Civitas A Secure Remote Voting System Michael Clarkson, Stephen Chong, Andrew Myers Cornell University Dagstuhl Seminar on Frontiers of Electronic Voting.

Slides:



Advertisements
Similar presentations
Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.
Advertisements

Pretty Good Democracy James Heather, University of Surrey
Course summary COS 433: Crptography -Spring 2010 Boaz Barak.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.
The Italian Academic Community’s Electronic Voting System Pierluigi Bonetti Lisbon, May 2000.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.
On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark.
Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
Civitas Toward a Secure Voting System Michael Clarkson Cornell University Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. Stevens.
Civitas Verifiability and Coercion Resistance for Remote Voting Virginia Tech NCR September 14, 2012 Michael Clarkson George Washington University with.
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.
Tree Homomorphic Encryption with Scalable Decryption Moti Yung Columbia University Joint work with Aggelos Kiayias University of Connecticut.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Electronic Voting (E-Voting) An introduction and review of technology Written By: Larry Brachfeld CS591, December 2010.
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人:陳昱升.
Static Validation of a Voting ProtocolSlide 1 Static Validation of a Voting Protocol Christoffer Rosenkilde Nielsen with Esben Heltoft Andersen and Hanne.
Civitas Toward a Secure Voting System AFRL Information Management Workshop October 22, 2010 Michael Clarkson Cornell University.
Cryptographic Voting Protocols: A Systems Perspective By Chris Karlof, Naveen Sastry, and David Wagner University of California, Berkely Proceedings of.
KYUSHUUNIVERSITYKYUSHUUNIVERSITY SAKURAILABORATORYSAKURAILABORATORY Sakurai Lab. Kyushu University Dr-course HER, Yong-Sork E-voting VS. E-auction.
Language-Based Information-Flow Security Richard Mancusi CSCI 297.
TOWARDS OPEN VOTE VERIFICATION METHOD IN E-VOTING Ali Fawzi Najm Al-Shammari17’th July2012 Sec Vote 2012.
Optimistic Mixing for Exit-Polls Philippe Golle, Stanford Sheng Zhong, Yale Dan Boneh, Stanford Markus Jakobsson, RSA Labs Ari Juels, RSA Labs.
Masked Ballot Voting for Receipt-Free Online Elections Sam Heinith, David Humphrey, and Maggie Watkins.
Cryptography, Authentication and Digital Signatures
6. Esoteric Protocols secure elections and multi-party computation Kim Hyoung-Shick.
Andreas Steffen, , LinuxTag2009.ppt 1 LinuxTag 2009 Berlin Verifiable E-Voting with Open Source Prof. Dr. Andreas Steffen Hochschule für Technik.
Research & development Towards Practical Coercion-Resistant Electronic Elections Jacques Traoré France Télécom / Orange Labs SecVote 2010 Bertinoro - Italy.
Coercion-Resistant Remote Voting Michael Clarkson Cornell University Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. SecVote.
A remote voting system based on Prêt à Voter coded by David Lundin Johannes Clos.
Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme
Remote Prêt à Voter 1.0 (FPTP): a voter-verifiable and receipt-free remote voting Zhe Xia (Joson) July 19, 2012.
Electronic Voting R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity.
Almost Entirely Correct Mixing With Applications to Voting Philippe Golle Dan Boneh Stanford University.
Secure Remote Electronic Voting CSE-681 Fall 2006 David Foster and Laura Stapleton Laura StapletonLaura Stapleton.
ICICS2002, Singapore 1 A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering.
Manu Drijvers, Joint work with Jan Camenisch, Anja Lehmann. March 9 th, 2016 Universally Composable Direct Anonymous Attestation.
Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.
Secure, verifiable online voting 29 th June 2016.
Topic 36: Zero-Knowledge Proofs
Intrusion Tolerant Architectures
Security Outline Encryption Algorithms Authentication Protocols
Recipt-free Voting Through Distributed Blinding
ThreeBallot, VAV, and Twin
Motivation Civitas RCF Security Properties of E-Voting protocols
Civitas Michael Clarkson Cornell Stephen Chong Harvard
Basic Network Encryption
Digital signatures.
ISI Day – 20th Anniversary
The Italian Academic Community’s Electronic Voting System
Basic Network Encryption
Presentation transcript:

Civitas A Secure Remote Voting System Michael Clarkson, Stephen Chong, Andrew Myers Cornell University Dagstuhl Seminar on Frontiers of Electronic Voting July 31, 2007

Clarkson: CIVS 2Goals Practical performance Strong, provable security Remote voting Civitas (name was originally CIVS)

Clarkson: CIVS 3Terminology Voting system: (software) implementation Voting scheme: cryptographic construction Voting method: algorithm for choosing between candidates

Clarkson: CIVS 4 Security of Civitas Satisfies strong security properties –Coercion-resistant –Universally verifiable Against a powerful adversary With distributed trust in authorities –Election authority: An agent providing some component of the election system –Three different types: registration teller, ballot box, tabulation teller Using principled techniques –Cryptographic security proofs (by us and others) –Language-based security: Jif (Java + Information Flow)

