1 , 2 2 3 Stphanie Delaune , Steve Kremer and Ma rk Ry - - PowerPoint PPT Presentation
▶
SMART_READER_LITE
LIVE PREVIEW
1 , 2 2 3 Stphanie Delaune , Steve Kremer and Ma rk Ry - - PowerPoint PPT Presentation
Jul 03, 2023 103 likes •409 views
Co erion-Resistane and Reeipt-F reeness in Eletroni V oting 1 , 2 2 3 Stphanie Delaune , Steve Kremer and Ma rk Ry an 1 LSV, ENS de Cahan, CNRS & INRIA, F rane 2 F rane Tlom R&D 3 Sho
SLIDE 1Co er ion-Resistan e and Re eipt-F reeness in Ele troni V
ting
Stphanie Delaune 1, 2 , Steve Kremer 2 and Ma rk Ry an 3 1 LSV, ENS de Ca han, CNRS & INRIA, F ran e 2 F ran e Tl om R&D 3 S ho
l
f
Computer S ien e, Universit y
f
Birmingham, UK S. Delaune (LSV, ENS Ca han) Ele troni V
ting
1 / 22
SLIDE 2Ele troni voting A dvantages: Convenient, E ient fa ilities fo r tallying votes. Dra wba ks: Risk
f
la rge-s ale and undete table fraud, Su h p roto
ls
a re extremely erro r-p rone. "A 15-y ea r-old in a ga rage
uld
manufa ture sma rt a rds and sell them
n
the Internet that w
uld
allo w fo r multiple votes" A vi Rubin P
ssible
issue: fo rmal metho ds abstra t analysis
f
the p roto
l
against fo rmally-stated p rop erties S. Delaune (LSV, ENS Ca han) Ele troni V
ting
2 / 22
SLIDE 3Exp e ted p rop erties Priva y: the fa t that a pa rti ula r voted in a pa rti ula r w a y is not revealed to any
ne
Re eipt-freeness: a voter annot p rove that she voted in a ertain w a y (this is imp
rtant
to p ro- te t voters from
er ion)
Co er ion-resistan e: same as re eipt-freeness, but the
er er
intera ts with the voter during the p roto
l,
e.g. b y p repa ring messages S. Delaune (LSV, ENS Ca han) Ele troni V
ting
3 / 22
SLIDE 4Summa ry Observations: Denitions
f
se urit y p rop eties a re
ften
insu iently p re ise No lea r distin tion b et w een re eipt-freeness and
er ion-resistan e
Goal: Prop
se
the rst fo rmal metho ds denitions
f
re eipt-freeenes and
er ion-resistan e
Results: F
rmalisation
f
re eipt-freenes and
er ion-resistan e
as some kind
f
bservational
equivalen e in the applied pi- al ulus, Co er ion-Resistan e ⇒ Re eipt-F reeness ⇒ Priva y , Case study: p roto
l
due to Lee et al. [Lee et al., 03℄ S. Delaune (LSV, ENS Ca han) Ele troni V
ting
4 / 22
SLIDE 5Summa ry Observations: Denitions
f
se urit y p rop eties a re
ften
insu iently p re ise No lea r distin tion b et w een re eipt-freeness and
er ion-resistan e
Goal: Prop
se
the rst fo rmal metho ds denitions
f
re eipt-freeenes and
er ion-resistan e
Results: F
rmalisation
f
re eipt-freenes and
er ion-resistan e
as some kind
f
bservational
equivalen e in the applied pi- al ulus, Co er ion-Resistan e ⇒ Re eipt-F reeness ⇒ Priva y , Case study: p roto
l
due to Lee et al. [Lee et al., 03℄ S. Delaune (LSV, ENS Ca han) Ele troni V
