Reasoning about Protocols with Human Participants - UMD - October 2016
PI(s): Jonathan Katz, Poorvi L. Vora
Researchers: Hua Wu and Siyuan Feng (graduate students)
HARD PROBLEM(S) ADDRESSED
Hard Problem 5: Understanding and Accounting for Human Behaviour
ACCOMPLISHMENT HIGHLIGHTS
A. Fundamental Research
Our purpose is to rigorously derive security properties of network-security protocols involving human participants and physical objects, where the limited computational capabilities of human participants and the physical properties of the objects affect the security properties of the protocols.
We first consider the example problem of electronic voting. This is an important example because cryptographic voting protocols involving human voters and paper have been used in real governmental elections in the US and in Victoria, Australia. There are efforts (in Travis County, Texas) to use similar protocols in larger elections.
We first consider the example problem of electronic voting. This is an important example because cryptographic voting protocols involving human voters and paper have been used in real governmental elections in the US and in Victoria, Australia. There are efforts (in Travis County, Texas) to use similar protocols in larger elections.
The standard voting model assumes that all interacting parties are computers (probabilistic polynomial-time interactive Turing machines) and can, for example, encrypt and digitally sign messages. Human voters are not explicitly taken into account since it is (implicitly) assumed that each voter has access to a trusted computer while voting. In our work we do not make this assumption, because voters voting from home might have malware on their computers that could be used to throw an election.
Some more recent voting protocols have been designed for human participants voting from untrusted computers, some relying on paper or other physical objects to obtain security guarantees. These protocols have either been used in real governmental elections (the City of Takoma Park, MD, 2009 and 2011---PI Vora was part of the team that deployed the voting system for these elections; vVote in Victoria, Australia, 2014) or are being proposed for such use (STAR-Vote in Travis County, Texas). However, the security properties of these protocols are not well understood. We need a well-developed model to reason about these properties. Such a model would incorporate a human's computational capabilities and the properties of the physical objects. The model would then be used to reason about, and prove security of, the integrity and privacy properties of remote voting protocols such as Remotegrity (used for absentee voting by the City of Takoma Park for its 2011 municipal election).
In the short term, this project has focused on the development of the model of humans and the use of physical obects such as paper, and on the security properties of remote voting protocol Remotegrity. In the longer term it will also examine possible new protocols that overcome disadvantages of existing ones for humans. In the longer term---in addition to the general problem of the voting protocol---there are other problems where it is important to consider the fact that all protocol participants are not computers. For example, when a human logs into a website to make a financial transaction (such as a bank website, or a retirement account, or an e-commerce site), the human uses an untrusted computer and hence cannot be expected to correctly encrypt or sign messages. Can one use the techniques developed for electronic voting to develop simple and more secure protocols using physical objects and paper while using the untrusted computer to make the transaction? Can one prove the security properties of the proposed protocols?
Some more recent voting protocols have been designed for human participants voting from untrusted computers, some relying on paper or other physical objects to obtain security guarantees. These protocols have either been used in real governmental elections (the City of Takoma Park, MD, 2009 and 2011---PI Vora was part of the team that deployed the voting system for these elections; vVote in Victoria, Australia, 2014) or are being proposed for such use (STAR-Vote in Travis County, Texas). However, the security properties of these protocols are not well understood. We need a well-developed model to reason about these properties. Such a model would incorporate a human's computational capabilities and the properties of the physical objects. The model would then be used to reason about, and prove security of, the integrity and privacy properties of remote voting protocols such as Remotegrity (used for absentee voting by the City of Takoma Park for its 2011 municipal election).
In the short term, this project has focused on the development of the model of humans and the use of physical obects such as paper, and on the security properties of remote voting protocol Remotegrity. In the longer term it will also examine possible new protocols that overcome disadvantages of existing ones for humans. In the longer term---in addition to the general problem of the voting protocol---there are other problems where it is important to consider the fact that all protocol participants are not computers. For example, when a human logs into a website to make a financial transaction (such as a bank website, or a retirement account, or an e-commerce site), the human uses an untrusted computer and hence cannot be expected to correctly encrypt or sign messages. Can one use the techniques developed for electronic voting to develop simple and more secure protocols using physical objects and paper while using the untrusted computer to make the transaction? Can one prove the security properties of the proposed protocols?
B. Accomplishments
In accomplishments this quarter we have had a paper accepted at E-Vote-ID, perhaps the premier conference focusing on electronic voting since the discontinuation of Usenix workshop EVT-WOTE. The paper describes a new voting protocol that addresses a problem with the Helios voting protocol used by the IACR and ACM for their elections. We are continuing the work on a journal paper for formal specification and proof of security for Remotegrity. We are considering a venue for a systematization of knowledge paper (that is ready) on the insecurity of internet voting.
C. Community Interaction
PI Vora is part of the technical team for the end-to-end verifiable internet voting (E2E VIV) project (examining the feasibility of secure internet voting) of the overseas vote foundation (OVF). She contributes the observations of this project to the discussions and the report. She has been contributing to a description of end-to-end independently-verifiable cryptographic voting systems meant for non-technical readers including election officials. The project report was released on July 11, 2015: "The Future of Voting: End-to-End Verifiable Internet Voting - Specification and Feasibility Study", see https://www.usvotefoundation.org/E2E-VIV
PI Vora gave an invited talk---and participated in a panel---at the Remote Voting Conference 2016, on July 20-21, 2016, in Pune, India. The conference was organized to explore the possibility of internet voting for Indian elections. Other speakers included the Chief of India's Election Commission (charged with carrying out elections and choosing election technology), other elections commissioners, and top bureaucrats in its technology ministry.
PI Vora was recently quoted in a Wired article on online voting in the Republican Utah caucus. See: Issie Lapowsky, "Utah’s Online Caucus Gives Security Experts Heart Attacks", 3-21-16
PI Vora testified to the MD State Board of Elections on 14 September 2016, advising the Board to not expand the use of MD's online ballot marking tool and its online ballot delivery system.
PI Vora was quoted on MD's proposal to expand its online ballot delivery and online ballot marking tool to all voters in a Capital News Service article picked up by the Washington Post and other media outlets including CBS Baltimore, the Miami Herald, the Roanoke Times, the Sacramento Bee, the Kansas City Star, the Charlotte Observer, the Idaho Statesman and many others. See:
Robbie Greenspan, AP, "Security experts question Maryland’s online ballot system", September 30, 2016.
PI Vora participated in a panel on for the monthly seminar of the Washington Statistical Society on October 4, 2016. The topic of the panel was "Possible Irregularities in the 2016 Presidential Election". She spoke about constructive approaches towards election verification, including those proposed by statisticians and cryptographers.
Groups: