Civitas - PowerPoint PPT Presentation

1 / 53
About This Presentation
Title:

Civitas

Description:

Votes with fake credentials removed during tabulation. Clarkson: Civitas ... Supplies a fake credential to the adversary and votes with a real one. Abstains ... – PowerPoint PPT presentation

Number of Views:30
Avg rating:3.0/5.0
Slides: 54
Provided by: MichaelC142
Category:
Tags: civitas | fake

less

Transcript and Presenter's Notes

Title: Civitas


1
Civitas
IACR Board Meeting / CRYPTO August 19, 2008
Coin (ca. 63 B.C.) commemorating introduction of
secret ballot in 137 B.C.
2
Civitas
  • Features
  • Designed for remote voting, coercion resistance,
    verifiability
  • Supports plurality, approval, Condorcet methods
  • Status
  • Paper in Oakland 2008
  • Publicly available 21,000 LOC (Jif, Java, and
    C)
  • Prototype
  • Suitable for IACR?

3
Civitas Security Requirements
4
Security Model
  • No trusted supervision of polling places
  • Including voters, procedures, hardware, software
  • Voting could take place anywhere
  • Remote voting
  • Generalization of Internet voting and postal
    voting
  • Interesting problem to solve!

IACR ?
5
Adversary
  • Always
  • May perform any polynomial time computation
  • May corrupt all but one of each type of election
    authority
  • Distributed trust
  • Almost always
  • May control network
  • May coerce voters, demanding secrets or behavior,
    remotely or physically
  • Security properties
  • Confidentiality, integrity, availability

6
Integrity
  • Verifiability
  • Including
  • Voter verifiability Voters can check that their
    own vote is included
  • Universal verifiability Anyone can check that
    only authorized votes are counted, no votes are
    changed during tallying Sako and Killian 1995

The final tally is correct and verifiable.
IACR ?
7
Confidentiality
  • Voter coercion
  • Employer, spouse, etc.
  • Coercer can demand any behavior (vote buying)
  • Coercer can observe and interact with voter
    during remote voting
  • Must prevent coercers from trusting their own
    observations

8
Confidentiality
  • gt receipt-freeness gt anonymity
  • Hierarchy Delaune, Kremer, and Ryan, CSFW
    2006

Coercion resistance
The adversary cannot learn how voters vote, even
if voters collude and interact with the adversary.
too weak for remote voting
IACR ?
9
Availability
  • We assume that this holds
  • To guarantee, would need to make system
    components highly available

Tally availability
The final tally of the election is produced.
IACR ?
10
Civitas Design and Implementation
11
JCJ Scheme
  • Juels, Catalano, and Jakobsson, WPES 2005
  • Formally defined coercion resistance and
    verifiability
  • Constructed voting scheme
  • Proved scheme satisfies coercion resistance and
    verifiability
  • Backes, Hritcu, and Maffei, CSF 2008
  • Verified simplification in ProVerif

12
Civitas Architecture
registration teller
registration teller
registration teller
tabulation teller
bulletinboard
ballot box
tabulation teller
ballot box
ballot box
voterclient
tabulation teller
13
Registration
registration teller
registration teller
registration teller
voterclient
Voter retrieves credential share from each
registration tellercombines to form credential
14
Voting
ballot box
ballot box
ballot box
voterclient
Voter submits copy of encrypted choice and
credential ( ZK proofs) to each ballot box
15
Resisting Coercion
  • Voters invent fake credentials
  • To adversary, fake ? real
  • Votes with fake credentials removed during
    tabulation

16
Resisting Coercion
17
Tabulation
tabulation teller
bulletinboard
ballot box
tabulation teller
ballot box
ballot box
tabulation teller
Tellers retrieve votes from ballot boxes
18
Tabulation
tabulation teller
bulletinboard
tabulation teller
tabulation teller
Tabulation tellers anonymize votes with mix
networkeliminate unauthorized
credentials decrypt remaining choices post ZK
proofs
19
Civitas Architecture
registration teller
registration teller
registration teller
tabulation teller
bulletinboard
ballot box
tabulation teller
ballot box
ballot box
voterclient
tabulation teller
20
Protocols
  • Leverage the literature
  • El Gamal distributed Brandt non-malleable
    Schnorr and Jakobsson
  • Proof of knowledge of discrete log Schnorr
  • Proof of equality of discrete logarithms Chaum
    Pederson
  • Authentication and key establishment
    Needham-Schroeder-Lowe
  • Designated-verifier reencryption proof Hirt
    Sako
  • 1-out-of-L reencryption proof Hirt Sako
  • Signature of knowledge of discrete logarithms
    Camenisch Stadler
  • Reencryption mix network with randomized partial
    checking Jakobsson, Juels Rivest
  • Plaintext equivalence test Jakobsson Juels

