Embed Size (px)
Citation preview
CivitasCivitasA Secure Remote Voting SystemA Secure Remote Voting System
Michael Clarkson, Stephen Chong, Andrew MyersCornell University
Dagstuhl Seminaron Frontiers of Electronic Voting
July 31, 2007
Clarkson: CIVS 2
GoalsGoals
Practicalperformance
Strong,provablesecurity
Remotevoting
Civitas (name was originally CIVS)
Clarkson: CIVS 3
TerminologyTerminology
• Voting system: (software) implementation
• Voting scheme: cryptographic construction
• Voting method: algorithm for choosing between candidates
Clarkson: CIVS 4
Security of CivitasSecurity of Civitas
• Satisfies strong security properties– Coercion-resistant– Universally verifiable
• Against a powerful adversary• With distributed trust in authorities
– Election authority: An agent providing some component of the election system
– Three different types: registration teller, ballot box, tabulation teller
• Using principled techniques– Cryptographic security proofs (by us and others)– Language-based security: Jif (Java + Information
Flow)
Clarkson: CIVS 5
Remote Voting with CivitasRemote Voting with Civitas
• No supervision of voting or voters• The right problem to solve:
– More general problem than supervised voting
– Internet voting (Debian, ACM, SERVE)– Absentee ballots
Clarkson: CIVS 6
Practicality of CivitasPracticality of Civitas
• Implementation– 22,000 LOC in Jif, Java, and C
• Performance study– Election tallied in 35 sec / voter /
authority– Cost is about 4¢ / voter– Cf. current election costs of $1-$3 / voter
[International Foundation for Election Systems]
Clarkson: CIVS 7
Civitas: OutlineCivitas: Outline
• Security requirements• Design
– Based on scheme due to Juels, Catalano, and Jakobsson (JCJ) [WPES ’05]
– We added:• Distributed registration• Lightweight ballot box• Blocking
– But this talk is not about mechanisms• Security evaluation• Performance study
Clarkson: CIVS 8
Confidentiality (Privacy)Confidentiality (Privacy)
• No adversary can learn any more about votes than is revealed by the final tally– Anonymity: hide map from voter to vote– Receipt-freeness: prohibit proof of vote– Coercion-resistance: adaptive
• Including forced abstention or randomization
[JCJ; Delaune, Kremer, and Ryan ‘06]
Voters cannot prove whether or how they voted, even if they can interact with the
adversary while voting.
Stronger
Clarkson: CIVS 9
Integrity (Correctness)Integrity (Correctness)
• Universal verifiability:
• Including:– The votes they cast are included– Only authorized votes are counted– No votes are changed during tallying
[JCJ, Sako and Killian ’95]
All voters can verify that the final tally is correct
Clarkson: CIVS 10
AvailabilityAvailability
• Unavailability of votes can compromise integrity– Missing votes not universally detectable– So need to guarantee availability of votes
• Otherwise, availability not guaranteed– Software systems implementing authorities– Results of election
• Orthogonal extensions possible– Byzantine fault tolerance– Threshold cryptography
Clarkson: CIVS 11
AdversaryAdversary
• May corrupt all but one of each type of election authority
• May coerce voters, demanding any secrets or behavior, remotely or physically
• May control network• May perform any polynomial time
computation
[JCJ]
Clarkson: CIVS 12
Civitas ArchitectureCivitas Architecture
JCJ scheme
bulletinboard
voterclient
tabulation teller
tabulation teller
tabulation teller
registrar
Clarkson: CIVS 13
Civitas ArchitectureCivitas Architecture
Civitas scheme
bulletinboard
voterclient
registration teller
tabulation teller
tabulation teller
tabulation teller
registration teller
registration teller
Clarkson: CIVS 14
Civitas ArchitectureCivitas Architecture
bulletinboard
voterclient
registration teller
tabulation teller
tabulation teller
tabulation teller
Civitas scheme
registration teller
registration teller
ballot boxballot boxballot box
What makes this secure? Why do we believe it is?
