Presentation is loading. Please wait.

Presentation is loading. Please wait.

Coercion-Resistant Remote Voting Michael Clarkson Cornell University Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. SecVote.

Published byIsabel Sims Modified over 8 years ago

Similar presentations

Presentation on theme: "Coercion-Resistant Remote Voting Michael Clarkson Cornell University Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. SecVote."— Presentation transcript:

1 Coercion-Resistant Remote Voting Michael Clarkson Cornell University Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. SecVote Summer School September 3, 2010 JCJ and Civitas

2 2

3 3

4 Remote Voting 4

5 5

6 Receipt Freeness. 6 [Benaloh & Tuinstra 1994, Okamoto 1997, Delaune, Kremer & Ryan 2006, Jonker and Pieters 2006, Jonker and de Vink 2007, Backes, Hritcu & Maffei 2008, …] Voters do not obtain information (a receipt) that proves how they voted.

7 Attacks 1. Randomization 2. Forced abstention 3. Simulation 7 [Schoenmakers 2000, Juels, Catalano & Jakobsson 2005]

8 Coercion Resistance Coercer can observe and interact with voter during remote voting… …must prevent coercers from trusting their own observations… …must enable voters to lie to coercers. 8

9 Coercion Resistance 9 The adversary cannot learn how voters vote, even if voters collude and interact with the adversary. [Juels, Catalano & Jakobsson 2005, Delaune, Kremer & Ryan 2006, Moran & Naor 2006, Backes, Hritcu & Maffei 2008, Küsters, Truderung & Vogt 2010] (RF + defense against three attacks)

10 JCJ Ari Juels, Dario Catalano & Markus Jakobsson. Coercion-resistant electronic elections. In Proc. Workshop in Privacy in the Electronic Society, 2005. 10

11 Civitas Michael Clarkson, Stephen Chong, Andrew Myers. Civitas: Toward a Secure Voting System. In Proc. IEEE Symposium on Security and Privacy, 2008. 11

12 12 Civitas LOC ComponentApprox. LOC Tabulation teller5,700 Registration teller1,300 Bulletin board, ballot box900 Voter client800 Other (incl. common code)4,700 Total Jif LOC13,400 Low-level crypto and I/O (Java and C) 8,000 Total LOC21,400

13 JCJ Key techniques:  Coercion-resistant credentials  Plaintext equivalence test (PET) [Jakobsson & Juels 2000, MacKenzie, Shrimpton & Jakobsson 2002] 13 Based on mix networks…

14 Mixnet Schemes 14 1. V → BB: sign(enc(vote; K T ); k V ) 2. Talliers: A. check and remove signatures B. mix votes C. decrypt votes

15 JCJ V → BB: enc(cred; K T ), enc(vote; K T ) 15 Talliers: Anonymize all submissions with mixnets Remove submissions with unauthorized credentials Decrypt votes

16 JCJ V → BB: enc(cred; K T ), enc(vote; K T ) 16 Want voters to be able to fake credentials

17 Resisting Coercion If the adversary demands that the voter… Then the voter… Submits a particular (even random) vote Does so with a fake credential. AbstainsSupplies a fake credential to the adversary and votes with a real one. Sells or surrenders a credential Supplies a fake credential. 17

18 Resisting Coercion If the adversary demands that the voter… Then the voter… Submits a particular (even random) vote Does so with a fake credential. AbstainsSupplies a fake credential to the adversary and votes with a real one. Sells or surrenders a credential Supplies a fake credential. 18 Defeats randomization attacks Defeats forced abstention attacks Defeats simulation attacks

19 19 Credentials Desired Properties  Verifiable  Unsalable  Unforgeable  Anonymous

20 20 JCJ Scheme Voter bulletin board RegistrarTallier

21 21 JCJ Scheme Voter T1T1 T2T2 T3T3 bulletin board R1R1 R2R2 R3R3 RegistrarTallier

22 Assumption 0 At least one of each type of authority is honest (Needed for CR, not for verifiability) 22

23 JCJ Phases:  Setup  Registration  Vote submission  Tabulation 23

24 24 Setup Voter T1T1 T2T2 T3T3 bulletin board R1R1 R2R2 R3R3 RegistrarTallier

25 Setup 1. Agree on El Gamal group G 2. Generate Tallier’s public encryption key K T, distribute private key k T 3. Post K T on BB 25

26 Assumption 1 DDH (also RSA, random oracle) 26 Civita s

27 27 Registration Voter T1T1 T2T2 T3T3 bulletin board R1R1 R2R2 R3R3 RegistrarTallier

28 Registration 1. Registrar: authenticate V 2. Registrar: s ← G 3. Registrar → BB: enc(s; K T ) 4. Registrar → V [untap.]: s 28 s = private credential enc(s) = S = public credential

29 Registration 1. Registrar: authenticate V 2. Registrar: s ← G 3. Registrar → BB: enc(s; K T ) 4. Registrar → V [untap.]: s 29 s = private credential enc(s) = S = public credential Electoral roll: list of all public credentials, signed by Registrar

