1. Civitas Michael Clarkson Cornell Stephen Chong Harvard
Andrew Myers Cornell
IACR Board Meeting / CRYPTO
August 19, 2008
Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C.

2. Civitas Features: Status: …Suitable for IACR?
Designed for remote voting, coercion resistance, verifiability
Supports plurality, approval, Condorcet methods
Status:
Paper in Oakland 2008
Publicly available: 21,000 LOC (Jif, Java, and C)
Prototype
…Suitable for IACR?
Suitable for IACR? Yes or no, offers interesting features that should be kept in mind when evaluating other systems.
Clarkson: Civitas

3. Civitas Security Requirements

4. Security Model No trusted supervision of polling places Remote voting
Including voters, procedures, hardware, software
Voting could take place anywhere
Remote voting
Generalization of “Internet voting” and “postal voting”
Interesting problem to solve!
To begin, we wanted to build a system that did not rely on trusted supervision of polling places. This means that neither the voters, the procedures that are used, the hardware, or the software are supervised. Voting could therefore take place from anywhere. The term for this is “remote voting”, of which Internet voting is one instance.
Remote voting is a very interesting problem to tackle. It is a more general problem than supervised voting. That is, a secure remote voting system is also secure in a context with trusted supervision. And eliminating trusted supervision is a worthwhile goal, because it is the source of many vulnerabilities. Remote voting is also interesting because our society is trending towards one in which interactions can be carried out from any place at any time. This includes voting. Remote voting is becoming more common in both public elections and organizational elections. For example, the states of Oregon and Washington now vote (almost) entirely remotely.
IACR 
Clarkson: Civitas

5. Adversary Always: Almost always: Security properties:
May perform any polynomial time computation
May corrupt all but one of each type of election authority
Distributed trust
Almost always:
May control network
May coerce voters, demanding secrets or behavior, remotely or physically
Security properties:
Confidentiality, integrity, availability
In remote voting, we must be concerned about an adversary with strong capabilities. In Civitas, we assume that the adversary may corrupt all but one of each type of election authority. Election authorities are agents who conduct the election. They might be humans, organizations, or software provided by these. There are different types because the authorities have different responsibilities: registration, vote storage, and tabulation.
In remote voting, an adversary may also attempt to coerce voters, demanding secrets or arbitrary behavior from them, even in the physical presence of the voter. We need to protect voters against this. But we also assume that there will be some time when the voter is not in the control of the adversary.
We make two other standard assumptions: The adversary can control the network, and perform any polynomial time computation. We do make an exception regarding the network during voter registration, which I’ll return to a little later.
Against this adversary, we want Civitas to satisfy certain security properties. One reason that it’s hard to build secure voting systems is that these properties that are sometimes in tension with one another. I’ll frame my discussion of these properties in terms of three aspects of security that people often discuss, confidentiality, integrity, and availability.
Clarkson: Civitas

6. The final tally is correct and verifiable.
Integrity
Verifiability:
Including:
Voter verifiability: Voters can check that their own vote is included
Universal verifiability: Anyone can check that only authorized votes are counted, no votes are changed during tallying [Sako and Killian 1995]
The final tally is correct and verifiable.
Let me start with integrity. Civitas satisfies an integrity property which we call verifiability. Informally, this property says that the final tally of the election is correct and verifiable. This includes that voters can check that their own votes are included in the final tally, which is known as voter verifiability. And that anyone can check that the final tally was computed correctly, including that no votes are dropped, added, or change during tallying. This is known as universal verifiability.
These integrity properties are sorely lacking in current real-world systems.
It wouldn’t be as difficult to build secure voting systems if all we had to worry about was integrity. But we also need to worry about confidentiality.
IACR 
Clarkson: Civitas

7. Confidentiality Voter coercion:
Employer, spouse, etc.
Coercer can demand any behavior (vote buying)
Coercer can observe and interact with voter during remote voting
Must prevent coercers from trusting their own observations
Perhaps the biggest challenge with confidentiality in remote voting is voter coercion. You can imagine that the coercer might be someone such as the voter’s employer or spouse. Such a coercer might be able to demand any behavior of the voter. For example, the coercer might demand that the voter submit a particular vote, submit a random vote, or even abstain from the election. Note that this generalizes vote buying, which is just one behavior the coercer might demand. Coercers might be able to observe and interact with the voter, even being in the physical presence of the voter---perhaps standing over the voter’s shoulder as the voter votes. This leads to a requirement for remote voting systems: the voting system must prevent a coercer from trusting his own observations.
Clarkson: Civitas

