Protocoles de vote end-to-end

Similar documents
A Block Cipher Based Pseudo Random Number Generator Secure against Side-Channel Key Recovery

Five-Card Secure Computations Using Unequal Division Shuffle

MA 110 Homework 1 ANSWERS

D. Plurality-with-Elimination Method

Recommendations for E-Voting System Usability: Lessons from Literature for Interface Design, User Studies and Usability Criteria

How to carbon date digital information! Jeremy Clark

Introduction to Cryptography CS 355

INTERNATIONAL RESEARCH JOURNAL IN ADVANCED ENGINEERING AND TECHNOLOGY (IRJAET)

How to Implement a Random Bisection Cut

Secure Function Evaluation

Generic Attacks on Feistel Schemes

A Glossary of Voting Terminology

Note Computations with a deck of cards

Merkle s Puzzles. c Eli Biham - May 3, Merkle s Puzzles (8)

CS 261 Notes: Zerocash

Generic Attacks on Feistel Schemes

MA 111 Worksheet Sept. 9 Name:

Chapter 1 out of 37 from Discrete Mathematics for Neophytes: Number Theory, Probability, Algorithms, and Other Stuff by J. M. Cargal.

ECO 463. SimultaneousGames

Part I. First Notions

André and the Ballot Problem - History and a Generalization

Simple And Efficient Shuffling With Provable Correctness and ZK Privacy

Part 2. Cooperative Game Theory

Lecture 2. 1 Nondeterministic Communication Complexity

We saw Hamilton at a fantastic old theater. It was restored in the 1980s, and Cher performed there once.

Card-Based Protocols for Securely Computing the Conjunction of Multiple Variables

Andrei Sabelfeld. Joint work with Per Hallgren and Martin Ochoa

How wordsy can you be?

Not-Too-Silly Stories

2 An n-person MK Proportional Protocol

Distributed Settlers of Catan

Device Pairing at the Touch of an Electrode

Easy English. How to Vote by Mail

PROBLEM SET Explain the difference between mutual knowledge and common knowledge.

The Chinese Remainder Theorem

Overview GAME THEORY. Basic notions

Stoa Administrative Calendar

PROBLEM SET 1 1. (Geanokoplos, 1992) Imagine three girls sitting in a circle, each wearing either a red hat or a white hat. Each girl can see the colo

Analyzing Execution Time of Card-Based Protocols

The Chinese Remainder Theorem

Getting Around Voting Problems. No or limited accessible parking at the polling place...

ECON 282 Final Practice Problems

Encryption at the Speed of Light? Towards a cryptanalysis of an optical CDMA encryption scheme

Knights, Spies, Games and Social Networks

Basic Probability Concepts

PROBLEM SET 1 1. (Geanokoplos, 1992) Imagine three girls sitting in a circle, each wearing either a red hat or a white hat. Each girl can see the colo

IMPROVED CURRENT MIRROR OUTPUT PERFORMANCE BY USING GRADED-CHANNEL SOI NMOSFETS

arxiv: v1 [cs.cr] 3 Jun 2016

CS1800: More Counting. Professor Kevin Gold

Building Oblivious Transfer on Channel Delays

Digital support for gathering administrative ideas from constituents of democratic bodies

Deterring Voluntary Trace Disclosure in Re-encryption Mix Networks

*A version of the game Secret Hitler made for Homestuck. Enjoy!

The year is 298 After Aegon's Conquest. The place is King's Landing, the capital of Westeros. King Robert has just died in a hunting accident.

Data Dependent Power Use in Multipliers

MATH4994 Capstone Projects in Mathematics and Economics

The sensible guide to y

Unlinkability and Redundancy in Anonymous Publication Systems

Physical Zero-Knowledge Proof: From Sudoku to Nonogram

than six players on one side of the table and a place for the dealer on the opposite The layout for a Dragon Poker table shall contain, at a minimum:

But Wait, There s More! By Jay Cormier and Sen-Foong Lim

Andrés Sánchez González. FTEC 2nd Workshop. CERN and CIEMAT. CERN Graphic Charter: use of the outline version of the CERN logo.

