Download On the Security of Election Audits with Low Entropy Randomness Eric Rescorla

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
Document related concepts

Randomness wikipedia , lookup

History of randomness wikipedia , lookup

Transcript 
On the Security of Election Audits with
Low Entropy Randomness
Eric Rescorla
[email protected]
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
1
Overview
• Secure auditing requires random sampling
– The units to be audited must be verifiably unpredictable
– Simple physical methods (dice, coins, etc.) are expensive
• “Stretching” approaches
– Randomness tables [CWD06]
– Cryptographic pseudorandom number generators
(CSPRNGs) [CHF08]
• These techniques must be seeded with verifiably random values
• Small (but natural) seeds give the attacker an advantage
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
2
Formalizing the Problem: The Auditing Game
Audit units
(U)
Attacked
(K)
Audit units
(U)
Audited
(V)
V ∩ K = 0:
/ Attacker wins
Attacked
(K)
Audited
(V)
V ∩ K 6= 0:
/ Attacker loses
• Two players: Attacker and Auditor
• U audit units (U0 ,U1 , ...UN−1 )
• Attacker selects K ⊂ U to attack (|K| = k)
– Selection is made before preliminary results are posted
• Auditor selects V ⊂ U to audit (|V| = v)
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
3
Auditing Game Strategy
• If the auditor’s selections are random and i.i.d then:
v−1
(N − i − k)
Pr(detection) = 1 − ∏
N −i
i=0
• No matter how the attacker chooses K
• This is the auditor’s optimal strategy
• What about intermediate cases?
– Attacker has incomplete information about V
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
4
Example: A Million Random Digits [RAN02]
• Pick a random starting group and read forward
– This process has log2 (#entries) bits of entropy
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
5
Random Number Tables Bias and Attacker Advantage
• Random number tables aren’t the same as random numbers
– The attacker knows the table
– But not the starting point
• Two effects give the attacker an advantage
– Natural variation in the occurrences of each value
– Clustering of values
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
6
Natural Variation
0.025
• Binomially distributed counts
0.015
0.000
0.005
0.010
Probability
0.020
• Expected value = T /N
160
180
200
220
240
Number of occurrences (n)
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
7
Natural Variation
0.025
• Binomially distributed counts
0.015
• Attacker selects k least frequent
units
Area=k/N
0.000
0.005
0.010
Probability
0.020
• Expected value = T /N
160
180
200
220
240
Number of occurrences (n)
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
8
0.025
Natural Variation
• Binomially distributed counts
n_k
0.015
• Attacker selects k least frequent
units
• The kth least frequent unit appears nk times
k
nk = min n : cdf(n) ≥
N
Area=k/N
0.000
0.005
0.010
Probability
0.020
• Expected value = T /N
160
180
200
220
240
Number of occurrences (n)
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
9
Auditing with Natural Variation
• Total entries in table corresponding to k least frequent units† :
nk
Tbad = N
∑ nϕ(n)
n=0
• This is just a standard sampling problem
– Each “good” sample removes approximately F entries:
T − Tbad
N −k
• Probability of detection of least frequent k units:
F=
v−1
T − iF − Tbad
T − iF
i=0
Pr(detection) = 1 − ∏
† Semi-accurate
EVT/WOTE 2009
approximation; see paper.
On the Security of Election Audits with Low Entropy Randomness
10
Clustering Effects
• We’re not really sampling the table randomly
– We read entries in sequence
– The order of the entries matters
0
1
6
8
2
4
6
8
2
4
0
1
7
9
3
5
7
9
3
5
0
1
8
2
4
6
8
2
4
6
0
1
9
3
5
7
9
3
5
7
0
1
2
4
6
8
2
4
6
8
0
1
3
5
7
9
3
5
7
9
0
1
4
6
8
2
4
6
8
2
0
1
5
7
9
3
5
7
9
3
0
1
6
8
2
4
6
8
2
4
0
1
7
9
3
5
7
9
3
5
A table constructed to minimize detection
EVT/WOTE 2009
0
0
0
0
0
0
0
0
0
0
2
2
2
2
2
2
2
2
2
2
3
3
3
3
3
3
3
3
3
3
4
4
4
4
4
4
4
4
4
4
5
5
5
5
5
5
5
5
5
5
1
1
1
1
1
1
1
1
1
1
6
6
6
6
6
6
6
6
6
6
7
7
7
7
7
7
7
7
7
7
8
8
8
8
8
8
8
8
8
8
9
9
9
9
9
9
9
9
9
9
A table constructed to maximize detection
On the Security of Election Audits with Low Entropy Randomness
11
Simulation Studies
• No good analytic model for clustering effect
– Though some potential avenues
• Easiest to study via simulation
– Generate a random table (using CSPRNG)
– Generate an attack set of size k
– Determine which offsets will sample at least one element of K
• Two kinds of attack sets
– Random (should have expected statistics)
– Randomly selected from least frequent 2k units†
• Results averaged over multiple tables (5–25)
† This
is heuristic. We don’t have a good algorithm here either.