8. Hierarchy: [Delaune, Kremer, and Ryan, CSFW 2006]
Confidentiality
> receipt-freeness > anonymity
Hierarchy: [Delaune, Kremer, and Ryan, CSFW 2006]
Coercion resistance:
The adversary cannot learn how voters vote, even if voters collude and interact with the adversary.
too weak for remote voting
This leads to a confidentiality property known as coercion resistance, which says that the adversary cannot learn how voters vote, even if voters collude and interact with the adversary. And it is stronger than other properties you might have seen before, such as anonymity (which allows the voter to collude and interact), or receipt freeness (which allows the voter to collude but not interact). This relationship was established in work by DKR.
IACR ?
Clarkson: Civitas

9. The final tally of the election is produced.
Availability
We assume that this holds
To guarantee, would need to make system components highly available
Tally availability:
The final tally of the election is produced.
Finally, let’s talk about availability. Ultimately, what we want is that the final tally of the election is produced, and various components may need to remain available to make this happen.
In Civitas, we assume that this property will hold. This is different than confidentiality or integrity, which we’ll use cryptographic mechanisms to guarantee. If we wanted to guarantee tally availability---which would be important for real-world elections---we would need to at least make system components highly available. This might be done with standard reliable systems techniques, and we kept this in mind as we designed Civitas. (This included minimizing communication, as well as the number of hosts in the system that have to be available at any given time.) But we didn’t actually implement high availability.
IACR ?
Clarkson: Civitas

10. Civitas Design and Implementation

11. JCJ Scheme [Juels, Catalano, and Jakobsson, WPES 2005]
Formally defined coercion resistance and verifiability
Constructed voting scheme
Proved scheme satisfies coercion resistance and verifiability
[Backes, Hritcu, and Maffei, CSF 2008]
Verified simplification in ProVerif
Civitas is based on a voting scheme invented by Juels, Catalano, and Jakobsson. I’ll refer to this as the JCJ scheme. JCJ gave formal, mathematical definitions of the coercion resistance and verifiability properties, constructed a voting scheme, and proved that the scheme satisfies the properties.
Clarkson: Civitas

12. Civitas Architecture registration teller registration teller
tabulation teller
ballot box
bulletin board
ballot box
tabulation teller
ballot box
voter client
tabulation teller
Clarkson: Civitas

13. Registration
registration teller
registration teller
registration teller
bulletin board
tabulation teller
ballot box
voter client
Voter retrieves credential share from each registration teller; combines to form credential
Clarkson: Civitas

14. Voting
bulletin board
tabulation teller
registration teller
ballot box
ballot box
ballot box
voter client
Voter submits copy of encrypted choice and credential (+ ZK proofs) to each ballot box
Clarkson: Civitas

15. Resisting Coercion Voters invent fake credentials
To adversary, fake  real
Votes with fake credentials removed during tabulation
Clarkson: Civitas

16. Resisting Coercion If the adversary demands that the voter…
Then the voter…
Submits a particular vote
Does so with a fake credential.
Sells or surrenders a credential
Supplies a fake credential.
Abstains
Supplies a fake credential to the adversary and votes with a real one.
Clarkson: Civitas

17. Tellers retrieve votes from ballot boxes
Tabulation
voter client
registration teller
tabulation teller
ballot box
bulletin board
ballot box
tabulation teller
ballot box
tabulation teller
Tellers retrieve votes from ballot boxes
Clarkson: Civitas

18. decrypt remaining choices;
Tabulation
voter client
registration teller
ballot box
tabulation teller
bulletin board
tabulation teller
tabulation teller
Tabulation tellers anonymize votes with mix network; eliminate unauthorized credentials;
decrypt remaining choices;
post ZK proofs
Clarkson: Civitas

