Civitas Toward a Secure Voting System

1
CivitasToward a Secure Voting System

• Michael ClarksonCornell University

Stevens Institute of Technology March 30, 2009
Coin (ca. 63 B.C.) commemorating introduction of
secret ballot in 137 B.C.
2
Civitas

• Electronic voting system 21,000 LOC
• Clarkson, Chong, and Myers, Oakland 2008

3
Evolution of Voting Technology
4
(No Transcript)
5
State of Secure Electronic Voting

• Major commercial voting systems are insecure
• California reviews Wagner, Wallach, Blaze, et
  al.
• Academics are pessimistic
• SERVE report Jefferson et al.

6
Security of Voting

• Was your vote captured correctly?
• Was your vote counted correctly?
• Can the tally be independently verified?
• Is your vote anonymous?
• Can anyone sell their vote?
• Can voters be coerced?

7
Potential Threats

• Outsiders
• Programmers
• Election officials
• Candidates and parties
• Employers, organizations, spouses,
• Voters
• Voting systems have some of the strongest and
  hardest security requirements of any systems

8
Civitas Security Model

• No trusted supervision of polling places
• Including voters, procedures, hardware, software
• Voting could take place anywhere
• Remote voting
• Generalization of Internet voting and postal
  voting
• No unilateral trust in an election authority
• Instead, mutually distrusting set of authorities
• Distributed trust

9
Adversary

• Corrupt all but one of each type of election
  authority
• Perform any polynomial time computation
• Control network
• Coerce voters, demanding secrets or behavior,
  remotely or physically
• Security properties
• Confidentiality, integrity, availability

10
Integrity

• Verifiability
• Including
• Voters can check that their own vote is included
• Universal verifiability Anyone can audit the
  election results no votes added, changed, or
  deleted Sako and Killian 1995

The final tally is correct and verifiable.
11
Confidentiality

• Voter coercion
• Employer, spouse, etc.
• Coercer can demand any behavior (abstain, sell)
• Coercer can observe and interact with voter
  during remote voting
• Must prevent coercers from trusting their own
  observations

12
Confidentiality

• gt receipt-freeness CR - interactiongt
  anonymity RF - collusion

Coercion resistance
The adversary cannot learn how voters vote, even
if voters collude and interact with the adversary.
too weak
13
Availability
Tally availability

• We assume that this holds
• To guarantee, would need to make system
  components highly available, etc.
• But its really about the votes

The final tally of the election is produced.
14
Building Civitas

• Started with abstract voting protocol
• Juels, Catalano, and Jakobsson, WPES 2005
• Extended design to improve security and
  performance
• Implemented in security-typed language (Jif)
• Evaluated security and performance

15
Civitas Architecture
registration teller
registration teller
registration teller
tabulation teller
bulletinboard
ballot box
tabulation teller
ballot box
ballot box
voterclient
tabulation teller
16
Registration
registration teller
registration teller
registration teller
voterclient
Voter retrieves credential share from each
registration tellercombines to form credential
17
Registration
registration teller
registration teller
registration teller
voterclient
18
Properties of Credentials

• Verifiable
• Teller must prove that share is good, but proof
  is convincing only to voter
• Voter cant sell share
• Anonymous
• No subset of shares reveals information about
  credential
• Credentials cant be linked to voters
• Unforgeable
• Creating new credential requires participation of
  all tellers
• Tellers cant stuff the ballot box

19
Registration
JCJ single trusted registrarCivitas
distributed trust ? Improved confidentiality
and integrity
registration teller
registration teller
registration teller
voterclient
20
Voting
Voter submits copy of encrypted choice and
credential (plus proofs) to each ballot box
21
Properties of Votes

• Anonymous
• Credentials are anonymous
• Submitted over anonymous channel
• Replicated
• Votes can be deleted only if all ballot boxes
  collude
• Non-malleable
• No one can construct related votes
• Votes cant be changed or spoiled

22
Resisting Coercion

• Voters substitute fake credentials
• To adversary, fake ? real
• Votes with fake credentials removed during
  tabulation without revealing which are fake
• For any behavior adversary demands
• Voter complies, with fake credential
• Voter needs untappable channel to a registration
  teller

23
Voting
JCJ no ballot boxesCivitas distributed
storage ? Votes highly available
24
Tabulation
tabulation teller
bulletinboard
ballot box
tabulation teller
ballot box
ballot box
tabulation teller
Tellers retrieve votes from ballot boxes
25
Tabulation
tabulation teller
bulletinboard
tabulation teller
tabulation teller
Tabulation tellers anonymize votes with mix
network Chaum 1981
26
Mix Network
27
Tabulation
tabulation teller
bulletinboard
tabulation teller
tabulation teller
Tellers eliminate unauthorized credentials decryp
t remaining choices post proofs
28
Properties of Tabulation

• Verifiable
• Tellers post zero-knowledge proofs during
  tabulation
• Coercion-resistant
• No credentials (valid or fake) ever revealed
• Voters can undetectably fake credentials

29
Tabulation
JCJ O(V2) Civitas O(B2), B V ? Improved
scalability
tabulation teller
bulletinboard
tabulation teller
tabulation teller
30
Blocks

• Block is a virtual precinct
• Each voter assigned to one block
• Each block tallied independently of other blocks,
  even in parallel
• Tabulation time is
• Quadratic in block size
• Linear in number of voters
• If using one set of machines for many blocks
• Or, constant in number of voters
• If using one set of machines per block

31
Civitas Architecture
registration teller
registration teller
registration teller
tabulation teller
bulletinboard
ballot box
tabulation teller
ballot box
ballot box
voterclient
tabulation teller
32
Cryptographic Protocols

• Leverage the literature
• El Gamal distributed Brandt non-malleable
  Schnorr and Jakobsson
• Proof of knowledge of discrete log Schnorr
• Proof of equality of discrete logarithms Chaum
  Pederson
• Authentication and key establishment
  Needham-Schroeder-Lowe
• Designated-verifier reencryption proof Hirt
  Sako
• 1-out-of-L reencryption proof Hirt Sako
• Signature of knowledge of discrete logarithms
  Camenisch Stadler
• Reencryption mix network with randomized partial
  checking Jakobsson, Juels Rivest
• Plaintext equivalence test Jakobsson Juels

33
Civitas Security Assurance

• Design
• JCJ proof of coercion resistance and
  verifiability
• We extended proof
• Backes et al. (CSF 2008) verification with
  ProVerif
• Working to verify Civitas
• Implementation
• leverages language-based security

34
Secure Implementation

• In Jif Myers 1999, Chong and Myers 2005, 2008
• Security-typed language
• Types contain information-flow policies
• Confidentiality, integrity, declassification,
  erasure
• If policies in code express correct requirements
• (And Jif compiler is correct)
• Then code is secure w.r.t. requirements

35
Civitas Policy Examples

• Confidentiality
• Information Voters credential share
• Policy RT permits only this voter to learn this
  information
• Jif syntax RT ? Voter
• Confidentiality
• Information Tellers private key
• Policy TT permits no one else to learn this
  information
• Jif syntax TT ? TT
• Integrity
• Information Random nonces used by tellers
• Policy TT permits only itself to influence this
  information
• Jif syntax TT ? TT

36
Civitas Policy Examples

• Declassification
• Information Bits that are committed to then
  revealed
• Policy TT permits no one to read this
  information until all commitments become
  available, then TT declassifies it to allow
  everyone to read.
• Jif syntax TT ? TT ?commAvail ?
• Erasure
• Information Voters credential shares
• Policy Voter requires, after all shares are
  received and full credential is constructed, that
  shares must be erased.
• Jif syntax Voter ? Voter credConst? T

37
Civitas LOC
38
Real-World Cost

• Tradeoff cost of election vs. security,
  usability,
• Current total costs are 1-3 / voter
  International Foundation for Election Systems
• We dont know the total cost for Civitas
• Computational cost of advanced cryptography?

39
Tabulation Time vs. Anonymity
K voters, tab. tellers 4, security
strength 112 bits NIST 20112030, 3GHz Xeons
40
Tabulation Time vs. Voters
sequential
K 100
41
CPU Cost for Tabulation

• CPU time is 39 sec / voter / authority
• If CPUs are bought, used (for 5 hours), then
  thrown away
• 1500 / machine 12 / voter
• If CPUs are rented
• 1 / CPU / hr 4 / voter
• for this extra cost, we get increased security

42
Ranked Voting Methods

• Voters submit ordering of candidates
• Examples Condorcet, STV/IRV, Borda,

43
Ranked Voting Methods

• Low-order rankings create a covert channel
• Coercion intrinsically possible

4! completions
44
Civitas Voting Methods

• Civitas implements coercion-resistant
• Condorcet
• Approval
• Plurality
• Intuition decompose ballot

45
Summary

• Civitas is a remote voting system
• Civitas contributes to
• Protocols (theory of voting)
• Distributed trust in registration for
  confidentiality
• Distributed vote storage for availability
• Introduced blocks (virtual precincts) for
  scalability
• Articulated and analyzed trust assumptions
• Efficient coercion-resistant Condorcet voting
• Systems (practice of voting)
• Developed full, concrete protocols
• Implemented system
• Studied performance

46
Related Work

• Abstract voting schemes
• Baudron et al. Benaloh Benaloh and Tuinstra
  Boyd Chaum Chaum, Ryan, and Schneider Chen and
  Burminster Cohen and Fischer Cramer, Gennaro,
  and Schoenmakers Fujioka, Okamoto, and Ohta
  Hirt and Sako Iversen Kiayias and Yung Magkos
  et al. Merrit Neff Niemi and Renvall Sako and
  Killian Ohkubo et al. Ohta Okamoto Park et
  al. Rivest
• Implemented voting systems
• Adder Kiayias, Korman, Walluck
• ElectMe Shubina and Smith
• EVOX Herschberg, DuRette
• Helios Adida, Rivest
• Prêt à Voter Schneider, Heather, et al. Ryan
  Chaum
• Punchscan Stanton, Essex, Popoveniuc, et al.
  Chaum
• REVS Joaquim, Zúquette, Ferreira Lebre
• Sensus Cranor and Cytron
• VoteHere Neff
• W-Voting Kutylowski, Zagórski, et al.
• Civitas Strongest coercion resistance, first to
  offer security proofs or information-flow analysis

47
Web Site

• http//www.cs.cornell.edu/projects/civitas
• Technical report with concrete protocols
• Source code of our prototype

48
CivitasToward a Secure Voting System

• Michael ClarksonCornell University

Stevens Institute of Technology March 30, 2009