Presentation is loading. Please wait.

Presentation is loading. Please wait.

Civitas Toward a Secure Voting System AFRL Information Management Workshop October 22, 2010 Michael Clarkson Cornell University.

Published byAleesha Arnold Modified over 9 years ago

Similar presentations

Presentation on theme: "Civitas Toward a Secure Voting System AFRL Information Management Workshop October 22, 2010 Michael Clarkson Cornell University."— Presentation transcript:

1 Civitas Toward a Secure Voting System AFRL Information Management Workshop October 22, 2010 Michael Clarkson Cornell University

2

3 Secret Ballot

4

5

6

7

8

9

10 Florida 2000: Bush v. Gore

11 “Flawless”

12 12

13 Security FAIL

14 Analysis of an electronic voting system [Kohno et al. 2003, 2004] DRE trusts smartcards Hardcoded keys and initialization vectors Weak message integrity Cryptographically insecure random number generator...

15 California top-to-bottom reviews [Bishop, Wagner, et al. 2007] “Virtually every important software security mechanism is vulnerable to circumvention.” “An attacker could subvert a single polling place device...then reprogram every polling place device in the county.” “We could not find a single instance of correctly used cryptography that successfully accomplished the security purposes for which it was apparently intended.”

16 Why is this so hard?

17 17 PRIVACYVERIFIABILITY

18 18 …not just correctness …even if everyone cheats

19 VERIFIABILITY 19 Universal verifiability Voter verifiability Eligibility verifiability UV: [Sako and Killian 1994, 1995] EV & VV: [Kremer, Ryan & Smyth 2010]

20 PRIVACY 20 …more than secrecy …even if almost everyone cheats

21 PRIVACY 21 Coercion resistance better than receipt freeness or simple anonymity RF: [Benaloh 1994] CR: [Juels, Catalano & Jakobsson 2005]

22 ROBUSTNESS 22 Tally availability

23 23 PRIVACYVERIFIABILITY ROBUSTNESS

24 Remote 24 PRIVACYVERIFIABILITY (including Internet) ROBUSTNESS

25 H.R. 2647 Sec. 589 25 Military and Overseas Voter Empowerment Act

26 How can we vote securely, electronically, remotely? 26

27 Cornell Voting Systems CIVS (ca. 2005) [Myers & Clarkson] http://www.cs.cornell.edu/andru/civs.html Civitas 0.7 (ca. 2007) [Clarkson, Chong & Myers] http://www.cs.cornell.edu/projects/civitas Published Oakland 2008 + 2 Masters projects Civitas 1.0 (started fall 2010) [Clarkson et al.] 27

28 Cornell Voting Systems CIVS (ca. 2005) [Myers & Clarkson] http://www.cs.cornell.edu/andru/civs.html Civitas 0.7 (ca. 2007) [Clarkson, Chong & Myers] http://www.cs.cornell.edu/projects/civitas Published Oakland 2008 + 2 Masters projects Civitas 1.0 (started fall 2010) [Clarkson et al.] 28

29 Security Properties Original Civitas: Universal verifiability Eligibility verifiability Coercion resistance Masters projects: Voter verifiability Tally availability 29 …under various assumptions

30 Mutual Distrust 30 KEY PRINCIPLE:

31 31 JCJ Voting Scheme [Juels, Catalano & Jakobsson 2005] Proved universal verifiability and coercion resistance Civitas extends JCJ

32 32 Civitas Architecture bulletin board voter client tabulation teller registration teller ballot box

33 33 Registration voter client registration teller Voter retrieves credential share from each registration teller; combines to form credential

34 Credentials Verifiable Unsalable Unforgeable Anonymous 34

35 35 Voting voter client ballot box Voter submits copy of encrypted choice and credential to each ballot box

36 Resisting Coercion: Fake Credentials 36

37 37 Resisting Coercion If the coercer demands that the voter… Then the voter… Submits a particular voteDoes so with a fake credential. Sells or surrenders a credential Supplies a fake credential. AbstainsSupplies a fake credential to the adversary and votes with a real one.

