Download presentation
Presentation is loading. Please wait.
Published byGina Sears Modified over 9 years ago
1
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard) and Andrew Myers (Cornell)
2
2 SECURITYTRANSPARENCY
3
3 PRIVACYVERIFIABILITY
4
Remote 4 PRIVACYVERIFIABILITY (including Internet)
5
Mutual Distrust 5 KEY PRINCIPLE:
6
VERIFIABILITY 6 Universal verifiability Voter verifiability Eligibility verifiability UV: [Sako and Killian 1994, 1995] EV & VV: [Kremer, Ryan & Smyth 2010]
7
PRIVACY 7 Coercion resistance better than receipt freeness or simple anonymity RF: [Benaloh 1994] CR: [Juels, Catalano & Jakobsson 2005]
8
ROBUSTNESS 8 Tally availability
9
Security Properties Original system: Universal verifiability Eligibility verifiability Coercion resistance Ongoing projects: Voter verifiability Tally availability 9 …under various assumptions
10
10 JCJ Voting Scheme [Juels, Catalano & Jakobsson 2005] Proved universal verifiability and coercion resistance Civitas extends JCJ
11
11 Civitas Architecture bulletin board voter client tabulation teller registration teller ballot box
12
12 Registration voter client registration teller Voter retrieves credential share from each registration teller; combines to form credential
13
Credentials Verifiable Unsalable Unforgeable Anonymous 13
14
14 Voting voter client ballot box Voter submits copy of encrypted choice and credential to each ballot box
15
Resisting Coercion: Fake Credentials 15
16
16 Resisting Coercion If the coercer demands that the voter… Then the voter… Submits a particular voteDoes so with a fake credential. Sells or surrenders a credential Supplies a fake credential. AbstainsSupplies a fake credential to the adversary and votes with a real one.
17
17 Tabulation bulletin board tabulation teller ballot box Tellers retrieve votes from ballot boxes
18
18 Tabulation bulletin board tabulation teller Tabulation tellers anonymize votes; eliminate unauthorized (and fake) credentials; decrypt remaining choices.
19
19 Auditing bulletin board Anyone can verify proofs that tabulation is correct ballot box
20
20 Civitas Architecture bulletin board voter client tabulation teller registration teller ballot box Universal verifiability: Tellers post proofs during tabulation Coercion resistance: Voters can undetectably fake credentials S ECURITY P ROOFS
21
21 Protocols –El Gamal; distributed [Brandt]; non-malleable [Schnorr and Jakobsson] –Proof of knowledge of discrete log [Schnorr] –Proof of equality of discrete logarithms [Chaum & Pederson] –Authentication and key establishment [Needham-Schroeder- Lowe] –Designated-verifier reencryption proof [Hirt & Sako] –1-out-of-L reencryption proof [Hirt & Sako] –Signature of knowledge of discrete logarithms [Camenisch & Stadler] –Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest] –Plaintext equivalence test [Jakobsson & Juels] Implementation: 21k LoC
22
Trust Assumptions 22
23
23 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller.
24
24 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. Universal verifiability Coercion resistance Coercion resistance
25
25 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR
26
26 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR
27
27 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR
28
Registration 28 In person. In advance. Con:System not fully remote Pro:Credential can be used in many elections
29
29 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR
30
Eliminating Trust in Voter Client 30 UV: Use challenges (like Helios) CR: Open problem
31
31 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR
32
32 Trust Assumptions` 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR
33
33 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR
34
Untappable Channel 34 Minimal known assumption for receipt freeness and coercion resistance Eliminate? Open problem. (Eliminate trusted registration teller? Also open.)
35
35 Trust Assumptions 1. “Cryptography works.” 2. The adversary cannot masquerade as a voter during registration. 3. Voters trust their voting client. 4. At least one of each type of authority is honest. 5. The channels from the voter to the ballot boxes are anonymous. 6. Each voter has an untappable channel to a trusted registration teller. UV + CR CR
36
Trusted procedures? 36
37
Time to Tally 37
38
38 Tabulation Time # voters in precinct = K, # tab. tellers = 4, security strength ≥ 112 bits [NIST 2011–2030]
39
39 Summary Can achieve strong security and transparency: –Remote voting –Universal (voter, eligibility) verifiability –Coercion resistance Security is not free: –Stronger registration (untappable channel) –Cryptography (computationally expensive)
40
Assurance 40 Security proofs (JCJ) Secure implementation (Jif)
41
Ranked Voting 41
42
42 Open Problems Coercion-resistant voter client? Eliminate untappable channel in registration? Credential management? Application-level denial of service?
43
http://www.cs.cornell.edu/projects/civit as (google “civitas voting”)
44
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard) and Andrew Myers (Cornell)
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.