Presentation is loading. Please wait.

Presentation is loading. Please wait.

Civitas A Secure Remote Voting System Michael Clarkson, Stephen Chong, Andrew Myers Cornell University Dagstuhl Seminar on Frontiers of Electronic Voting.

Published byLeona Charla Martin Modified over 9 years ago

Similar presentations

Presentation on theme: "Civitas A Secure Remote Voting System Michael Clarkson, Stephen Chong, Andrew Myers Cornell University Dagstuhl Seminar on Frontiers of Electronic Voting."— Presentation transcript:

1 Civitas A Secure Remote Voting System Michael Clarkson, Stephen Chong, Andrew Myers Cornell University Dagstuhl Seminar on Frontiers of Electronic Voting July 31, 2007

2 Clarkson: CIVS 2Goals Practical performance Strong, provable security Remote voting Civitas (name was originally CIVS)

3 Clarkson: CIVS 3Terminology Voting system: (software) implementation Voting scheme: cryptographic construction Voting method: algorithm for choosing between candidates

4 Clarkson: CIVS 4 Security of Civitas Satisfies strong security properties –Coercion-resistant –Universally verifiable Against a powerful adversary With distributed trust in authorities –Election authority: An agent providing some component of the election system –Three different types: registration teller, ballot box, tabulation teller Using principled techniques –Cryptographic security proofs (by us and others) –Language-based security: Jif (Java + Information Flow)

5 Clarkson: CIVS 5 Remote Voting with Civitas No supervision of voting or voters The right problem to solve: –More general problem than supervised voting –Internet voting (Debian, ACM, SERVE) –Absentee ballots

6 Clarkson: CIVS 6 Practicality of Civitas Implementation –22,000 LOC in Jif, Java, and C Performance study –Election tallied in 35 sec / voter / authority –Cost is about 4¢ / voter –Cf. current election costs of $1-$3 / voter [International Foundation for Election Systems]

7 Clarkson: CIVS 7 Civitas: Outline Security requirements Design –Based on scheme due to Juels, Catalano, and Jakobsson (JCJ) [WPES ’05] –We added: Distributed registration Lightweight ballot box Blocking –But this talk is not about mechanisms Security evaluation Performance study

8 Clarkson: CIVS 8 Confidentiality (Privacy) No adversary can learn any more about votes than is revealed by the final tally –Anonymity: hide map from voter to vote –Receipt-freeness: prohibit proof of vote –Coercion-resistance: adaptive Including forced abstention or randomization [JCJ; Delaune, Kremer, and Ryan ‘06] Voters cannot prove whether or how they voted, even if they can interact with the adversary while voting. Stronger

9 Clarkson: CIVS 9 Integrity (Correctness) Universal verifiability: Including: –The votes they cast are included –Only authorized votes are counted –No votes are changed during tallying [JCJ, Sako and Killian ’95] All voters can verify that the final tally is correct

10 Clarkson: CIVS 10Availability Unavailability of votes can compromise integrity –Missing votes not universally detectable –So need to guarantee availability of votes Otherwise, availability not guaranteed –Software systems implementing authorities –Results of election Orthogonal extensions possible –Byzantine fault tolerance –Threshold cryptography

11 Clarkson: CIVS 11Adversary May corrupt all but one of each type of election authority May coerce voters, demanding any secrets or behavior, remotely or physically May control network May perform any polynomial time computation [JCJ]

12 Clarkson: CIVS 12 Civitas Architecture JCJ scheme bulletin board voter client tabulation teller registrar

13 Clarkson: CIVS 13 Civitas Architecture Civitas scheme bulletin board voter client registration teller tabulation teller registration teller

14 Clarkson: CIVS 14 Civitas Architecture bulletin board voter client registration teller tabulation teller Civitas scheme registration teller ballot box What makes this secure? Why do we believe it is?

