Title: Civitas
1Civitas
IACR Board Meeting / CRYPTO August 19, 2008
Coin (ca. 63 B.C.) commemorating introduction of
secret ballot in 137 B.C.
2Civitas
- Features
- Designed for remote voting, coercion resistance,
verifiability - Supports plurality, approval, Condorcet methods
- Status
- Paper in Oakland 2008
- Publicly available 21,000 LOC (Jif, Java, and
C) - Prototype
- Suitable for IACR?
3Civitas Security Requirements
4Security Model
- No trusted supervision of polling places
- Including voters, procedures, hardware, software
- Voting could take place anywhere
- Remote voting
- Generalization of Internet voting and postal
voting - Interesting problem to solve!
IACR ?
5Adversary
- Always
- May perform any polynomial time computation
- May corrupt all but one of each type of election
authority - Distributed trust
- Almost always
- May control network
- May coerce voters, demanding secrets or behavior,
remotely or physically - Security properties
- Confidentiality, integrity, availability
6Integrity
- Verifiability
- Including
- Voter verifiability Voters can check that their
own vote is included - Universal verifiability Anyone can check that
only authorized votes are counted, no votes are
changed during tallying Sako and Killian 1995
The final tally is correct and verifiable.
IACR ?
7Confidentiality
- Voter coercion
- Employer, spouse, etc.
- Coercer can demand any behavior (vote buying)
- Coercer can observe and interact with voter
during remote voting - Must prevent coercers from trusting their own
observations
8Confidentiality
-
- gt receipt-freeness gt anonymity
- Hierarchy Delaune, Kremer, and Ryan, CSFW
2006
Coercion resistance
The adversary cannot learn how voters vote, even
if voters collude and interact with the adversary.
too weak for remote voting
IACR ?
9Availability
- We assume that this holds
- To guarantee, would need to make system
components highly available
Tally availability
The final tally of the election is produced.
IACR ?
10Civitas Design and Implementation
11JCJ Scheme
- Juels, Catalano, and Jakobsson, WPES 2005
- Formally defined coercion resistance and
verifiability - Constructed voting scheme
- Proved scheme satisfies coercion resistance and
verifiability - Backes, Hritcu, and Maffei, CSF 2008
- Verified simplification in ProVerif
12Civitas Architecture
registration teller
registration teller
registration teller
tabulation teller
bulletinboard
ballot box
tabulation teller
ballot box
ballot box
voterclient
tabulation teller
13Registration
registration teller
registration teller
registration teller
voterclient
Voter retrieves credential share from each
registration tellercombines to form credential
14Voting
ballot box
ballot box
ballot box
voterclient
Voter submits copy of encrypted choice and
credential ( ZK proofs) to each ballot box
15Resisting Coercion
- Voters invent fake credentials
- To adversary, fake ? real
- Votes with fake credentials removed during
tabulation
16Resisting Coercion
17Tabulation
tabulation teller
bulletinboard
ballot box
tabulation teller
ballot box
ballot box
tabulation teller
Tellers retrieve votes from ballot boxes
18Tabulation
tabulation teller
bulletinboard
tabulation teller
tabulation teller
Tabulation tellers anonymize votes with mix
networkeliminate unauthorized
credentials decrypt remaining choices post ZK
proofs
19Civitas Architecture
registration teller
registration teller
registration teller
tabulation teller
bulletinboard
ballot box
tabulation teller
ballot box
ballot box
voterclient
tabulation teller
20Protocols
- Leverage the literature
- El Gamal distributed Brandt non-malleable
Schnorr and Jakobsson - Proof of knowledge of discrete log Schnorr
- Proof of equality of discrete logarithms Chaum
Pederson - Authentication and key establishment
Needham-Schroeder-Lowe - Designated-verifier reencryption proof Hirt
Sako - 1-out-of-L reencryption proof Hirt Sako
- Signature of knowledge of discrete logarithms
Camenisch Stadler - Reencryption mix network with randomized partial
checking Jakobsson, Juels Rivest - Plaintext equivalence test Jakobsson Juels
21Secure Implementation
- In Jif Myers 1999, Chong and Myers 2005, 2008
- Security-typed language
- Types contain information-flow policies
- Confidentiality, integrity, declassification,
erasure - If policies in code express correct requirements
- (And Jif compiler is correct)
- Then code is secure w.r.t. requirements
22CivitasSecurity Evaluation
23Civitas Trust Assumptions
- DDH, RSA, random oracle model.