Clarkson: CIVS 15
Security EvaluationSecurity Evaluation
• Cryptographic reduction proof by JCJ– Voting scheme provably achieves coercion
resistance and universal verifiability– We extended that proof for our distributed
registration construction– And we instantiated various oracles, ZK
proofs
• Gain insight by reviewing election process and assumptions used in proofs
Clarkson: CIVS 16
CryptographyCryptography
Assumption 1. DDH, RSA, random oracle model.
bulletinboard
voterclient
registration teller
tabulation teller
tabulation teller
tabulation teller
registration teller
registration teller
ballot boxballot boxballot box
Clarkson: CIVS 17
RegistrationRegistration
voterclient
registration teller
registration teller
registration teller
Assumption 2. The adversary cannot masquerade as voter during registration.
bulletinboard
tabulation teller
tabulation teller
tabulation teller
ballot boxballot boxballot box
Implement with: strong authentication, non-transferable secrets.
obtain credential
Clarkson: CIVS 18
RegistrationRegistration
voterclient
registration teller
registration teller
registration teller
Assumption 3. Each voter trusts at least oneregistration teller and has untappable channel to that teller.
bulletinboard
tabulation teller
tabulation teller
tabulation teller
ballot boxballot boxballot box
Why: weakest known assumption for coercion resistanceImplement with: advance, in person registration; information-theoretic encryption
obtain credential
Clarkson: CIVS 19
VotingVoting
voterclient
ballot boxballot boxballot box
Assumption 4. Voters trust their voting client.
bulletinboard
tabulation teller
tabulation teller
tabulation teller
registration teller
registration teller
registration teller
Reasonable: voter can choose client
Clarkson: CIVS 20
VotingVoting
voterclient
ballot boxballot boxballot box
Assumption 5. The channels from the voter tothe ballot boxes are anonymous.
bulletinboard
tabulation teller
tabulation teller
tabulation teller
registration teller
registration teller
registration teller
Why: otherwise coercion resistance trivially violated.
submit vote
Clarkson: CIVS 21
VotingVoting
voterclient
ballot boxballot boxballot box
Assumption 6. Each voter trusts at least oneballot box to make vote available for tallying.
bulletinboard
tabulation teller
tabulation teller
tabulation teller
registration teller
registration teller
registration teller
Why: expensive fault tolerance not required.
submit vote
Clarkson: CIVS 22
TabulationTabulation
bulletinboard
voterclient
registration teller
tabulation teller
tabulation teller
tabulation teller
registration teller
registration teller
ballot boxballot boxballot box
Assumption 7. At least one tabulation teller is honest.
Why: keeps tellers from decrypting votes too earlyor cheating throughout tabulation.
retrieve votes
anonymize and authenticate votes
audit
Clarkson: CIVS 23
ImplementationImplementation
• Civitas implemented in Jif [Myers ’99, Chong and Myers ’04 ‘05]– Security-typed language– Static-type checking and dynamic
enforcement of information-flow policies
• Yields assurance– Code is correct with respect to policies– Policies can be audited and certified
Clarkson: CIVS 24
ProtocolsProtocols
• Proof of knowledge of discrete log [Schnorr]• Proof of equality of discrete logarithms
[Chaum & Pederson]• Designated-verifier reencryption proof [Hirt
& Sako]• 1-out-of-L reencryption proof [Hirt & Sako]• Signature of knowledge of discrete
logarithms [Camenisch & Stadler]• Reencryption mix network with randomized
partial checking [Jakobsson, Juels & Rivest]• Plaintext equivalence test [Jakobsson &
Juels]
Clarkson: CIVS 25
ProtocolsProtocols
• Proof of knowledge of discrete log [Schnorr]• Proof of equality of discrete logarithms
[Chaum & Pederson]• Designated-verifier reencryption proof [Hirt
& Sako]• 1-out-of-L reencryption proof [Hirt & Sako]• Signature of knowledge of discrete
logarithms [Camenisch & Stadler]• Reencryption mix network with randomized
partial checking [Jakobsson, Juels & Rivest]• Plaintext equivalence test [Jakobsson &
Juels]
Quadratic in # voters and votes
Clarkson: CIVS 26
BlockingBlocking
• Assign voters into blocks– Block is a “virtual precinct”– Anonymity guaranteed within a block– Each block tallied independently of other
blocks, even in parallel
• Implementation– Protocols extended to include blocks– Registrar implements policy on assignment
• Best policy might be uniform random
– Reasonable block size? We use 100.
