efficient receipt free ballot casting resistant to covert
play

Efficient Receipt-Free Ballot Casting Resistant to Covert Channels - PowerPoint PPT Presentation

Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff EVT / WOTE August 11th, 2009 Montreal, Canada Andy uses a voting machine to prepare a ballot. Andy wants to verify that the machine properly


  1. Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff EVT / WOTE August 11th, 2009 Montreal, Canada

  2. Andy uses a voting machine to prepare a ballot. Andy wants to verify that the machine properly encrypted the ballot. 2

  3. Neff’s MarkPledge and Moran-Naor. Two Problems. 1) 2 ciphertexts per challenge bit (40-50) 2) machine can use ballot to leak plaintext. 3

  4. MarkPledge2 efficient ballot encoding: 2 ciphertexts for any challenge length covert-channel resistance: no leakage via the ballot. voting machine is significantly simplified. ➡ simpler voting machine = less chance of errors. 4

  5. Voter Experience 5

  6. Voter Experience Voter Check-in Andy _________ Ben _________ 5

  7. Voter Experience Voter Check-in VHTI Andy _________ Ben _________ 5

  8. Voter Experience Voter Check-in VHTI Andy _________ Ben _________ Hillary Barack John Bill 5

  9. Voter Experience Voter Check-in VHTI Andy _________ Ben _________ Hillary Barack John Bill 5

  10. Voter Experience Voter Check-in VHTI Andy _________ Ben _________ Hillary Barack Barack 8DX5 John Bill 5

  11. Voter Experience Voter Check-in VHTI Andy _________ Ben _________ Hillary Barack Challenge? Barack 8DX5 John Bill 5

  12. Voter Experience Voter Check-in VHTI Andy _________ Ben _________ Hillary Barack Challenge? Barack VHTI 8DX5 John Bill 5

  13. Voter Experience Voter Receipt Check-in Hillary MCN3 VHTI Andy _________ 8DX5 Barack Ben _________ I341 John LQ21 Bill Challenge VHTI Hillary Barack Challenge? Barack VHTI 8DX5 John Bill 5

  14. Voter Experience Voter Receipt Check-in Hillary MCN3 VHTI Andy _________ 8DX5 Barack Ben _________ I341 John LQ21 Bill Challenge VHTI Hillary Barack Challenge? Barack VHTI 8DX5 John Bill 5

  15. Voter Experience Voter Receipt Check-in Hillary MCN3 VHTI Andy _________ 8DX5 Barack Ben _________ I341 John LQ21 Bill Challenge VHTI Hillary Barack Challenge? Barack VHTI 8DX5 John Bill 5

  16. Special Bit Encryption Hillary 0 Encrypt a 0 or 1 Barack 1 for each candidate John 0 Special proof protocol Bill 0 ➡ for bit b=1 ➡ meaningful short strings as part of the commitment ➡ short challenge strings for real and simulated proofs 6

  17. Special Bit Encryption Hillary 0 Encrypt a 0 or 1 Barack 1 for each candidate John 0 Special proof protocol Bill 0 ➡ for bit b=1 ➡ meaningful short strings <ciphertexts>, "8DX5" as part of the commitment ➡ short challenge strings for real and simulated proofs 6

  18. Special Bit Encryption Hillary 0 Encrypt a 0 or 1 Barack 1 for each candidate John 0 Special proof protocol Bill 0 ➡ for bit b=1 ➡ meaningful short strings <ciphertexts>, "8DX5" as part of the commitment ➡ short challenge strings "VHTI" for real and simulated proofs 6

  19. Special Bit Encryption Hillary 0 Encrypt a 0 or 1 Barack 1 for each candidate John 0 Special proof protocol Bill 0 ➡ for bit b=1 ➡ meaningful short strings <ciphertexts>, "8DX5" as part of the commitment ➡ short challenge strings "VHTI" for real and simulated proofs reveal enc factors 6

  20. Voter Experience (II) Hillary 0 Barack 1 John 0 Bill 0 7

  21. Voter Experience (II) <ciphertexts>, ���������� Hillary 0 <ciphertexts>, "8DX5" Barack 1 <ciphertexts>, ���������� John 0 <ciphertexts>, ���������� Bill 0 7

  22. Voter Experience (II) <ciphertexts>, ���������� Hillary "VHTI" 0 <ciphertexts>, "8DX5" Barack "VHTI" 1 <ciphertexts>, ���������� John 0 "VHTI" <ciphertexts>, ���������� Bill "VHTI" 0 7

  23. Voter Experience (II) <ciphertexts>, "MCN3" Hillary "VHTI" 0 <ciphertexts>, "8DX5" Barack "VHTI" 1 <ciphertexts>, "I341" John 0 "VHTI" <ciphertexts>, "LQ21" Bill "VHTI" 0 7

  24. Voter Experience (II) <ciphertexts>, "MCN3" Hillary "VHTI" 0 reveal enc factors <ciphertexts>, "8DX5" Barack "VHTI" 1 reveal enc factors <ciphertexts>, "I341" John 0 "VHTI" reveal enc factors <ciphertexts>, "LQ21" Bill "VHTI" 0 reveal enc factors 7

  25. Voter Experience (II) <ciphertexts>, "MCN3" MCN3 Hillary "VHTI" 0 reveal enc factors <ciphertexts>, "8DX5" 8DX5 Barack "VHTI" 1 reveal enc factors <ciphertexts>, "I341" John I341 0 "VHTI" reveal enc factors <ciphertexts>, "LQ21" Bill "VHTI" 0 LQ21 reveal enc factors 7

  26. MarkPledge & Moran-Naor ... BitEnc(1) 0 0 1 1 0 0 ... Pledge 0 1 0 ... Challenge 1 1 0 ... Reveal 0 0 1 1 0 0 unique ... 1 0 0 1 0 1 BitEnc(0) that fits the challenge 8

  27. Markpledge 2 different bit encryption q , with α 2 + β 2 = 1 ( α , β ) ∈ Z 2 ➡ isomorphic to SO (2 , q ) ➡ operation is rotation (matrix mult.) Designate 1-, 0-, and T-vectors ➡ any pair of a 1-vector and 0-vector bisected by a test vector ➡ dot-product with test vector. 9

  28. Same pattern emerges MarkPledge MarkPledge2 ... BitEnc(1) x i y i 0 0 1 1 0 0 ... Pledge 0 1 0 i ... x C ,y C Challenge 1 1 0 ... x C x i + y C y i Reveal 0 0 1 1 0 0 m0,i chal unique xi,yi ... 1 0 0 1 0 1 BitEnc(0) that fits the challenge 10

  29. Covert Channel Raised by Karloff, Sastry & Wagner If the voting machine chooses the random factor, it can embed info Can we make the voting machine fully deterministic given a voter ID and a selection in a given race? 11

  30. Covert Channel Ballot #42 1 0 0 0 0 2, r' 1 Ballot #42 Trustee #1 0 0 1 0 0 7 = 2 mod 5 1, r' 2 r' 1 + r' 2 + r' 3 Trustee #2 0 0 0 1 0 Voting Machine 4, r' 3 Trustee #3 0 0 1 0 0 Bulletin Board Ballot #42 0 0 1 0 0 Pre-generate ciphertexts with trustees Rotate them on voter selection 12

  31. Why is this receipt-free? What can the coercer ask the voter to do that affects the ballot / receipt? Only the challenge, which is selected before the voter enters the booth. All proofs will look the same, whether real or simulated. 13

  32. Questions? 14

Recommend


More recommend