Presentation is loading. Please wait.

Presentation is loading. Please wait.

On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark.

Published byAubrey Collar Modified over 9 years ago

Similar presentations

Presentation on theme: "On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark."— Presentation transcript:

1 On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark

2 Introduction A comparison of useful information leaked by ballot receipts in three E2E systems: 1)ThreeBallot 2)Prêt à Voter 3)Punchscan Full Disclosure: First and second authors are members of the Punchscan team. Attach due scepticism. On the Security of Ballot Receipts in E2E Voting Systems

3 A ballot receipt should satisfy the following two properties: Privacy Property: The ballot receipt should provide no information that would increase an adversary’s ability to determine how the ballot was cast. Integrity Property: The ballot receipt should provide no information that would increase an adversary’s ability to add, delete, or modify ballots without detection. On the Security of Ballot Receipts in E2E Voting Systems No Information

4 Prêt à Voter On the Security of Ballot Receipts in E2E Voting Systems 1)Chosen: a random permutation. 2)Choose a candidate. Does 1 reveal information about 2?

5 Punchscan 1)Chosen: a random permutation on top sheet. 2)Chosen: a random permutation on bottom sheet. 3)Choose a candidate. Does 1&2 reveal information about 3? On the Security of Ballot Receipts in E2E Voting Systems

6 ThreeBallot 1)Choose a candidate. 2)Choose a marking pattern to vote for that candidate. 3)Choose a ballot to keep as a receipt. Do 2&3 reveal information about 1? On the Security of Ballot Receipts in E2E Voting Systems R. Rivest. Public Domain

7 “No” Information Privacy Property: The ballot receipt should provide no information that would increase an adversary’s ability to determine how the ballot was cast. What does “no information” mean? Insufficient information – receipt cannot be used in any manner to prove with certainty the cast vote of its respective ballot. Negligible information – receipt cannot be used in any manner to guess with better than random probability the cast vote of its respective ballot. On the Security of Ballot Receipts in E2E Voting Systems

8 Attack Game To test for ‘guess with better than random probability’ information, we implement an attack game. Random Voting Oracle – randomly selects a candidate to vote for and produces a ballot receipt based on random choices for each of the dynamic elements of a ballot. On the Security of Ballot Receipts in E2E Voting Systems

9 Prêt à Voter On the Security of Ballot Receipts in E2E Voting Systems 1)Chosen: a random permutation. 2)Choose a candidate. Does 1 reveal information about 2?

10 Punchscan 1)Chosen: a random permutation on top sheet. 2)Chosen: a random permutation on bottom sheet. 3)Choose a candidate. Does 1&2 reveal information about 3? On the Security of Ballot Receipts in E2E Voting Systems

11 ThreeBallot 1)Choose a candidate. 2)Choose a marking pattern to vote for that candidate. 3)Choose a ballot to keep as a receipt. Do 2&3 reveal information about 1? On the Security of Ballot Receipts in E2E Voting Systems R. Rivest. Public Domain

12 Attack Game To test for ‘guess with better than random probability’ information, we implement an attack game. Random Voting Oracle – randomly selects a candidate to vote for and produces a ballot receipt based on random choices for each of the dynamic elements of a ballot. Adversary – guesses which candidate was voted for based on the ballot receipt alone. Assumed to be PPT-bounded. Advantage – if the adversary can guess with better probability than a random choice, this is the adversary’s advantage. On the Security of Ballot Receipts in E2E Voting Systems

13 Attack Game (2) On the Security of Ballot Receipts in E2E Voting Systems

14 Advantage This is the weakest adversary possible. She only has access to the marks themselves. This is necessary but not sufficient for provable security. The way to a provably secure voting system: Psuedorandom Permutations Serial Numbers or Cryptographic Onions Bulletin Board Election Results Other Audit Information On the Security of Ballot Receipts in E2E Voting Systems

15 Prêt à Voter and Punchscan Prêt à VoterPunchscan On the Security of Ballot Receipts in E2E Voting Systems

16 ThreeBallot On the Security of Ballot Receipts in E2E Voting Systems

17 ThreeBallot (2) On the Security of Ballot Receipts in E2E Voting Systems

18

19 Advantage On the Security of Ballot Receipts in E2E Voting Systems

20 Advantage (2) On the Security of Ballot Receipts in E2E Voting Systems

21 Integrity Integrity Property: The ballot receipt should provide no information that would increase an adversary’s ability to add, delete, or modify ballots without detection. Cost-Benefit Analysis: The probability of getting caught tampering with election results can be thought of as a cost to the adversary. What tampering with an election achieves can be thought of as a benefit. On the Security of Ballot Receipts in E2E Voting Systems