ting
4 / 22
SLIDE 6Outline
f
the talk 1 Intro du tion 2 Applied π
al ulus
3 F
rmalisation
f
Priva y and Re eipt-F reeness 4 F
rmalisation
f
Co er ion-Resistan e 5 Con lusion and F uture W
rks
S. Delaune (LSV, ENS Ca han) Ele troni V
ting
5 / 22
SLIDE 7Outline
f
the talk 1 Intro du tion 2 Applied π
al ulus
3 F
rmalisation
f
Priva y and Re eipt-F reeness 4 F
rmalisation
f
Co er ion-Resistan e 5 Con lusion and F uture W
rks
S. Delaune (LSV, ENS Ca han) Ele troni V
ting
6 / 22
SLIDE 8Motivation fo r using the applied π
al ulus
Applied pi- al ulus: [Abadi & F
urnet,
01℄ basi p rogramming language with
nstru ts
fo r
n urren y
and
mmuni ation
based
n
the π
al ulus
[Milner et al., 92℄ in some w a ys simila r to the spi- al ulus [Abadi & Go rdon, 98℄ A dvantages: allo ws us to mo del less lassi al ryptographi p rimitives b
th
rea habilit y and equivalen e-based sp e i ation
f
p rop erties automated p ro
fs
using ProV erif to
l
[Blan het℄ p
w
erful p ro
f
te hniques fo r hand p ro
fs
su essfully used to analyze a va riet y
f
se urit y p roto
ls
S. Delaune (LSV, ENS Ca han) Ele troni V
ting
7 / 22
SLIDE 9Motivation fo r using the applied π
al ulus
Applied pi- al ulus: [Abadi & F
urnet,
01℄ basi p rogramming language with
nstru ts
fo r
n urren y
and
mmuni ation
based
n
the π
al ulus
[Milner et al., 92℄ in some w a ys simila r to the spi- al ulus [Abadi & Go rdon, 98℄ A dvantages: allo ws us to mo del less lassi al ryptographi p rimitives b
th
rea habilit y and equivalen e-based sp e i ation
f
p rop erties automated p ro
fs
using ProV erif to
l
[Blan het℄ p
w
erful p ro
f
te hniques fo r hand p ro
fs
su essfully used to analyze a va riet y
f
se urit y p roto
ls
S. Delaune (LSV, ENS Ca han) Ele troni V
ting
7 / 22
SLIDE 10The applied π
al ulus
n
an example Syntax: Equational theo ry: de ( en ( x, y), y) = x Pro ess: P = ν s, k.( out( 1, en ( s, k)) | in( 1, y). out( 2, de ( y, k))). Semanti s: Op erational semanti s → : P → ν s,
k. out(
2, s) Op erational lab eled semanti s α
→ :
P
ν
x 1.
ut(
1, x 1)
− − − − − − − − → ν
s, k.( in( 1, y). out( 2, de ( y, k))) | {en ( s, k)/x 1}) in( 1, x 1)
− − − − − → ν
s, k.( out( 2, s) | {en ( s, k)/x 1}
. . .
S. Delaune (LSV, ENS Ca han) Ele troni V
ting
8 / 22
SLIDE 11The applied π
al ulus
n
an example Syntax: Equational theo ry: de ( en ( x, y), y) = x Pro ess: P = ν s, k.( out( 1, en ( s, k)) | in( 1, y). out( 2, de ( y, k))). Semanti s: Op erational semanti s → : P → ν s,
k. out(
2, s) Op erational lab eled semanti s α
→ :
P
ν
x 1.
ut(
1, x 1)
− − − − − − − − → ν
s, k.( in( 1, y). out( 2, de ( y, k))) | {en ( s, k)/x 1}) in( 1, x 1)
− − − − − → ν
s, k.( out( 2, s) | {en ( s, k)/x 1}
. . .
