efficient receipt-free ballot casting resistant to covert channels
DESCRIPTION
EVT/WOTE 2009 PresentationTRANSCRIPT
![Page 1: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/1.jpg)
Efficient Receipt-Free Ballot Casting
Resistant to Covert Channels
Ben AdidaC. Andrew Neff
EVT / WOTEAugust 11th, 2009Montreal, Canada
![Page 2: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/2.jpg)
Andy uses a voting machine to prepare a ballot.
Andy wants to verify thatthe machine properly encrypted the ballot.
2
![Page 3: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/3.jpg)
Neff ’s MarkPledgeand Moran-Naor.
Two Problems.1) 2 ciphertexts per challenge bit (40-50)2) machine can use ballot to leak plaintext.
3
![Page 4: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/4.jpg)
MarkPledge2
efficient ballot encoding:2 ciphertexts for any challenge length
covert-channel resistance:no leakage via the ballot.
voting machine is significantly simplified.➡ simpler voting machine = less chance of errors.
4
![Page 5: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/5.jpg)
Voter Experience
5
![Page 6: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/6.jpg)
Voter Experience
5
Voter
Check-in
Andy _________
Ben _________
![Page 7: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/7.jpg)
Voter Experience
5
Voter
Check-in
Andy _________
Ben _________
VHTI
![Page 8: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/8.jpg)
Voter Experience
5
Hillary Barack
John
Bill
Voter
Check-in
Andy _________
Ben _________
VHTI
![Page 9: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/9.jpg)
Voter Experience
5
Hillary Barack
John
Bill
Voter
Check-in
Andy _________
Ben _________
VHTI
![Page 10: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/10.jpg)
Voter Experience
5
Hillary Barack
John
Bill
Barack
8DX5
Voter
Check-in
Andy _________
Ben _________
VHTI
![Page 11: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/11.jpg)
Challenge?
Voter Experience
5
Hillary Barack
John
Bill
Barack
8DX5
Voter
Check-in
Andy _________
Ben _________
VHTI
![Page 12: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/12.jpg)
Challenge?
Voter Experience
5
Hillary Barack
John
Bill
Barack
8DX5 VHTI
Voter
Check-in
Andy _________
Ben _________
VHTI
![Page 13: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/13.jpg)
Challenge?
Voter Experience
5
Hillary Barack
John
Bill
Barack
8DX5
Receipt
Hillary
Barack
John
Bill
MCN3
8DX5
I341
LQ21
Challenge
VHTI
VHTI
Voter
Check-in
Andy _________
Ben _________
VHTI
![Page 14: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/14.jpg)
Challenge?
Voter Experience
5
Hillary Barack
John
Bill
Barack
8DX5
Receipt
Hillary
Barack
John
Bill
MCN3
8DX5
I341
LQ21
Challenge
VHTI
VHTI
Voter
Check-in
Andy _________
Ben _________
VHTI
![Page 15: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/15.jpg)
Challenge?
Voter Experience
5
Hillary Barack
John
Bill
Barack
8DX5
Receipt
Hillary
Barack
John
Bill
MCN3
8DX5
I341
LQ21
Challenge
VHTI
VHTI
Voter
Check-in
Andy _________
Ben _________
VHTI
![Page 16: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/16.jpg)
Special Bit Encryption
6
Hillary Barack
John
Bill
1
0
0
0
Encrypt a 0 or 1for each candidate
Special proof protocol➡ for bit b=1➡ meaningful short strings
as part of the commitment ➡ short challenge strings
for real and simulated proofs
![Page 17: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/17.jpg)
Special Bit Encryption
6
Hillary Barack
John
Bill
1
0
0
0
Encrypt a 0 or 1for each candidate
Special proof protocol➡ for bit b=1➡ meaningful short strings
as part of the commitment ➡ short challenge strings
for real and simulated proofs
<ciphertexts>, "8DX5"
![Page 18: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/18.jpg)
Special Bit Encryption
6
Hillary Barack
John
Bill
1
0
0
0
Encrypt a 0 or 1for each candidate
Special proof protocol➡ for bit b=1➡ meaningful short strings
as part of the commitment ➡ short challenge strings
for real and simulated proofs
<ciphertexts>, "8DX5"
"VHTI"
![Page 19: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/19.jpg)
Special Bit Encryption
6
Hillary Barack
John
Bill
1
0
0
0
Encrypt a 0 or 1for each candidate
Special proof protocol➡ for bit b=1➡ meaningful short strings
as part of the commitment ➡ short challenge strings
for real and simulated proofs
<ciphertexts>, "8DX5"
"VHTI"
reveal enc factors
![Page 20: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/20.jpg)
Voter Experience (II)
7
Hillary Barack
John
Bill
1
0
0
0
![Page 21: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/21.jpg)
Voter Experience (II)
7
Hillary Barack
John
Bill
1
0
0
0
<ciphertexts>, "8DX5"
<ciphertexts>, !!!!!!!!!!
