10-01-2012, 02:07 PM
Civitas Security Requirements
[attachment=15948]
Civitas
Features:
Designed for remote voting, coercion resistance, verifiability
Supports plurality, approval, Condorcet methods
Status:
Paper in Oakland 2008
Publicly available: 21,000 LOC (Jif, Java, and C)
Prototype
…Suitable for IACR?
Security Model
No trusted supervision of polling places
Including voters, procedures, hardware, software
Voting could take place anywhere
Remote voting
Generalization of “Internet voting” and “postal voting”
Interesting problem to solve!
Adversary
Always:
May perform any polynomial time computation
May corrupt all but one of each type of election authority
Distributed trust
Almost always:
May control network
May coerce voters, demanding secrets or behavior, remotely or physically
Security properties:
Confidentiality, integrity, availability
Confidentiality
Voter coercion:
Employer, spouse, etc.
Coercer can demand any behavior (vote buying)
Coercer can observe and interact with voter during remote voting
Must prevent coercers from trusting their own observations
[attachment=15948]
Civitas
Features:
Designed for remote voting, coercion resistance, verifiability
Supports plurality, approval, Condorcet methods
Status:
Paper in Oakland 2008
Publicly available: 21,000 LOC (Jif, Java, and C)
Prototype
…Suitable for IACR?
Security Model
No trusted supervision of polling places
Including voters, procedures, hardware, software
Voting could take place anywhere
Remote voting
Generalization of “Internet voting” and “postal voting”
Interesting problem to solve!
Adversary
Always:
May perform any polynomial time computation
May corrupt all but one of each type of election authority
Distributed trust
Almost always:
May control network
May coerce voters, demanding secrets or behavior, remotely or physically
Security properties:
Confidentiality, integrity, availability
Confidentiality
Voter coercion:
Employer, spouse, etc.
Coercer can demand any behavior (vote buying)
Coercer can observe and interact with voter during remote voting
Must prevent coercers from trusting their own observations