30 Assumption 2 Initial voter authentication is correct & Untappable channel (In person registration?) 30

31 Registration How many registrars? How trusted?  One, trusted  Many, untrusted 31

32 Registration One, untrusted registrar: 4. Registrar → V [untap.]: s, DVP(“S encrypts s”, V) 32

33 DVP Designated Verifier Proof [Jakobsson, Sako & Impagliazzo 1996] DVP(Φ, A) proves in ZK that “Φ holds, or prover knows A’s private key” 33

34 Registration One, untrusted registrar: 4. Registrar → V [untap.]: s, DVP(“S encrypts s”, V) DVP ensures proof isn’t receipt 34

35 Registration Many, untrusted registrars: For each registrar R i : 1. R i : authenticate V 2. R i : s i ← G 3. R i → BB: enc(s i ; K T ) which is S i 4. R i → V [unt.]: s i, DVP(“S i encrypts s i ”, V) … 35 Civita s

36 Registration …Voter calculates credential: s = ∏ i s i S = ∏ i S i S = ∏ i S i = ∏ i enc(s i ) = enc(∏ i s i ) = enc(s) 36 Civita s

37 Faking Credentials Voter V: 1. Picks registrar R i 2. Substitutes new ŝ i for s i 3. Invents DVP(“S i encrypts ŝ i ”, V) 37

38 Assumption 3 Trusted R i (Need untappable channel only to that registrar.) 38

39 39  Verifiable ✓  Unsalable ✓  Unforgeable ✓  Anonymous Credentials Desired Properties

40 40 Vote Submission Voter T1T1 T2T2 T3T3 bulletin board R1R1 R2R2 R3R3 RegistrarTallier

41 Vote Submission 1. V: select choice (candidate) c 2. V → BB [anon.]: enc(s; K T ), enc(c; K T ) 41

42 Assumption 4 Anonymous channel 42

43 Assumption 5 Voter client doesn’t leak credential & Voter client encrypts correctly 43

44 Assumption 5 Voter client doesn’t leak credential & Voter client encrypts correctly 44

45 Vote Submission 1. V: select choice (candidate) c 2. V → BB [anon.]: enc(s; K T ), enc(c; K T ) Problems: replay attacks, malformed choices 45

46 Vote Submission 1. V: select choice (candidate) c 2. V → BB [anon.]: enc(s; K T ), enc(c; K T ) Problems: replay attacks, malformed choices Solution: zero-knowledge proofs 46

47 Vote Submission 1. V: select choice (candidate) c 2. V → BB [anon.]: enc(s; K T ), enc(c; K T ), P k, P w P k : signature of knowledge [Camenisch & Stadler 1997] P w : 1-out-of-L reencryption proof [Hirt & Sako 2000] 47

48 Vote Submission 1. V: select choice (candidate) c 2. V → BB [anon.]: enc(s; K T ), enc(c; K T ), P k, P w Problem: scalability, reliability of BB 48

49 Vote Submission 1. V: select choice (candidate) c 2. V → BB [anon.]: enc(s; K T ), enc(c; K T ), P k, P w Problem: scalability, reliability of BB Solution: distributed ballot boxes 49 Civita s

50 50 Vote Submission Voter T1T1 T2T2 T3T3 bulletin board R1R1 R2R2 R3R3 RegistrarTallier

51 51 Vote Submission Voter T1T1 T2T2 T3T3 bulletin board R1R1 R2R2 R3R3 RegistrarTallier ballot box Civita s

52 52 Tabulation Voter T1T1 T2T2 T3T3 bulletin board R1R1 R2R2 R3R3 RegistrarTallier ballot box

53 Tabulation Talliers: 1. Check proofs 2. Eliminate duplicate credentials 3. Mix 4. Eliminate unauthorized credentials 5. Decrypt choices 53

54 Tabulation  Check proofs  Remove votes with bad P k or P w (Then can eliminate proofs) 54 enc(s; K T )enc(c; K T )Pk, PwPk, Pw ………

55 Tabulation  Eliminate duplicate credentials 55 enc(s; K T )enc(c 1 ; K T ) …… enc(s; K T )enc(c 2 ; K T )

56 Tabulation  Eliminate duplicate credentials Problem: enc() is probabilistic 56 enc(s; K T )enc(c 1 ; K T ) …… enc(s; K T )enc(c 2 ; K T )

57 Tabulation  Eliminate duplicate credentials Problem: enc() is probabilistic Solution: plaintext equivalence test 57 enc(s; K T )enc(c 1 ; K T ) …… enc(s; K T )enc(c 2 ; K T )

58 PET Plaintext Equivalence Test [Jakobsson & Juels 2000, MacKenzie, Shrimpton & Jakobsson 2002] PET(c 1, c 2 ) reveals whether dec(c 1 ) = dec(c 2 ) 58

59 Tabulation  Eliminate duplicate credentials  Perform PET(enc(s i ), enc(s j ))  Eliminate vote(s) if PET reveals equality 59 enc(s i ; K T )enc(c i ; K T ) …… enc(s j ; K T )enc(c j ; K T )

