clash attacks and the star-vote system · clash attacks and star - oct. 2017 15 conclusion clash...

UCL Crypto GroupMicroelectronics Laboratory Clash Attacks and STAR - Oct. 2017 1

Clash Attacks and the STAR-Vote System

Olivier Pereira – Dan S. WallachRice University – UCLouvain

October 2017

Clash Attacks on Verifiability [KTV12]

Proposed for E2E verifiable voting systems

1. Find two voters voting in the same way

2. Corrupted voting system gives them identical receipts⇒ individual verification works!

3. Corrupted voting system creates different ballot for 2nd voterThat new ballot will not be verified by anyone!Total number of ballots remains correct

bid1, v1bid2, v2

ElectronicVote Records

CorruptedVoting System

Ballot Level Risk Limiting Audits

v1bid1 v2

bid2 v3bid3

I Records voter intent

I Produces VVPAT

I Includes unique ballot id

v1 v2 v3

Paperballots

Ballot Box

v∗1 , bid

v∗2 , bid

v∗3 , bid

RLA Process:I Pick random ballot, compare paper and e-record with same bidI Repeat until you can stop with high condidence in election resultI Very efficient: 1% election margin ⇒ picking ≈ 100 ballots is good

enough, even for a nation-wide election

Clash Attacks against Ballot-level RLA

Break the 1-on-1 bid link made for the RLA:

v1bid1

Voter-VerifiedPaper Records

v1, bid1v2, bid2

CorruptedDRE/Scanner/. . .

Could something like this work on real system designs?

Case Study: STAR-Vote [BBB+13]

As depicted in Discover Magazine:

The STAR-Vote Voter Experience

1. Enter choices:

I Standard tablet encrypts choices+ chain and replicate ciphertexts on all machines

I Thermal printer prints ballot

STAR-Vote Printed Ballot

Boarding-pass style:

National Election 2016

Question 1: YesQuestion 2: NoQuestion 3: Yes

NationalElection

Your ballotfingerprint:54A2yt98db34

I Left-hand part checked by voter and castHigh-entropy ballot id bid used for audit against anonymizedelectronic records

I Right-hand part has current state of hash chain as take-home receiptChecking receipt online confirms content of electronic ballot box

STAR-Vote Printed Ballot

Boarding-pass style:

National Election 2016

Question 1: YesQuestion 2: NoQuestion 3: Yes

NationalElection

Your ballotfingerprint:54A2yt98db34

I Left-hand part checked by voter and castHigh-entropy ballot id bid used for audit against anonymizedelectronic records

I Right-hand part has current state of hash chain as take-home receiptChecking receipt online confirms content of electronic ballot box

The STAR-Vote Voter Experience

2. Cast ballot :

I Only if voter is happy with printed ballot

I Can also decide to spoil ballot⇒ human readable part will be audited against electronic record

STAR-Vote Verifiability

Verification features in STAR-Vote:

E2E: Voter take-home receipt and ballot spoiling process can be matchedwith full hash chain published at the end of the election

RLA: Paper ballots can be matched with anonymized electronic voterecords

Can we mount clash attacks against STAR-Vote?

1. Can the E2E part of STAR-Vote spot clash attacks?

2. Can the RLA part of STAR-Vote spot clash attacks?

STAR-Vote Verifiability

Verification features in STAR-Vote:

E2E: Voter take-home receipt and ballot spoiling process can be matchedwith full hash chain published at the end of the election

RLA: Paper ballots can be matched with anonymized electronic voterecords

Can we mount clash attacks against STAR-Vote?

1. Can the E2E part of STAR-Vote spot clash attacks?

2. Can the RLA part of STAR-Vote spot clash attacks?

Clash Attacks against E2E part of STAR-Vote

Two scenarios:

Hash Machines Voters

castcast cA

spoilspoil cA?

Hash Machines Votersv

spoilspoil cA?

I Left scenario: Spoiling creates inconsistency in chainI Right scenario: A may compain that her ballot is spoiled

⇒ Cast-or-spoil mechanism of crucial importance⇒ Check full chain history, not just encryption of current ballot!

Clash Attacks against E2E part of STAR-Vote

Two scenarios:

Hash Machines Voters

castcast cA

spoilspoil cA?

