1. Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs) Why use DREs? Quick tallies Accessibility Flexibility Disadvantages Untrustworthy software Lack of transparency Security Goals Current DREs  no guarantees DREs w/ voter verified paper audit trail (VVPAT) Cast-as-intended (in VVPAT record) Counted-as-cast (for election officials) DREs using cryptographic voting protocols Two proposals by Andrews Neff and David Chaum Verifiably cast-as-intended Verifiably counted-as-cast (for everyone) Our Contribution A security analysis of Neff’s and Chaum’s crypto voting protocols with attacks and countermeasures. Vote on DRE w/ interactive crypto protocol Threshold decryption and tallying Receipt validation Bulletin board Voter’s receipt Encrypted ballot Three stages Ballot preparation Encrypted ballot Receipt Ballot tabulation Encrypted ballots  bulletin board Threshold decryption and tallying Election verification Voter uses her receipt to verify her encrypted ballot on bulletin board, but cannot prove how she voted to anyone else. Anyone can verify tallying is correct An overview of cryptographic voting 1 1 0 0 0 0 0 0 1 0 0 1 0 1 0 1 1 0 0 1 1 0 1 0 0 1 1 0 0 1 0 1 Chosen row contains pairs of (1,1) or (0,0) Unchoice rows contain pairs of (1,0) or (0,1) Chosen and unchoice rows are indistinguishable in encrypted ballot Tally ballot by decrypting and looking for chosen row Van Buren Polk Cass Buchanan Andrew Neff’s scheme (simplified) An encrypted ballot representing a vote for Polk: b b = encryption of bit b= plaintext bit b Pledge Challenge Receipt 0x91eed12311eb2b7 1000 0111 0100 1011 RRLL LRRL LLRR DRE and voter engage in interactive protocol to produce a receipt Voter takes receipt home With her receipt, a voter can verify her vote is accurately represented on the bulletin board Receipts are vote-coercion resistant Weakness 1: Subliminal channels Subliminal channels arise when there are multiple valid representations of the voter’s choices. The choice of representation can serve as a subliminal channel. Causes of subliminal channels: randomness in ballots, encryption, visual cryptography Worst channel we found: 51 kbytes/ballot Mitigation strategy: make ballot preparation deterministic Weakness 2: Humans as crypto agents Neff’s and Chaum’s protocols place voters as direct participants in a cryptographic protocol. Problems: Crypto is subtle and minor deviations can affect security Humans are stupid  may not notice a small change We found attacks where if the DRE makes small changes to the protocol, it can cheat undetectably. Only point of detection is in the poll booth No clear mitigation strategy: voter education, parallel auditing and testing Weakness 3: Denial of service attacks and election recovery Neff’s and Chaum’s protocols only detect attacks. A simple unrecoverable attack: A trojan horse in every DRE nationwide DREs selectively delete ballots + ballot stuffing Selective DoS: DoS only if preferred candidate is losing Need a flexible recover strategy Undesirable to re-run the entire election Use VVPAT in conjunction with crypto voting protocols Conclusion: Crypto voting protocols are a promising direction with laudable goals of universal verifiability and no need to trust DRE software. However, we don’t believe they’re ready for deployment. We’ve identified some issues which need to be addressed and call for broader debate and analysis. Bulletin board Encrypted ballot 11:32am, Polk See our USENIX Security 2005 paper for more information.