530 likes | 790 Views
Civitas Michael Clarkson Cornell Stephen Chong Harvard Andrew Myers Cornell IACR Board Meeting / CRYPTO August 19, 2008 Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. Civitas Features: Designed for remote voting, coercion resistance, verifiability
E N D
Civitas Michael ClarksonCornell Stephen ChongHarvard Andrew MyersCornell IACR Board Meeting / CRYPTO August 19, 2008 Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C.
Civitas Features: • Designed for remote voting, coercion resistance, verifiability • Supports plurality, approval, Condorcet methods Status: • Paper in Oakland 2008 • Publicly available: 21,000 LOC (Jif, Java, and C) • Prototype …Suitable for IACR? Clarkson: Civitas
Civitas Security Requirements
Security Model No trusted supervision of polling places • Including voters, procedures, hardware, software • Voting could take place anywhere • Remote voting Generalization of “Internet voting” and “postal voting” Interesting problem to solve! IACR Clarkson: Civitas
Adversary Always: • May perform any polynomial time computation • May corrupt all but one of each type of election authority • Distributed trust Almost always: • May control network • May coerce voters, demanding secrets or behavior, remotely or physically Security properties: Confidentiality, integrity, availability Clarkson: Civitas
Integrity Verifiability: Including: • Voter verifiability: Voters can check that their own vote is included • Universal verifiability: Anyone can check that only authorized votes are counted, no votes are changed during tallying [Sako and Killian 1995] The final tally is correct and verifiable. IACR Clarkson: Civitas
Confidentiality Voter coercion: • Employer, spouse, etc. • Coercer can demand any behavior (vote buying) • Coercer can observe and interact with voter during remote voting • Must prevent coercers from trusting their own observations Clarkson: Civitas
Confidentiality > receipt-freeness> anonymity Hierarchy: [Delaune, Kremer, and Ryan, CSFW 2006] Coercion resistance: The adversary cannot learn how voters vote, even if voters collude and interact with the adversary. too weak for remote voting IACR ? Clarkson: Civitas
Availability • We assume that this holds • To guarantee, would need to make system components highly available Tally availability: The final tally of the election is produced. IACR ? Clarkson: Civitas
Civitas Design and Implementation
JCJ Scheme [Juels, Catalano, and Jakobsson, WPES 2005] • Formally defined coercion resistance and verifiability • Constructed voting scheme • Proved scheme satisfies coercion resistance and verifiability [Backes, Hritcu, and Maffei, CSF 2008] • Verified simplification in ProVerif Clarkson: Civitas
Civitas Architecture registration teller registration teller registration teller tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box voterclient tabulation teller Clarkson: Civitas
tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box tabulation teller Registration registration teller registration teller registration teller voterclient Voter retrieves credential share from each registration teller;combines to form credential Clarkson: Civitas
registration teller registration teller registration teller tabulation teller bulletinboard tabulation teller tabulation teller Voting ballot box ballot box ballot box voterclient Voter submits copy of encrypted choice and credential (+ ZK proofs) to each ballot box Clarkson: Civitas
Resisting Coercion Voters invent fake credentials • To adversary, fake real • Votes with fake credentials removed during tabulation Clarkson: Civitas
Resisting Coercion Clarkson: Civitas
registration teller registration teller registration teller voterclient Tabulation tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box tabulation teller Tellers retrieve votes from ballot boxes Clarkson: Civitas
registration teller registration teller registration teller ballot box ballot box ballot box voterclient Tabulation tabulation teller bulletinboard tabulation teller tabulation teller Tabulation tellers anonymize votes with mix network;eliminate unauthorized credentials; decrypt remaining choices; post ZK proofs Clarkson: Civitas
