Electronic Voting SystemDiebold System AnalysisVoteHere System AnalysisRelated LiteratureFOO92 Voting SchemeEAS College Voting SystemVotingDRE: Direct Recording by ElectronicWhat Makes Voting So Hard?Failure Detection/Recovery ProcessIncentiveEnd-to-End VotingEnd-to-End Verifiability (E2EV)Advantage of E2EVBulletin Board of VotesCasting and Tallying ProcessesCryptographic VotingSecret Voter ReceiptTallying the BallotsRandomize Threshold Public-Key EncryptionTallying under the Covers of EncryptionHomomorphic public-key encryptionShaking the Virtual Ballot BoxMixnet vs. HomomorphicElectronic Voting System Electronic Voting System Electronic Voting System Electronic Voting System Tadayoshi Kohno, Adam Stubblefield, Aviel D. RubinTadayoshi Kohno, Adam Stubblefield, Aviel D. RubinDan S. Wallach Dan S. Wallach IEEE Symp. On Security and Privacy IEEE Symp. On Security and Privacy 20042004VoteHere System Analysis, VoteHere System Analysis, Philip Edward Varner’s thesisPhilip Edward Varner’s thesisAdvances in Cryptographic Voting Systems, Ben Adida MIT Ph.D. Disseration 9/2006EVS 10/11/2006chow 2Diebold System AnalysisDiebold System AnalysisDiebold System AnalysisDiebold System AnalysisTadayoshi Kohno, Adam Stubblefield, Aviel D. RubinTadayoshi Kohno, Adam Stubblefield, Aviel D. RubinDan S. Wallach Dan S. Wallach IEEE Symp. On Security and Privacy 2004IEEE Symp. On Security and Privacy 2004 Present a security analysis of the source code of a paper less Present a security analysis of the source code of a paper less electronic voting system (Diebold).3 electronic voting system (Diebold).3 Show this voting system far below even the most minimal Show this voting system far below even the most minimal security standards applicable in other context. security standards applicable in other context. (strong words)(strong words)Problems include:Problems include:unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes.They demonstrate thatVoter can cast unlimited votes without being detectedInsider Attacks: Modify the votesViolate voter privacy by matching vote with voters.Better solution: EVS with “voter-verifiable audit trail” (print a paper ballot that can be read and verified by voters.EVS 10/11/2006chow 3VoteHere System AnalysisVoteHere System AnalysisVoteHere System AnalysisVoteHere System AnalysisPhilip Edward Varner’s thesis.Philip Edward Varner’s thesis.Some companies claimed online voting Some companies claimed online voting technical problems are solved, only technical problems are solved, only political/sociological ones remained.political/sociological ones remained.Analyze VoteHere system, include attrack Analyze VoteHere system, include attrack tree analysis/attacker models; abuse casestree analysis/attacker models; abuse casesPhilip Edward Varner’s thesis.Philip Edward Varner’s thesis.Some companies claimed online voting Some companies claimed online voting technical problems are solved, only technical problems are solved, only political/sociological ones remained.political/sociological ones remained.Analyze VoteHere system, include attrack Analyze VoteHere system, include attrack tree analysis/attacker models; abuse casestree analysis/attacker models; abuse casesEVS 10/11/2006chow 4Related LiteratureRelated LiteratureRelated LiteratureRelated LiteraturePublic Key CryptographyPublic Key CryptographyHomomorphic EncryptionHomomorphic Encryption Zero Knowledge ProofsZero Knowledge Proofs (Shamir How to (Shamir How to share a Secret, CACM 79 paper). share a Secret, CACM 79 paper). Cryptographic Voting ProtocolCryptographic Voting ProtocolPublic Key CryptographyPublic Key CryptographyHomomorphic EncryptionHomomorphic Encryption Zero Knowledge ProofsZero Knowledge Proofs (Shamir How to (Shamir How to share a Secret, CACM 79 paper). share a Secret, CACM 79 paper). Cryptographic Voting ProtocolCryptographic Voting ProtocolEVS 10/11/2006chow 5FOO92 Voting SchemeFOO92 Voting SchemeFOO92 Voting SchemeFOO92 Voting SchemeRequirements of a secure election:Requirements of a secure election:Completeness: All voters are counted correctly.Completeness: All voters are counted correctly.Soundness: A dishonest voter cannot disrupt Soundness: A dishonest voter cannot disrupt votingvotingPrivacy: All votes must be secretPrivacy: All votes must be secretUnreusability: no voter can vote twiceUnreusability: no voter can vote twiceEligibility: no one who isn’t allowed to vote can Eligibility: no one who isn’t allowed to vote can votevoteFairness: nothing must affect the voting Fairness: nothing must affect the voting (DDoS?)(DDoS?)Verifiability: no one can falsify the result of Verifiability: no one can falsify the result of voting.voting.Validator and CounterValidator and CounterRequirements of a secure election:Requirements of a secure election:Completeness: All voters are counted correctly.Completeness: All voters are counted correctly.Soundness: A dishonest voter cannot disrupt Soundness: A dishonest voter cannot disrupt votingvotingPrivacy: All votes must be secretPrivacy: All votes must be secretUnreusability: no voter can vote twiceUnreusability: no voter can vote twiceEligibility: no one who isn’t allowed to vote can Eligibility: no one who isn’t allowed to vote can votevoteFairness: nothing must affect the voting Fairness: nothing must affect the voting (DDoS?)(DDoS?)Verifiability: no one can falsify the result of Verifiability: no one can falsify the result of voting.voting.Validator and CounterValidator and CounterEVS 10/11/2006chow 6EAS College Voting EAS College Voting SystemSystemEAS College Voting EAS College Voting SystemSystemCan we trust EAS IT?Can we trust EAS IT?For some non-critical, non-sensitive voting, vote For some non-critical, non-sensitive voting, vote integrity/convenient can be enforced with just integrity/convenient can be enforced with just EAS IT.EAS IT.Can we trust 3Can we trust 3rdrd party server(s) to issue the party server(s) to issue the votes, authenticate voters, and collect votes, authenticate voters, and collect votes?votes?Possibility of using campus IT servers, or other Possibility of using campus IT servers, or other EAS lab servers.EAS lab servers.Should we separate voter authentication Should we separate voter authentication system (VAS) with vote counting system system (VAS) with vote counting system (VCS)?(VCS)?How to ensure the VAS does not