Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
On the Security of Election Audits with Low Entropy Randomness Eric Rescorla [email protected] EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 1 Overview • Secure auditing requires random sampling – The units to be audited must be verifiably unpredictable – Simple physical methods (dice, coins, etc.) are expensive • “Stretching” approaches – Randomness tables [CWD06] – Cryptographic pseudorandom number generators (CSPRNGs) [CHF08] • These techniques must be seeded with verifiably random values • Small (but natural) seeds give the attacker an advantage EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 2 Formalizing the Problem: The Auditing Game Audit units (U) Attacked (K) Audit units (U) Audited (V) V ∩ K = 0: / Attacker wins Attacked (K) Audited (V) V ∩ K 6= 0: / Attacker loses • Two players: Attacker and Auditor • U audit units (U0 ,U1 , ...UN−1 ) • Attacker selects K ⊂ U to attack (|K| = k) – Selection is made before preliminary results are posted • Auditor selects V ⊂ U to audit (|V| = v) EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 3 Auditing Game Strategy • If the auditor’s selections are random and i.i.d then: v−1 (N − i − k) Pr(detection) = 1 − ∏ N −i i=0 • No matter how the attacker chooses K • This is the auditor’s optimal strategy • What about intermediate cases? – Attacker has incomplete information about V EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 4 Example: A Million Random Digits [RAN02] • Pick a random starting group and read forward – This process has log2 (#entries) bits of entropy EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 5 Random Number Tables Bias and Attacker Advantage • Random number tables aren’t the same as random numbers – The attacker knows the table – But not the starting point • Two effects give the attacker an advantage – Natural variation in the occurrences of each value – Clustering of values EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 6 Natural Variation 0.025 • Binomially distributed counts 0.015 0.000 0.005 0.010 Probability 0.020 • Expected value = T /N 160 180 200 220 240 Number of occurrences (n) EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 7 Natural Variation 0.025 • Binomially distributed counts 0.015 • Attacker selects k least frequent units Area=k/N 0.000 0.005 0.010 Probability 0.020 • Expected value = T /N 160 180 200 220 240 Number of occurrences (n) EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 8 0.025 Natural Variation • Binomially distributed counts n_k 0.015 • Attacker selects k least frequent units • The kth least frequent unit appears nk times k nk = min n : cdf(n) ≥ N Area=k/N 0.000 0.005 0.010 Probability 0.020 • Expected value = T /N 160 180 200 220 240 Number of occurrences (n) EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 9 Auditing with Natural Variation • Total entries in table corresponding to k least frequent units† : nk Tbad = N ∑ nϕ(n) n=0 • This is just a standard sampling problem – Each “good” sample removes approximately F entries: T − Tbad N −k • Probability of detection of least frequent k units: F= v−1 T − iF − Tbad T − iF i=0 Pr(detection) = 1 − ∏ † Semi-accurate EVT/WOTE 2009 approximation; see paper. On the Security of Election Audits with Low Entropy Randomness 10 Clustering Effects • We’re not really sampling the table randomly – We read entries in sequence – The order of the entries matters 0 1 6 8 2 4 6 8 2 4 0 1 7 9 3 5 7 9 3 5 0 1 8 2 4 6 8 2 4 6 0 1 9 3 5 7 9 3 5 7 0 1 2 4 6 8 2 4 6 8 0 1 3 5 7 9 3 5 7 9 0 1 4 6 8 2 4 6 8 2 0 1 5 7 9 3 5 7 9 3 0 1 6 8 2 4 6 8 2 4 0 1 7 9 3 5 7 9 3 5 A table constructed to minimize detection EVT/WOTE 2009 0 0 0 0 0 0 0 0 0 0 2 2 2 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 3 3 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5 5 1 1 1 1 1 1 1 1 1 1 6 6 6 6 6 6 6 6 6 6 7 7 7 7 7 7 7 7 7 7 8 8 8 8 8 8 8 8 8 8 9 9 9 9 9 9 9 9 9 9 A table constructed to maximize detection On the Security of Election Audits with Low Entropy Randomness 11 Simulation Studies • No good analytic model for clustering effect – Though some