- The adversary cannot masquerade as a voter during
registration. - Voters trust their voting client.
- At least one of each type of authority is
honest. - The channels from the voter to the ballot boxes
are anonymous. - Each voter has an untappable channel to a trusted
registration teller.
24Civitas Trust Assumptions
- DDH, RSA, random oracle model.
- The adversary cannot masquerade as a voter during
registration. - Voters trust their voting client.
- At least one of each type of authority is
honest. - The channels from the voter to the ballot boxes
are anonymous. - Each voter has an untappable channel to a trusted
registration teller.
Verifiability andCoercion resistance
Coercion resistance
25Civitas Trust Assumptions
- DDH, RSA, random oracle model.
- The adversary cannot masquerade as a voter during
registration. - Voters trust their voting client.
- At least one of each type of authority is
honest. - The channels from the voter to the ballot boxes
are anonymous. - Each voter has an untappable channel to a trusted
registration teller.
VER CR
CR
26Civitas Trust Assumptions
- DDH, RSA, random oracle model.
- The adversary cannot masquerade as a voter during
registration. - Voters trust their voting client.
- At least one of each type of authority is
honest. - The channels from the voter to the ballot boxes
are anonymous. - Each voter has an untappable channel to a trusted
registration teller.
VER CR
CR
27Civitas Trust Assumptions
- DDH, RSA, random oracle model.
- The adversary cannot masquerade as a voter during
registration. - Voters trust their voting client.
- At least one of each type of authority is
honest. - The channels from the voter to the ballot boxes
are anonymous. - Each voter has an untappable channel to a trusted
registration teller.
VER CR
CR
28Civitas Trust Assumptions
- DDH, RSA, random oracle model.
- The adversary cannot masquerade as a voter during
registration. - Voters trust their voting client.
- At least one of each type of authority is
honest. - The channels from the voter to the ballot boxes
are anonymous. - Each voter has an untappable channel to a trusted
registration teller.
VER CR
CR
29Civitas Trust Assumptions
- DDH, RSA, random oracle model.
- The adversary cannot masquerade as a voter during
registration. - Voters trust their voting client.
- At least one of each type of authority is
honest. - The channels from the voter to the ballot boxes
are anonymous. - Each voter has an untappable channel to a trusted
registration teller.
VER CR
CR
30Civitas Trust Assumptions
- DDH, RSA, random oracle model.
- The adversary cannot masquerade as a voter during
registration. - Voters trust their voting client.
- At least one of each type of authority is
honest. - The channels from the voter to the ballot boxes
are anonymous. - Each voter has an untappable channel to a trusted
registration teller.
VER CR
CR
31Civitas Trust Assumptions
- DDH, RSA, random oracle model.
- The adversary cannot masquerade as a voter during
registration. - Voters trust their voting client.
- At least one of each type of authority is
honest. - The channels from the voter to the ballot boxes
are anonymous. - Each voter has an untappable channel to a trusted
registration teller.
VER CR
CR
32CivitasCost Evaluation
33Real-World Cost
- Society makes a tradeoff on
- Cost of election, vs.
- Security, usability,
- Current total costs are 1-3 / voter
International Foundation for Election Systems - We dont know the total cost for Civitas.
- Cost of cryptography?
34CPU Cost for Tabulation
- For reasonable security parameters,
- CPU time is 39 sec / voter / authority.
- If CPUs are bought, used (for 5 hours), then
thrown away - 1500 / machine ) 12 / voter
- If CPUs are rented
- 1 / CPU / hr ) 4 / voter
- Increased costIncreased security
IACR ?
35Conclusion
36Summary
- Civitas provides security
- Remote voting
- Verifiability
- Coercion resistance (strongest?)
