Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Slides:

Advertisements

Similar presentations

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Advertisements

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.

Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.

Pretty Good Democracy James Heather, University of Surrey

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.

Prêt à Voter A brief (heavily biased) history of verifiable voting Bertinoro 2010P Y A Ryan Prêt à Voter1 Peter Y A Ryan University of Luxembourg.

1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal.

Electronic Voting Ronald L. Rivest MIT CSAIL Norway June 14, 2004.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.

On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark.

Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

Information Security Research Centre MCS Workshop, Melbourne Electronic Voting and Receipt-freeness Byoungcheon Lee 1,2, Colin Boyd 1, Ed Dawson 1 1 Information.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Civitas Toward a Secure Voting System Michael Clarkson Cornell University Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. Stevens.

Civitas A Secure Remote Voting System Michael Clarkson, Stephen Chong, Andrew Myers Cornell University Dagstuhl Seminar on Frontiers of Electronic Voting.

Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum.

Civitas Verifiability and Coercion Resistance for Remote Voting Virginia Tech NCR September 14, 2012 Michael Clarkson George Washington University with.

Vanessa Teague Department of Computer Science and Software Engineering University of Melbourne Australia.

Self-Enforcing E-Voting (SEEV) Feng Hao Newcastle University, UK CryptoForma’13, Egham.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Reusable Anonymous Return Channels

Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

© VoteHere, Inc. All rights reserved. November 2004 VHTi Data Demonstration Andrew Berg Director, Engineering.

Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.

10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.

Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

The Current State of Cryptographic Election Protocols Josh Benaloh Microsoft Research.

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

1/11/2007 bswilson/eVote-PTCWS 1 Enhancing PTC based Secure E-Voting System (note: modification of Brett Wilson’s Paillier Threshold Cryptography Web Service.

A (Brief) Comparison of Cryptographic Schemes for Electronic Voting

PRESENTED BY CHRIS ANDERSON JULY 29, 2009 Using Zero Knowledge Proofs to Validate Electronic Votes.

Civitas Toward a Secure Voting System AFRL Information Management Workshop October 22, 2010 Michael Clarkson Cornell University.

An Architecture For Electronic Voting Master Thesis Presentation Clifford Allen McCullough Department of Computer Science University of Colorado at Colorado.

Cryptographic Voting Protocols: A Systems Perspective By Chris Karlof, Naveen Sastry, and David Wagner University of California, Berkely Proceedings of.

KYUSHUUNIVERSITYKYUSHUUNIVERSITY SAKURAILABORATORYSAKURAILABORATORY Sakurai Lab. Kyushu University Dr-course HER, Yong-Sork E-voting VS. E-auction.

Anual Workshop February 5th, Anonymous yet reliable ePoll application Italo Dacosta SecAnon-DistriNet.

Optimistic Mixing for Exit-Polls Philippe Golle, Stanford Sheng Zhong, Yale Dan Boneh, Stanford Markus Jakobsson, RSA Labs Ari Juels, RSA Labs.

Masked Ballot Voting for Receipt-Free Online Elections Sam Heinith, David Humphrey, and Maggie Watkins.

6. Esoteric Protocols secure elections and multi-party computation Kim Hyoung-Shick.

Andreas Steffen, , LinuxTag2009.ppt 1 LinuxTag 2009 Berlin Verifiable E-Voting with Open Source Prof. Dr. Andreas Steffen Hochschule für Technik.

Online voting: a legal perspective

Research & development Towards Practical Coercion-Resistant Electronic Elections Jacques Traoré France Télécom / Orange Labs SecVote 2010 Bertinoro - Italy.

Coercion-Resistant Remote Voting Michael Clarkson Cornell University Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. SecVote.

A remote voting system based on Prêt à Voter coded by David Lundin Johannes Clos.

Implementation Requirements for UK General Elections TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A A A Chris.

The Paillier Cryptosystem

Privacy and Anonymity Using Mix Networks* Slides borrowed from Philippe Golle, Markus Jacobson.

Electronic Voting R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity.

A Brief Introduction to Mix Networks Ari Juels RSA Laboratories © 2001, RSA Security Inc.

Secure Remote Electronic Voting CSE-681 Fall 2006 David Foster and Laura Stapleton Laura StapletonLaura Stapleton.

Secure, verifiable online voting 29 th June 2016.