19. Civitas Architecture
registration teller
registration teller
registration teller
tabulation teller
ballot box
bulletin board
ballot box
tabulation teller
ballot box
voter client
tabulation teller
Verifiability: Tellers post zero-knowledge proofs during tabulation
Coercion resistance: Voters can undetectably fake credentials
Clarkson: Civitas

20. Protocols Leverage the literature:
El Gamal; distributed [Brandt]; non-malleable [Schnorr and Jakobsson]
Proof of knowledge of discrete log [Schnorr]
Proof of equality of discrete logarithms [Chaum & Pederson]
Authentication and key establishment [Needham-Schroeder-Lowe]
Designated-verifier reencryption proof [Hirt & Sako]
1-out-of-L reencryption proof [Hirt & Sako]
Signature of knowledge of discrete logarithms [Camenisch & Stadler]
Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest]
Plaintext equivalence test [Jakobsson & Juels]
Implementation requires concrete protocols. So building Civitas required filling in the missing details of the abstract protocol design, including implementing a number of other protocols from the literature.
Clarkson: Civitas

21. Secure Implementation
In Jif [Myers 1999, Chong and Myers 2005, 2008]
Security-typed language
Types contain information-flow policies
Confidentiality, integrity, declassification, erasure
If policies in code express correct requirements…
(And Jif compiler is correct…)
Then code is secure w.r.t. requirements
Protocols may be secure in their design, but their implementation can be another story. We wanted assurance that our implementation of Civitas was itself secure.
We gained this by implementing Civitas in a language called Jif, whose name stands for Java plus information flow. It is a security typed language, in which types contain information flow policies. These policies express requirements on the confidentiality and integrity of information. The Jif compiler and runtime enforce those policies. This means that if the policies in the code express the right security requirements, and the Jif compiler is correct, then the code is secure w.r.t. the requirements.
Clarkson: Civitas

22. Civitas Security Evaluation
To evaluate the security of Civitas, we analyzed the assumptions that the security proofs make. This is a natural place to focus our attention, because in security, assumptions equate to vulnerabilities.

23. Civitas Trust Assumptions
DDH, RSA, random oracle model.
The adversary cannot masquerade as a voter during registration.
Voters trust their voting client.
At least one of each type of authority is honest.
The channels from the voter to the ballot boxes are anonymous.
Each voter has an untappable channel to a trusted registration teller.
We call these the trust assumptions for Civitas.
Clarkson: Civitas

24. Civitas Trust Assumptions
DDH, RSA, random oracle model.
The adversary cannot masquerade as a voter during registration.
Voters trust their voting client.
At least one of each type of authority is honest.
The channels from the voter to the ballot boxes are anonymous.
Each voter has an untappable channel to a trusted registration teller.
Verifiability and Coercion resistance
Coercion resistance
Clarkson: Civitas

25. Civitas Trust Assumptions
DDH, RSA, random oracle model.
The adversary cannot masquerade as a voter during registration.
Voters trust their voting client.
At least one of each type of authority is honest.
The channels from the voter to the ballot boxes are anonymous.
Each voter has an untappable channel to a trusted registration teller.
VER + CR CR
Clarkson: Civitas

26. Civitas Trust Assumptions
DDH, RSA, random oracle model.
The adversary cannot masquerade as a voter during registration.
Voters trust their voting client.
At least one of each type of authority is honest.
The channels from the voter to the ballot boxes are anonymous.
Each voter has an untappable channel to a trusted registration teller.
VER + CR CR
Clarkson: Civitas

27. Civitas Trust Assumptions
DDH, RSA, random oracle model.
The adversary cannot masquerade as a voter during registration.
Voters trust their voting client.
At least one of each type of authority is honest.
The channels from the voter to the ballot boxes are anonymous.
Each voter has an untappable channel to a trusted registration teller.
VER + CR CR
Clarkson: Civitas

28. Civitas Trust Assumptions
DDH, RSA, random oracle model.
The adversary cannot masquerade as a voter during registration.
Voters trust their voting client.
At least one of each type of authority is honest.
The channels from the voter to the ballot boxes are anonymous.
Each voter has an untappable channel to a trusted registration teller.
VER + CR CR
Clarkson: Civitas

29. Civitas Trust Assumptions
DDH, RSA, random oracle model.
The adversary cannot masquerade as a voter during registration.
Voters trust their voting client.
At least one of each type of authority is honest.
The channels from the voter to the ballot boxes are anonymous.
Each voter has an untappable channel to a trusted registration teller.
VER + CR CR
Clarkson: Civitas