15 Clarkson: CIVS 15 Security Evaluation Cryptographic reduction proof by JCJ –Voting scheme provably achieves coercion resistance and universal verifiability –We extended that proof for our distributed registration construction –And we instantiated various oracles, ZK proofs Gain insight by reviewing election process and assumptions used in proofs

16 Clarkson: CIVS 16Cryptography Assumption 1. DDH, RSA, random oracle model. bulletin board voter client registration teller tabulation teller registration teller ballot box

17 Clarkson: CIVS 17Registration voter client registration teller Assumption 2. The adversary cannot masquerade as voter during registration. bulletin board tabulation teller ballot box Implement with: strong authentication, non-transferable secrets. obtain credential

18 Clarkson: CIVS 18Registration voter client registration teller Assumption 3. Each voter trusts at least one registration teller and has untappable channel to that teller. bulletin board tabulation teller ballot box Why: weakest known assumption for coercion resistance Implement with: advance, in person registration; information-theoretic encryption obtain credential

19 Clarkson: CIVS 19Voting voter client ballot box Assumption 4. Voters trust their voting client. bulletin board tabulation teller registration teller Reasonable: voter can choose client

20 Clarkson: CIVS 20Voting voter client ballot box Assumption 5. The channels from the voter to the ballot boxes are anonymous. bulletin board tabulation teller registration teller Why: otherwise coercion resistance trivially violated. submit vote

21 Clarkson: CIVS 21Voting voter client ballot box Assumption 6. Each voter trusts at least one ballot box to make vote available for tallying. bulletin board tabulation teller registration teller Why: expensive fault tolerance not required. submit vote

22 Clarkson: CIVS 22Tabulation bulletin board voter client registration teller tabulation teller registration teller ballot box Assumption 7. At least one tabulation teller is honest. Why: keeps tellers from decrypting votes too early or cheating throughout tabulation. retrieve votes anonymize and authenticate votes audit

23 Clarkson: CIVS 23Implementation Civitas implemented in Jif [Myers ’99, Chong and Myers ’04 ‘05] –Security-typed language –Static-type checking and dynamic enforcement of information-flow policies Yields assurance –Code is correct with respect to policies –Policies can be audited and certified

24 Clarkson: CIVS 24Protocols Proof of knowledge of discrete log [Schnorr] Proof of equality of discrete logarithms [Chaum & Pederson] Designated-verifier reencryption proof [Hirt & Sako] 1-out-of-L reencryption proof [Hirt & Sako] Signature of knowledge of discrete logarithms [Camenisch & Stadler] Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest] Plaintext equivalence test [Jakobsson & Juels]

25 Clarkson: CIVS 25Protocols Proof of knowledge of discrete log [Schnorr] Proof of equality of discrete logarithms [Chaum & Pederson] Designated-verifier reencryption proof [Hirt & Sako] 1-out-of-L reencryption proof [Hirt & Sako] Signature of knowledge of discrete logarithms [Camenisch & Stadler] Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest] Plaintext equivalence test [Jakobsson & Juels] Quadratic in # voters and votes

26 Clarkson: CIVS 26Blocking Assign voters into blocks –Block is a “virtual precinct” –Anonymity guaranteed within a block –Each block tallied independently of other blocks, even in parallel Implementation –Protocols extended to include blocks –Registrar implements policy on assignment Best policy might be uniform random –Reasonable block size? We use 100. Tabulation time is: –Quadratic in block size (thus anonymity) –Linear in number of voters

27 Clarkson: CIVS 27 Performance Study Experimental design –Emulab: 3 GHz CPUs for tab. tellers –Keys: 1024 ElGamal, 2048 RSA, 256 AES –Experiments repeated three times, sample mean reported, stdev < 2% Parameters: –V: number of voters –A: number of authorities of each type –K: minimum number of voters in a block

28 Clarkson: CIVS 28 Tabulation Time vs. # Voters (K = 100, A = 4) 35 sec / voter / authority $1/CPU/hr = 4¢/voter sequential parallel Use once then throw away: $1500/machine = $12/voter

29 Clarkson: CIVS 29 Tabulation Time vs. Anonymity (V = K, A = 4)

30 Clarkson: CIVS 30 Tabulation Time vs. # Authorities (K = V = 100)

31 Clarkson: CIVS 31 Extension: Ranked Voting Voters submit (partial) order on candidates –E.g. Condorcet, Borda, STV Civitas implements coercion-resistant Condorcet –Tricky because rankings can be used to signal identity (“Italian attack”) –Use ballot decomposition from FEE’05 Civitas also implements approval and FPTP ballots

32 Clarkson: CIVS 32 Related Work Voting schemes […] Implemented (academic) voting systems: –Sensus [Cranor and Cytron] –EVOX [Herschberg, DuRette] –REVS [Joaquim, Zúquette, Ferreira; Lebre] –ElectMe [Shubina and Smith] –Adder [Kiayias, Korman, Walluck] VoComp: –Prêt à Voter [Schneider, Heather, et al.; Ryan; Chaum] –Prime III [Gilbert, Cross, et al.] –Punchscan [Stanton, Essex, Popoveniuc, et al.; Chaum] –Voting Ducks [Kutyłowski, Zagórski, et al.]

