C (fast but big code sheets) Protocol B (fast and small code sheets, but complicated ack checking)

Idea C: 2 dimensional table Each voter receives a code for each candidate, for each preference One Ack Candidate 1st 2nd 3rd 4th Red 3772 5839 4892 0934 Green 4909 5345 1223 2225 Chequered 9521 5893 3333 3209 Fuzzy 7387 3455 3352 3409 Ballot ID: 3884092844 Ack: 28902

Idea C (cont’d)‏ Candidate 1st 2nd 3rd 4th Red 3772 5839 4892 0934 Green 4909 5345 1223 2225 Chequered 9521 5893 3333 3209 Fuzzy 7387 3455 3352 3409 Ballot ID: 3884092844 Ack: 28902 To vote Chequered, Fuzzy, Green, Red: Send 9521, 3455, 1223, 0934 Expect return Ack 28902

Idea C: pros and cons Voting in one step; Ack returns in one simple step As strong a defence against cheating client as PGD 1.0 Device can’t change vote without knowing codes Same privacy guarantee as PGD 1.0 Single ack implies receipt-freeness even if the coercer observes ack return

Plan Security requirements Overview of PGD 1 Extensions to expressive voting schemes Protocol A (simple but slow) Protocol C (fast but big code sheets) Protocol B (fast and small code sheets, but complicated ack checking)

Idea B: Return Ack codes in ballot order Each voter receives A list of candidate codes in a random, secret order A list of preference-ack codes in preference order The voter sends the candidate codes in preference order and receives the preference-ack codes in the order the candidates appear on their code sheet

Example Preference Pref-Ack Code 1st K 2nd T 3rd C 4th W Ballot ID: 3884092844 Candidate Vote Code Red 3772 Green 4909 Chequered 9521 Fuzzy 7387 Ballot ID: 3884092844 Pref-Ack W C K T To vote Chequered, Fuzzy, Green, Red: Send 9521, 7387, 4909, 3772 Expect return pref-acks W,C,K,T

Idea B: security properties Integrity: A cheating client (who doesn’t know the meaning of the preference codes) can swap two preferences undetectably only if it knows which two positions on the code sheet they correspond to. Not great if there are only 2 candidates Privacy is guaranteed against an adversary who either Does not observe the voter’s communications, or Does not see the code sheet

Idea B: pros and cons Voting in one step; Ack returns in one (complicated) step (Somewhat) weaker defence against cheating client than PGD 1.0 Because if the device can guess or discover the candidates’ ballot positions, it can swap the votes (Somewhat) weaker privacy than PGD 1.0 Because if an attacker observes the code sheet and the pref-ack return they can learn the vote

Conclusion Manipulating democracy is an ancient art Attackers are often insiders Electronic systems offer more opportunities PGD does a decent job of addressing many of the threats Especially untrusted client machines But there are more features to add before fielding in real elections Coercion-resistance Guaranteed Code Sheet secrecy