<ciphertexts>, !!!!!!!!!!
<ciphertexts>, !!!!!!!!!!
![Page 22: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/22.jpg)
Voter Experience (II)
7
Hillary Barack
John
Bill
1
0
0
0
"VHTI"
"VHTI"
"VHTI"
"VHTI"
<ciphertexts>, "8DX5"
<ciphertexts>, !!!!!!!!!!
<ciphertexts>, !!!!!!!!!!
<ciphertexts>, !!!!!!!!!!
![Page 23: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/23.jpg)
<ciphertexts>, "MCN3"
<ciphertexts>, "I341"
<ciphertexts>, "LQ21"
Voter Experience (II)
7
Hillary Barack
John
Bill
1
0
0
0
"VHTI"
"VHTI"
"VHTI"
"VHTI"
<ciphertexts>, "8DX5"
![Page 24: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/24.jpg)
<ciphertexts>, "MCN3"
<ciphertexts>, "I341"
<ciphertexts>, "LQ21"
Voter Experience (II)
7
Hillary Barack
John
Bill
1
0
0
0
"VHTI"
"VHTI"
"VHTI"
"VHTI"
reveal enc factors
reveal enc factors
reveal enc factors
reveal enc factors
<ciphertexts>, "8DX5"
![Page 25: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/25.jpg)
<ciphertexts>, "MCN3"
<ciphertexts>, "I341"
<ciphertexts>, "LQ21"
Voter Experience (II)
7
Hillary Barack
John
Bill
1
0
0
0
"VHTI"
"VHTI"
"VHTI"
"VHTI"
reveal enc factors
reveal enc factors
reveal enc factors
reveal enc factors
MCN3
8DX5
I341
LQ21
<ciphertexts>, "8DX5"
![Page 26: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/26.jpg)
MarkPledge & Moran-Naor
8
BitEnc(1) 0 0 1 1 0 0...
Pledge 0 1 0...
unique
BitEnc(0)that fits the
challenge
11 0 0 1 0...
Challenge 1 1 0...
00 0 1 1 0...Reveal
![Page 27: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/27.jpg)
Markpledge 2
9
different bit encryption
➡ isomorphic to ➡ operation is rotation (matrix mult.)
Designate 1-, 0-, and T-vectors➡ any pair of a 1-vector and 0-vector
bisected by a test vector➡ dot-product with test vector.
SO(2, q)
(!,") ! Z2q , with !2 + "2 = 1
![Page 28: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/28.jpg)
Same pattern emerges
10
BitEnc(1) 0 0 1 1 0 0...
Pledge 0 1 0...
unique
BitEnc(0)that fits the
challenge
11 0 0 1 0...
Challenge 1 1 0...
00 0 1 1 0...Reveal
xi yi
i
xC,yC
xCxi + yCyi
xi,yi
chalm0,i
MarkPledge MarkPledge2
![Page 29: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/29.jpg)
Covert Channel
Raised by Karloff, Sastry & Wagner
If the voting machine chooses therandom factor, it can embed info
Can we make the voting machinefully deterministic given a voter IDand a selection in a given race?
11
![Page 30: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/30.jpg)
Covert Channel
Pre-generate ciphertexts with trustees
Rotate them on voter selection
12
001 0
000 1
0
0
100 0 0
000 1 0
2, r'1
1, r'2
4, r'3Voting Machine
Trustee #1
Trustee #2
Trustee #3
7 = 2 mod 5
r'1 + r'2 + r'3
Ballot #42
Bulletin Board
000 1 0
Ballot #42
Ballot #42
![Page 31: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/31.jpg)
Why is this receipt-free?
What can the coercer ask the voterto do that affects the ballot / receipt?
Only the challenge, which is selectedbefore the voter enters the booth.
All proofs will look the same,whether real or simulated.
13
![Page 32: Efficient Receipt-Free Ballot Casting Resistant to Covert Channels](https://reader033.vdocuments.site/reader033/viewer/2022042521/5568200dd8b42afe5c8b526b/html5/thumbnails/32.jpg)
Questions?
14