S. Delaune (LSV, ENS Ca han) Ele troni V
ting
8 / 22
SLIDE 12Stati equivalen e
n
frames
passive
atta k er F rame A frame is a p ro ess
f
the fo rm ν˜ n.({ M 1/ x 1} | . . . | { M n/ x n}) . Example P = ν s, k.( out( 2, s) | {en ( s, k)/x 1}
φ( P) = ν
s, k.{en ( s, k)/x 1} Stati equivalen e
n
frames (≈ s )
ϕ ≈
s ψ when dom(ϕ) = dom(ψ) (the frames
in ide
n
unrestri ted va riables), fo r all terms U, V , ( U = E V )ϕ i ( U = E V )ψ S. Delaune (LSV, ENS Ca han) Ele troni V
ting
9 / 22
SLIDE 13Stati equivalen e
n
frames
passive
atta k er F rame A frame is a p ro ess
f
the fo rm ν˜ n.({ M 1/ x 1} | . . . | { M n/ x n}) . Example P = ν s, k.( out( 2, s) | {en ( s, k)/x 1}
φ( P) = ν
s, k.{en ( s, k)/x 1} Stati equivalen e
n
frames (≈ s )
ϕ ≈
s ψ when dom(ϕ) = dom(ψ) (the frames
in ide
n
unrestri ted va riables), fo r all terms U, V , ( U = E V )ϕ i ( U = E V )ψ Example 1:
ν
k.({ en (a, k)/ x} | { k/ y}) ≈ s ν n.({ en (b, k)/ x} | { k/ y}) S. Delaune (LSV, ENS Ca han) Ele troni V
ting
9 / 22
SLIDE 14Stati equivalen e
n
frames
passive
atta k er F rame A frame is a p ro ess
f
the fo rm ν˜ n.({ M 1/ x 1} | . . . | { M n/ x n}) . Example P = ν s, k.( out( 2, s) | {en ( s, k)/x 1}
φ( P) = ν
s, k.{en ( s, k)/x 1} Stati equivalen e
n
frames (≈ s )
ϕ ≈
s ψ when dom(ϕ) = dom(ψ) (the frames
in ide
n
unrestri ted va riables), fo r all terms U, V , ( U = E V )ϕ i ( U = E V )ψ Example 2:
ν
k.{ en (a, k)/ x} ≈ s ν n.{ en (b, k)/ x} S. Delaune (LSV, ENS Ca han) Ele troni V
ting
9 / 22
SLIDE 15Lab eled bisimulation
n
p ro esses
a tive
atta k er Lab eled bisimulation (≈ℓ ) Lab eled bisimila rit y is the la rgest symmetri relation R
n
losed extended p ro esses, su h that A R B implies 1 φ( A) ≈ s φ( B) , 2 if A → A′ , then B →∗ B′ and A′ R B′ fo r some B′ , 3 if A α
→
A′ , then B →∗ α
→→∗
B′ and A′ R B′ fo r some B′ . Theo rem (Abadi & F
urnet,
01) A ≈ℓ B ⇔ no
ntext
an distinguish the t w
p
ro esses A and B . S. Delaune (LSV, ENS Ca han) Ele troni V
ting
10 / 22
SLIDE 16V
ting
p roto
ls
in the applied π
al ulus
Denition (V
ting
p ro ess) VP ≡ ν˜ n.( V σ 1 | · · · | V σ n | A 1 | · · · | A m) V σ i : voter p ro ess and v ∈ dom(σ i) refers to the value
f
his vote A j : ele tion autho rit y
˜
n : hannel names The
ut ome
f
the vote is made publi , i.e. there exists B su h that VP (→∗ α
− →∗)∗
B with φ( B) ≡ ϕ | { vσ 1/ x 1, . . . , vσ n/ x n} fo r some ϕ.