• Tabulation time is:– Quadratic in block size (thus anonymity)– Linear in number of voters
Clarkson: CIVS 27
Performance StudyPerformance Study
• Experimental design– Emulab: 3 GHz CPUs for tab. tellers– Keys: 1024 ElGamal, 2048 RSA, 256 AES– Experiments repeated three times,
sample mean reported, stdev < 2%
• Parameters:– V: number of voters– A: number of authorities of each type– K: minimum number of voters in a block
Clarkson: CIVS 28
Tabulation Time vs. # VotersTabulation Time vs. # Voters
(K = 100, A = 4)
35 sec / voter / authority$1/CPU/hr = 4¢/voter
sequential
parallelUse once then throw away:$1500/machine = $12/voter
Clarkson: CIVS 29
Tabulation Time vs. AnonymityTabulation Time vs. Anonymity
(V = K, A = 4)
Clarkson: CIVS 30
Tabulation Time vs. # Tabulation Time vs. # AuthoritiesAuthorities
(K = V = 100)
Clarkson: CIVS 31
Extension: Ranked VotingExtension: Ranked Voting
• Voters submit (partial) order on candidates– E.g. Condorcet, Borda, STV
• Civitas implements coercion-resistant Condorcet– Tricky because rankings can be used to
signal identity (“Italian attack”)– Use ballot decomposition from FEE’05
• Civitas also implements approval and FPTP ballots
Clarkson: CIVS 32
Related WorkRelated Work
• Voting schemes […]• Implemented (academic) voting systems:
– Sensus [Cranor and Cytron]– EVOX [Herschberg, DuRette]– REVS [Joaquim, Zúquette, Ferreira; Lebre]– ElectMe [Shubina and Smith]– Adder [Kiayias, Korman, Walluck]
• VoComp:– Prêt à Voter [Schneider, Heather, et al.; Ryan;
Chaum]– Prime III [Gilbert, Cross, et al.]– Punchscan [Stanton, Essex, Popoveniuc, et al.;
Chaum]– Voting Ducks [Kutyłowski, Zagórski, et al.]
Clarkson: CIVS 33
SummarySummary
• Civitas is a secure, practical, remote voting system
• Security:– Based on JCJ proof– Assumptions– Implementation in Jif
• Performance:– Linear (or constant) in number of voters,
quadratic in anonymity– As low as 4¢ per voter
Clarkson: CIVS 34
Future WorkFuture Work
• Improve performance/anonymity trade-off
• Construct untappable channel• Security proof for composition
– UC definitions and constructions?
• Distribute trust in voter client• Implement high availability
Clarkson: CIVS 35
ResourcesResources
• Technical report with concrete protocolshttp://www.cs.cornell.edu/people/clarkson/papers/clarkson_civs_tr.pdf
• Source code to be released
CivitasCivitasA Secure Remote Voting SystemA Secure Remote Voting System
Michael Clarkson, Stephen Chong, Andrew MyersCornell University
Dagstuhl Seminaron Frontiers of Electronic Voting
July 31, 2007
Clarkson: CIVS 37
Extra SlidesExtra Slides
Clarkson: CIVS 38
Registration and Voting TimesRegistration and Voting Times
• For A=4, total voter time to register and vote is 1.5sec– 350ms for voter to retrieve credential
from registration teller– 230ms CPU time for registration teller to
retrieve a voter’s credential– 25ms for voter to submit vote to ballot
box
• Registration teller throughput > 15,000 voters / hr
Clarkson: CIVS 39
Tab. Time vs. % ChaffTab. Time vs. % Chaff
(K = V = 100, A = 4)
Clarkson: CIVS 40
% CPU Util. vs. # Voters% CPU Util. vs. # Voters
(K = 100, A = 4)
Clarkson: CIVS 41
Attacks: Voter ClientAttacks: Voter Client
• Unlike DRE systems, voter can choose supplier of client (hardware and software)– Transfer trust to an organization they
trust
• Publicly available protocols and implementation
Clarkson: CIVS 42
Attacks: RegistrationAttacks: Registration
• Strong authentication to prevent adversary from masquerading as voter
• Registration by mail or in person
Clarkson: CIVS 43
Attacks: NetworkAttacks: Network
• Tappable channel exploitable only if adversary:– Compromises network and – Induces voter to use compromised client
during registration
• Valid registration clients can erase credential shares
Clarkson: CIVS 44
Attacks: AvailabilityAttacks: Availability
• BFT, threshold cryptography• Rate-limiting and puzzles to mitigate
application-level DOS– But PETs still a fundamental problem
Clarkson: CIVS 45
Attacks: AuthoritiesAttacks: Authorities
• Corrupt registration teller– Need third-party intervention
• Failed bulletin board– Integrity guaranteed, not availability
• Corrupt registrar or supervisor– Must verify against external policy
(electoral roll, ballot design, etc.)
![Civitas: Toward a Secure Voting System - [email protected]: Home](https://img.pdfslide.us/doc/110x75/61fb54472e268c58cd5ce1a9/civitas-toward-a-secure-voting-system-emailprotected-home.jpg)
