Your SlideShare is downloading. ×
  • Like
Efficient Receipt-Free Ballot Casting Resistant to Covert Channels
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Efficient Receipt-Free Ballot Casting Resistant to Covert Channels

  • 1,283 views
Published

EVT/WOTE 2009 Presentation

EVT/WOTE 2009 Presentation

Published in Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
  • thanq its very good together with helpful to me in thinking about development comes and think of that.... very nice function.... tanq for this.....
    Sharika
    http://winkhealth.com http://financewink.com
    Are you sure you want to
    Your message goes here
    Be the first to like this
No Downloads

Views

Total Views
1,283
On SlideShare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
6
Comments
1
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff EVT / WOTE August 11th, 2009 Montreal, Canada
  • 2. Andy uses a voting machine to prepare a ballot. Andy wants to verify that the machine properly encrypted the ballot. 2
  • 3. Neff ’s MarkPledge and Moran-Naor. Two Problems. 1) 2 ciphertexts per challenge bit (40-50) 2) machine can use ballot to leak plaintext. 3
  • 4. MarkPledge2 efficient ballot encoding: 2 ciphertexts for any challenge length covert-channel resistance: no leakage via the ballot. voting machine is significantly simplified. ➡ simpler voting machine = less chance of errors. 4
  • 5. Voter Experience 5
  • 6. Voter Experience Voter Check-in Andy _________ Ben _________ 5
  • 7. Voter Experience Voter Check-in Andy VHTI _________ Ben _________ 5
  • 8. Voter Experience Voter Check-in Andy VHTI _________ Ben _________ Hillary Barack John Bill 5
  • 9. Voter Experience Voter Check-in Andy VHTI _________ Ben _________ Hillary Barack John Bill 5
  • 10. Voter Experience Voter Check-in Andy VHTI _________ Ben _________ Hillary Barack Barack John 8DX5 Bill 5
  • 11. Voter Experience Voter Check-in Andy VHTI _________ Ben _________ Hillary Barack Barack Challenge? John 8DX5 Bill 5
  • 12. Voter Experience Voter Check-in Andy VHTI _________ Ben _________ Hillary Barack Barack Challenge? John 8DX5 VHTI Bill 5
  • 13. Voter Experience Voter Receipt Check-in Hillary MCN3 Andy VHTI _________ Barack 8DX5 Ben _________ John I341 Bill LQ21 Challenge Hillary VHTI Barack Barack Challenge? John 8DX5 VHTI Bill 5
  • 14. Voter Experience Voter Receipt Check-in Hillary MCN3 Andy VHTI _________ Barack 8DX5 Ben _________ John I341 Bill LQ21 Challenge Hillary VHTI Barack Barack Challenge? John 8DX5 VHTI Bill 5
  • 15. Voter Experience Voter Receipt Check-in Hillary MCN3 Andy VHTI _________ Barack 8DX5 Ben _________ John I341 Bill LQ21 Challenge Hillary VHTI Barack Barack Challenge? John 8DX5 VHTI Bill 5
  • 16. Special Bit Encryption Hillary 0 Barack 1 Encrypt a 0 or 1 John for each candidate 0 Bill 0 Special proof protocol ➡ for bit b=1 ➡ meaningful short strings as part of the commitment ➡ short challenge strings for real and simulated proofs 6
  • 17. Special Bit Encryption Hillary 0 Barack 1 Encrypt a 0 or 1 John for each candidate 0 Bill 0 Special proof protocol ➡ for bit b=1 ➡ meaningful short strings <ciphertexts>, "8DX5" as part of the commitment ➡ short challenge strings for real and simulated proofs 6
