Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Efficient Receipt-Free
    Ballot Casting
 Resistant to Covert
      Channels
           Ben Adida
        C. Andrew Neff

...
Andy uses a voting machine
   to prepare a ballot.

 Andy wants to verify that
  the machine properly
  encrypted the ball...
Neff ’s MarkPledge
         and Moran-Naor.

           Two Problems.
1) 2 ciphertexts per challenge bit (40-50)
2) machin...
MarkPledge2
efficient ballot encoding:
2 ciphertexts for any challenge length
covert-channel resistance:
no leakage via the...
Voter Experience




       5
Voter Experience
    Voter
   Check-in

Andy   _________
Ben    _________




                   5
Voter Experience
    Voter
   Check-in

Andy     VHTI
       _________
Ben    _________




                   5
Voter Experience
     Voter
    Check-in

Andy         VHTI
           _________
Ben        _________




 Hillary

 Barac...
Voter Experience
     Voter
    Check-in

Andy         VHTI
           _________
Ben        _________




 Hillary

 Barac...
Voter Experience
     Voter
    Check-in

Andy         VHTI
           _________
Ben        _________




 Hillary

 Barac...
Voter Experience
     Voter
    Check-in

Andy         VHTI
           _________
Ben        _________




 Hillary

 Barac...
Voter Experience
     Voter
    Check-in

Andy         VHTI
           _________
Ben        _________




 Hillary

 Barac...
Voter Experience
     Voter                                         Receipt
    Check-in
                                 ...
Voter Experience
     Voter                                         Receipt
    Check-in
                                 ...
Voter Experience
     Voter                                         Receipt
    Check-in
                                 ...
Special Bit Encryption
 Hillary   0

 Barack    1
                   Encrypt a 0 or 1
 John
                   for each ca...
Special Bit Encryption
     Hillary     0

     Barack      1
                            Encrypt a 0 or 1
     John
     ...
Special Bit Encryption
     Hillary     0

     Barack      1
                            Encrypt a 0 or 1
     John
     ...
Special Bit Encryption
     Hillary     0

     Barack      1
                            Encrypt a 0 or 1
     John
     ...
Voter Experience (II)
Hillary      0

Barack       1

John         0

Bill         0

                 7
Voter Experience (II)
                     <ciphertexts>, !!!!!!!!!!


Hillary      0
                     <ciphertexts>, ...
Voter Experience (II)
                     <ciphertexts>, !!!!!!!!!!


Hillary
                              "VHTI"
      ...
Voter Experience (II)
                     <ciphertexts>, "MCN3"


Hillary
                            "VHTI"
            ...
Voter Experience (II)
                     <ciphertexts>, "MCN3"


Hillary
                            "VHTI"
            ...
Voter Experience (II)
                     <ciphertexts>, "MCN3"


Hillary
                            "VHTI"           MC...
MarkPledge & Moran-Naor
   BitEnc(1)         0 0 1 1   ...   0 0

       Pledge        0    1    ...   0

    Challenge   ...
Markpledge 2
  different bit encryption
  (α, β) ∈    Zq ,
               2
                     with α + β = 1
          ...
Same pattern emerges
                      MarkPledge         MarkPledge2

BitEnc(1)         0 0 1 1   ...    0 0     xi  ...
Covert Channel
Raised by Karloff, Sastry & Wagner
If the voting machine chooses the
random factor, it can embed info
Can w...
Covert Channel
                  Ballot #42

              1   0 0 0 0
                               2, r'1
 Trustee #1
 ...
Why is this receipt-free?

What can the coercer ask the voter
to do that affects the ballot / receipt?
Only the challenge,...
Questions?