38 38 Tabulation bulletin board tabulation teller ballot box Tellers retrieve votes from ballot boxes

39 39 Tabulation bulletin board tabulation teller Tabulation tellers anonymize votes; eliminate unauthorized (and fake) credentials; decrypt remaining choices.

40 40 Auditing bulletin board Anyone can verify proofs that tabulation is correct ballot box

41 41 Civitas Architecture bulletin board voter client tabulation teller registration teller ballot box Universal verifiability: Tellers post proofs during tabulation Coercion resistance: Voters can undetectably fake credentials S ECURITY P ROOFS

42 42 Protocols –El Gamal; distributed [Brandt]; non-malleable [Schnorr and Jakobsson] –Proof of knowledge of discrete log [Schnorr] –Proof of equality of discrete logarithms [Chaum & Pederson] –Authentication and key establishment [Needham-Schroeder- Lowe] –Designated-verifier reencryption proof [Hirt & Sako] –1-out-of-L reencryption proof [Hirt & Sako] –Signature of knowledge of discrete logarithms [Camenisch & Stadler] –Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest] –Plaintext equivalence test [Jakobsson & Juels] Implementation: 21k LoC

43 Trust Assumptions 43

44 44 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller.

45 45 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. Universal verifiability Coercion resistance Coercion resistance

46 46 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

47 47 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

48 48 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

49 Registration 49 In person. In advance. Con:System not fully remote Pro:Credential can be used in many elections

50 50 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

51 Eliminating Trust in Voter Client 51 UV: Use challenges CR: Open problem

52 52 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

53 53 Trust Assumptions` 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

54 54 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

55 Untappable Channel 55 Minimal known assumption for receipt freeness and coercion resistance Eliminate? Open problem. (Eliminate trusted registration teller? Also open.)

56 56 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

57 Trusted procedures? 57

58 Time to Tally 58

59 59 Tabulation Time # voters in precinct = K, # tab. tellers = 4, security strength ≥ 112 bits [NIST 2011–2030]

60 60 Summary Can achieve strong security and transparency: –Remote voting –Universal (voter, eligibility) verifiability –Coercion resistance Security is not free: –Stronger registration (untappable channel) –Cryptography (computationally expensive)

61 Assurance 61 Security proofs (JCJ) Secure implementation (Jif)

62 Ranked Voting 62

63 63 Open Problems Coercion-resistant voter client? Eliminate untappable channel in registration? Credential management? Application-level denial of service?

64 http://www.cs.cornell.edu/projects/civitas (google “civitas voting”)

65 Civitas Toward a Secure Voting System AFRL Information Management Workshop October 22, 2010 Michael Clarkson Cornell University

Download ppt "Civitas Toward a Secure Voting System AFRL Information Management Workshop October 22, 2010 Michael Clarkson Cornell University."

Similar presentations

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.
Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.

Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.
Pretty Good Democracy James Heather, University of Surrey

Pretty Good Democracy James Heather, University of Surrey
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.

Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.
Prêt à Voter A brief (heavily biased) history of verifiable voting Bertinoro 2010P Y A Ryan Prêt à Voter1 Peter Y A Ryan University of Luxembourg.

Prêt à Voter A brief (heavily biased) history of verifiable voting Bertinoro 2010P Y A Ryan Prêt à Voter1 Peter Y A Ryan University of Luxembourg.
1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal.

1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal.
Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.
The Italian Academic Community’s Electronic Voting System Pierluigi Bonetti Lisbon, May 2000.

The Italian Academic Community’s Electronic Voting System Pierluigi Bonetti Lisbon, May 2000.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.

ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.
Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)

Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
Civitas Toward a Secure Voting System Michael Clarkson Cornell University Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. Stevens.

Civitas Toward a Secure Voting System Michael Clarkson Cornell University Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. Stevens.
Civitas A Secure Remote Voting System Michael Clarkson, Stephen Chong, Andrew Myers Cornell University Dagstuhl Seminar on Frontiers of Electronic Voting.

Civitas A Secure Remote Voting System Michael Clarkson, Stephen Chong, Andrew Myers Cornell University Dagstuhl Seminar on Frontiers of Electronic Voting.

Similar presentations

Ads by Google