PARADOXES WITH DICE AND ELECTIONS

GAME THEORY Day 5. Section 7.4

(ii) Methodologies employed for evaluating the inventive step

Mohammad Hossein Manshaei 1394

The number theory behind cryptography

Unconditionally secure quantum key distribution over 50km of satndard telecom fibre

Microeconomics of Banking: Lecture 4

Narrow misère Dots-and-Boxes

How to Implement a Random Bisection Cut

A Lightweight Implementation of a Shuffle Proof for Electronic Voting Systems

Dr. Eng. Nabila Bounceur PhD. in Science - Engineer in Automatic

EXPLICIT AND NORMAL FORM GAMES

SR&ED for the Software Sector Northwestern Ontario Innovation Centre

Medians of permutations and gene orders

MASTER THESIS PROJECT PROPOSALS: SIGNAL PROCESSING FOR WIRELESS AND SATELLITE COMMUNICATIONS

Ch. 653a ULTIMATE TEXAS HOLD EM POKER a.1. CHAPTER 653a. ULTIMATE TEXAS HOLD EM POKER

Lecture 11 Strategic Form Games

CSE 573 Problem Set 1. Answers on 10/17/08

Internet 0: Past, Present, and Future October 1, 2004 SPEAKER BIOGRAPHIES

JINX - 2 Players / 15 Minutes

Introduction to Cryptography

(e) Each 3 Card Blitz table shall have a drop box and a tip box attached to it on the same side of the table as, but on opposite sides of the dealer.

EE 418: Network Security and Cryptography

Cryptology and Graph Theory

Professor Alan H. Stein

Game Theory and Algorithms Lecture 3: Weak Dominance and Truthfulness

Public Key Encryption

AP Statistics Ch In-Class Practice (Probability)

Note that there are questions printed on both sides of each page!

10 GIGABIT ETHERNET CONSORTIUM

Election Notice. Upcoming FINRA Board of Governors Election. April 27, Petitions for Candidacy Due: June 11, 2015.

"If You Want A Cheat-Sheet On How To Get Loads Of Traffic From Instagram Then Enter Your Information Below To Download It Right Away!

Detailed Solutions of Problems 18 and 21 on the 2017 AMC 10 A (also known as Problems 15 and 19 on the 2017 AMC 12 A)

Example 1. An urn contains 100 marbles: 60 blue marbles and 40 red marbles. A marble is drawn from the urn, what is the probability that the marble

Best of luck on the exam!

Date. Probability. Chapter

Majority Rule: Each voter votes for one candidate. The candidate with the majority of the votes wins. Majority means MORE than half.

Wireless Network Security Spring 2015

Transcription:

Protocoles de vote end-to-end Analyse de sécurité basée sur la simulation Olivier de Marneffe, Olivier Pereira, Jean-Jacques Quisquater Université catholique de Louvain, Belgium 19 mars 2008 Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 1

Voting systems What do we expect from a voting system? a tool to reflect the opinion of the voters accuracy vote secrecy... and?? Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 2

Voting systems image source: Ben Adida s PhD Thesis Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 3

Voting systems image source: Ben Adida s PhD Thesis Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 4

End-to-end verifiable voting systems image source: Ben Adida s PhD Thesis Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 5

Formal security analysis of voting systems A need for security analysis of voting protocols to prove the system does what we want to help us structure our approach of the system Definitions of security properties are needed, but: hard to formalize often conceived in different ways difficult to handle Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 6

Simulation-based approach: the big picture Real World Real protocol P Adversary A P A Ideal World Ideal functionality F Simulator S S Adversary A F vote A Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 7

Secure emulation definition A protocol emulates the functionality if S using this ideal functionality: A, A can not distinguish btw interacting: with the real protocol with this S and the ideal functionality Since the ideal functionality is safe, S does no harm when playing with it A does not learn anything unexpected... Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 8

