Cryptographic Voting Protocols: A Systems Perspective
By Chris Karlof, Naveen Sastry, and David Wagner
University of California, Berkeley
Proceedings of the 14th Usenix Security Symposium held in Baltimore on July 31st-August
5th, 2005
Presenter: Rick Carback
11-16-05
Overview
  Selection Criteria
  Motivation
  Results
  New and Significant
  Goals of Secure Voting Systems
  Neff’s Protocol
  Attacks and Mitigations
    Subliminal Channels
    Human Unreliability
    Denial of Service
  Secure Voting Protocol Implementation
  Future Work
  Conclusions
Paper Selection Criteria
  Chris Karlof and Naveen Sastry are both 5th year graduate students.
  David Wagner
    DIMACS Special Focus on Security Organizing committee member
    ACM CCS 2004 Program committee member
    USENIX Security 2006 Program committee member
    IEEE Security & Privacy 2006 Program committee member
Motivation
  Chose protocols by Neff and Chaum because they are revolutionary
  Viewed Neff and Chaum protocols as part of a complete voting system
  What are the weaknesses of these schemes in complete systems if implemented?
  Can these ideas work in the real world?
Results
New and Significant
  Enumerates E-Voting goals
  Analysis of Cryptographic Protocols in the larger systems context
  Exposes weaknesses in implementation of cryptographic protocols
  Provides countermeasures for these weaknesses
  Identified new challenges and open problems in electronic voting systems.
Goals of Secure Voting Systems
  Cast-as-Intended
  Counted-as-Cast
  Verifiability
  One voter, One vote
  Coercion Resistance
  Privacy
Neff’s Scheme
  Distributed Key Generation Protocol (Similar to Chaum's Scheme)
  DRE constructs a VC, a matrix of BMPs.
  Each row represents one candidate.
  BMPs are all (0, 0) or (1, 1) for the chosen candidate and (0, 1) or (1, 0) for the others.
Neff’s Scheme (cont.)
  DRE picks a pledge bit for each BMP of the chosen candidate; the voter can verify by picking a side for each one.
  OVC is created with this information.
  Voter checks that the challenge is correct on the bulletin board.
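
The pledge-and-challenge check on the two slides above, as an added example in a plaintext toy model (not code from the paper or from VoteHere). Encryption is omitted, BMPs are plain bit pairs, and all function names are hypothetical. It computes exactly how often the voter's check passes for a correctly formed row, for a row that is not the chosen one, and for the case where the pledge is made only after the challenge is known.

```python
import itertools
import random

def build_row(l, chosen, rng):
    """One candidate's row: l BMPs, equal halves if chosen, unequal otherwise."""
    row = []
    for _ in range(l):
        b = rng.randrange(2)
        row.append((b, b) if chosen else (b, 1 - b))
    return row

def build_vc(n_candidates, choice, l, rng):
    """The VC: a matrix of BMPs, one row per candidate."""
    return [build_row(l, cand == choice, rng) for cand in range(n_candidates)]

def tally_choice(vc):
    """Decode a VC: the chosen row is the one whose BMPs all have equal halves."""
    chosen = [i for i, row in enumerate(vc) if all(a == b for a, b in row)]
    return chosen[0] if len(chosen) == 1 else None  # None: malformed ballot

def voter_accepts(row, pledges, challenges):
    """Voter's check: the opened side of every BMP must equal its pledge bit."""
    return all(bmp[c] == p for bmp, p, c in zip(row, pledges, challenges))

def acceptance_probability(row, pledge_first=True):
    """Exact fraction of challenge vectors for which the voter's check passes."""
    l = len(row)
    passed = 0
    for challenges in itertools.product((0, 1), repeat=l):
        if pledge_first:
            # Pledges are fixed before the voter picks sides. For an unequal
            # BMP any pledge matches exactly one side, so left bits are as
            # good a guess as any.
            pledges = [bmp[0] for bmp in row]
        else:
            # Pledges chosen after the challenge is known: always consistent.
            pledges = [bmp[c] for bmp, c in zip(row, challenges)]
        passed += voter_accepts(row, pledges, challenges)
    return passed / 2 ** l

if __name__ == "__main__":
    vc = build_vc(3, choice=1, l=8, rng=random.Random(7))  # constructed ballot
    print("ballot decodes to candidate", tally_choice(vc))
    print("chosen row accepted:       ", acceptance_probability(vc[1]))
    print("wrong row, pledge first:   ", acceptance_probability(vc[0]))
    print("wrong row, pledge last:    ", acceptance_probability(vc[0], False))
```

With l BMPs per row, a row that does not encode the displayed candidate passes with probability 2^-l only as long as the pledge comes before the challenge.
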
Vote Here Receipts
Vote Here Bulletin Board
Subliminal channels
  Arises when DRE is free to choose the random values that are used.
  All randomized encryption schemes can contain subliminal channels. (Goldwasser, 1984)
  Through special selection of a random number r, the DRE can encode sizeof(r) bits.
  Can hide a bit by repeatedly choosing a random number until you get what you want.
  Expected work is O(2^x) to encrypt x bits.
Random Subliminal Channel Attack
  Neff's scheme makes extensive use of randomness.
  Each BMP has one side opened, revealing the random parameter used in that side of the pair.
  If the DRE chooses the same random parameter for both sides, it will always be revealed in the ballot.
  The random parameter is guaranteed to be revealed, allowing a number of bits equal to the size of the parameter to be sent subliminally for each BMP.
Avoiding Random Subliminal Attacks
  Change protocol so that it does not require randomness
    Very tricky
  Random tapes
  Trusted Hardware
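
Why a free choice of r matters and what a random tape buys the auditor, as an added example (not code from the paper). Assumptions: textbook ElGamal over a toy 127-bit modulus, a constructed key, a hash of the ciphertext as the covert reader, and a simplified tape model in which commitments g^t are published before the election. All names are hypothetical.

```python
import hashlib
import random

P = 2**127 - 1             # toy modulus (a Mersenne prime), far too small for real use
G = 3
SK = 0x1234567890ABCDEF    # constructed election secret key
PK = pow(G, SK, P)

def encrypt(m, r):
    """Textbook ElGamal: the ciphertext depends on the vote m and on r."""
    return (pow(G, r, P), (m * pow(PK, r, P)) % P)

def decrypt(ct):
    """c2 * c1^(-SK); the exponent P-1-SK inverts c1^SK modulo the prime P."""
    return (ct[1] * pow(ct[0], P - 1 - SK, P)) % P

def covert_bits(ct, x):
    """What anyone reading the bulletin board can compute (x <= 8)."""
    digest = hashlib.sha256(repr(ct).encode()).digest()
    return digest[-1] & ((1 << x) - 1)

def grinding_dre(m, leak, x, rng):
    """DRE free to pick r: retry until the posted ciphertext encodes `leak`.
    Each try succeeds with probability 2^-x, so expected work is 2^x."""
    tries = 0
    while True:
        tries += 1
        ct = encrypt(m, rng.randrange(2, P - 1))
        if covert_bits(ct, x) == leak:
            return ct, tries

def make_tape(n, rng):
    """Random tape fixed before the election, with public commitments g^t."""
    tape = [rng.randrange(2, P - 1) for _ in range(n)]
    return tape, [pow(G, t, P) for t in tape]

def audit(ct, commitment):
    """c1 = g^r does not depend on the vote, so it must equal the commitment."""
    return ct[0] == commitment

if __name__ == "__main__":
    ct, tries = grinding_dre(2, 0b101, 3, random.Random(1))
    tape, commitments = make_tape(4, random.Random(2))
    honest = encrypt(2, tape[0])
    print("grinding tries:", tries, "leaked:", covert_bits(ct, 3))
    print("both decrypt to the same vote:", decrypt(ct) == decrypt(honest))
    print("audit honest:", audit(honest, commitments[0]))
    print("audit ground:", audit(ct, commitments[0]))
```

Both ciphertexts decrypt to the same vote; only the comparison against the committed tape value tells them apart.
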
Semantic Subliminal Channels
  Voters are unlikely to detect subtle changes (fonts, pixels, etc.)
  Can use simple policy, no computational complexity
  Apparent only after decryption, not on the bulletin board
Mitigating Semantic Channels
  Unambiguous formats for ballots and all ballots tested for conformance
  Bad ballots cannot be posted on the bulletin board
  But this may violate other policies!
Human Unreliability
  Protocol security hinges on DRE not knowing how the voter will make future decisions
  Interactions must happen in a particular order
  Voter may not notice deviations in protocol
  Voter must monitor DRE output
  Most people don’t care
  People often make mistakes
  How does a voter prove the machine is wrong?
Message Reordering
Message Reordering (cont.)
Message Reordering (cont.)
Human Unreliability (cont.)
  Discarded Receipts
  DRE Generates Invalid Signature
    Voter cannot prove if the receipt was forged
  Printing incorrect DRE Machine ID
  Ignoring voter input
    Valid receipt, but not what voter chose
Mitigating Human Unreliability
  Parallel Testing
  Voter Education
    It should not be so hard to use a voting machine
  Shredders for receipts
  Verify Signature at voting station
    Needs another set of trusted software/hardware
  Preprinted Machine IDs
Denial of Service
  Malicious DREs can delete, alter, or stuff ballots
    Detectable, but still effective
  Malicious Tallying/Bulletin Board software
    Could delete keys, ballots, etc.
    Could be selective
      Target polling stations favoring undesired candidate
DoS Mitigation Strategies
  Revote
    Costly
  Voter Verified Paper Audit Trail
    Not secure
Implementing Secure Voting Systems
  Bulletin Board
    Required Properties?
    What Architecture?
  BSN Assignment
  User Friendly Interfaces
  Tallying Software Specification
Future Work
  Cryptographic protocols that prevent subliminal channels
  Mix-net security models
    Definition for security in the voting setting
  Humans as protocol participants
    Can we educate without discouraging participation and hurting trust?
Conclusions
  Every attack discussed requires malicious software (DRE/bulletin board/tallying)
  Is this better than what we currently have?
  What about non-malicious problems?
    Connectivity?
    Hardware failure?
References
  Votehere.com
  “Cryptographic Voting Protocols: A Systems Perspective”, Chris Karlof, Naveen Sastry, David Wagner