21
Secure Implementation
  • In Jif Myers 1999, Chong and Myers 2005, 2008
  • Security-typed language
  • Types contain information-flow policies
  • Confidentiality, integrity, declassification,
    erasure
  • If policies in code express correct requirements
  • (And Jif compiler is correct)
  • Then code is secure w.r.t. requirements

22
CivitasSecurity Evaluation
23
Civitas Trust Assumptions
  • DDH, RSA, random oracle model.
  • The adversary cannot masquerade as a voter during
    registration.
  • Voters trust their voting client.
  • At least one of each type of authority is
    honest.
  • The channels from the voter to the ballot boxes
    are anonymous.
  • Each voter has an untappable channel to a trusted
    registration teller.

24
Civitas Trust Assumptions
  • DDH, RSA, random oracle model.
  • The adversary cannot masquerade as a voter during
    registration.
  • Voters trust their voting client.
  • At least one of each type of authority is
    honest.
  • The channels from the voter to the ballot boxes
    are anonymous.
  • Each voter has an untappable channel to a trusted
    registration teller.

Verifiability andCoercion resistance
Coercion resistance
25
Civitas Trust Assumptions
  • DDH, RSA, random oracle model.
  • The adversary cannot masquerade as a voter during
    registration.
  • Voters trust their voting client.
  • At least one of each type of authority is
    honest.
  • The channels from the voter to the ballot boxes
    are anonymous.
  • Each voter has an untappable channel to a trusted
    registration teller.

VER CR
CR
26
Civitas Trust Assumptions
  • DDH, RSA, random oracle model.
  • The adversary cannot masquerade as a voter during
    registration.
  • Voters trust their voting client.
  • At least one of each type of authority is
    honest.
  • The channels from the voter to the ballot boxes
    are anonymous.
  • Each voter has an untappable channel to a trusted
    registration teller.

VER CR
CR
27
Civitas Trust Assumptions
  • DDH, RSA, random oracle model.
  • The adversary cannot masquerade as a voter during
    registration.
  • Voters trust their voting client.
  • At least one of each type of authority is
    honest.
  • The channels from the voter to the ballot boxes
    are anonymous.
  • Each voter has an untappable channel to a trusted
    registration teller.

VER CR
CR
28
Civitas Trust Assumptions
  • DDH, RSA, random oracle model.
  • The adversary cannot masquerade as a voter during
    registration.
  • Voters trust their voting client.
  • At least one of each type of authority is
    honest.
  • The channels from the voter to the ballot boxes
    are anonymous.
  • Each voter has an untappable channel to a trusted
    registration teller.

VER CR
CR
29
Civitas Trust Assumptions
  • DDH, RSA, random oracle model.
  • The adversary cannot masquerade as a voter during
    registration.
  • Voters trust their voting client.
  • At least one of each type of authority is
    honest.
  • The channels from the voter to the ballot boxes
    are anonymous.
  • Each voter has an untappable channel to a trusted
    registration teller.

VER CR
CR
30
Civitas Trust Assumptions
  • DDH, RSA, random oracle model.
  • The adversary cannot masquerade as a voter during
    registration.
  • Voters trust their voting client.
  • At least one of each type of authority is
    honest.
  • The channels from the voter to the ballot boxes
    are anonymous.
  • Each voter has an untappable channel to a trusted
    registration teller.

VER CR
CR
31
Civitas Trust Assumptions
  • DDH, RSA, random oracle model.
  • The adversary cannot masquerade as a voter during
    registration.
  • Voters trust their voting client.
  • At least one of each type of authority is
    honest.
  • The channels from the voter to the ballot boxes
    are anonymous.
  • Each voter has an untappable channel to a trusted
    registration teller.

VER CR
CR
32
CivitasCost Evaluation
33
Real-World Cost
  • Society makes a tradeoff on
  • Cost of election, vs.
  • Security, usability,
  • Current total costs are 1-3 / voter
    International Foundation for Election Systems
  • We dont know the total cost for Civitas.
  • Cost of cryptography?

34
CPU Cost for Tabulation
  • For reasonable security parameters,
  • CPU time is 39 sec / voter / authority.
  • If CPUs are bought, used (for 5 hours), then
    thrown away
  • 1500 / machine ) 12 / voter
  • If CPUs are rented
  • 1 / CPU / hr ) 4 / voter
  • Increased costIncreased security

IACR ?
35
Conclusion
36
Summary
  • Civitas provides security
  • Remote voting
  • Verifiability
  • Coercion resistance (strongest?)
  • Civitas provides assurance
  • Security proofs
  • Explicit trust assumptions
  • Information-flow analysis of implementation
    (first?)

IACR ?
37
Technical Issues
  • Web interfaces
  • Testing
  • BFT bulletin board
  • Threshold cryptography
  • Anonymous channel integration

IACR ?
38
Research Issues
  • Distribute trust in voter client
  • Eliminate in-person registration
  • Credential management
  • Application-level DoS

39
Web Site
  • http//www.cs.cornell.edu/projects/civitas
  • Technical report with concrete protocols
  • Source code of our prototype

40
http//www.cs.cornell.edu/projects/civitas
41
Extra Slides
42
Paper
  • What paper does
  • Convince voter that his vote was captured
    correctly
  • What paper does next
  • Gets dropped in a ballot box
  • Immediately becomes insecure
  • Chain-of-custody, stuffing, loss, recount
    attacks
  • Hacking paper elections has a long and
    (in)glorious tradition Steal this Vote, Andrew
    Gumbel, 2005
  • 20 of paper trails are missing or illegible
    Michael Shamos, 2008
  • What paper doesnt
  • Guarantee that a vote will be counted
  • Guarantee that a vote will be counted correctly

43
Cryptography
  • The public wont trust cryptography.
  • It already does
  • Because experts already do
  • I dont trust cryptography.
  • You dont trust the proofs, or
  • You reject the hardness assumptions

44
Selling Votes
  • Requires selling credential
  • Which requires
  • Adversary tapped the untappable channel, or
  • Adversary authenticated in place of voter
  • Which then requires
  • Voter transferred ability to authenticate to
    adversary something voter
  • Has too easy
  • Knows need incentive not to transfer
  • Is hardest to transfer

45
Civitas LOC
46
Civitas Policy Examples
  • Confidentiality
  • Information Voters credential share
  • Policy RT permits only this voter to learn this
    information
  • Jif syntax RT ? Voter
  • Confidentiality
  • Information Tellers private key
  • Policy TT permits no one else to learn this
    information
  • Jif syntax TT ? TT
  • Integrity
  • Information Random nonces used by tellers
  • Policy TT permits only itself to influence this
    information
  • Jif syntax TT ? TT

47
Civitas Policy Examples
  • Declassification
  • Information Bits that are committed to then
    revealed
  • Policy TT permits no one to read this
    information until all commitments become
    available, then TT declassifies it to allow
    everyone to read.
  • Jif syntax TT ? TT ?commAvail ?
  • Erasure
  • Information Voters credential shares
  • Policy Voter requires, after all shares are
    received and full credential is constructed, that
    shares must be erased.
  • Jif syntax Voter ? Voter credConst? T

48
Registration Trust Assumptions
  • One way to discharge is with in-person
    registration
  • Not an absolute requirement
  • Though for strong authentication, physical
    presence (something you are) is reasonable
  • Need not register in-person with all tellers
  • Works like real-world voting today
  • Registration teller trusted to correctly
    authenticate voter
  • Issue of credential must happen in trusted
    registration booth
  • But doesnt need to happen on special day
  • Con System not fully remote
  • Pro Credential can be used remotely for many
    elections
  • Reusing real-world mechanism, can bootstrap into
    a system offering stronger security

49
Voting Client Trust Assumption
  • Civitas voting client is not a DRE
  • Voters are not required to trust a single
    (closed-source) implementation
  • Civitas allows open-source (re)implementations of
    the client
  • Voters can obtain or travel to implementation
    provided by organization they trust
  • Discharge? Distribute trust in client.
  • Benaloh, Chaum, Joaquim and Ribeiro, Kutylowski
    et al., Zúquete et al.,

50
Blocks
  • Block is a virtual precinct
  • Each voter assigned to one block
  • Each block tallied independently of other blocks,
    even in parallel
  • Tabulation time is
  • Quadratic in block size
  • Linear in number of voters
  • If using one set of machines for many blocks
  • Or, constant in number of voters
  • If using one set of machines per block

51
Tabulation Time vs. Anonymity
voters K, tab. tellers 4, security
strength 112 bits NIST 20112030
52
Tabulation Time vs. Voters
sequential
K 100
53
Ranked Voting Methods
  • Voters submit ranking of candidates
  • e.g., Condorcet, Borda, STV
  • Help avoid spoiler effects
  • Defend against strategic voting
  • Italian attack
  • Civitas implements coercion-resistant Condorcet,
    approval and plurality voting methods
  • Could do any summable method
Write a Comment
User Comments (0)
About PowerShow.com