14
Upcoming SlideShare
Loading in …5
×

Efficient Receipt-Free Ballot Casting Resistant to Covert Channels

2,282 views

Published on

EVT/WOTE 2009 Presentation

Published in: Technology, Business
  • thanq its very good together with helpful to me in thinking about development comes and think of that.... very nice function.... tanq for this.....
    Sharika
    http://winkhealth.com http://financewink.com
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

Efficient Receipt-Free Ballot Casting Resistant to Covert Channels

  1. 1. Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff EVT / WOTE August 11th, 2009 Montreal, Canada
  2. 2. Andy uses a voting machine to prepare a ballot. Andy wants to verify that the machine properly encrypted the ballot. 2
  3. 3. Neff ’s MarkPledge and Moran-Naor. Two Problems. 1) 2 ciphertexts per challenge bit (40-50) 2) machine can use ballot to leak plaintext. 3
  4. 4. MarkPledge2 efficient ballot encoding: 2 ciphertexts for any challenge length covert-channel resistance: no leakage via the ballot. voting machine is significantly simplified. ➡ simpler voting machine = less chance of errors. 4
  5. 5. Voter Experience 5
  6. 6. Voter Experience Voter Check-in Andy _________ Ben _________ 5
  7. 7. Voter Experience Voter Check-in Andy VHTI _________ Ben _________ 5
  8. 8. Voter Experience Voter Check-in Andy VHTI _________ Ben _________ Hillary Barack John Bill 5
  9. 9. Voter Experience Voter Check-in Andy VHTI _________ Ben _________ Hillary Barack John Bill 5
  10. 10. Voter Experience Voter Check-in Andy VHTI _________ Ben _________ Hillary Barack Barack John 8DX5 Bill 5
  11. 11. Voter Experience Voter Check-in Andy VHTI _________ Ben _________ Hillary Barack Barack Challenge? John 8DX5 Bill 5
  12. 12. Voter Experience Voter Check-in Andy VHTI _________ Ben _________ Hillary Barack Barack Challenge? John 8DX5 VHTI Bill 5
  13. 13. Voter Experience Voter Receipt Check-in Hillary MCN3 Andy VHTI _________ Barack 8DX5 Ben _________ John I341 Bill LQ21 Challenge Hillary VHTI Barack Barack Challenge? John 8DX5 VHTI Bill 5
  14. 14. Voter Experience Voter Receipt Check-in Hillary MCN3 Andy VHTI _________ Barack 8DX5 Ben _________ John I341 Bill LQ21 Challenge Hillary VHTI Barack Barack Challenge? John 8DX5 VHTI Bill 5
  15. 15. Voter Experience Voter Receipt Check-in Hillary MCN3 Andy VHTI _________ Barack 8DX5 Ben _________ John I341 Bill LQ21 Challenge Hillary VHTI Barack Barack Challenge? John 8DX5 VHTI Bill 5
  16. 16. Special Bit Encryption Hillary 0 Barack 1 Encrypt a 0 or 1 John for each candidate 0 Bill 0 Special proof protocol ➡ for bit b=1 ➡ meaningful short strings as part of the commitment ➡ short challenge strings for real and simulated proofs 6
  17. 17. Special Bit Encryption Hillary 0 Barack 1 Encrypt a 0 or 1 John for each candidate 0 Bill 0 Special proof protocol ➡ for bit b=1 ➡ meaningful short strings <ciphertexts>, "8DX5" as part of the commitment ➡ short challenge strings for real and simulated proofs 6
