Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan.

Slides:

Advertisements

Similar presentations

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.

Advertisements

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

A Pairing-Based Blind Signature

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.

Security Definitions in Computational Cryptography

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Electronic voting: theory and practice Mark D. Ryan ● Electronic voting promises – convenient way of recording and tallying votes – security against fraud.

Vanessa Teague Department of Computer Science and Software Engineering University of Melbourne Australia.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Reusable Anonymous Return Channels

Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

Optimistic Synchronous Multi-Party Contract Signing N. Asokan, Baum-Waidner, M. Schunter, M. Waidner Presented By Uday Nayak Advisor: Chris Lynch.

Universally Composable Symbolic Analysis of Security Protocols Jonathan Herzog (Joint work with Ran Canetti) 7 June 2004 The author's affiliation with.

Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.

Static Validation of a Voting ProtocolSlide 1 Static Validation of a Voting Protocol Christoffer Rosenkilde Nielsen with Esben Heltoft Andersen and Hanne.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Civitas Toward a Secure Voting System AFRL Information Management Workshop October 22, 2010 Michael Clarkson Cornell University.

Digital signature in automatic analyses for confidentiality against active adversaries Ilja Tšahhirov, Peeter Laud.

KYUSHUUNIVERSITYKYUSHUUNIVERSITY SAKURAILABORATORYSAKURAILABORATORY Sakurai Lab. Kyushu University Dr-course HER, Yong-Sork E-voting VS. E-auction.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Cryptography Lecture 8 Stefan Dziembowski

Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012.

8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.

CSCD 218 : DATA COMMUNICATIONS AND NETWORKING 1

6. Esoteric Protocols secure elections and multi-party computation Kim Hyoung-Shick.

Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.

Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.

Security protocols and their verification Mark Ryan University of Birmingham Midlands Graduate School University of Birmingham April 2005 Steve Kremer.

23-1 Last time □ P2P □ Security ♦ Intro ♦ Principles of cryptography.

1 Cryptography NOTES. 2 Secret Key Cryptography Single key used to encrypt and decrypt. Key must be known by both parties. Assuming we live in a hostile.

Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.

Research & development Towards Practical Coercion-Resistant Electronic Elections Jacques Traoré France Télécom / Orange Labs SecVote 2010 Bertinoro - Italy.

Network Security – Special Topic on Skype Security.

Digital Signatures, Message Digest and Authentication Week-9.

CS555Topic 251 Cryptography CS 555 Topic 25: Quantum Crpytography.

1 Needham-Schroeder A --> S: A,B, N A S --> A: {N A,B,K AB,{K AB,A} KBS } KAS A --> B:{K AB,A} KBS B --> A:{N B } KAB A --> B:{N B -1} KAB.

Zero-knowledge proof protocols 1 CHAPTER 12: Zero-knowledge proof protocols One of the most important, and at the same time very counterintuitive, primitives.

Game-based composition for key exchange Cristina Brzuska, Marc Fischlin (University of Darmstadt) Nigel Smart, Bogdan Warinschi, Steve Williams (University.

Remote Prêt à Voter 1.0 (FPTP): a voter-verifiable and receipt-free remote voting Zhe Xia (Joson) July 19, 2012.

Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.

Electronic Voting R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity.

A Brief Introduction to Mix Networks Ari Juels RSA Laboratories © 2001, RSA Security Inc.

Key Management Network Systems Security Mort Anvari.

1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.

 5.1 Zero-Knowledge Proofs  5.2 Zero-Knowledge Proofs of Identity  5.3 Identity-Based Public-Key Cryptography  5.4 Oblivious Transfer  5.5 Oblivious.

On the (im)possibility of perennial message recognition protocols without public-key cryptography Peeter Laud Cybernetica AS & University of Tartu

Topic 36: Zero-Knowledge Proofs

Recipt-free Voting Through Distributed Blinding

ThreeBallot, VAV, and Twin

Course Business I am traveling April 25-May 3rd

OTR AKE Protocol.

Chapter 8 roadmap 8.1 What is network security?

ITIS 6200/8200 Chap 5 Dr. Weichao Wang.

Presentation transcript:

Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan

Some desired properties of e-voting systems – Eligibility: only eligible voters can vote, and only once. – Fairness: no voter can be influenced by votes already made. – Indiv. verif.: a voter can verify that her vote was counted. – Universal verifiability: a voter can verify that the published result is the tally of the votes cast. – Privacy: no-one can find out how a voter voted. – Receipt-freeness: Voter doesn’t get receipt for her vote. – Coercion-resistance: Voter cannot be blackmailed / bought. – Robustness: Voters cannot disrupt the election. Faulty behaviour tolerated. – Vote-and-go: Voters participate in one session.