30. Civitas Trust Assumptions
DDH, RSA, random oracle model.
The adversary cannot masquerade as a voter during registration.
Voters trust their voting client.
At least one of each type of authority is honest.
The channels from the voter to the ballot boxes are anonymous.
Each voter has an untappable channel to a trusted registration teller.
VER + CR CR
Clarkson: Civitas

31. Civitas Trust Assumptions
DDH, RSA, random oracle model.
The adversary cannot masquerade as a voter during registration.
Voters trust their voting client.
At least one of each type of authority is honest.
The channels from the voter to the ballot boxes are anonymous.
Each voter has an untappable channel to a trusted registration teller.
VER + CR CR
Clarkson: Civitas

32. Civitas Cost Evaluation
The security of Civitas is not the only thing we analyzed. We also conducted a performance study of Civitas.

33. Real-World Cost Society makes a tradeoff on:
Cost of election, vs.
Security, usability, …
Current total costs are $1-$3 / voter [International Foundation for Election Systems]
We don’t know the total cost for Civitas.
Cost of cryptography?
Society today makes a tradeoff when it comes to the cost of elections. We balance cost with other factors like security and usability.
The International Foundation for Election Systems estimates that the current total cost of an election in a Western democracy is $1-$3 per voter. And we get some level of security for that cost.
I’d like to compare that $1-$3 cost to what the cost of Civitas would be, but I don’t know the total cost of a Civitas election. What I do know is that using Civitas would incur at least one new cost not generally present in real-world elections---the computational cost of performing all the cryptography during tabulation. So using our implementation, we investigated what the tabulation cost of Civitas would be.
Clarkson: Civitas

34. CPU Cost for Tabulation
For reasonable security parameters,
CPU time is 39 sec / voter / authority.
If CPUs are bought, used (for 5 hours), then thrown away:
$1500 / machine ) $12 / voter
If CPUs are rented:
$1 / CPU / hr ) 4¢ / voter
Increased cost…Increased security
But in the real-world, it isn’t just asymptotics that matter. It’s cost. The previous graph’s data reveal that tabulation takes about 39 sec / voter / authority. Suppose that you had to buy all the hardware to tally the selection, use it for 5 hours, then throw it away afterwards. Then at a cost of $1500 per machine (which is what the machines we ran these experiments on cost at the time we ran the experiments), the cost to tabulate the election would be $12 per voter. Or, suppose that you could rent CPU time at a price of one dollar per CPU per hour --- in fact Sun offers just this --- than the cost to tabulate the election would be four cents per voter.
Would society pay this extra cost for more secure elections? I don’t know. As I said before, it’s a tradeoff.
IACR ?
Clarkson: Civitas

35. Conclusion
This brings me almost to the end of my talk, so let me begin to wrap up.

36. Summary Civitas provides security: Civitas provides assurance:
Remote voting
Verifiability
Coercion resistance (strongest?)
Civitas provides assurance:
Security proofs
Explicit trust assumptions
Information-flow analysis of implementation (first?)
I've told you today about Civitas, a secure remote voting system that we implemented.
IACR 
Clarkson: Civitas

37. Technical Issues Web interfaces Testing BFT bulletin board
Threshold cryptography
Anonymous channel integration
IACR 
Clarkson: Civitas

38. Research Issues Distribute trust in voter client
Eliminate in-person registration
Credential management
Application-level DoS
Clarkson: Civitas

39. Web Site Technical report with concrete protocols
Technical report with concrete protocols
Source code of our prototype
If you'd like to learn more about Civitas, you can visit this URL. Our website has a technical report containing a concrete specification of the protocols that Civitas uses, and a prototype implementation that you can download.
Clarkson: Civitas

41. Extra Slides
Clarkson: Civitas

42. Paper What paper does: What paper does next: What paper doesn’t:
Convince voter that his vote was captured correctly
What paper does next:
Gets dropped in a ballot box
Immediately becomes insecure
Chain-of-custody, stuffing, loss, recount attacks…
Hacking paper elections has a long and (in)glorious tradition [Steal this Vote, Andrew Gumbel, 2005]
20% of paper trails are missing or illegible [Michael Shamos, 2008]
What paper doesn’t:
Guarantee that a vote will be counted
Guarantee that a vote will be counted correctly
Clarkson: Civitas

