Cryptographic Voting Protocols: A Systems Perspective By Chris Karlof, Naveen Sastry, and David Wagner University of California, Berkely Proceedings of the 14 th Usenix Security Symposium held in Baltimore on July 31st-August 5 th, 2005 Presenter: Rick Carback

Overview Selection Criteria Motivation Results New and Significant Goals of Secure Voting Systems Neff’s Protocol Attacks and Mitigations Subliminal Channels Human Unreliability Denial of Service Secure Voting Protocol Implementation Future Work Conclusions

Paper Selection Criteria Chris Karloff and Naveen Sastry are both 5 th year graduate students. David Wagner DIMACS Special Focus on Security Organizing committee member ACM CCS 2004 Program committee member USENIX Security 2006 Program committee member IEEE Security & Privacy 2006 Program committee member

Motivation Chose protocols by Neff and Chaum because they are revolutionary Viewed Neff and Chaum protocols as part of a complete voting system What are the weaknesses of these schemes in complete systems if implemented? Can these ideas work in the real world?

Results

New and Significant Enumerates E-Voting goals Analysis of Cryptographic Protocols in the larger systems context Exposes weaknesses in implementation of cryptographic protocols Provides countermeasures for these weaknesses Identified new challenges and open problems in electronic voting systems.

Goals of Secure Voting Systems Cast-as-Intended Counted-as-Cast Verifiability One voter, One vote Coercion Resistance Privacy

Neff’s Scheme Distributed Key Generation Protocol (Similar to Chaum's Scheme) DRE constructs a VC, a matrix of BMPs. Each row represents one candidate. BMPs are all (0, 0) or (1, 1) for the chosen candidate and (0, 1) or (1, 0) for the others.

Neff’s Scheme (cont.) DRE picks a pledge bit for each BMP for the chosen candidate, voter can verify by picking a side for each one. OVC is created with this information. Voter checks that challenge is correct on bulletin board.

Vote Here Receipts

Vote Here Bulletin Board

Subliminal channels Arises when DRE is free to chose the random values that are used. All randomized encryption schemes can contain subliminal channels. (Goldwasser, 1984) Through special selection of a random number r, the DRE can encode the sizeof(r) bits. Can hide a bit by repeatedly choosing a random number until you get what you want. Expected work is O(2 x ) to encrypt x bits.

Random Subliminal Channel Attack Neff's scheme makes extensive use of randomness. Each BMP has one side of it revealing the random parameter used in that side of the pair. If the DRE chooses the same random parameter for both sides it will always be revealed in the ballot. The random parameter is guaranteed to be revealed, allowing a number of bits equal to the size of the parameter to be sent subliminally for each BMP.

Avoiding Random Subliminal Attacks Change protocol so that it does not require randomness Very tricky Random tapes Trusted Hardware

Semantic Subliminal Channels Voters are unlikely to detect subtle changes (fonts, pixel, etc) Can use simple policy, no computational complexity Apparent only after decryption, not on the bulletin board

Mitigating Semantic Channels Unambiguous formats for ballots and all ballots tested for conformance Bad ballots cannot be posted on the bulletin board But this may violate other policies!

Human Unreliability Protocol security hinges on DRE not knowing how the voter will make future decisions Interactions must happen in a particular order Voter may not notice deviations in protocol Voter must monitor DRE output Most people don’t care People often make mistakes How does a voter prove the machine is wrong?

Message Reordering

Message Reordering (cont.)

Human Unreliability (cont.) Discarded Receipts DRE Generates Invalid Signature Voter cannot prove if the receipt was forged Printing incorrect DRE Machine ID Ignoring voter input Valid receipt, but not what voter chose

Mitigating Human Unreliability Parallel Testing Voter Education It should not be so hard to use a voting machine Shredders for receipts Verify Signature at voting station Needs another set of trusted software/hardware Preprinted Machine IDs

Denial of Service Malicious DREs can delete, alter, or stuff ballots Detectable, but still effective Malicious Tallying/Bulleting Board software Could delete keys, ballots, etc. Could be selective Target polling stations favoring undesired candidate

DoS Mitigation Strategies Revote Costly Voter Verified Paper Audit Trail Not secure

Implementing Secure Voting Systems Bulletin Board Required Properties? What Architecture? BSN Assignment User Friendly Interfaces Tallying Software Specification

Future Work Cryptographic protocols that prevent subliminal channels Mix-net security models Definition for security in the voting setting Humans as protocol participants Can we educate without discouraging participation and hurting trust?

Conclusions Every attack discussed requires malicious software (DRE/bulletin board/tallying) Is this better than what we currently have? What about non-malicious problems? Connectivity? Hardware failure?

References Votehere.com “Cryptographic Voting Protocols: A Systems Perspective”, Chris Karlof, Naveen Sastry, David Wagner