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
12
0.8
0.6
0.4
0.2
Expected
Under Attack
0.0
Probability of Detecting Attack
1.0
Example
0
100
200
300
400
500
600
Number of Sampled Precincts
200,000 entries, 1000 precincts, 10 attacked
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
13
The Attacker’s View: Modest Advantage
• Still very likely to be detected
– In the above example: about 4x more chance of success at 99%
– Biggest gap around 80% nominal detection rate (71.4% actual)
• Probably not enough to make or break an attack
– But worth doing if you’re going to attack anyway
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
14
The Auditor’s View: Higher Work Factor
Detection
Units to Audit
Units to Audit
Difference
Probability
(projected)
(under attack)†
(percent)
80%
148
190
28
90%
205
270
32
95%
258
340
32
99%
368
540
47
Required audit levels: 200,000 entries, 1000 precincts, 10 attacked precincts
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
15
General Trends
• More entries per unit decrease attacker advantage
– Larger tables
– Fewer units
• Higher attack rates decrease attacker advantage
– Need to select increasingly probable values
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
16
0.8
0.6
0.4
0.2
Expected
Under Attack
0.0
Probability of Detecting Attack
1.0
A Big Table
0
100
200
300
400
Number of Sampled Precincts
1,000,000 entries, 1000 precincts, 10 attacked precincts
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
17
0.8
0.6
0.4
0.2
Expected
Under attack (permuted)
Under attack (random)
0.0
Probability of Detecting Attack
1.0
Permuted Tables
0
100
200
300
400
500
600
Number of Sampled Precincts
200,000 entries, 1000 precincts, 10 attacked precincts
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
18
Potential Improvements
• New tables
– Bigger (107 entries?)
– Permuted rather than random
– Generated using a PRNG?
• Existing tables
– Individual addressing
– Random offsets
– Multiple starting points
– All of these need analysis
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
19
What about CSPRNGs?
• CSPRNGs have big state spaces no matter what the seed size
– Stronger than tables for the same seed entropy
– Intuition: sequences don’t overlap
• Cryptographic applications require very large seeds
– Not necessary here
– Need unpredictability, not unsearchability
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
20
1.0
Security of PRNGs by Seed Size (nominal 99% level)
●
●
●
●
●
●
●
●
●
0.8
●
0.4
0.6
●
●
0.2
0.0
Probability of Detecting Attack
●
●
●
●
5
10
15
Bits of entropy
Probability of detection for PRNGs: 1000 precincts, 10 attacked
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
21
Summary
• Secure auditing requires verifiably unpredictable random values
• Generating them directly seems expensive
• Natural stretching approaches may not deliver their expected
security
• Not clear if randomness tables can be used safely
• PRNGs appear safe with modest-sized seeds
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
22
References
[CHF08] Joseph A. Calandrino, J. Alex Halderman, and Edward W. Felten. In Defense of
Pseudorandom Sample Selection. In Proceedings of the 2008 Electronic Voting
Technology Workshop, 2008. http://www.usenix.org/events/evt08/tech/full_
papers/calandrino/calandrino.pdf.
[CWD06] Arel Cordero, David Wagner, and David Dill. The role of dice in election
audits—extended abstract. IAVoSS Workshop on Trustworthy Elections 2006 (WOTE
2006), June 2006. http://www.cs.berkeley.edu/~daw/papers/dice-wote06.pdf.
[RAN02] RAND Corporation. A Million Random Digits with 100,000 Normal Deviates.
American Book Publishers, 2002.
EVT/WOTE 2009
On the Security of Election Audits with Low Entropy Randomness
23
Related documents
Test 4
Test 4
A.P. STATISTICS LESSON 6
A.P. STATISTICS LESSON 6
Entropy as Measure of Randomness
Entropy as Measure of Randomness
P014 Using Simulation Cell Theory to Calculate the Thermody
P014 Using Simulation Cell Theory to Calculate the Thermody
Energy - Cloudfront.net
Energy - Cloudfront.net
Energy and Matter
Energy and Matter
Chapter 6
Chapter 6
After separation into groups students got working sheets and
After separation into groups students got working sheets and
Lecture 8 , Feb - 16
Lecture 8 , Feb - 16
God and Chance – slides
God and Chance – slides
PY2104 - Introduction to thermodynamics and Statistical physics
PY2104 - Introduction to thermodynamics and Statistical physics
1. (a) Consider that an entropy S is as function of temperature T and
1. (a) Consider that an entropy S is as function of temperature T and
Chapter 6, Sections 1 & 2
Chapter 6, Sections 1 & 2
Decision Trees.
Decision Trees.