60 Tabulation  Eliminate duplicate credentials  Perform PET(enc(s i ), enc(s j ))  Eliminate vote(s) if PET reveals equality …for each pair of votes 60 enc(s i ; K T )enc(c i ; K T ) …… enc(s j ; K T )enc(c j ; K T )

61 Tabulation  Mix  Mix electoral roll to anonymize authorized credentials  Mix remaining votes to anonymize submitted credentials 61

62 Tabulation  Mix  Mix electoral roll to anonymize authorized credentials  Mix remaining votes to anonymize submitted credentials Verifiability: randomized partial checking [Jakobsson, Juels & Rivest 2002] 62

63 Tabulation  Eliminate unauthorized credentials  Perform PETs of votes vs. electoral roll  Eliminate vote if no PET reveals equality …for each pair 63 enc(s i ; K T )enc(c i ; K T ) …… enc(s j ; K T )enc(c j ; K T ) enc(s 1 ; K T ) … enc(s n ; K T ) Electoral rollVotes

64 Virtual Precincts  Each voter assigned to virtual precinct, a.k.a. block  Each block tallied independently of other blocks, even in parallel Tabulation time is:  Quadratic in block size  Linear in number of voters (1 set machines)  Or, constant in number of voters (1 set / block) 64 Civita s

65 Tabulation  Decrypt choices  But not credentials!  Election can finally be tallied 65 enc(s i ; K T )enc(c i ; K T ) …… enc(s j ; K T )enc(c j ; K T ) Votes

66 66  Verifiable ✓  Unsalable ✓  Unforgeable ✓  Anonymous ✓ Credentials Desired Properties

67 67 JCJ / Civitas Voter T1T1 T2T2 T3T3 bulletin board R1R1 R2R2 R3R3 RegistrarTallier ballot box

68 Universal Verifiability 68 Anyone can audit the election results: no votes added, changed, or deleted [Sako & Killian 1994, 1995]

69 Universal Verifiability Talliers post ZK proofs:  PETs  mixes  decryption 69

70 Tabulation Coercion resistant & Universally verifiable (also eligibility verifiable & accountable) 70

71 71 Security Assurance Design  JCJ proof of coercion resistance and verifiability  Backes et al. (CSF 2008) verification with ProVerif Implementation  In security-typed language

72 72 Secure Implementation In Jif [Myers 1999, Chong and Myers 2005, 2008]  Security-typed language  Types contain information-flow policies Confidentiality, integrity, declassification, erasure Compiler verifies code obeys policies

73 73 Tabulation Time vs. Anonymity K = # voters in block, # tab. tellers = 4, security strength ≥ 112 bits [NIST 2011–2030], 3GHz Xeons

74 74 Tabulation Time vs. # Voters K = 100 sequential parallel

75 75 CPU Cost for Tabulation CPU time is 39 sec / voter / authority If CPUs are bought, used (for 5 hours), then thrown away: $1500 / machine = $12 / voter If CPUs are rented: $1 / CPU / hr = 4¢ / voter

76 76 Examples: Condorcet, STV/IRV, Borda, … But: “Italian attack” Ranked Voting Brunello4 Sangiovese di Romagna 1 Chianti3 Barbaresco2 Barolo5

77 77 Ranked Voting Civitas implements coercion-resistant:  Condorcet  Approval  Plurality Intuition: decompose ballot

78 Ongoing Work  Threshold cryptography  BFT bulletin board  Verifiable voter client 78

79 79 Open Problems  In-person registration  Untappable channel  Credential management  Application-level DoS

80 80 Summary JCJ  Remote voting scheme  Coercion resistant & universally verifiable  Proved secure Civitas  Implemented JCJ with full, concrete protocols  Distributed registrar, vote storage  Trust assumptions  Ranked voting  Studied performance

81 http://www.cs.cornell.edu/projects/civit as (google “civitas voting”)

82 Coercion-Resistant Remote Voting Michael Clarkson Cornell University SecVote Summer School September 3, 2010 JCJ and Civitas

Download ppt "Coercion-Resistant Remote Voting Michael Clarkson Cornell University Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. SecVote."

Similar presentations

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.
Pretty Good Democracy James Heather, University of Surrey

Pretty Good Democracy James Heather, University of Surrey
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
An Architectural View of Universally Verifiable Election Schemes Berry Schoenmakers Coding & Crypto Group TU Eindhoven IPA Herfstdagen – Security Zwartsluis,

An Architectural View of Universally Verifiable Election Schemes Berry Schoenmakers Coding & Crypto Group TU Eindhoven IPA Herfstdagen – Security Zwartsluis,
1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal.

1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal.
Electronic Voting Ronald L. Rivest MIT CSAIL Norway June 14, 2004.

Electronic Voting Ronald L. Rivest MIT CSAIL Norway June 14, 2004.
Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
A Pairing-Based Blind Signature

A Pairing-Based Blind Signature
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.

ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.
James Heather, University of Surrey Peter Y A Ryan, University of Luxembourg Vanessa Teague, University of Melbourne.

James Heather, University of Surrey Peter Y A Ryan, University of Luxembourg Vanessa Teague, University of Melbourne.
Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)

Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Similar presentations

Ads by Google