- Civitas provides assurance
- Security proofs
- Explicit trust assumptions
- Information-flow analysis of implementation
(first?)
IACR ?
37Technical Issues
- Web interfaces
- Testing
- BFT bulletin board
- Threshold cryptography
- Anonymous channel integration
IACR ?
38Research Issues
- Distribute trust in voter client
- Eliminate in-person registration
- Credential management
- Application-level DoS
39Web Site
- http//www.cs.cornell.edu/projects/civitas
- Technical report with concrete protocols
- Source code of our prototype
-
40http//www.cs.cornell.edu/projects/civitas
41Extra Slides
42Paper
- What paper does
- Convince voter that his vote was captured
correctly - What paper does next
- Gets dropped in a ballot box
- Immediately becomes insecure
- Chain-of-custody, stuffing, loss, recount
attacks - Hacking paper elections has a long and
(in)glorious tradition Steal this Vote, Andrew
Gumbel, 2005 - 20 of paper trails are missing or illegible
Michael Shamos, 2008 - What paper doesnt
- Guarantee that a vote will be counted
- Guarantee that a vote will be counted correctly
43Cryptography
- The public wont trust cryptography.
- It already does
- Because experts already do
- I dont trust cryptography.
- You dont trust the proofs, or
- You reject the hardness assumptions
44Selling Votes
- Requires selling credential
- Which requires
- Adversary tapped the untappable channel, or
- Adversary authenticated in place of voter
- Which then requires
- Voter transferred ability to authenticate to
adversary something voter - Has too easy
- Knows need incentive not to transfer
- Is hardest to transfer
45Civitas LOC
46Civitas Policy Examples
- Confidentiality
- Information Voters credential share
- Policy RT permits only this voter to learn this
information - Jif syntax RT ? Voter
- Confidentiality
- Information Tellers private key
- Policy TT permits no one else to learn this
information - Jif syntax TT ? TT
- Integrity
- Information Random nonces used by tellers
- Policy TT permits only itself to influence this
information - Jif syntax TT ? TT
47Civitas Policy Examples
- Declassification
- Information Bits that are committed to then
revealed - Policy TT permits no one to read this
information until all commitments become
available, then TT declassifies it to allow
everyone to read. - Jif syntax TT ? TT ?commAvail ?
- Erasure
- Information Voters credential shares
- Policy Voter requires, after all shares are
received and full credential is constructed, that
shares must be erased. - Jif syntax Voter ? Voter credConst? T
48Registration Trust Assumptions
- One way to discharge is with in-person
registration - Not an absolute requirement
- Though for strong authentication, physical
presence (something you are) is reasonable - Need not register in-person with all tellers
- Works like real-world voting today
- Registration teller trusted to correctly
authenticate voter - Issue of credential must happen in trusted
registration booth - But doesnt need to happen on special day
- Con System not fully remote
- Pro Credential can be used remotely for many
elections - Reusing real-world mechanism, can bootstrap into
a system offering stronger security
49Voting Client Trust Assumption
- Civitas voting client is not a DRE
- Voters are not required to trust a single
(closed-source) implementation - Civitas allows open-source (re)implementations of
the client - Voters can obtain or travel to implementation
provided by organization they trust - Discharge? Distribute trust in client.
- Benaloh, Chaum, Joaquim and Ribeiro, Kutylowski
et al., Zúquete et al.,
50Blocks
- Block is a virtual precinct
- Each voter assigned to one block
- Each block tallied independently of other blocks,
even in parallel - Tabulation time is
- Quadratic in block size
- Linear in number of voters
- If using one set of machines for many blocks
- Or, constant in number of voters
- If using one set of machines per block
51Tabulation Time vs. Anonymity
voters K, tab. tellers 4, security
strength 112 bits NIST 20112030
52Tabulation Time vs. Voters
sequential
K 100
53Ranked Voting Methods
- Voters submit ranking of candidates
- e.g., Condorcet, Borda, STV
- Help avoid spoiler effects
- Defend against strategic voting
- Italian attack
- Civitas implements coercion-resistant Condorcet,
approval and plurality voting methods - Could do any summable method