Verifiability:Tellers post zero-knowledge proofs during tabulation Coercion resistance:Voters can undetectably fake credentials Civitas Architecture registration teller registration teller registration teller tabulation teller ballot box bulletinboard ballot box tabulation teller ballot box voterclient tabulation teller Clarkson: Civitas
Protocols Leverage the literature: • El Gamal; distributed [Brandt]; non-malleable [Schnorr and Jakobsson] • Proof of knowledge of discrete log [Schnorr] • Proof of equality of discrete logarithms [Chaum & Pederson] • Authentication and key establishment [Needham-Schroeder-Lowe] • Designated-verifier reencryption proof [Hirt & Sako] • 1-out-of-L reencryption proof [Hirt & Sako] • Signature of knowledge of discrete logarithms [Camenisch & Stadler] • Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest] • Plaintext equivalence test [Jakobsson & Juels] Clarkson: Civitas
Secure Implementation In Jif [Myers 1999, Chong and Myers 2005, 2008] • Security-typed language • Types contain information-flow policies • Confidentiality, integrity, declassification, erasure If policies in code express correct requirements… • (And Jif compiler is correct…) • Then code is secure w.r.t. requirements Clarkson: Civitas
CivitasSecurity Evaluation
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. Verifiability andCoercion resistance Coercion resistance Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. VER + CR CR Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. VER + CR CR Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. VER + CR CR Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. VER + CR CR Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. VER + CR CR Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. VER + CR CR Clarkson: Civitas
Civitas Trust Assumptions • DDH, RSA, random oracle model. • The adversary cannot masquerade as a voter during registration. • Voters trust their voting client. • At least one of each type of authority is honest. • The channels from the voter to the ballot boxes are anonymous. • Each voter has an untappable channel to a trusted registration teller. VER + CR CR Clarkson: Civitas
CivitasCost Evaluation
Real-World Cost Society makes a tradeoff on: • Cost of election, vs. • Security, usability, … Current totalcosts are $1-$3 / voter [International Foundation for Election Systems] We don’t know the total cost for Civitas. Cost of cryptography? Clarkson: Civitas
CPU Cost for Tabulation For reasonable security parameters, CPU time is 39 sec / voter / authority. If CPUs are bought, used (for 5 hours), then thrown away: $1500 / machine ) $12 / voter If CPUs are rented: $1 / CPU / hr ) 4¢ / voter Increased cost…Increased security IACR ? Clarkson: Civitas
Conclusion
Summary Civitas provides security: • Remote voting • Verifiability • Coercion resistance (strongest?) Civitas provides assurance: • Security proofs • Explicit trust assumptions • Information-flow analysis of implementation (first?) IACR Clarkson: Civitas
Technical Issues • Web interfaces • Testing • BFT bulletin board • Threshold cryptography • Anonymous channel integration IACR Clarkson: Civitas
Research Issues • Distribute trust in voter client • Eliminate in-person registration • Credential management • Application-level DoS Clarkson: Civitas
Web Site http://www.cs.cornell.edu/projects/civitas • Technical report with concrete protocols • Source code of our prototype Clarkson: Civitas
http://www.cs.cornell.edu/projects/civitas
Extra Slides Clarkson: Civitas
Paper • What paper does: • Convince voter that his vote was captured correctly • What paper does next: • Gets dropped in a ballot box • Immediately becomes insecure • Chain-of-custody, stuffing, loss, recount attacks… • Hacking paper elections has a long and (in)glorious tradition [Steal this Vote, Andrew Gumbel, 2005] • 20% of paper trails are missing or illegible [Michael Shamos, 2008] • What paper doesn’t: • Guarantee that a vote will be counted • Guarantee that a vote will be counted correctly Clarkson: Civitas