Recipt-free Voting Through Distributed Blinding

ThreeBallot, VAV, and Twin

Some slides borrowed from Philippe Golle, Markus Jacobson

Motivation Civitas RCF Security Properties of E-Voting protocols

Secure and Insecure Mixing

Civitas Michael Clarkson Cornell Stephen Chong Harvard

Digital signatures.

eVoting System Proposal

The Italian Academic Community’s Electronic Voting System

Ronald L. Rivest MIT ShafiFest January 13, 2019

Presentation transcript:

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard) and Andrew Myers (Cornell)

2 SECURITYTRANSPARENCY

3 PRIVACYVERIFIABILITY

Remote 4 PRIVACYVERIFIABILITY (including Internet)

Mutual Distrust 5 KEY PRINCIPLE:

VERIFIABILITY 6 Universal verifiability Voter verifiability Eligibility verifiability UV: [Sako and Killian 1994, 1995] EV & VV: [Kremer, Ryan & Smyth 2010]

PRIVACY 7 Coercion resistance better than receipt freeness or simple anonymity RF: [Benaloh 1994] CR: [Juels, Catalano & Jakobsson 2005]

ROBUSTNESS 8 Tally availability

Security Properties Original system: Universal verifiability Eligibility verifiability Coercion resistance Ongoing projects: Voter verifiability Tally availability 9 …under various assumptions

10 JCJ Voting Scheme [Juels, Catalano & Jakobsson 2005] Proved universal verifiability and coercion resistance Civitas extends JCJ

11 Civitas Architecture bulletin board voter client tabulation teller registration teller ballot box

12 Registration voter client registration teller Voter retrieves credential share from each registration teller; combines to form credential

Credentials Verifiable Unsalable Unforgeable Anonymous 13

14 Voting voter client ballot box Voter submits copy of encrypted choice and credential to each ballot box

Resisting Coercion: Fake Credentials 15

16 Resisting Coercion If the coercer demands that the voter… Then the voter… Submits a particular voteDoes so with a fake credential. Sells or surrenders a credential Supplies a fake credential. AbstainsSupplies a fake credential to the adversary and votes with a real one.

17 Tabulation bulletin board tabulation teller ballot box Tellers retrieve votes from ballot boxes

18 Tabulation bulletin board tabulation teller Tabulation tellers anonymize votes; eliminate unauthorized (and fake) credentials; decrypt remaining choices.

19 Auditing bulletin board Anyone can verify proofs that tabulation is correct ballot box

20 Civitas Architecture bulletin board voter client tabulation teller registration teller ballot box Universal verifiability: Tellers post proofs during tabulation Coercion resistance: Voters can undetectably fake credentials S ECURITY P ROOFS

21 Protocols –El Gamal; distributed [Brandt]; non-malleable [Schnorr and Jakobsson] –Proof of knowledge of discrete log [Schnorr] –Proof of equality of discrete logarithms [Chaum & Pederson] –Authentication and key establishment [Needham-Schroeder- Lowe] –Designated-verifier reencryption proof [Hirt & Sako] –1-out-of-L reencryption proof [Hirt & Sako] –Signature of knowledge of discrete logarithms [Camenisch & Stadler] –Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest] –Plaintext equivalence test [Jakobsson & Juels] Implementation: 21k LoC

Trust Assumptions 22

23 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller.

24 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. Universal verifiability Coercion resistance Coercion resistance

25 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

26 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

27 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

Registration 28 In person. In advance. Con:System not fully remote Pro:Credential can be used in many elections

29 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

Eliminating Trust in Voter Client 30 UV: Use challenges (like Helios) CR: Open problem

31 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

32 Trust Assumptions` 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

33 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

Untappable Channel 34 Minimal known assumption for receipt freeness and coercion resistance Eliminate? Open problem. (Eliminate trusted registration teller? Also open.)

35 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR

Trusted procedures? 36

Time to Tally 37

38 Tabulation Time # voters in precinct = K, # tab. tellers = 4, security strength ≥ 112 bits [NIST 2011–2030]

39 Summary Can achieve strong security and transparency: –Remote voting –Universal (voter, eligibility) verifiability –Coercion resistance Security is not free: –Stronger registration (untappable channel) –Cryptography (computationally expensive)

Assurance 40 Security proofs (JCJ) Secure implementation (Jif)

Ranked Voting 41

42 Open Problems Coercion-resistant voter client? Eliminate untappable channel in registration? Credential management? Application-level denial of service?

as (google “civitas voting”)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard) and Andrew Myers (Cornell)