Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff EVT / WOTE August 11th, 2009 Montreal, Canada
Andy uses a voting machine to prepare a ballot. Andy wants to verify that the machine properly encrypted the ballot. 2
Neff’s MarkPledge and Moran-Naor. Two Problems. 1) 2 ciphertexts per challenge bit (40-50) 2) machine can use ballot to leak plaintext. 3
MarkPledge2 efficient ballot encoding: 2 ciphertexts for any challenge length covert-channel resistance: no leakage via the ballot. voting machine is significantly simplified. ➡ simpler voting machine = less chance of errors. 4
Voter Experience 5
Voter Experience Voter Check-in Andy _________ Ben _________ 5
Voter Experience Voter Check-in VHTI Andy _________ Ben _________ 5
Voter Experience Voter Check-in VHTI Andy _________ Ben _________ Hillary Barack John Bill 5
Voter Experience Voter Check-in VHTI Andy _________ Ben _________ Hillary Barack John Bill 5
Voter Experience Voter Check-in VHTI Andy _________ Ben _________ Hillary Barack Barack 8DX5 John Bill 5
Voter Experience Voter Check-in VHTI Andy _________ Ben _________ Hillary Barack Challenge? Barack 8DX5 John Bill 5
Voter Experience Voter Check-in VHTI Andy _________ Ben _________ Hillary Barack Challenge? Barack VHTI 8DX5 John Bill 5
Voter Experience Voter Receipt Check-in Hillary MCN3 VHTI Andy _________ 8DX5 Barack Ben _________ I341 John LQ21 Bill Challenge VHTI Hillary Barack Challenge? Barack VHTI 8DX5 John Bill 5
Voter Experience Voter Receipt Check-in Hillary MCN3 VHTI Andy _________ 8DX5 Barack Ben _________ I341 John LQ21 Bill Challenge VHTI Hillary Barack Challenge? Barack VHTI 8DX5 John Bill 5
Voter Experience Voter Receipt Check-in Hillary MCN3 VHTI Andy _________ 8DX5 Barack Ben _________ I341 John LQ21 Bill Challenge VHTI Hillary Barack Challenge? Barack VHTI 8DX5 John Bill 5
Special Bit Encryption Hillary 0 Encrypt a 0 or 1 Barack 1 for each candidate John 0 Special proof protocol Bill 0 ➡ for bit b=1 ➡ meaningful short strings as part of the commitment ➡ short challenge strings for real and simulated proofs 6
Special Bit Encryption Hillary 0 Encrypt a 0 or 1 Barack 1 for each candidate John 0 Special proof protocol Bill 0 ➡ for bit b=1 ➡ meaningful short strings <ciphertexts>, "8DX5" as part of the commitment ➡ short challenge strings for real and simulated proofs 6
Special Bit Encryption Hillary 0 Encrypt a 0 or 1 Barack 1 for each candidate John 0 Special proof protocol Bill 0 ➡ for bit b=1 ➡ meaningful short strings <ciphertexts>, "8DX5" as part of the commitment ➡ short challenge strings "VHTI" for real and simulated proofs 6
Special Bit Encryption Hillary 0 Encrypt a 0 or 1 Barack 1 for each candidate John 0 Special proof protocol Bill 0 ➡ for bit b=1 ➡ meaningful short strings <ciphertexts>, "8DX5" as part of the commitment ➡ short challenge strings "VHTI" for real and simulated proofs reveal enc factors 6
Voter Experience (II) Hillary 0 Barack 1 John 0 Bill 0 7
Voter Experience (II) <ciphertexts>, ���������� Hillary 0 <ciphertexts>, "8DX5" Barack 1 <ciphertexts>, ���������� John 0 <ciphertexts>, ���������� Bill 0 7
Voter Experience (II) <ciphertexts>, ���������� Hillary "VHTI" 0 <ciphertexts>, "8DX5" Barack "VHTI" 1 <ciphertexts>, ���������� John 0 "VHTI" <ciphertexts>, ���������� Bill "VHTI" 0 7
Voter Experience (II) <ciphertexts>, "MCN3" Hillary "VHTI" 0 <ciphertexts>, "8DX5" Barack "VHTI" 1 <ciphertexts>, "I341" John 0 "VHTI" <ciphertexts>, "LQ21" Bill "VHTI" 0 7
Voter Experience (II) <ciphertexts>, "MCN3" Hillary "VHTI" 0 reveal enc factors <ciphertexts>, "8DX5" Barack "VHTI" 1 reveal enc factors <ciphertexts>, "I341" John 0 "VHTI" reveal enc factors <ciphertexts>, "LQ21" Bill "VHTI" 0 reveal enc factors 7
Voter Experience (II) <ciphertexts>, "MCN3" MCN3 Hillary "VHTI" 0 reveal enc factors <ciphertexts>, "8DX5" 8DX5 Barack "VHTI" 1 reveal enc factors <ciphertexts>, "I341" John I341 0 "VHTI" reveal enc factors <ciphertexts>, "LQ21" Bill "VHTI" 0 LQ21 reveal enc factors 7
MarkPledge & Moran-Naor ... BitEnc(1) 0 0 1 1 0 0 ... Pledge 0 1 0 ... Challenge 1 1 0 ... Reveal 0 0 1 1 0 0 unique ... 1 0 0 1 0 1 BitEnc(0) that fits the challenge 8
Markpledge 2 different bit encryption q , with α 2 + β 2 = 1 ( α , β ) ∈ Z 2 ➡ isomorphic to SO (2 , q ) ➡ operation is rotation (matrix mult.) Designate 1-, 0-, and T-vectors ➡ any pair of a 1-vector and 0-vector bisected by a test vector ➡ dot-product with test vector. 9
Same pattern emerges MarkPledge MarkPledge2 ... BitEnc(1) x i y i 0 0 1 1 0 0 ... Pledge 0 1 0 i ... x C ,y C Challenge 1 1 0 ... x C x i + y C y i Reveal 0 0 1 1 0 0 m0,i chal unique xi,yi ... 1 0 0 1 0 1 BitEnc(0) that fits the challenge 10
Covert Channel Raised by Karloff, Sastry & Wagner If the voting machine chooses the random factor, it can embed info Can we make the voting machine fully deterministic given a voter ID and a selection in a given race? 11
Covert Channel Ballot #42 1 0 0 0 0 2, r' 1 Ballot #42 Trustee #1 0 0 1 0 0 7 = 2 mod 5 1, r' 2 r' 1 + r' 2 + r' 3 Trustee #2 0 0 0 1 0 Voting Machine 4, r' 3 Trustee #3 0 0 1 0 0 Bulletin Board Ballot #42 0 0 1 0 0 Pre-generate ciphertexts with trustees Rotate them on voter selection 12
Why is this receipt-free? What can the coercer ask the voter to do that affects the ballot / receipt? Only the challenge, which is selected before the voter enters the booth. All proofs will look the same, whether real or simulated. 13
Questions? 14
Recommend
More recommend