Clarkson: CIVS 5 Remote Voting with Civitas No supervision of voting or voters The right problem to solve: –More general problem than supervised voting –Internet voting (Debian, ACM, SERVE) –Absentee ballots

Clarkson: CIVS 6 Practicality of Civitas Implementation –22,000 LOC in Jif, Java, and C Performance study –Election tallied in 35 sec / voter / authority –Cost is about 4¢ / voter –Cf. current election costs of $1-$3 / voter [International Foundation for Election Systems]

Clarkson: CIVS 7 Civitas: Outline Security requirements Design –Based on scheme due to Juels, Catalano, and Jakobsson (JCJ) [WPES ’05] –We added: Distributed registration Lightweight ballot box Blocking –But this talk is not about mechanisms Security evaluation Performance study

Clarkson: CIVS 8 Confidentiality (Privacy) No adversary can learn any more about votes than is revealed by the final tally –Anonymity: hide map from voter to vote –Receipt-freeness: prohibit proof of vote –Coercion-resistance: adaptive Including forced abstention or randomization [JCJ; Delaune, Kremer, and Ryan ‘06] Voters cannot prove whether or how they voted, even if they can interact with the adversary while voting. Stronger

Clarkson: CIVS 9 Integrity (Correctness) Universal verifiability: Including: –The votes they cast are included –Only authorized votes are counted –No votes are changed during tallying [JCJ, Sako and Killian ’95] All voters can verify that the final tally is correct

Clarkson: CIVS 10Availability Unavailability of votes can compromise integrity –Missing votes not universally detectable –So need to guarantee availability of votes Otherwise, availability not guaranteed –Software systems implementing authorities –Results of election Orthogonal extensions possible –Byzantine fault tolerance –Threshold cryptography

Clarkson: CIVS 11Adversary May corrupt all but one of each type of election authority May coerce voters, demanding any secrets or behavior, remotely or physically May control network May perform any polynomial time computation [JCJ]

Clarkson: CIVS 12 Civitas Architecture JCJ scheme bulletin board voter client tabulation teller registrar

Clarkson: CIVS 13 Civitas Architecture Civitas scheme bulletin board voter client registration teller tabulation teller registration teller

Clarkson: CIVS 14 Civitas Architecture bulletin board voter client registration teller tabulation teller Civitas scheme registration teller ballot box What makes this secure? Why do we believe it is?

Clarkson: CIVS 15 Security Evaluation Cryptographic reduction proof by JCJ –Voting scheme provably achieves coercion resistance and universal verifiability –We extended that proof for our distributed registration construction –And we instantiated various oracles, ZK proofs Gain insight by reviewing election process and assumptions used in proofs

Clarkson: CIVS 16Cryptography Assumption 1. DDH, RSA, random oracle model. bulletin board voter client registration teller tabulation teller registration teller ballot box

Clarkson: CIVS 17Registration voter client registration teller Assumption 2. The adversary cannot masquerade as voter during registration. bulletin board tabulation teller ballot box Implement with: strong authentication, non-transferable secrets. obtain credential

Clarkson: CIVS 18Registration voter client registration teller Assumption 3. Each voter trusts at least one registration teller and has untappable channel to that teller. bulletin board tabulation teller ballot box Why: weakest known assumption for coercion resistance Implement with: advance, in person registration; information-theoretic encryption obtain credential

Clarkson: CIVS 19Voting voter client ballot box Assumption 4. Voters trust their voting client. bulletin board tabulation teller registration teller Reasonable: voter can choose client

Clarkson: CIVS 20Voting voter client ballot box Assumption 5. The channels from the voter to the ballot boxes are anonymous. bulletin board tabulation teller registration teller Why: otherwise coercion resistance trivially violated. submit vote

Clarkson: CIVS 21Voting voter client ballot box Assumption 6. Each voter trusts at least one ballot box to make vote available for tallying. bulletin board tabulation teller registration teller Why: expensive fault tolerance not required. submit vote

Clarkson: CIVS 22Tabulation bulletin board voter client registration teller tabulation teller registration teller ballot box Assumption 7. At least one tabulation teller is honest. Why: keeps tellers from decrypting votes too early or cheating throughout tabulation. retrieve votes anonymize and authenticate votes audit

Clarkson: CIVS 23Implementation Civitas implemented in Jif [Myers ’99, Chong and Myers ’04 ‘05] –Security-typed language –Static-type checking and dynamic enforcement of information-flow policies Yields assurance –Code is correct with respect to policies –Policies can be audited and certified

Clarkson: CIVS 24Protocols Proof of knowledge of discrete log [Schnorr] Proof of equality of discrete logarithms [Chaum & Pederson] Designated-verifier reencryption proof [Hirt & Sako] 1-out-of-L reencryption proof [Hirt & Sako] Signature of knowledge of discrete logarithms [Camenisch & Stadler] Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest] Plaintext equivalence test [Jakobsson & Juels]

