CivitasCivitasToward a Secure Voting Toward a Secure Voting
SystemSystem
Michael ClarksonCornell University
Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C.
Stevens Institute of TechnologyMarch 30, 2009
Clarkson: Civitas 2
Civitas
Electronic voting system; 21,000 LOC
[Clarkson, Chong, and Myers, Oakland 2008]
Clarkson: Civitas 5
State of Secure Electronic Voting
Major commercial voting systems are insecure California reviews [Wagner, Wallach,
Blaze, et al.]
Academics are pessimisticSERVE report [Jefferson et al.]
Clarkson: Civitas 6
Security of Voting
Was your vote captured correctly? Was your vote counted correctly? Can the tally be independently
verified? Is your vote anonymous? Can anyone sell their vote? Can voters be coerced?
…
Clarkson: Civitas 7
Potential Threats
Outsiders Programmers Election officials Candidates and parties Employers, organizations, spouses, … Voters
…Voting systems have some of the strongest and hardest security requirements of any systems
Clarkson: Civitas 8
Civitas Security Model
No trusted supervision of polling places Including voters, procedures, hardware,
software Voting could take place anywhere
Remote votingGeneralization of “Internet voting” and “postal voting”
No unilateral trust in an election authority Instead, mutually distrusting set of authorities
Distributed trust
Clarkson: Civitas 9
Adversary
Corrupt all but one of each type of election authority
Perform any polynomial time computation Control network Coerce voters, demanding secrets or
behavior, remotely or physically
Security properties: Confidentiality, integrity, availability
Clarkson: Civitas 10
Integrity
Verifiability:
Including:Voters can check that their own vote is
included Universal verifiability: Anyone can audit
the election results; no votes added, changed, or deleted [Sako and Killian 1995]
The final tally is correct and verifiable.
The final tally is correct and verifiable.
Clarkson: Civitas 11
Confidentiality
Voter coercion:Employer, spouse, etc.Coercer can demand any behavior
(abstain, sell)Coercer can observe and interact with
voter during remote voting
Must prevent coercers from trusting their own observations
Clarkson: Civitas 12
Confidentiality
> receipt-freeness= CR interaction
> anonymity= RF collusion
The adversary cannot learn how voters vote, even if voters collude and interact
with the adversary.
The adversary cannot learn how voters vote, even if voters collude and interact
with the adversary.
Coercion resistance:
too weak
Clarkson: Civitas 13
Availability
We assume that this holds To guarantee, would need to make
system components highly available, etc.
But it’s really about the votes
The final tally of the election is produced.The final tally of the election is produced.
Tally availability:
Clarkson: Civitas 14
Building Civitas
Started with abstract voting protocol…[Juels, Catalano, and Jakobsson, WPES
2005]Extended design to improve security
and performance Implemented in security-typed language
(Jif)Evaluated security and performance
Clarkson: Civitas 15
Civitas Architecture
bulletinboard
voterclient
tabulation teller
tabulation teller
tabulation teller
registration teller
registration teller
registration teller
ballot boxballot boxballot box
Clarkson: Civitas 16
Registration
voterclient
registration teller
registration teller
registration teller
bulletinbulletinboardboard
tabulation tellertabulation teller
tabulation tellertabulation teller
tabulation tellertabulation teller
ballot boxballot boxballot boxballot boxballot boxballot box
Voter retrieves credential share from each registration teller;combines to form credential
Clarkson: Civitas 17
Registration
voterclient
registration teller
registration teller
registration teller
credential share
credential
Clarkson: Civitas 18
Properties of Credentials
VerifiableTeller must prove that share is good, but proof is
convincing only to voter Voter can’t sell share
AnonymousNo subset of shares reveals information about
credential Credentials can’t be linked to voters
UnforgeableCreating new credential requires participation of all
tellers Tellers can’t “stuff the ballot box”
Clarkson: Civitas 19
Registration
voterclient
registration teller
registration teller
registration teller
bulletinbulletinboardboard
tabulation tellertabulation teller
tabulation tellertabulation teller
tabulation tellertabulation teller
ballot boxballot boxballot boxballot boxballot boxballot box
JCJ: single trusted registrarCivitas: distributed trust Improved confidentiality and integrity
Clarkson: Civitas 20
Voting
voterclient
ballot boxballot boxballot box
bulletinbulletinboardboard
tabulation tellertabulation teller
tabulation tellertabulation teller
tabulation tellertabulation teller
registration registration tellerteller
registration registration tellerteller
registration registration tellerteller
Voter submits copy of encrypted choice and credential (plus proofs) to each ballot box
Clarkson: Civitas 21
Properties of Votes