֒ →
S is a
ntext
whi h is as VP but has a hole instead
f
t w
f
the V σ i S. Delaune (LSV, ENS Ca han) Ele troni V
ting
11 / 22
SLIDE 17Outline
f
the talk 1 Intro du tion 2 Applied π
al ulus
3 F
rmalisation
f
Priva y and Re eipt-F reeness 4 F
rmalisation
f
Co er ion-Resistan e 5 Con lusion and F uture W
rks
S. Delaune (LSV, ENS Ca han) Ele troni V
ting
12 / 22
SLIDE 18F
rmalisation
f
p riva y Classi ally mo deled as
bservational
equivalen es b et w een t w
slightly
dierent p ro esses P 1 and P 2 , but hanging the identit y do es not w
rk,
as identities a re revealed hanging the vote do es not w
rk,
as the votes a re revealed at the end Solution: [Kremer & Ry an, 05℄
֒ →
nsider
2 honest voters and sw ap their votes A voting p roto
l
resp e ts p riva y if S[ V A{ a/ v} | V B{ b/ v}] ≈ℓ S[ V A{ b/ v} | V B{ a/ v}] . S. Delaune (LSV, ENS Ca han) Ele troni V
ting
13 / 22
SLIDE 19F
rmalisation
f
p riva y Classi ally mo deled as
bservational
equivalen es b et w een t w
slightly
dierent p ro esses P 1 and P 2 , but hanging the identit y do es not w
rk,
as identities a re revealed hanging the vote do es not w
rk,
as the votes a re revealed at the end Solution: [Kremer & Ry an, 05℄
֒ →
nsider
2 honest voters and sw ap their votes A voting p roto
l
resp e ts p riva y if S[ V A{ a/ v} | V B{ b/ v}] ≈ℓ S[ V A{ b/ v} | V B{ a/ v}] . S. Delaune (LSV, ENS Ca han) Ele troni V
ting
13 / 22
SLIDE 20Leaking se rets to the
er er
T
mo
del re eipt-freeness w e need to sp e ify that a
er ed
voter
p
erates with the
er er
b y leaking se rets
n
a hannel h W e denote b y V h the p ro ess built from the p ro ess V as follo ws: h
=
0,
( P |
Q) h
=
P h | Q h ,
(ν
n. P)
h
= ν
n. out( h,
n). P h ,
( in( u,
x). P) h
=
in( u, x). out( h, x). P h ,
( out( u,
M). P) h
=
ut( u,
M). P h , . . . W e denote b y V \ out( h ,·)
= ν
h .( V |!in( h , x) . S. Delaune (LSV, ENS Ca han) Ele troni V
ting
14 / 22
SLIDE 21Re eipt-freeness Denition (Re eipt-freeness) A voting p roto
l
is re eipt-free if there exists a p ro ess V ′ , satisfying V ′\ out( h ,·) ≈ℓ V A{ a/ v}, S[ V A{ / v} h | V B{ a/ v}] ≈ℓ S[ V ′ | V B{ / v}] . Intuitively , there exists a p ro ess V ′ whi h do es vote a , leaks (p
ssibly
fak e) se rets to the
er er,
and mak es the
er er
b elieve he voted S. Delaune (LSV, ENS Ca han) Ele troni V
ting
15 / 22
SLIDE 22Some results Let VP b e a voting p roto
l.
W e have fo rmally sho wn that: VP is re eipt-free =
⇒
VP resp e ts p riva y. Case study: Lee et al. p roto
l
W e have p roved re eipt-freeness b y exhibiting V ′ sho wing that V ′\ out( h ,·) ≈ℓ V A{ a/ v} sho wing that S[ V A{ / v} h | V B{ a/ v}] ≈ℓ S[ V ′ | V B{ / v}] S. Delaune (LSV, ENS Ca han) Ele troni V
ting
16 / 22
SLIDE 23Outline
f
the talk 1 Intro du tion 2 Applied π
al ulus
3 F
rmalisation
f
Priva y and Re eipt-F reeness 4 F
rmalisation
f
Co er ion-Resistan e 5 Con lusion and F uture W
rks
S. Delaune (LSV, ENS Ca han) Ele troni V
ting
17 / 22
SLIDE 24Intera ting with the
er er
T
mo
del
er ion-resistan e,
w e need to mo del intera tion b et w een the
er er
and the voter: 1 se rets a re leak ed to the
er er
n
a hannel 1 , and 2
utputs
a re p repa red b y the
er er
