Reasoning about Protocols with Human Participants - UMD - January 2017

PI(s): Jonathan Katz, Poorvi L. Vora
Researchers: Hua Wu and Siyuan Feng (graduate students)

 

HARD PROBLEM(S) ADDRESSED

Hard Problem 5: Understanding and Accounting for Human Behaviour

 

ACCOMPLISHMENT HIGHLIGHTS

A. Fundamental Research
Our purpose is to rigorously derive security properties of network-security protocols involving human participants and physical objects, where the limited computational capabilities of human participants and the physical properties of the objects affect the security properties of the protocols.

We first consider the example problem of electronic voting. This is an important example because cryptographic voting protocols involving human voters and paper have been used in real governmental elections in the US and in Victoria, Australia. There are efforts (in Travis County, Texas) to use similar protocols in larger elections.
 
The standard voting model assumes that all interacting parties are computers (probabilistic polynomial-time interactive Turing machines) and can, for example, encrypt and digitally sign messages. Human voters are not explicitly taken into account since it is (implicitly) assumed that each voter has access to a trusted computer while voting. In our work we do not make this assumption, because voters voting from home might have malware on their computers that could be used to throw an election.

Some more recent voting protocols have been designed for human participants voting from untrusted computers, some relying on paper or other physical objects to obtain security guarantees. These protocols have either been used in real governmental elections (the City of Takoma Park, MD, 2009 and 2011, where PI Vora was part of the team that deployed the voting system for these elections; vVote in Victoria, Australia, 2014) or are being proposed for such use (STAR-Vote in Travis County, Texas). However, the security properties of these protocols are not well understood. We need a well-developed model to reason about these properties. Such a model would incorporate a human's computational capabilities and the properties of the physical objects. The model would then be used to reason about, and prove security of, the integrity and privacy properties of remote voting protocols such as Remotegrity (used for absentee voting by the City of Takoma Park for its 2011 municipal election).

In the short term, this project has focused on the development of the model of humans and the use of physical objects such as paper, and on the security properties of the remote voting protocol Remotegrity. In the longer term it will also examine possible new protocols that overcome disadvantages of existing ones for humans. Also in the longer term, beyond the general problem of the voting protocol, there are other problems where it is important to consider the fact that not all protocol participants are computers. For example, when a human logs into a website to make a financial transaction (such as a bank website, a retirement account, or an e-commerce site), the human uses an untrusted computer and hence cannot be expected to correctly encrypt or sign messages. Can one use the techniques developed for electronic voting to develop simple and more secure protocols using physical objects and paper while using the untrusted computer to make the transaction? Can one prove the security properties of the proposed protocols?
 
B. Accomplishments
This quarter we submitted a journal version of the paper accepted last quarter at E-Vote-ID (perhaps the premier conference focusing on electronic voting since the discontinuation of the USENIX workshop EVT-WOTE). The paper describes a new voting protocol that addresses a problem with the Helios voting protocol used by the IACR and ACM for their elections. We are continuing the work on a journal paper for formal specification and proof of security for Remotegrity. We are considering a venue for a systematization of knowledge paper (that is ready) on the insecurity of internet voting.
 
C. Publications
  1. Richard T. Carback, David Chaum, Jeremy Clark, Aleksander Essex, Travis Mayberry, Stefan Popoveniuc, Ronald L. Rivest, Emily Shen, Alan T. Sherman, Poorvi L. Vora, John Wittrock, Filip Zagorski, "The Scantegrity Voting System and its Use in the Takoma Park Elections", invited chapter, Real-world Electronic Voting: Design, Analysis and Deployment, edited by Feng Hao and Peter Y. A. Ryan.

    The paper addresses Hard Problem 5: Understanding and Accounting for Human Behaviour

  2. Dawid Gawel, Maciej Kosarzecki, Poorvi L. Vora, Hua Wu, Filip Zagorski, "Apollo – End-to-End Verifiable Internet Voting with Recovery from Vote Manipulation", E-Vote-ID 2016.