potential avenues • Easiest to study via simulation – Generate a random table (using CSPRNG) – Generate an attack set of size k – Determine which offsets will sample at least one element of K • Two kinds of attack sets – Random (should have expected statistics) – Randomly selected from least frequent 2k units† • Results averaged over multiple tables (5–25) † This is heuristic. We don’t have a good algorithm here either. EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 12 0.8 0.6 0.4 0.2 Expected Under Attack 0.0 Probability of Detecting Attack 1.0 Example 0 100 200 300 400 500 600 Number of Sampled Precincts 200,000 entries, 1000 precincts, 10 attacked EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 13 The Attacker’s View: Modest Advantage • Still very likely to be detected – In the above example: about 4x more chance of success at 99% – Biggest gap around 80% nominal detection rate (71.4% actual) • Probably not enough to make or break an attack – But worth doing if you’re going to attack anyway EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 14 The Auditor’s View: Higher Work Factor Detection Units to Audit Units to Audit Difference Probability (projected) (under attack)† (percent) 80% 148 190 28 90% 205 270 32 95% 258 340 32 99% 368 540 47 Required audit levels: 200,000 entries, 1000 precincts, 10 attacked precincts EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 15 General Trends • More entries per unit decrease attacker advantage – Larger tables – Fewer units • Higher attack rates decrease attacker advantage – Need to select increasingly probable values EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 16 0.8 0.6 0.4 0.2 Expected Under Attack 0.0 Probability of Detecting Attack 1.0 A Big Table 0 100 200 300 400 Number of Sampled Precincts 1,000,000 entries, 1000 precincts, 10 attacked precincts EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 17 0.8 0.6 0.4 0.2 Expected Under attack (permuted) Under attack (random) 0.0 Probability of Detecting Attack 1.0 Permuted Tables 0 100 200 300 400 500 600 Number of Sampled Precincts 200,000 entries, 1000 precincts, 10 attacked precincts EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 18 Potential Improvements • New tables – Bigger (107 entries?) – Permuted rather than random – Generated using a PRNG? • Existing tables – Individual addressing – Random offsets – Multiple starting points – All of these need analysis EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 19 What about CSPRNGs? • CSPRNGs have big state spaces no matter what the seed size – Stronger than tables for the same seed entropy – Intuition: sequences don’t overlap • Cryptographic applications require very large seeds – Not necessary here – Need unpredictability, not unsearchability EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 20 1.0 Security of PRNGs by Seed Size (nominal 99% level) ● ● ● ● ● ● ● ● ● 0.8 ● 0.4 0.6 ● ● 0.2 0.0 Probability of Detecting Attack ● ● ● ● 5 10 15 Bits of entropy Probability of detection for PRNGs: 1000 precincts, 10 attacked EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 21 Summary • Secure auditing requires verifiably unpredictable random values • Generating them directly seems expensive • Natural stretching approaches may not deliver their expected security • Not clear if randomness tables can be used safely • PRNGs appear safe with modest-sized seeds EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 22 References [CHF08] Joseph A. Calandrino, J. Alex Halderman, and Edward W. Felten. In Defense of Pseudorandom Sample Selection. In Proceedings of the 2008 Electronic Voting Technology Workshop, 2008. http://www.usenix.org/events/evt08/tech/full_ papers/calandrino/calandrino.pdf. [CWD06] Arel Cordero, David Wagner, and David Dill. The role of dice in election audits—extended abstract. IAVoSS Workshop on Trustworthy Elections 2006 (WOTE 2006), June 2006. http://www.cs.berkeley.edu/~daw/papers/dice-wote06.pdf. [RAN02] RAND Corporation. A Million Random Digits with 100,000 Normal Deviates. American Book Publishers, 2002. EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 23