Anonymous Credentials are anonymous Submitted over anonymous channel
Replicated Votes can be deleted only if all ballot boxes
collude
Non-malleableNo one can construct “related” votes Votes can’t be changed or spoiled
Clarkson: Civitas 22
Resisting Coercion
Voters substitute fake credentials To adversary, fake real Votes with fake credentials removed during
tabulation without revealing which are fake
For any behavior adversary demands…Voter complies, with fake credential
Voter needs untappable channel to a registration teller
Clarkson: Civitas 23
Voting
voterclient
ballot boxballot boxballot box
bulletinbulletinboardboard
tabulation tellertabulation teller
tabulation tellertabulation teller
tabulation tellertabulation teller
registration registration tellerteller
registration registration tellerteller
registration registration tellerteller
JCJ: no ballot boxesCivitas: distributed storage Votes highly available
Clarkson: Civitas 24
Tabulation
bulletinboard
tabulation teller
tabulation teller
tabulation teller
votervoterclientclient
registration registration tellerteller
registration registration tellerteller
registration registration tellerteller
ballot boxballot boxballot box
Tellers retrieve votes from ballot boxes
Clarkson: Civitas 25
Tabulation
bulletinboard
tabulation teller
tabulation teller
tabulation teller
votervoterclientclient
registration registration tellerteller
registration registration tellerteller
registration registration tellerteller
ballot boxballot boxballot boxballot boxballot boxballot box
Tabulation tellers anonymize votes with mix network [Chaum 1981]
Clarkson: Civitas 27
Tabulation
bulletinboard
tabulation teller
tabulation teller
tabulation teller
votervoterclientclient
registration registration tellerteller
registration registration tellerteller
registration registration tellerteller
ballot boxballot boxballot boxballot boxballot boxballot box
Tellers eliminate unauthorized credentials;decrypt remaining choices;
post proofs
Clarkson: Civitas 28
Properties of Tabulation
VerifiableTellers post zero-knowledge proofs during
tabulation
Coercion-resistantNo credentials (valid or fake) ever
revealedVoters can undetectably fake
credentials
Clarkson: Civitas 29
Tabulation
bulletinboard
tabulation teller
tabulation teller
tabulation teller
votervoterclientclient
registration registration tellerteller
registration registration tellerteller
registration registration tellerteller
ballot boxballot boxballot boxballot boxballot boxballot box
JCJ: O(V2) Civitas: O(B2), B ¿ V Improved scalability
Clarkson: Civitas 30
Blocks
Block is a “virtual precinct” Each voter assigned to one block Each block tallied independently of other blocks,
even in parallel
Tabulation time is: Quadratic in block size Linear in number of voters
If using one set of machines for many blocks Or, constant in number of voters
If using one set of machines per block
Clarkson: Civitas 31
Civitas Architecture
bulletinboard
voterclient
tabulation teller
tabulation teller
tabulation teller
registration teller
registration teller
registration teller
ballot boxballot boxballot box
Clarkson: Civitas 32
Cryptographic Protocols
Leverage the literature: El Gamal; distributed [Brandt]; non-malleable [Schnorr and
Jakobsson] Proof of knowledge of discrete log [Schnorr] Proof of equality of discrete logarithms [Chaum & Pederson] Authentication and key establishment [Needham-Schroeder-
Lowe] Designated-verifier reencryption proof [Hirt & Sako] 1-out-of-L reencryption proof [Hirt & Sako] Signature of knowledge of discrete logarithms [Camenisch &
Stadler] Reencryption mix network with randomized partial checking
[Jakobsson, Juels & Rivest] Plaintext equivalence test [Jakobsson & Juels]
Clarkson: Civitas 33
Civitas Security Assurance
Design JCJ proof of coercion resistance and
verifiability We extended proof
Backes et al. (CSF 2008) verification with ProVerif
Working to verify Civitas
Implementation…leverages language-based security
Clarkson: Civitas 34
Secure Implementation
In Jif [Myers 1999, Chong and Myers 2005, 2008]Security-typed languageTypes contain information-flow policies
Confidentiality, integrity, declassification, erasure
If policies in code express correct requirements…(And Jif compiler is correct…)Then code is secure w.r.t. requirements
Clarkson: Civitas 35
Civitas Policy Examples
Confidentiality: Information: Voter’s credential share Policy: “RT permits only this voter to learn this information” Jif syntax: RT Voter
Confidentiality: Information: Teller’s private key Policy: “TT permits no one else to learn this information” Jif syntax: TT TT
Integrity: Information: Random nonces used by tellers Policy: “TT permits only itself to influence this information” Jif syntax: TT TT
Clarkson: Civitas 36
Civitas Policy Examples
Declassification: Information: Bits that are committed to then revealed Policy: “TT permits no one to read this information
until all commitments become available, then TT declassifies it to allow everyone to read.”
Jif syntax: TT [TT commAvail ]
Erasure: Information: Voter’s credential shares Policy: “Voter requires, after all shares are received
and full credential is constructed, that shares must be erased.”
Jif syntax: Voter [Voter credConst T ]
Clarkson: Civitas 37
Civitas LOC
Component Approx. LOC
Tabulation teller 5,700
Registration teller 1,300
Bulletin board, ballot box
900
Voter client 800
Other (incl. common code)
4,700
Total Jif LOC 13,400
Low-level crypto and I/O
(Java and C)
8,000
Total LOC 21,400
Policy Distinct annotati
ons
Confidentiality
20
Integrity 26
Clarkson: Civitas 38
Real-World Cost
Tradeoff: cost of election vs. security, usability, …
Current total costs are $1-$3 / voter [International Foundation for Election Systems]
We don’t know the total cost for Civitas…Computational cost of advanced
cryptography?
Clarkson: Civitas 39
Tabulation Time vs. Anonymity
K = # voters, # tab. tellers = 4, security strength ≥ 112 bits [NIST 2011–2030],
3GHz Xeons
Clarkson: Civitas 41
CPU Cost for Tabulation
CPU time is 39 sec / voter / authority If CPUs are bought, used (for 5 hours),
then thrown away:$1500 / machine = $12 / voter
If CPUs are rented:$1 / CPU / hr = 4¢ / voter
…for this extra cost, we get increased security
Clarkson: Civitas 42
Voters submit ordering of candidates:
Examples: Condorcet, STV/IRV, Borda, …
Ranked Voting Methods
Vanilla 4
Chocolate 1
Strawberry 3
Cookie dough 2
Mint chocolate chip
5
Clarkson: Civitas 43
Ranked Voting Methods
Low-order rankings create a covert channel
Coercion intrinsically possible
Vanilla X
Chocolate X
Strawberry X
Cookie dough X
Mint chocolate chip
1
4! completions
Clarkson: Civitas 44
Civitas Voting Methods
Civitas implements coercion-resistant:CondorcetApprovalPlurality
Intuition: decompose ballot
Clarkson: Civitas 45
Summary
Civitas is a remote voting system
Civitas contributes to: Protocols (theory of voting):
Distributed trust in registration for confidentiality Distributed vote storage for availability Introduced blocks (virtual precincts) for scalability Articulated and analyzed trust assumptions Efficient coercion-resistant Condorcet voting
Systems (practice of voting): Developed full, concrete protocols Implemented system Studied performance
Clarkson: Civitas 46
Related Work
Abstract voting schemes:[Baudron et al.; Benaloh; Benaloh and Tuinstra; Boyd; Chaum; Chaum, Ryan, and Schneider Chen and Burminster; Cohen and Fischer; Cramer, Gennaro, and Schoenmakers; Fujioka, Okamoto, and Ohta; Hirt and Sako; Iversen; Kiayias and Yung; Magkos et al.; Merrit; Neff; Niemi and Renvall; Sako and Killian; Ohkubo et al.; Ohta; Okamoto; Park et al.; Rivest]
… Implemented voting systems:
Adder [Kiayias, Korman, Walluck] ElectMe [Shubina and Smith] EVOX [Herschberg, DuRette] Helios [Adida, Rivest] Prêt à Voter [Schneider, Heather, et al.; Ryan; Chaum] Punchscan [Stanton, Essex, Popoveniuc, et al.; Chaum] REVS [Joaquim, Zúquette, Ferreira; Lebre] Sensus [Cranor and Cytron] VoteHere [Neff] W-Voting [Kutyłowski, Zagórski, et al.] Civitas: Strongest coercion resistance, first to offer
security proofs or information-flow analysis
Clarkson: Civitas 47
Web Site
http://www.cs.cornell.edu/projects/civitas
Technical report with concrete protocols
Source code of our prototype
Top Related