    The paper addresses Hard Problem 5: Understanding and Accounting for Human Behaviour

D. Community Interaction
PI Vora is part of the technical team for the End-to-End Verifiable Internet Voting (E2E VIV) project of the Overseas Vote Foundation (OVF), which examines the feasibility of secure internet voting. She contributed the observations of this project to the discussions and the report. The project report was released on July 11, 2015: "The Future of Voting: End-to-End Verifiable Internet Voting - Specification and Feasibility Study", see https://www.usvotefoundation.org/E2E-VIV
 
In this quarter, she served as a technical expert providing affidavits in support of Jill Stein's petition for a manual recount in the 2016 election in the states of Wisconsin and Michigan. 
 
In this quarter she also served as an expert providing testimony to the Maryland Board of Elections on their proposed audits. She wrote an op-ed article in the Baltimore Sun, with Philip Stark, on why Maryland needed to manually examine paper ballots.
 
Testimony:
PI Vora testified to the MD State Board of Elections on:
* 14 September 2016, advising the Board to not expand the use of MD's online ballot marking tool and its online ballot delivery system
* 28 October 2016, advising the Board to manually examine paper ballots for the election audit, and explaining why an examination of electronic scans was not sufficient
* 15 December 2016, providing comments on the Clear Ballot audit of the 2016 election in Maryland, explaining why it was not sufficient
 
Invited Talks:
PI Vora gave the following invited talks:
* Remote Voting Conference 2016, on July 20-21, 2016, in Pune, India. The conference was organized to explore the possibility of internet voting for Indian elections. Other speakers included the Chief of India's Election Commission (charged with carrying out elections and choosing election technology), other elections commissioners, and top bureaucrats in its technology ministry.
* Panelist in "Elections Disrupted", on November 3, 2016, at the University of Maryland, College Park, cosponsored by the Center for International and Security Studies at Maryland, Center for Public Policy and Private Enterprise, Maryland Global Initiative on Cybersecurity and Maryland Cybersecurity Center. Spoke on technical aspects of "Could questions about the legitimacy of results from e-voting systems affect the outcome of the November 8 elections and undermine democracy?"
* Panelist in Washington Statistical Society's monthly seminar, October 4, 2016. “Possible Irregularities in the 2016 Presidential Election.” She spoke about constructive approaches toward election verification, including those proposed by statisticians and cryptographers.
 
Media:
PI Vora quoted:
* Wired article on online voting in the Republican Utah caucus. See: Issie Lapowsky, "Utah’s Online Caucus Gives Security Experts Heart Attacks", 3-21-16
http://www.wired.com/2016/03/security-experts-arent-going-like-utahs-online-primary/

* Capital News Service article picked up by the Washington Post and other media outlets including CBS Baltimore, the Miami Herald, the Roanoke Times, the Sacramento Bee, the Kansas City Star, the Charlotte Observer, the Idaho Statesman and many others, on MD's proposal to expand its online ballot delivery and online ballot marking tool to all voters. See:
Robbie Greenspan, AP, "Security experts question Maryland’s online ballot system", September 30, 2016.
 
* Philip B. Stark and Poorvi L. Vora, Maryland voting audit falls short, Baltimore Sun, Saturday, 28 October, 2016.
Other contributors to this op-ed: Harvie Branscomb, Joe Kiniry, Mark Lindeman, Neal McBurnett, Ronald L. Rivest, John Sebes, Pamela Smith, Paul Stokes, Howard Stanislevic, Luther Weeks.

* Jon Swaine, Security experts join Jill Stein's 'election changing' recount campaign, The Guardian, 29 November 2016. https://www.theguardian.com/us-news/2016/nov/29/security-experts-join-jill-steins-election-changing-recount-campaign

* T. J. Raphael. So, what does it mean for there to be an election recount?, The Takeaway, Public Radio International, 29 November 2016. Includes 4-minute audio clip. http://www.pri.org/stories/2016-11-29/so-what-does-it-mean-there-be-election-recount