Verification ● Computing systems are usually programmed at the low level – involving, e.g., detail of messages sent between components, and participants – detail of specific encryption arrangements ● But properties are expressed at a higher level of abstraction – they depend not on individual details, but on the system as a whole ● Model checking:

Verification of FOO’92 ● [KR’05] formalises the voting protocol of Fujioka/Okamoto/Ohta 1992 ● Using the Applied Pi Calculus ● We verified eligibility, fairness, and privacy. ● (What does that mean?) A 3-phase protocol using commitments and blind signatures A language for describing concurrent and communicating processes, and their properties

Kinds of properties ● Reachability properties: – The system can/cannot get into a certain state – e.g., a message will/won’t appear on a public channel ● Observational equivalence properties: – two versions of the system cannot be distinguished by an observer who can see messages on public channels and perform arbitrary tests on the processes.

● Privacy – no-one can find out how Alice voted. ● Receipt-freeness – Alice doesn’t get a receipt (or any other by-product of the voting process); thus Alice cannot prove afterwards to a coercer how she voted – Receipt-freeness is like privacy, but even with Alice’s cooperation ● Coercion-resistance – Alice cannot prove how she voted, even if interaction with the coercer is allowed during the voting process – Even stronger than receipt-freeness. Some properties in strength-order

Formalising privacy ● ?? No-one can find out how Alice voted – Actually too strong: e.g., if the vote was unanimous, then everyone knows how Alice voted – Even if not unanimous, a coalition consisting of all voters except Alice can tell how Alice voted. ● If Alice and Bob were to swap votes, no-one would be able to tell ● A situation in which Alice votes vote v A and Bob votes v B is indistinguishable by the attacker to one in which Alice votes v B and Bob votes v A.

Formalising receipt-freeness ● Like privacy, but Alice cooperates by publishing her private key and any secrets (e.g. nonces) ● Before the election: e.g. her private key ● After the election: secrets she has learned during the election process ● The coercer needs to be convinced that Alice is telling the truth ● He needs to be able to verify the secrets ● Suppose A(v C ) is the process that votes v C and copies the voting interaction (messages received and sent) to the coercer. The protocol is receipt-free if exists A’ such that

Coercion-resistance ● In this case, Alice interacts with the coercer (e.g. by mobile phone) during the election. ● The coercer can participate in Alice’s vote: ● She can tell him messages she receives during the process (although he might not believe her) ● He can instruct her on what messages to send back (although she might not obey). ● He might have independent means of verifying her reports and her actions

The voting booth c Voting booth Voting system Published data a Coercer

Interaction between the voter and the coercer ● Let P be a process and c 1, c 2 be channels. The process P c1,c2 is a process like P but which copies all messages it receives on c 1 to c 2, and accepts inputs on c 2 for messages it sends on c 1. Specifically, ● Every in(c 1,y) in P is replaced by in(c 1,y); out(c 2,y). ● Every out(c 1,m) in P is replaced by in(c 2,x); out(c 1,x) where x is a variable not occurring in P. ● Every new n in P is replaced by new n; out(c 2,n). ● If A is Alice’s voting process, then A a,c is the process in which Alice cooperates fully with the coercer.

Formalising coercion-resistance Rough idea: ● Better: there exists a process A’ such that – If A’ votes then it votes v A – For all coercers C, there exists a vote v, such that ● Consider the cases ● Coercer’s vote is v A ● Coercer’s vote is v C ● Coercer sends garbage

Fault attack ● The coercer could try to distinguish the two sides by sending incoherent messages to Alice. ● On the left-hand side, C|A will block, so only B’s vote for v A will be observed. ● On the right-hand side, A’ will still vote v A, so v and v A will be observed. ● If successful, this is an attack on coercion resistance. ● Might not be successful if A’ can detect the incoherence of the messages from C.

Simplified [LBDKYY’03] ● Uses re-encryption and designated verifier proofs. ● Re-encryption ● Randomised encryption: {m} K contains “random coins” ● Re-encryption: change the random coin ● E.g., in El Gamal, the ciphertext (x,y) is changed to (xg r,yh r ). ● Designated verifier proofs ● S can prove to A that, say, c is the encryption of m, but A cannot use this proof to convince someone else. ● Technically this is achieved by giving A the ability to simulate transcripts of the proof

Simplified [LBDKYY’03] AliceAdministratorCollector

Simplified [LBDKYY’03] ● Fails coercion resistance, because coercer can ● prepare a message meant to look like but actually garbage; ● test whether Alice votes or not. ● Fixable by encoding s.t. every message can be interpreted as a valid encryption of a valid vote.

Conclusions ● A strong notion of coercion resistance is formalised ● Coercer interacts with voter during election process ● Can give her messages to use, including ones designed specifically to test her loyalty ● No experience yet in proving protocols satisfy CR ● Need to compare with computational notion of [JCJ05] [JCJ05] A. Juels, D.Catalano, M. Jakobsson. Coercion Resistant Electronic Elections. WPES, Nov 2005.