and given to the voter via 2 . W e denote b y V 1, 2 the p ro ess built from V as follo ws: 1, 2
=
0,
( P |
Q) 1, 2
=
P 1, 2 | Q 1, 2 ,
(ν
n. P)
1, 2
= ν
n. out(
1, n). P 1, 2 ,
( in( u,
x). P) 1, 2
=
in( u, x). out( 1, x). P 1, 2 ,
( out( u,
M). P) 1, 2
=
in( 2, x). out( u, x). P 1, 2 (x is a fresh va riable), . . . S. Delaune (LSV, ENS Ca han) Ele troni V
ting
18 / 22
SLIDE 25Co er ion-resistan e (1) First app ro ximation: VP is
er ion-resistant
if there exists a p ro ess V ′ su h that S[ V A{ / v} 1, 2 | V B{ a/ v}] ≈ℓ S[ V ′ | V B{ / v}] . Problem: the
er er
uld
blige
V A{ / v} 1, 2 to vote ′ = , the p ro ess V B{ / v} w
uld
not
unterbalan e
the
ut ome
Solution:
֒ →
a new relation w e have alled adaptive simulation (A a B) S. Delaune (LSV, ENS Ca han) Ele troni V
ting
19 / 22
SLIDE 26Co er ion-resistan e (1) First app ro ximation: VP is
er ion-resistant
if there exists a p ro ess V ′ su h that S[ V A{ / v} 1, 2 | V B{ a/ v}] ≈ℓ S[ V ′ | V B{ / v}] . Problem: the
er er
uld
blige
V A{ / v} 1, 2 to vote ′ = , the p ro ess V B{ / v} w
uld
not
unterbalan e
the
ut ome
Solution:
֒ →
a new relation w e have alled adaptive simulation (A a B) S. Delaune (LSV, ENS Ca han) Ele troni V
ting
19 / 22
SLIDE 27Co er ion-resistan e (2) Denition (Co er ion-resistan e) A voting p roto
l
is
er ion-resistant
if there exists a p ro ess V ′ and an evaluation
ntext
C satisfying S[ V A{ / v} 1, 2 | V B{ a/ v}] a S[ V ′ | V B{ x/ v}] ,
ν
1,
2. C[ V
A{ / v} 1, 2] ≈ℓ V A{ / v} h ,
ν
1,
2. C[ V ′]\ out( h ,·) ≈ℓ
V A{ a/ v}, where x is a fresh free va riable. Intuitively , V B{ x/ v} an adapt his vote and
unter-balan e
the
ut ome,
w e require that when w e apply a
ntext
C (the
er er
requesting V A{ / v} 1, 2 to vote ) the p ro ess V ′ in the same
ntext
C votes a . S. Delaune (LSV, ENS Ca han) Ele troni V
ting
20 / 22
SLIDE 28Some results Let VP b e a voting p roto
l.
W e have fo rmally sho wn that: VP is
er ion-resistant =
⇒
VP resp e ts re eipt-free.
֒ →
ree ts the intuition but the p ro
f
is te hni al Case study: Lee et al. p roto
l
Co ersion-resistan e dep ends
n
implementation details: en ryption with integrit y he k
֒ →
fault atta k: the p roto
l
is not
er ion-resistant
en ryption without integrit y he k
֒ →
the p roto
l
is
er ion-resistant
S. Delaune (LSV, ENS Ca han) Ele troni V
ting
21 / 22
SLIDE 29Con lusion and F uture W
rks
Con lusion: rst fo rmal denitions
f
re eipt-freeness and
er ion-resistan e
er ion-resistan e ⇒
re eipt-freeness ⇒ p riva y , a ase study giving interesting insights F uture W
rks:
de ision p ro edure fo r
bservational
equivalen e fo r p ro esses without repli ation
ther
p rop erties based
n
not b eing able to p rove individual/universal veriabilit y S. Delaune (LSV, ENS Ca han) Ele troni V
ting
22 / 22
SLIDE 30Con lusion and F uture W
rks
Con lusion: rst fo rmal denitions
f
re eipt-freeness and
er ion-resistan e
er ion-resistan e ⇒
re eipt-freeness ⇒ p riva y , a ase study giving interesting insights F uture W
rks:
de ision p ro edure fo r
bservational
equivalen e fo r p ro esses without repli ation
ther
p rop erties based
n
not b eing able to p rove individual/universal veriabilit y S. Delaune (LSV, ENS Ca han) Ele troni V