43. Cryptography “The public won’t trust cryptography.”
It already does…
Because experts already do
“I don’t trust cryptography.”
You don’t trust the proofs, or
You reject the hardness assumptions
Clarkson: Civitas

44. Selling Votes Requires selling credential… Which requires:
Adversary tapped the untappable channel, or
Adversary authenticated in place of voter…
Which then requires:
Voter transferred ability to authenticate to adversary; something voter…
Has: too easy
Knows: need incentive not to transfer
Is: hardest to transfer
Clarkson: Civitas

45. Civitas LOC Component Approx. LOC Tabulation teller 5,700
Registration teller
1,300
Bulletin board, ballot box
900
Voter client
800
Other (incl. common code)
4,700
Total Jif LOC
13,400
Low-level crypto and I/O (Java and C)
8,000
Total LOC
21,400
Policy
Distinct annota-tions
Confidentiality 20
Integrity 26
After implementing Civitas, we ended up with the following LOC. About 13,000 are in Jif, which makes this the largest system yet implemented in Jif. About 8000 LOC are Java, with a tiny bit of C, to implement numeric operations for crypto, and to implement low-level I/O.
In the Jif code, there are 20 distinct confidentiality policies, and 26 distinct integrity policies.
Clarkson: Civitas

46. Civitas Policy Examples
Confidentiality:
Information: Voter’s credential share
Policy: “RT permits only this voter to learn this information”
Jif syntax: RT  Voter
Information: Teller’s private key
Policy: “TT permits no one else to learn this information”
Jif syntax: TT  TT
Integrity:
Information: Random nonces used by tellers
Policy: “TT permits only itself to influence this information”
Jif syntax: TT  TT
Let me give you a few examples of how we use Jif policies in Civitas.
As an example of a confidentiality policy, consider a voter’s credential share, stored by a registration teller. That teller should permit only the voter to learn that information. In the code, this requirement is expressed as RT -> voter (though I’m simplifying).
As an example of an integrity policy, consider the ballot design of an election. Suppose there’s an election supervisor whose job it is to specify this. Then the tabulation tellers, who need to check that all the votes conform to this design, would require that only the supervisor can influence the ballot design. In Jif, this is expressed as TT <- Sup
Clarkson: Civitas

47. Civitas Policy Examples
Declassification:
Information: Bits that are committed to then revealed
Policy: “TT permits no one to read this information until all commitments become available, then TT declassifies it to allow everyone to read.”
Jif syntax: TT  [TT commAvail  ]
Erasure:
Information: Voter’s credential shares
Policy: “Voter requires, after all shares are received and full credential is constructed, that shares must be erased.”
Jif syntax: Voter  [Voter credConst T ]
Jif also permits richer kinds of confidentiality requirements to be expressed as policies.
Declassification policies allow information to become more public. For example, bit commitments are used during the tabulation protocols. The bits that are committed to must remain secret until all the tellers have committed, at which point they become public knowledge. We can express this as a declassification policy, though I’ll omit the somewhat complicated Jif syntax.
Erasure policies require information to become more secret; perhaps even erased completely. For example, a voter’s credential shares are only needed to construct the full credential. Once this is done, there is no reason to keep them around. In fact, deleting them improves coercion resistance. This is a policy that can be expressed in Jif, which will at run-time automatically delete the information.
Clarkson: Civitas