  18. 18. Special Bit Encryption Hillary 0 Barack 1 Encrypt a 0 or 1 John for each candidate 0 Bill 0 Special proof protocol ➡ for bit b=1 ➡ meaningful short strings <ciphertexts>, "8DX5" as part of the commitment "VHTI" ➡ short challenge strings for real and simulated proofs 6
  19. 19. Special Bit Encryption Hillary 0 Barack 1 Encrypt a 0 or 1 John for each candidate 0 Bill 0 Special proof protocol ➡ for bit b=1 ➡ meaningful short strings <ciphertexts>, "8DX5" as part of the commitment "VHTI" ➡ short challenge strings for real and simulated proofs reveal enc factors 6
  20. 20. Voter Experience (II) Hillary 0 Barack 1 John 0 Bill 0 7
  21. 21. Voter Experience (II) <ciphertexts>, !!!!!!!!!! Hillary 0 <ciphertexts>, "8DX5" Barack 1 <ciphertexts>, !!!!!!!!!! John 0 <ciphertexts>, !!!!!!!!!! Bill 0 7
  22. 22. Voter Experience (II) <ciphertexts>, !!!!!!!!!! Hillary "VHTI" 0 <ciphertexts>, "8DX5" Barack 1 "VHTI" <ciphertexts>, !!!!!!!!!! John 0 "VHTI" <ciphertexts>, !!!!!!!!!! Bill 0 "VHTI" 7
  23. 23. Voter Experience (II) <ciphertexts>, "MCN3" Hillary "VHTI" 0 <ciphertexts>, "8DX5" Barack 1 "VHTI" <ciphertexts>, "I341" John 0 "VHTI" <ciphertexts>, "LQ21" Bill 0 "VHTI" 7
  24. 24. Voter Experience (II) <ciphertexts>, "MCN3" Hillary "VHTI" 0 reveal enc factors <ciphertexts>, "8DX5" Barack 1 "VHTI" reveal enc factors <ciphertexts>, "I341" John 0 "VHTI" reveal enc factors <ciphertexts>, "LQ21" Bill 0 "VHTI" reveal enc factors 7
  25. 25. Voter Experience (II) <ciphertexts>, "MCN3" Hillary "VHTI" MCN3 0 reveal enc factors <ciphertexts>, "8DX5" Barack 1 "VHTI" reveal enc factors 8DX5 <ciphertexts>, "I341" John 0 "VHTI" reveal enc factors I341 <ciphertexts>, "LQ21" Bill 0 "VHTI" reveal enc factors LQ21 7
  26. 26. MarkPledge & Moran-Naor BitEnc(1) 0 0 1 1 ... 0 0 Pledge 0 1 ... 0 Challenge 1 1 ... 0 Reveal 0 0 1 1 ... 0 0 unique BitEnc(0) 1 0 0 1 ... 0 1 that fits the challenge 8
  27. 27. Markpledge 2 different bit encryption (α, β) ∈ Zq , 2 with α + β = 1 2 2 ➡ isomorphic to SO(2, q) ➡ operation is rotation (matrix mult.) Designate 1-, 0-, and T-vectors ➡ any pair of a 1-vector and 0-vector bisected by a test vector ➡ dot-product with test vector. 9
  28. 28. Same pattern emerges MarkPledge MarkPledge2 BitEnc(1) 0 0 1 1 ... 0 0 xi yi Pledge 0 1 ... 0 i Challenge 1 1 ... 0 xC,yC Reveal 0 0 1 1 ... 0 0 xCxi + yCyi m0,i chal unique xi,yi BitEnc(0) 1 0 0 1 ... 0 1 that fits the challenge 10
  29. 29. Covert Channel Raised by Karloff, Sastry & Wagner If the voting machine chooses the random factor, it can embed info Can we make the voting machine fully deterministic given a voter ID and a selection in a given race? 11
  30. 30. Covert Channel Ballot #42 1 0 0 0 0 2, r'1 Trustee #1 0 0 1 0 0 Ballot #42 7 = 2 mod 5 1, r'2 Trustee #2 0 0 0 1 0 r'1 + r'2 + r'3 Voting Machine 4, r'3 Trustee #3 0 0 1 0 0 Bulletin Board Ballot #42 0 0 1 0 0 Pre-generate ciphertexts with trustees Rotate them on voter selection 12
  31. 31. Why is this receipt-free? What can the coercer ask the voter to do that affects the ballot / receipt? Only the challenge, which is selected before the voter enters the booth. All proofs will look the same, whether real or simulated. 13
  32. 32. Questions? 14

×