Cryptographic Voting Protocols: A Systems Perspective

1. 0 0 1 1 0 0 1 0 1 1 0 0 0 0 0 1 0 0 1 0 1 1 1 1 0 0 0 1 0 1 Chris Karlof Naveen Sastry David Wagner UC-Berkeley Cryptographic Voting Protocols: A Systems Perspective • Direct Recording Electronic voting machines (DREs) • Why use DREs? • Quick tallies • Accessibility • Flexibility • Disadvantages • Untrustworthy software • Lack of transparency • Security Goals • Current DREs  no guarantees • DREs w/ voter verified paper audit trail (VVPAT) • Cast-as-intended (in VVPAT record) • Counted-as-cast (for election officials) • DREs using cryptographic voting protocols • Two proposals by Andrews Neff and David Chaum • Verifiably cast-as-intended • Verifiably counted-as-cast (for everyone) • Our Contribution • A security analysis of Neff’s and Chaum’s crypto voting • protocols with attacks and countermeasures. An overview of cryptographic voting Andrew Neff’s scheme (simplified) An encrypted ballot representing a vote for Polk: • Three stages • Ballot preparation • Encrypted ballot • Receipt • Ballot tabulation • Encrypted ballots  bulletin board • Threshold decryption and tallying • Election verification • Voter uses her receipt to verify her • encrypted ballot on bulletin board, • but cannot prove how she voted to • anyone else. • Anyone can verify tallying is correct Vote on DRE w/ interactive crypto protocol Voter’s receipt Van Buren Polk Receipt validation Cass 1 Buchanan 0 Bulletin board b b = encryption of bit b = plaintext bit b Encrypted ballot • Chosen row contains pairs of (1,1) or (0,0) • Unchoice rows contain pairs of (1,0) or (0,1) • Chosen and unchoice rows are indistinguishable in encrypted ballot • Tally ballot by decrypting and looking for chosen row Threshold decryption and tallying • DRE and voter engage in interactive protocol to produce a receipt • Voter takes receipt home • With her receipt, a voter can verify her vote is accurately represented on the bulletin board • Receipts are vote-coercion resistant Receipt 0x91eed12311eb2b7 Conclusion:Crypto voting protocols are a promising direction with laudable goals of universal verifiability and no need to trust DRE software. However, we don’t believe they’re ready for deployment. We’ve identified some issues which need to be addressed and call for broader debate and analysis. Pledge Challenge 0111 RRLL 1000 LRRL 0100 LLRR 1011 LLRR • Weakness 1: Subliminal channels • Subliminal channels arise when there are multiple valid • representations of the voter’s choices. The choice of • representation can serve as a subliminal channel. • Causes of subliminal channels: randomness in ballots, • encryption, visual cryptography • Worst channel we found: 51 kbytes/ballot • Mitigation strategy: make ballot preparation deterministic • Weakness 2: Humans as crypto agents • Neff’s and Chaum’s protocols place voters as direct • participants in a cryptographic protocol. • Problems: • Crypto is subtle and minor deviations can affect security • Humans are stupid  may not notice a small change • We found attacks where if the DRE makes small changes to • the protocol, it can cheat undetectably. • Only point of detection is in the poll booth • No clear mitigation strategy: voter education, parallel auditing • and testing • Weakness 3: Denial of service attacks and election recovery • Neff’s and Chaum’s protocols only detect attacks. • A simple unrecoverable attack: • A trojan horse in every DRE nationwide • DREs selectively delete ballots + ballot stuffing • Selective DoS: DoS only if preferred candidate is losing • Need a flexible recover strategy • Undesirable to re-run the entire election • Use VVPAT in conjunction with crypto voting protocols Bulletin board Encrypted ballot 11:32am, Polk See our USENIX Security 2005 paper for more information.