SlideShare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.
SlideShare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.
Successfully reported this slideshow.
Activate your 14 day free trial to unlock unlimited reading.
Efficient Receipt-Free Ballot Casting Resistant to Covert Channels
Efficient Receipt-Free Ballot Casting Resistant to Covert Channels
1.
Efficient Receipt-Free
Ballot Casting
Resistant to Covert
Channels
Ben Adida
C. Andrew Neff
EVT / WOTE
August 11th, 2009
Montreal, Canada
2.
Andy uses a voting machine
to prepare a ballot.
Andy wants to verify that
the machine properly
encrypted the ballot.
2
3.
Neff ’s MarkPledge
and Moran-Naor.
Two Problems.
1) 2 ciphertexts per challenge bit (40-50)
2) machine can use ballot to leak plaintext.
3
4.
MarkPledge2
efficient ballot encoding:
2 ciphertexts for any challenge length
covert-channel resistance:
no leakage via the ballot.
voting machine is significantly simplified.
➡ simpler voting machine = less chance of errors.
4
6.
Voter Experience
Voter
Check-in
Andy _________
Ben _________
5
7.
Voter Experience
Voter
Check-in
Andy VHTI
_________
Ben _________
5
8.
Voter Experience
Voter
Check-in
Andy VHTI
_________
Ben _________
Hillary
Barack
John
Bill
5
9.
Voter Experience
Voter
Check-in
Andy VHTI
_________
Ben _________
Hillary
Barack
John
Bill
5
10.
Voter Experience
Voter
Check-in
Andy VHTI
_________
Ben _________
Hillary
Barack Barack
John 8DX5
Bill
5
11.
Voter Experience
Voter
Check-in
Andy VHTI
_________
Ben _________
Hillary
Barack Barack Challenge?
John 8DX5
Bill
5
12.
Voter Experience
Voter
Check-in
Andy VHTI
_________
Ben _________
Hillary
Barack Barack Challenge?
John 8DX5 VHTI
Bill
5
13.
Voter Experience
Voter Receipt
Check-in
Hillary MCN3
Andy VHTI
_________ Barack 8DX5
Ben _________ John I341
Bill LQ21
Challenge
Hillary VHTI
Barack Barack Challenge?
John 8DX5 VHTI
Bill
5
14.
Voter Experience
Voter Receipt
Check-in
Hillary MCN3
Andy VHTI
_________ Barack 8DX5
Ben _________ John I341
Bill LQ21
Challenge
Hillary VHTI
Barack Barack Challenge?
John 8DX5 VHTI
Bill
5
15.
Voter Experience
Voter Receipt
Check-in
Hillary MCN3
Andy VHTI
_________ Barack 8DX5
Ben _________ John I341
Bill LQ21
Challenge
Hillary VHTI
Barack Barack Challenge?
John 8DX5 VHTI
Bill
5
16.
Special Bit Encryption
Hillary 0
Barack 1
Encrypt a 0 or 1
John
for each candidate
0
Bill 0
Special proof protocol
➡ for bit b=1
➡ meaningful short strings
as part of the commitment
➡ short challenge strings
for real and simulated proofs
6
17.
Special Bit Encryption
Hillary 0
Barack 1
Encrypt a 0 or 1
John
for each candidate
0
Bill 0
Special proof protocol
➡ for bit b=1
➡ meaningful short strings
<ciphertexts>, "8DX5"
as part of the commitment
➡ short challenge strings
for real and simulated proofs
6
18.
Special Bit Encryption
Hillary 0
Barack 1
Encrypt a 0 or 1
John
for each candidate
0
Bill 0
Special proof protocol
➡ for bit b=1
➡ meaningful short strings
<ciphertexts>, "8DX5"
as part of the commitment
"VHTI" ➡ short challenge strings
for real and simulated proofs
6
19.
Special Bit Encryption
Hillary 0
Barack 1
Encrypt a 0 or 1
John
for each candidate
0
Bill 0
Special proof protocol
➡ for bit b=1
➡ meaningful short strings
<ciphertexts>, "8DX5"
as part of the commitment
"VHTI" ➡ short challenge strings
for real and simulated proofs
reveal enc factors
6
20.
Voter Experience (II)
Hillary 0
Barack 1
John 0
Bill 0
7
21.
Voter Experience (II)
<ciphertexts>, !!!!!!!!!!
Hillary 0
<ciphertexts>, "8DX5"
Barack 1
<ciphertexts>, !!!!!!!!!!
John 0
<ciphertexts>, !!!!!!!!!!
Bill 0
7
22.
Voter Experience (II)
<ciphertexts>, !!!!!!!!!!
Hillary
"VHTI"
0
<ciphertexts>, "8DX5"
Barack 1 "VHTI"
<ciphertexts>, !!!!!!!!!!
John 0 "VHTI"
<ciphertexts>, !!!!!!!!!!
Bill 0
"VHTI"
7
23.
Voter Experience (II)
<ciphertexts>, "MCN3"
Hillary
"VHTI"
0
<ciphertexts>, "8DX5"
Barack 1 "VHTI"
<ciphertexts>, "I341"
John 0 "VHTI"
<ciphertexts>, "LQ21"
Bill 0
"VHTI"
7
27.
Markpledge 2
different bit encryption
(α, β) ∈ Zq ,
2
with α + β = 1
2 2
➡ isomorphic to SO(2, q)
➡ operation is rotation (matrix mult.)
Designate 1-, 0-, and T-vectors
➡ any pair of a 1-vector and 0-vector
bisected by a test vector
➡ dot-product with test vector.
9
28.
Same pattern emerges
MarkPledge MarkPledge2
BitEnc(1) 0 0 1 1 ... 0 0 xi yi
Pledge 0 1 ... 0 i
Challenge 1 1 ... 0 xC,yC
Reveal 0 0 1 1 ... 0 0 xCxi + yCyi
m0,i
chal
unique
xi,yi
BitEnc(0) 1 0 0 1 ... 0 1
that fits the
challenge
10
29.
Covert Channel
Raised by Karloff, Sastry & Wagner
If the voting machine chooses the
random factor, it can embed info
Can we make the voting machine
fully deterministic given a voter ID
and a selection in a given race?
11
31.
Why is this receipt-free?
What can the coercer ask the voter
to do that affects the ballot / receipt?
Only the challenge, which is selected
before the voter enters the booth.
All proofs will look the same,
whether real or simulated.
13