  • 18. Special Bit Encryption Hillary 0 Barack 1 Encrypt a 0 or 1 John for each candidate 0 Bill 0 Special proof protocol ➡ for bit b=1 ➡ meaningful short strings <ciphertexts>, "8DX5" as part of the commitment "VHTI" ➡ short challenge strings for real and simulated proofs 6
  • 19. Special Bit Encryption Hillary 0 Barack 1 Encrypt a 0 or 1 John for each candidate 0 Bill 0 Special proof protocol ➡ for bit b=1 ➡ meaningful short strings <ciphertexts>, "8DX5" as part of the commitment "VHTI" ➡ short challenge strings for real and simulated proofs reveal enc factors 6
  • 20. Voter Experience (II) Hillary 0 Barack 1 John 0 Bill 0 7
  • 21. Voter Experience (II) <ciphertexts>, !!!!!!!!!! Hillary 0 <ciphertexts>, "8DX5" Barack 1 <ciphertexts>, !!!!!!!!!! John 0 <ciphertexts>, !!!!!!!!!! Bill 0 7
  • 22. Voter Experience (II) <ciphertexts>, !!!!!!!!!! Hillary "VHTI" 0 <ciphertexts>, "8DX5" Barack 1 "VHTI" <ciphertexts>, !!!!!!!!!! John 0 "VHTI" <ciphertexts>, !!!!!!!!!! Bill 0 "VHTI" 7
  • 23. Voter Experience (II) <ciphertexts>, "MCN3" Hillary "VHTI" 0 <ciphertexts>, "8DX5" Barack 1 "VHTI" <ciphertexts>, "I341" John 0 "VHTI" <ciphertexts>, "LQ21" Bill 0 "VHTI" 7
  • 24. Voter Experience (II) <ciphertexts>, "MCN3" Hillary "VHTI" 0 reveal enc factors <ciphertexts>, "8DX5" Barack 1 "VHTI" reveal enc factors <ciphertexts>, "I341" John 0 "VHTI" reveal enc factors <ciphertexts>, "LQ21" Bill 0 "VHTI" reveal enc factors 7
  • 25. Voter Experience (II) <ciphertexts>, "MCN3" Hillary "VHTI" MCN3 0 reveal enc factors <ciphertexts>, "8DX5" Barack 1 "VHTI" reveal enc factors 8DX5 <ciphertexts>, "I341" John 0 "VHTI" reveal enc factors I341 <ciphertexts>, "LQ21" Bill 0 "VHTI" reveal enc factors LQ21 7
  • 26. MarkPledge & Moran-Naor BitEnc(1) 0 0 1 1 ... 0 0 Pledge 0 1 ... 0 Challenge 1 1 ... 0 Reveal 0 0 1 1 ... 0 0 unique BitEnc(0) 1 0 0 1 ... 0 1 that fits the challenge 8
  • 27. Markpledge 2 different bit encryption (α, β) ∈ Zq , 2 with α + β = 1 2 2 ➡ isomorphic to SO(2, q) ➡ operation is rotation (matrix mult.) Designate 1-, 0-, and T-vectors ➡ any pair of a 1-vector and 0-vector bisected by a test vector ➡ dot-product with test vector. 9
  • 28. Same pattern emerges MarkPledge MarkPledge2 BitEnc(1) 0 0 1 1 ... 0 0 xi yi Pledge 0 1 ... 0 i Challenge 1 1 ... 0 xC,yC Reveal 0 0 1 1 ... 0 0 xCxi + yCyi m0,i chal unique xi,yi BitEnc(0) 1 0 0 1 ... 0 1 that fits the challenge 10
  • 29. Covert Channel Raised by Karloff, Sastry & Wagner If the voting machine chooses the random factor, it can embed info Can we make the voting machine fully deterministic given a voter ID and a selection in a given race? 11
  • 30. Covert Channel Ballot #42 1 0 0 0 0 2, r'1 Trustee #1 0 0 1 0 0 Ballot #42 7 = 2 mod 5 1, r'2 Trustee #2 0 0 0 1 0 r'1 + r'2 + r'3 Voting Machine 4, r'3 Trustee #3 0 0 1 0 0 Bulletin Board Ballot #42 0 0 1 0 0 Pre-generate ciphertexts with trustees Rotate them on voter selection 12
  • 31. Why is this receipt-free? What can the coercer ask the voter to do that affects the ballot / receipt? Only the challenge, which is selected before the voter enters the booth. All proofs will look the same, whether real or simulated. 13
  • 32. Questions? 14