Clarkson: CIVS 25Protocols Proof of knowledge of discrete log [Schnorr] Proof of equality of discrete logarithms [Chaum & Pederson] Designated-verifier reencryption proof [Hirt & Sako] 1-out-of-L reencryption proof [Hirt & Sako] Signature of knowledge of discrete logarithms [Camenisch & Stadler] Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest] Plaintext equivalence test [Jakobsson & Juels] Quadratic in # voters and votes

Clarkson: CIVS 26Blocking Assign voters into blocks –Block is a “virtual precinct” –Anonymity guaranteed within a block –Each block tallied independently of other blocks, even in parallel Implementation –Protocols extended to include blocks –Registrar implements policy on assignment Best policy might be uniform random –Reasonable block size? We use 100. Tabulation time is: –Quadratic in block size (thus anonymity) –Linear in number of voters

Clarkson: CIVS 27 Performance Study Experimental design –Emulab: 3 GHz CPUs for tab. tellers –Keys: 1024 ElGamal, 2048 RSA, 256 AES –Experiments repeated three times, sample mean reported, stdev < 2% Parameters: –V: number of voters –A: number of authorities of each type –K: minimum number of voters in a block

Clarkson: CIVS 28 Tabulation Time vs. # Voters (K = 100, A = 4) 35 sec / voter / authority $1/CPU/hr = 4¢/voter sequential parallel Use once then throw away: $1500/machine = $12/voter

Clarkson: CIVS 29 Tabulation Time vs. Anonymity (V = K, A = 4)

Clarkson: CIVS 30 Tabulation Time vs. # Authorities (K = V = 100)

Clarkson: CIVS 31 Extension: Ranked Voting Voters submit (partial) order on candidates –E.g. Condorcet, Borda, STV Civitas implements coercion-resistant Condorcet –Tricky because rankings can be used to signal identity (“Italian attack”) –Use ballot decomposition from FEE’05 Civitas also implements approval and FPTP ballots

Clarkson: CIVS 32 Related Work Voting schemes […] Implemented (academic) voting systems: –Sensus [Cranor and Cytron] –EVOX [Herschberg, DuRette] –REVS [Joaquim, Zúquette, Ferreira; Lebre] –ElectMe [Shubina and Smith] –Adder [Kiayias, Korman, Walluck] VoComp: –Prêt à Voter [Schneider, Heather, et al.; Ryan; Chaum] –Prime III [Gilbert, Cross, et al.] –Punchscan [Stanton, Essex, Popoveniuc, et al.; Chaum] –Voting Ducks [Kutyłowski, Zagórski, et al.]

Clarkson: CIVS 33Summary Civitas is a secure, practical, remote voting system Security: –Based on JCJ proof –Assumptions –Implementation in Jif Performance: –Linear (or constant) in number of voters, quadratic in anonymity –As low as 4¢ per voter

Clarkson: CIVS 34 Future Work Improve performance/anonymity trade-off Construct untappable channel Security proof for composition –UC definitions and constructions? Distribute trust in voter client Implement high availability

Clarkson: CIVS 35Resources Technical report with concrete protocols Source code to be released

Civitas A Secure Remote Voting System Michael Clarkson, Stephen Chong, Andrew Myers Cornell University Dagstuhl Seminar on Frontiers of Electronic Voting July 31, 2007

Clarkson: CIVS 37 Extra Slides

Clarkson: CIVS 38 Registration and Voting Times For A=4, total voter time to register and vote is 1.5sec –350ms for voter to retrieve credential from registration teller –230ms CPU time for registration teller to retrieve a voter’s credential –25ms for voter to submit vote to ballot box Registration teller throughput > 15,000 voters / hr

Clarkson: CIVS 39 Tab. Time vs. % Chaff (K = V = 100, A = 4)

Clarkson: CIVS 40 % CPU Util. vs. # Voters (K = 100, A = 4)

Clarkson: CIVS 41 Attacks: Voter Client Unlike DRE systems, voter can choose supplier of client (hardware and software) –Transfer trust to an organization they trust Publicly available protocols and implementation

Clarkson: CIVS 42 Attacks: Registration Strong authentication to prevent adversary from masquerading as voter Registration by mail or in person

Clarkson: CIVS 43 Attacks: Network Tappable channel exploitable only if adversary: –Compromises network and –Induces voter to use compromised client during registration Valid registration clients can erase credential shares

Clarkson: CIVS 44 Attacks: Availability BFT, threshold cryptography Rate-limiting and puzzles to mitigate application-level DOS –But PETs still a fundamental problem

Clarkson: CIVS 45 Attacks: Authorities Corrupt registration teller –Need third-party intervention Failed bulletin board –Integrity guaranteed, not availability Corrupt registrar or supervisor –Must verify against external policy (electoral roll, ballot design, etc.)