Threat Analysis of Cryptographic Voting Schemes

1. Threat Analysis of Cryptographic Voting Schemes Peter Y A Ryan and Thea Peacock University of Newcastle P Y A Ryan and Thea Peacock Prêt à Voter

2. Overview • Cryptographic voting schemes. • Towards a taxonomy of threats and countermeasures. • Conclusions. P Y A Ryan and Thea Peacock Prêt à Voter

3. Cryptographic Voting Schemes • Many voting systems using cryptographic techniques have been proposed recently. • Strive to provide high levels of assurance of accuracy and secrecy with minimal trust in officials, suppliers, software etc. • Verify the election not the system! • Unconditional integrity: guarantees of integrity not dependent on assumptions about adversary computational capabilities. • Voter verifiability: voters can confirm that their vote is accurately counted whilst not being able to prove to a third party which way they voted. P Y A Ryan and Thea Peacock Prêt à Voter

4. Vulnerabilities • These schemes have excellent properties, but various vulnerabilities have been identified. • Vulnerabilities often reside in the (sometimes implicit) assumptions. Often of a socio-technical nature. • See for example Karlof et al, [7], for Chaum and Neff and Peacock and Ryan and Peacock, [5], for Prêt à Voter. • Usually straightforward countermeasures can be proposed once the vulnerability has been identified. • But need a more systematic way to identify vulnerabilities. • Here we take a stab at putting together a taxonomy of known vulnerabilities and counter-measures. P Y A Ryan and Thea Peacock Prêt à Voter

5. Categories • Preliminary and incomplete: • Information flows • Social engineering • Implementation • Denial of service. • Collusion attacks • Coercion/vote-buying. • Psychological P Y A Ryan and Thea Peacock Prêt à Voter

6. A Menagerie of Vulnerabilities • Need to trust Authorities for secrecy (not for accuracy). • Need to protect (pre-printed) ballot form information (chain of custody, chain voting etc.) • Need to trust the auditors (absence of collusion with the tellers). • Need to trust tellers not to leak information (aside from audit info). • Subliminal, side, kleptographic channels, “invisible” dots etc. • “Social engineering” attacks. • Undermining trust. • Enforcing information erasure. • Separation of teller modes, i.e., ensure that each ballot form is processed only once. • Need to constrain the Web Bulletin Board audits, i.e., reveal only L or R links. • Vulnerabilites in implementation of secure web bulletin boards. • Ballot stuffing. • DoS attacks. • Failures of surrounding system: electoral role, voter authentication etc. P Y A Ryan and Thea Peacock Prêt à Voter

7. Subliminal and side channels • Many crypto schemes are potentially vulnerable to subliminal, side and kleptographic channels. • Voter’s choice is communicated in the booth to the encrypting device. Hence the device might leak information via random of semantic or side channels. • In Prèt à Voter, non-determinism is resolved before voter choices are revealed or association between ballot forms and voters is established. • And voter choice is not communicated to the device. P Y A Ryan and Thea Peacock Prêt à Voter

8. Kleptographic channels • These occur where a crypto device may select crypto variables in such a way to leak information to a colluding party. • Prêt à Voter 2005, [3], is vulnerable: The Authority might choose seed values in such a way that a certain keyed hash of the onion value leaks information about the candidate list to a colluding entity (who shared the hash key). • Note: Authority behaviour looks innocent. • Distributed generation of ballot forms will counter this: no single entity determines the crypto variables, see [6]. P Y A Ryan and Thea Peacock Prêt à Voter

9. Social engineering attacks • Cryptographic voting schemes frequently involve moderately complex protocols between the voters and the devices. • Opens up possibilities for a malicious device to fool the voter about the protocol sequence, e.g., turning a cut-and-choose into a choose-and-cut. • Prêt à Voter 2005 seems fairly immune due to extremely simple protocol sequence. • Established crypto protocol analysis tools and techniques may help here (need suitable, Dolev-Yao style models of potentially malicious devices) P Y A Ryan and Thea Peacock Prêt à Voter

10. Psychological attacks • Particularly for systems employing encrypted receipts, there may be potential for psychological attacks: adversary claims (falsely but plausibly) to be able to decrypt receipts. • Difficult to counter other than be education, demonstrations etc. P Y A Ryan and Thea Peacock Prêt à Voter

11. Ballot stuffing • Having the voters check for the appearance of their receipt on the WBB doesn’t detect ballot stuffing: in which the authorities add spurious receipts. • Counter-measures: • Check numbers of votes cast again number posted. • A Verified Encrypted Paper Audit Trial (VEPAT), [5], might help here. • Incorporate voter signatures? P Y A Ryan and Thea Peacock Prêt à Voter

12. Denial of Service • Tricky in general. • Verified Encrypted Paper Audit Trial might help. • Re-encryption mixes help: can bin faulty mix tellers and rerun mixes and audits if necessary. P Y A Ryan and Thea Peacock Prêt à Voter

13. Conclusions • Initial stab at constructing a taxonomy of threats and vulnerabilities for crypto voting schemes. • Much more needs to be done. • A survey of all known threats and vulnerabilities would be useful. • Complete coverage probably impossible • Formal information flow analysis techniques and tools, e.g., identifying where and when and by whom non-determinism is resolved, may help identify potential causal flows. • Protocol analysis tools may help identity social engineering attacks. • To what extent can vulnerabilities be systematically identified by analysis of a model against requirements. • Requires complete, formal requirements. • Requires a complete system model • Both are challenging, arguably impossible: • No consensus on requirements-often driven by threat analysis anyway • Complete models are impossible and need to cover human user aspects etc. P Y A Ryan and Thea Peacock Prêt à Voter

14. References • [1] David Chaum, Secret-Ballot receipts: True Voter-Verifiable Elections, IEEE Security and Privacy Journal, 2(1): 38-47, Jan/Feb 2004. • [2] P Y A Ryan, “A Variant of the Chaum Voter-verifiable Election scheme”, WITS, 10-11 January 2005 Long Beach Ca. • [3] D Chaum, P Y A Ryan, S A Schneider, “A Practical, Voter-Verifiable Election Scheme”, Newcastle TR 880 December 2004, Proceedings ESORICS 2005, LNCS 3679. • [4] B Randell, P Y A Ryan, “Trust and Voting Technology”, NCL CS Tech Report 911, June 2005, to appear IEEE Security and Privacy Magazine. • [5] P Y A Ryan, T Peacock, “Prêt à Voter, A Systems Perspective”, NCL CS Tech Report 929, September 2005, submitted to ESORICS 2006. • [6] P Y A Ryan and Steve A Schneider, “Prêt à Voter with re-encryption mixes”, Newcastle CS TR 956, April 2006, submitted to ESORICS 2006. • [7] C. Karlof and N. Sastry and D. Wagner, "Cryptographic Voting Protocols: A Systems Perspective“, USENIX Security Symposium", LCNS 3444, pp 186-200“, Springer-Verlag 2005. P Y A Ryan and Thea Peacock Prêt à Voter

15. Announcement Workshop On Trustworthy Elections (WOTE 2006) Robinson College, Cambridge, United Kingdom June 29 - June 30, 2006 http://www.wote2006.org P Y A Ryan and Thea Peacock Prêt à Voter