Hash Machines Votersv

spoilspoil cA?

I Left scenario: Spoiling creates inconsistency in chainI Right scenario: A may compain that her ballot is spoiled

⇒ Cast-or-spoil mechanism of crucial importance⇒ Check full chain history, not just encryption of current ballot!

Clash Attacks against RLA part of STAR-Vote

v1bid1

v1, bid1v2, bid2

Two ways to spot an issue:

1. Pick an electronic ballot with a bid that does not exist on paperMay be difficult: search for the paper ballot with a specific bid

2. Pick two paper ballots that have the same bidMay be difficult too: For a 1 million voter election with 1% margin,picking ≈ 100 ballots gives ≈ 0 probability of spotting duplicates

How many do we need to pick?

Clash Attacks against RLA part of STAR-Vote

v1bid1

v1, bid1v2, bid2

Two ways to spot an issue:

1. Pick an electronic ballot with a bid that does not exist on paperMay be difficult: search for the paper ballot with a specific bid

2. Pick two paper ballots that have the same bidMay be difficult too: For a 1 million voter election with 1% margin,picking ≈ 100 ballots gives ≈ 0 probability of spotting duplicates

How many do we need to pick?

Bijection Audit

Purpose: Make sure that bid ’s are unique among paper ballots

Consider 1000 ballot boxes with 1000 ballots each, and 1% marginAssume bid must start with a public ballot box id ⇒ clashes are internalHow can clashes be spread?

Two extreme situations:

1. Make 1% of ballot boxes contain only 1 bid⇒ need to touch ≈ 100 ballot boxes to touch a problematic one

2. Make 1% = 10 duplicates bid ’s in each ballot box⇒ need to pick a large sample of ballots in a single box to spot themE.g., picking 100 ballots in a single box gives only ≈ 16% chancesAnd uneasy to spot a duplicate among 100 ballots

Bijection Audit

Purpose: Make sure that bid ’s are unique among paper ballots

Consider 1000 ballot boxes with 1000 ballots each, and 1% marginAssume bid must start with a public ballot box id ⇒ clashes are internalHow can clashes be spread?

Two extreme situations:

1. Make 1% of ballot boxes contain only 1 bid⇒ need to touch ≈ 100 ballot boxes to touch a problematic one

2. Make 1% = 10 duplicates bid ’s in each ballot box⇒ need to pick a large sample of ballots in a single box to spot themE.g., picking 100 ballots in a single box gives only ≈ 16% chancesAnd uneasy to spot a duplicate among 100 ballots

Bijection Audit

Searching for duplicates in a box:

I Pairwise comparison is expensive: O(n2)

I Sorting may be an overkill: O(n log n)

Grid based solution: O(n)

1. Print a 16× 16 grid

2. For each ballot:I Pick 1st digit as rowI Pick 2nd digit as columnI Write next 2 digits in box

Spots collisions on first 4 digitsPrompts comparison if collisionhappens

Example for bid = 2361181

Bijection Audit

Based on election margin p, repeat O(1/p) times:

Solution 1

1. Pick random ballot box

2. Apply linear grid based solution to rule out the presence of duplicatebid

or, Solution 2

1. Pick random ballot from random ballot box

2. Make a linear pass on that box to detect the presence of anotherballot with the same bid

Bijection Audit

Based on election margin p, repeat O(1/p) times:

Solution 1

1. Pick random ballot box

2. Apply linear grid based solution to rule out the presence of duplicatebid

or, Solution 2

1. Pick random ballot from random ballot box

2. Make a linear pass on that box to detect the presence of anotherballot with the same bid

Conclusion

Clash attacks can be detected by E2E and RLA components

I Quite effective on E2E, sheds new light on the importance of thecast-or-audit process and hash chains

I Much more demanding on RLA part: bijection audit likely to bemuch more expensive than ballot comparison audit

Other possible approaches:

I Ask independent auditors to scan voter receipts on exit, in search forduplicates

I Running the RLA by picking electronic record and searching forcorresponding paper might eventually be as effective as a bijectionaudit

Might be interesting to look at other deployed RLA procedures andsearch for possible clash attacks

Conclusion

clash attacks and the star-vote system · clash attacks and star - oct. 2017 15 conclusion clash...

Documents