Cryptography “The public won’t trust cryptography.” • It already does… • Because experts already do “I don’t trust cryptography.” • You don’t trust the proofs, or • You reject the hardness assumptions Clarkson: Civitas
Selling Votes Requires selling credential… • Which requires: • Adversary tapped the untappable channel, or • Adversary authenticated in place of voter… • Which then requires: • Voter transferred ability to authenticate to adversary; something voter… • Has: too easy • Knows: need incentive not to transfer • Is: hardest to transfer Clarkson: Civitas
Civitas LOC Clarkson: Civitas
Civitas Policy Examples • Confidentiality: • Information: Voter’s credential share • Policy: “RT permits only this voter to learn this information” • Jif syntax: RT Voter • Confidentiality: • Information: Teller’s private key • Policy: “TT permits no one else to learn this information” • Jif syntax: TT TT • Integrity: • Information: Random nonces used by tellers • Policy: “TT permits only itself to influence this information” • Jif syntax: TT TT Clarkson: Civitas
Civitas Policy Examples • Declassification: • Information: Bits that are committed to then revealed • Policy: “TT permits no one to read this information until all commitments become available, then TT declassifies it to allow everyone to read.” • Jif syntax: TT [TT commAvail ] • Erasure: • Information: Voter’s credential shares • Policy: “Voter requires, after all shares are received and full credential is constructed, that shares must be erased.” • Jif syntax: Voter [Voter credConstT ] Clarkson: Civitas
Registration Trust Assumptions One way to discharge is with in-person registration • Not an absolute requirement • Though for strong authentication, physical presence (“something you are”) is reasonable • Need not register in-person with all tellers Works like real-world voting today: • Registration teller trusted to correctly authenticate voter • Issue of credential must happen in trusted “registration booth” • But doesn’t need to happen on special day Con: System not fully remote Pro: Credential can be used remotely for many elections • Reusing real-world mechanism, can bootstrap into a system offering stronger security Clarkson: Civitas
Voting Client Trust Assumption Civitas voting client is not a DRE: • Voters are not required to trust a single (closed-source) implementation • Civitas allows open-source (re)implementations of the client • Voters can obtain or travel to implementation provided by organization they trust Discharge? Distribute trust in client. [Benaloh, Chaum, Joaquim and Ribeiro, Kutyłowski et al., Zúquete et al., …] Clarkson: Civitas
Blocks Block is a “virtual precinct” • Each voter assigned to one block • Each block tallied independently of other blocks, even in parallel Tabulation time is: • Quadratic in block size • Linear in number of voters • If using one set of machines for many blocks • Or, constant in number of voters • If using one set of machines per block Clarkson: Civitas
玻璃钢生产厂家玻璃钢艺术雕塑经销商湖南玻璃钢瓜果雕塑商场美陈app玻璃钢雕塑类型公司定西大型玻璃钢雕塑哪家好动物玻璃钢卡通雕塑图片成都市哪里有玻璃钢雕塑厂家广东卡通玻璃钢动物牛雕塑亳州卡通玻璃钢雕塑公司合肥商场大厅美陈辽宁抽象动物玻璃钢雕塑报价玻璃钢佛像雕塑报价单临汾玻璃钢长颈雕塑小区玻璃钢雕塑施工哪家好湖北玻璃钢人物铜雕塑厂家金昌玻璃钢雕塑加工邯郸玻璃钢雕塑招人店庆 商场美陈襄阳商场美陈花器玻璃钢动物头型雕塑漯河景观校园玻璃钢景观雕塑定做潜江玻璃钢游乐场门头雕塑上海玻璃钢雕塑厂达州玻璃钢雕塑摆件打造厂家成都人物玻璃钢雕塑价格青岛商场美陈销售无锡玻璃钢仿铜雕塑厂家上海玻璃钢动物雕塑生产厂家山西户外玻璃钢雕塑价位徐州美陈商场布置香港通过《维护国家安全条例》两大学生合买彩票中奖一人不认账让美丽中国“从细节出发”19岁小伙救下5人后溺亡 多方发声单亲妈妈陷入热恋 14岁儿子报警汪小菲曝离婚始末遭遇山火的松茸之乡雅江山火三名扑火人员牺牲系谣言何赛飞追着代拍打萧美琴窜访捷克 外交部回应卫健委通报少年有偿捐血浆16次猝死手机成瘾是影响睡眠质量重要因素高校汽车撞人致3死16伤 司机系学生315晚会后胖东来又人满为患了小米汽车超级工厂正式揭幕中国拥有亿元资产的家庭达13.3万户周杰伦一审败诉网易男孩8年未见母亲被告知被遗忘许家印被限制高消费饲养员用铁锨驱打大熊猫被辞退男子被猫抓伤后确诊“猫抓病”特朗普无法缴纳4.54亿美元罚金倪萍分享减重40斤方法联合利华开始重组张家界的山上“长”满了韩国人?张立群任西安交通大学校长杨倩无缘巴黎奥运“重生之我在北大当嫡校长”黑马情侣提车了专访95后高颜值猪保姆考生莫言也上北大硕士复试名单了网友洛杉矶偶遇贾玲专家建议不必谈骨泥色变沉迷短剧的人就像掉进了杀猪盘奥巴马现身唐宁街 黑色着装引猜测七年后宇文玥被薅头发捞上岸事业单位女子向同事水杯投不明物质凯特王妃现身!外出购物视频曝光河南驻马店通报西平中学跳楼事件王树国卸任西安交大校长 师生送别恒大被罚41.75亿到底怎么缴男子被流浪猫绊倒 投喂者赔24万房客欠租失踪 房东直发愁西双版纳热带植物园回应蜉蝣大爆发钱人豪晒法院裁定实锤抄袭外国人感慨凌晨的中国很安全胖东来员工每周单休无小长假白宫:哈马斯三号人物被杀测试车高速逃费 小米:已补缴老人退休金被冒领16年 金额超20万