48. Registration Trust Assumptions
One way to discharge is with in-person registration
Not an absolute requirement
Though for strong authentication, physical presence (“something you are”) is reasonable
Need not register in-person with all tellers
Works like real-world voting today:
Registration teller trusted to correctly authenticate voter
Issue of credential must happen in trusted “registration booth”
But doesn’t need to happen on special day
Con: System not fully remote
Pro: Credential can be used remotely for many elections
Reusing real-world mechanism, can bootstrap into a system offering stronger security
One way to satisfy both of these assumptions is to use in-person registration. This is not an absolute requirement, though it seems reasonable if you want strong assurance in the authentication of voters. Also, voters need not register in-person with all tellers.
In-person registration would actually be implemented much like real-world voting is today. The registration teller would need to be trusted to correctly authenticate a voter, and thus prevent an adversary from registering on behalf of a voter. The issue of the credential would need to happen in a registration booth, which would offer the same privacy that a voting booth does today. And registration need not happen on the same day for all voters; it could be an ongoing process.
Although this does compromise our goal of a fully remote system, the credential obtained by an in-person registration could be reused to vote remotely in many elections. This reveals something interesting: we can use the same mechanism as in the real world today (in-person authentication + booth) to bootstrap and get a voting system that can offer stronger security than the real world, and even allow remote voting.
Clarkson: Civitas

49. Voting Client Trust Assumption
Civitas voting client is not a DRE:
Voters are not required to trust a single (closed-source) implementation
Civitas allows open-source (re)implementations of the client
Voters can obtain or travel to implementation provided by organization they trust
Discharge? Distribute trust in client.
[Benaloh, Chaum, Joaquim and Ribeiro, Kutyłowski et al., Zúquete et al., …]
This is a rather strong assumption, but I want to point out that it's not the same assumption made in real-world voting systems. In particular, we are not introducing a DRE. (DRE stands for direct recording electronic, typified by touchscreen vote-capture systems.) Unlike with DRE's, voters are not required to trust a single, closed source implementation. Rather, voters can obtain a client from, or travel to a client provided by any organization that they trust.
Ideally, of course, we would instead like to discharge this assumption by refactoring the client into distinct pieces, and distribute trust over those pieces, much as we distributed trust over a set of tellers. And there is ongoing research in this area, which I hope that one day can be integrated into Civitas.
Clarkson: Civitas

50. Blocks Block is a “virtual precinct” Tabulation time is:
Each voter assigned to one block
Each block tallied independently of other blocks, even in parallel
Tabulation time is:
Quadratic in block size
Linear in number of voters
If using one set of machines for many blocks
Or, constant in number of voters
If using one set of machines per block
The benefit of blocks is the tabulation time, while still remaining quadratic in the block size, can now be linear in the number of voters. And that's assuming that we use one set of machines to tabulate the election for all blocks. But suppose we have a set of machines per block: then tabulation time would actually be constant in the number of voters, for a given block size.
Clarkson: Civitas

51. Tabulation Time vs. Anonymity
First, you’ll recall that tabulation time is quadratic in the block size. This graph shows wall clock time to tabulate on the y axis vs. the block size on the x axis. We assume that there are four tabulation tellers. You can see that, for a tabulation time of 1 hour, we can have up to 100 voters in a block. Also, the graph confirms that tabulation is quadratic in the block size.
# voters = K, # tab. tellers = 4, security strength ≥ 112 bits [NIST 2011–2030]
Clarkson: Civitas

52. Tabulation Time vs. # Voters
sequential
parallel
So fixing the block size at 100, Let’s look at how what happens when we vary the number of voters. In this graph, the y-axis is still wall clock time to tabulate the election, and the x-axis is now the number of voters.
A single set of machines is used to tally all the blocks. As you can see, we get exactly the linear performance that we expected. However, given a set of machines per block, Civitas could tally any number of voters in about an hour.
K = 100
Clarkson: Civitas

53. Ranked Voting Methods Voters submit ranking of candidates
e.g., Condorcet, Borda, STV
Help avoid spoiler effects
Defend against strategic voting
“Italian attack”
Civitas implements coercion-resistant Condorcet, approval and plurality voting methods
Could do any summable method
Ranked voting methods allow voters to express more detailed preferences than standard (plurality) voting. Examples include Condorcet, Borda, STV/IRV, etc. These methods are desirable because they can help to eliminate spoiler effects and to defend against strategic voting.
Implementing coercion-resistant ranked voting is tricky, because rankings can be used to signal a voter’s identity. (Italian attack is like the “Netflix attack”---another high dimensional space.)
Civitas implements Condorcet, approval, and plurality voting. And in principle, we could implement any summable voting method (in which a ballot can be decomposed in a particular way). The TR for this paper gives a new construction for coercion-resistant Condorcet, based on homomorphic encryption, that is far more efficient than previous constructions.
Clarkson: Civitas