22 Cost In ThreeBallot, each receipt has a serial number. If the adversary sees a receipt or copy of one, she will not modify the corresponding ballot on the bulletin board when choosing a ballot to tamper with. This decreases her probability of getting caught, thus receipts leak partial information useful to the attacker. If the adversary she’s all the receipts, her probability of getting caught is zero. ThreeBallot’s integrity checking is an improper cut-and-choose protocol. This problem does not arise in Prêt à Voter or Punchscan because all the inputs to the tallying function are receipts. On the Security of Ballot Receipts in E2E Voting Systems

23 Benefit In Prêt à Voter and Punchscan, the best an adversary can hope to achieve is apply a random mapping between which candidate was voted for and which candidate gets the vote. In ThreeBallot, an adversary can explicitly take a vote away from one candidate and give it to another candidate. So ThreeBallot has both a lower cost and a greater benefit to an adversary mounting an integrity attack. In the special case, where the adversary sees every receipt, the cost is zero. On the Security of Ballot Receipts in E2E Voting Systems

24 Conclusions Privacy Property: The ballot receipt should provide no information that would increase an adversary’s ability to determine how the ballot was cast. Integrity Property: The ballot receipt should provide no information that would increase an adversary’s ability to add, delete, or modify ballots without detection. ThreeBallot receipts fail to meet both criterion. On the Security of Ballot Receipts in E2E Voting Systems

25 Future Work The way to a provably secure voting system: Marks Only Psuedorandom Permutations Serial Numbers or Cryptographic Onions Bulletin Board Election Results Other Audit Information On the Security of Ballot Receipts in E2E Voting Systems

26 Future Work The way to a provably secure voting system: Marks Only Psuedorandom Permutations Serial Numbers or Cryptographic Onions Bulletin Board Election Results Other Audit Information On the Security of Ballot Receipts in E2E Voting Systems Punchscan

27 Future Work The way to a provably secure voting system: Marks Only Psuedorandom Permutations Serial Numbers or Cryptographic Onions Bulletin Board Election Results Other Audit Information On the Security of Ballot Receipts in E2E Voting Systems Prêt à Voter, Punchscan, & ThreeBallot

28 Future Work The way to a provably secure voting system: Marks Only Psuedorandom Permutations Serial Numbers or Cryptographic Onions Bulletin Board Election Results Other Audit Information Combine partial information from ballot receipts to the Strauss attack on ThreeBallot. Also loosen the Strauss attack to be probabilistic. On the Security of Ballot Receipts in E2E Voting Systems Prêt à Voter, Punchscan, & ThreeBallot

29 Future Work The way to a provably secure voting system: Marks Only Psuedorandom Permutations Serial Numbers or Cryptographic Onions Bulletin Board Election Results Other Audit Information On the Security of Ballot Receipts in E2E Voting Systems Prêt à Voter, Punchscan, & ThreeBallot

30 Future Work The way to a provably secure voting system: Marks Only Psuedorandom Permutations Serial Numbers or Cryptographic Onions Bulletin Board Election Results Other Audit Information On the Security of Ballot Receipts in E2E Voting Systems Prêt à Voter & Punchscan

31 Questions? On the Security of Ballot Receipts in E2E Voting Systems

Download ppt "On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark."

Similar presentations

Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.

Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.
Analysis of an Internet Voting Protocol Dale Neal Garrett Smith.

Analysis of an Internet Voting Protocol Dale Neal Garrett Smith.
Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.

Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.
Electronic Voting Systems

Electronic Voting Systems
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Pretty Good Democracy James Heather, University of Surrey

Pretty Good Democracy James Heather, University of Surrey
SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.

Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.
1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal.

1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal.
Electronic Voting Ronald L. Rivest MIT CSAIL Norway June 14, 2004.

Electronic Voting Ronald L. Rivest MIT CSAIL Norway June 14, 2004.
Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
A Pairing-Based Blind Signature

A Pairing-Based Blind Signature
ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.

ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.
A technical analysis of the VVSG 2007 Stefan Popoveniuc George Washington University The PunchScan Project.

A technical analysis of the VVSG 2007 Stefan Popoveniuc George Washington University The PunchScan Project.
Lesson 7: The Voting Process. Opening Discussion Have you ever voted for something before? How was the winner decided? Did you think the process was fair?

Lesson 7: The Voting Process. Opening Discussion Have you ever voted for something before? How was the winner decided? Did you think the process was fair?

Similar presentations

Ads by Google