Embed Size (px)
DESCRIPTION
EVT/WOTE 2009 Presentation
Citation preview
Efficient Receipt-Free Ballot Casting
Resistant to Covert Channels
Ben AdidaC. Andrew Neff
EVT / WOTEAugust 11th, 2009Montreal, Canada
Andy uses a voting machine to prepare a ballot.
Andy wants to verify thatthe machine properly encrypted the ballot.
2
Neff ’s MarkPledgeand Moran-Naor.
Two Problems.1) 2 ciphertexts per challenge bit (40-50)2) machine can use ballot to leak plaintext.
3
MarkPledge2
efficient ballot encoding:2 ciphertexts for any challenge length
covert-channel resistance:no leakage via the ballot.
voting machine is significantly simplified.➡ simpler voting machine = less chance of errors.
4
Voter Experience
5
Voter Experience
5
Voter
Check-in
Andy _________
Ben _________
Voter Experience
5
Voter
Check-in
Andy _________
Ben _________
VHTI
Voter Experience
5
Hillary Barack
John
Bill
Voter
Check-in
Andy _________
Ben _________
VHTI
Voter Experience
5
Hillary Barack
John
Bill
Voter
Check-in
Andy _________
Ben _________
VHTI
Voter Experience
5
Hillary Barack
John
Bill
Barack
8DX5
Voter
Check-in
Andy _________
Ben _________
VHTI
Challenge?
Voter Experience
5
Hillary Barack
John
Bill
Barack
8DX5
Voter
Check-in
Andy _________
Ben _________
VHTI
Challenge?
Voter Experience
5
Hillary Barack
John
Bill
Barack
8DX5 VHTI
Voter
Check-in
Andy _________
Ben _________
VHTI
Challenge?
Voter Experience
5
Hillary Barack
John
Bill
Barack
8DX5
Receipt
Hillary
Barack
John
Bill
MCN3
8DX5
I341
LQ21
Challenge
VHTI
VHTI
Voter
Check-in
Andy _________
Ben _________
VHTI
Challenge?
Voter Experience
5
Hillary Barack
John
Bill
Barack
8DX5
Receipt
Hillary
Barack
John
Bill
MCN3
8DX5
I341
LQ21
Challenge
VHTI
VHTI
Voter
Check-in
Andy _________
Ben _________
VHTI
Challenge?
Voter Experience
5
Hillary Barack
John
Bill
Barack
8DX5
Receipt
Hillary
Barack
John
Bill
MCN3
8DX5
I341
LQ21
Challenge
VHTI
VHTI
Voter
Check-in
Andy _________
Ben _________
VHTI
Special Bit Encryption
6
Hillary Barack
John
Bill
1
0
0
0
Encrypt a 0 or 1for each candidate
Special proof protocol➡ for bit b=1➡ meaningful short strings
as part of the commitment ➡ short challenge strings
for real and simulated proofs
Special Bit Encryption
6
Hillary Barack
John
Bill
1
0
0
0
Encrypt a 0 or 1for each candidate
Special proof protocol➡ for bit b=1➡ meaningful short strings
as part of the commitment ➡ short challenge strings
for real and simulated proofs
<ciphertexts>, "8DX5"
Special Bit Encryption
6
Hillary Barack
John
Bill
1
0
0
0
Encrypt a 0 or 1for each candidate
Special proof protocol➡ for bit b=1➡ meaningful short strings
as part of the commitment ➡ short challenge strings
for real and simulated proofs
<ciphertexts>, "8DX5"
"VHTI"
Special Bit Encryption
6
Hillary Barack
John
Bill
1
0
0
0
Encrypt a 0 or 1for each candidate
Special proof protocol➡ for bit b=1➡ meaningful short strings
as part of the commitment ➡ short challenge strings
for real and simulated proofs
<ciphertexts>, "8DX5"
"VHTI"
reveal enc factors
Voter Experience (II)
7
Hillary Barack
John
Bill
1
0
0
0
Voter Experience (II)
7
Hillary Barack
John
Bill
1
0
0
0
<ciphertexts>, "8DX5"
<ciphertexts>, !!!!!!!!!!
<ciphertexts>, !!!!!!!!!!
<ciphertexts>, !!!!!!!!!!
Voter Experience (II)
7
Hillary Barack
John
Bill
1
0
0
0
"VHTI"
"VHTI"
"VHTI"
"VHTI"
<ciphertexts>, "8DX5"
<ciphertexts>, !!!!!!!!!!
<ciphertexts>, !!!!!!!!!!
<ciphertexts>, !!!!!!!!!!
<ciphertexts>, "MCN3"
<ciphertexts>, "I341"
<ciphertexts>, "LQ21"
Voter Experience (II)
7
Hillary Barack
John
Bill
1
0
0
0
"VHTI"
"VHTI"
"VHTI"
"VHTI"
<ciphertexts>, "8DX5"
<ciphertexts>, "MCN3"
<ciphertexts>, "I341"
<ciphertexts>, "LQ21"
Voter Experience (II)
7
Hillary Barack
John
Bill
1
0
0
0
"VHTI"
"VHTI"
"VHTI"
"VHTI"
reveal enc factors
reveal enc factors
reveal enc factors
reveal enc factors
<ciphertexts>, "8DX5"
<ciphertexts>, "MCN3"
<ciphertexts>, "I341"
<ciphertexts>, "LQ21"
Voter Experience (II)
7
Hillary Barack
John
Bill
1
0
0
0
"VHTI"
"VHTI"
"VHTI"
"VHTI"
reveal enc factors
reveal enc factors
reveal enc factors
reveal enc factors
MCN3
8DX5
I341
LQ21
<ciphertexts>, "8DX5"
MarkPledge & Moran-Naor
8
BitEnc(1) 0 0 1 1 0 0...
Pledge 0 1 0...
unique
BitEnc(0)that fits the
challenge
11 0 0 1 0...
Challenge 1 1 0...
00 0 1 1 0...Reveal
Markpledge 2
9
different bit encryption
➡ isomorphic to ➡ operation is rotation (matrix mult.)
Designate 1-, 0-, and T-vectors➡ any pair of a 1-vector and 0-vector
bisected by a test vector➡ dot-product with test vector.
SO(2, q)
(!,") ! Z2q , with !2 + "2 = 1
Same pattern emerges
10
BitEnc(1) 0 0 1 1 0 0...
Pledge 0 1 0...
unique
BitEnc(0)that fits the
challenge
11 0 0 1 0...
Challenge 1 1 0...
00 0 1 1 0...Reveal
xi yi
i
xC,yC
xCxi + yCyi
xi,yi
chalm0,i
MarkPledge MarkPledge2
Covert Channel
Raised by Karloff, Sastry & Wagner
If the voting machine chooses therandom factor, it can embed info
Can we make the voting machinefully deterministic given a voter IDand a selection in a given race?
11
Covert Channel
Pre-generate ciphertexts with trustees
Rotate them on voter selection
12
001 0
000 1
0
0
100 0 0
000 1 0
2, r'1
1, r'2
4, r'3Voting Machine
Trustee #1
Trustee #2
Trustee #3
7 = 2 mod 5
r'1 + r'2 + r'3
Ballot #42
Bulletin Board
000 1 0
Ballot #42
Ballot #42
Why is this receipt-free?
What can the coercer ask the voterto do that affects the ballot / receipt?
Only the challenge, which is selectedbefore the voter enters the booth.
All proofs will look the same,whether real or simulated.
13
Questions?
14