33 Clarkson: CIVS 33Summary Civitas is a secure, practical, remote voting system Security: –Based on JCJ proof –Assumptions –Implementation in Jif Performance: –Linear (or constant) in number of voters, quadratic in anonymity –As low as 4¢ per voter

34 Clarkson: CIVS 34 Future Work Improve performance/anonymity trade-off Construct untappable channel Security proof for composition –UC definitions and constructions? Distribute trust in voter client Implement high availability

35 Clarkson: CIVS 35Resources Technical report with concrete protocols http://www.cs.cornell.edu/people/clarkson/papers/clarkson_civs_tr.pdf Source code to be released

36 Civitas A Secure Remote Voting System Michael Clarkson, Stephen Chong, Andrew Myers Cornell University Dagstuhl Seminar on Frontiers of Electronic Voting July 31, 2007

37 Clarkson: CIVS 37 Extra Slides

38 Clarkson: CIVS 38 Registration and Voting Times For A=4, total voter time to register and vote is 1.5sec –350ms for voter to retrieve credential from registration teller –230ms CPU time for registration teller to retrieve a voter’s credential –25ms for voter to submit vote to ballot box Registration teller throughput > 15,000 voters / hr

39 Clarkson: CIVS 39 Tab. Time vs. % Chaff (K = V = 100, A = 4)

40 Clarkson: CIVS 40 % CPU Util. vs. # Voters (K = 100, A = 4)

41 Clarkson: CIVS 41 Attacks: Voter Client Unlike DRE systems, voter can choose supplier of client (hardware and software) –Transfer trust to an organization they trust Publicly available protocols and implementation

42 Clarkson: CIVS 42 Attacks: Registration Strong authentication to prevent adversary from masquerading as voter Registration by mail or in person

43 Clarkson: CIVS 43 Attacks: Network Tappable channel exploitable only if adversary: –Compromises network and –Induces voter to use compromised client during registration Valid registration clients can erase credential shares

44 Clarkson: CIVS 44 Attacks: Availability BFT, threshold cryptography Rate-limiting and puzzles to mitigate application-level DOS –But PETs still a fundamental problem

45 Clarkson: CIVS 45 Attacks: Authorities Corrupt registration teller –Need third-party intervention Failed bulletin board –Integrity guaranteed, not availability Corrupt registrar or supervisor –Must verify against external policy (electoral roll, ballot design, etc.)

Download ppt "Civitas A Secure Remote Voting System Michael Clarkson, Stephen Chong, Andrew Myers Cornell University Dagstuhl Seminar on Frontiers of Electronic Voting."

Similar presentations

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.
Pretty Good Democracy James Heather, University of Surrey

Pretty Good Democracy James Heather, University of Surrey
Course summary COS 433: Crptography -Spring 2010 Boaz Barak.

Course summary COS 433: Crptography -Spring 2010 Boaz Barak.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.

Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.
The Italian Academic Community’s Electronic Voting System Pierluigi Bonetti Lisbon, May 2000.

The Italian Academic Community’s Electronic Voting System Pierluigi Bonetti Lisbon, May 2000.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.

ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.
On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark.

On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark.
Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)

Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
Civitas Toward a Secure Voting System Michael Clarkson Cornell University Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. Stevens.

Civitas Toward a Secure Voting System Michael Clarkson Cornell University Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. Stevens.
Civitas Verifiability and Coercion Resistance for Remote Voting Virginia Tech NCR September 14, 2012 Michael Clarkson George Washington University with.

Civitas Verifiability and Coercion Resistance for Remote Voting Virginia Tech NCR September 14, 2012 Michael Clarkson George Washington University with.

Similar presentations

Ads by Google