A pedagogic example: ThreeBallot voting system [Fr ].{Ballot de Paille} = [En].{Straw Bundle} UCL Crypto Group Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 9

A pedagogic example: ThreeBallot voting system BALLOT BALLOT BALLOT Alice Alice Bob Bob Carol Carol David David Ed Ed Alice Bob Carol David Ed 397124768 519372049 109374926 Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 10

A pedagogic example: ThreeBallot voting system BALLOT BALLOT BALLOT Alice Alice Bob Bob Carol Carol David David Ed Ed Alice Bob Carol David Ed 397124768 519372049 109374926 Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 11

A pedagogic example: ThreeBallot voting system BALLOT Alice Bob Carol David Ed 397124768 Receipt is a copy of one part of the ballot Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 12

A pedagogic example: ThreeBallot voting system Ballots are shuffled and published on a Public Bulletin Board (PBB) Voter can check her receipt is on the PBB Final tally can be done by anyone: count the number of bullets each candidate got subtract the number of voters No crypto at all... Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 13

Simulation-based security approach Definition of what we want the protocol to do definition of a functionality in an ideal world V i (U i, x i ) f (x 1,..., x n )/FAIL F vote π S π reveals what information can be leaked Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 14

Modeling the ThreeBallot protocol REAL WORLD r i U i,multi-ballot i, j x i req i V i r i check complain f (x 1,..., x n )/ FAIL U i BB PS BB A check PBB Auth Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 15

Simulatability of ThreeBallot Simulation can be achieved if: we can build a S such that A sees no difference between being in the Real World the Ideal World reqi U i U i req i U i BB A f (x 1,..., x n ) r F i v S A BB BB OK/FAIL BB ri Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 16

ThreeBallot system: receipts distribution Consider two candidates: Multi-ballots for Alice ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ Multi-ballots for Bob ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 17

Receipts distribution and election outcome Receipts r = [ ] r = [ ] r = [ ] r = [ ] 100% Alice 2/9 4/9 1/9 2/9 Tie 2/9 5/18 5/18 2/9 100% Bob 2/9 1/9 4/9 2/9 Prop. p for Alice 2 9 1 9 + p 3 1 + 1 p 9 3 Distribution of receipts in the real world Simulation is not possible... :-( 2 9 Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 18

Modifying the ThreeBallot protocol (1/3) Simple idea: No information about the vote is on the receipt Select the receipt before you fill in your vote In practice: 1. Fill one bullet per row 2. Choose your receipt 3. Add one bullet to row(s) of your choice Only on the non-receipt part of the ballot Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 19

Modifying the ThreeBallot protocol (2/3) Receipts r = [ ] Probability 4 9 r = [ ] r = [ ] r = [ ] Distribution of the receipts modified protocol 2 9 2 9 1 9 Independent of the outcome simulator can generate receipts Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 20

Modifying the ThreeBallot protocol (3/3) Attacker can modify a ballot on the BB Original ThreeBallot protocol Probability of being caught: 1/3 for any ballot Modified version of the protocol Probability of being caught depends on the ballot Worst case for security is 1/9 How to ensure the voter follows the procedure? (not modifying the receipt part of the ballot) Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 21

Modified protocol emulates F vote S can produce indistinguishable BB S can handle BB modifications Under two assumptions: Short Ballot Assumption is satisfied the number of receipts known by the adversary is small in front of the number of voters Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 22

Conclusion Simulation-based security analysis of voting protocols We defined a template for E2E system ideal functionality ThreeBallot protocol: Define π we like Show TB does NOT emulate this definition Fix the protocol Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 23

Protocoles de vote end-to-end Analyse de sécurité basée sur la simulation Olivier de Marneffe, Olivier Pereira, Jean-Jacques Quisquater Université catholique de Louvain, Belgium 19 mars 2008 Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 24

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback