Analysis of electronic voting protocols in applied pi calculus Mark - PowerPoint PPT Presentation

Analysis of electronic voting protocols in applied pi calculus Mark Ryan University of Birmingham based on joint work with Ben Smyth Steve Kremer Mounira Kourjieh IFIP WG 1.3, Udine, Italy September 2009

Outline Electronic voting Applied pi calculus Privacy properties and verifiability properties Case studies

Voting system: desired properties Eligibility: only legitimate voters can vote, and at most once (This also implies that the voting authorities cannot insert votes) Fairness: no early results can be obtained Privacy: the fact that a particular voter in a particular way is not revealed to anyone △ Receipt-freeness: a voter cannot later prove to a coercer that she voted in a certain way Coercion-resistance: a voter cannot interactively cooperate with a coercer to prove that she voted in a certain way △ Individual verifiability: a voter can verify that her vote was really counted Universal verifiability: a voter can verify that the published outcome really is the sum of all the votes . . . and all this even in the presence of corrupt election authorities!

Electronic voting: current situation Country Status UK

Electronic voting: current situation Country Status UK Worrying

Electronic voting: current situation Country Status UK Worrying Germany

Electronic voting: current situation Country Status UK Worrying Germany Abandoned

Electronic voting: current situation Country Status UK Worrying Germany Abandoned Netherlands

Electronic voting: current situation Country Status UK Worrying Germany Abandoned Netherlands Abandoned

Electronic voting: current situation Country Status UK Worrying Germany Abandoned Netherlands Abandoned USA

Electronic voting: current situation Country Status UK Worrying Germany Abandoned Netherlands Abandoned USA Disaster

How could it be secure?

Security by trusted client software → → → → → → → → → trusted by user not trusted by user does not need to be doesn’t need to be trusted by authorities trusted by anyone or other voters

The applied π -calculus Applied pi-calculus: [Abadi & Fournet, 01] basic programming language with constructs for concurrency and communication based on the π -calculus [Milner et al. , 92] in some ways similar to the spi-calculus [Abadi & Gordon, 98], but more general w.r.t. cryptography Advantages: naturally models a Dolev-Yao attacker allows us to model less classical cryptographic primitives both reachability-bases and equivalence-based specification of properties automated proofs using ProVerif tool [Blanchet] powerful proof techniques for hand proofs successfully used to analyze a variety of security protocols

Equations to model the cryptography: examples Encryption and signatures 1 decrypt( encrypt(m,pk(k)), k ) = m checksign( sign(m,k), m, pk(k) ) = ok Blind signatures 2 unblind( sign( blind(m,r), sk ), r ) = sign(m,sk) Designated verifier proof of re-encryption 3 The term dvp(x,renc(x,r),r,pkv) represents a proof designated for the owner of pkv that x and renc(x,r) have the same plaintext. checkdvp(dvp(x,renc(x,r),r,pkv),x,renc(x,r),pkv) = ok checkdvp( dvp(x,y,z,skv), x, y, pk(skv) ) = ok. Zero-knowledge proofs of knowledge 4 pf(k,x,y) represents proof that I know k such that dec(x,k)=y. checkpf( pf(k,x,dec(x,k)), x, dec(x,k) ) = ok.

Applied pi calculus: Grammar [Abadi/Fournet 02] L , M , N , T , U , V ::= terms a , b , c , k , m , n , s , t , r , . . . name x , y , z variable g ( M 1 , . . . , M l ) function P , Q , R ::= processes A , B , C ::= extended processes 0 null process plain process P P | Q parallel composition A | B parallel composition ! P replication ν n . A name restriction ν n . P name restriction ν x . A variable restriction u ( x ) . P message input { M / x } active substitution u � M � . P message output if M = N then P else Q conditional

Applied pi calculus: Operational semantics I [Abadi/Fournet 02] ≡ A | 0 Par-0 A A | ( B | C ) ≡ ( A | B ) | C Par-A A | B ≡ B | A Par-C ! P ≡ P | ! P Repl New-0 ν n . 0 ≡ 0 New-C ν u .ν w . A ≡ ν w .ν u . A New-Par A | ν u . B ≡ ν u . ( A | B ) where u �∈ fv ( A ) ∪ fn ( A ) ν x . { M / x } ≡ Alias 0 { M / x } | A ≡ { M / x } | A { M / x } Subst { M / x } ≡ { N / x } Rewrite where M = E N c � x � . P | c ( x ) . Q − → P | Q Comm if N = N then P else Q − → P Then if L = M then P else Q − → Q Else for ground terms L , M where L � = E M

Applied pi calculus: Operational semantics II [Abadi/Fournet 02] c ( M ) c ( x ) . P − − − → P { M / x } In c � u � Out-Atom c � u � . P − − → P c � u � → A ′ − − u � = c A Open-Atom ν u . c � u � − − − − − → A ′ ν u . A α → A ′ − u does not occur in α A Scope α − → ν u . A ′ ν u . A α → A ′ − bv ( α ) ∩ fv ( B ) = bn ( α ) ∩ fn ( B ) = ∅ A Par → A ′ | B α A | B − B ′ ≡ A ′ α → B ′ A ≡ B − B Struct α → A ′ A −

Receipt-freeness

Receipt-freeness: leaking secrets to the coercer To model receipt-freeness we need to specify that a coerced voter cooperates with the coercer by leaking secrets on a channel ch P ::= P ch in terms of P 0 0 ch = 0 P | P ( P | Q ) ch = P ch | Q ch ν n . P in( u , x ) . P ( ν n . P ) ch = ν n . out( ch , n ) . P ch out( u , M ) . P (in( u , x ) . P ) ch = in( u , x ) . out( ch , x ) . P ch if M = N then P else P (out( u , M ) . P ) ch = out( u , M ) . P ch ! P . . . . . . We denote by P \ out ( chc , · ) the process ν chc . ( P | !in( chc , x )). Lemma: ( P ch ) \ out ( chc , · ) ≈ ℓ P

Receipt-freeness: definition Intuition Definition (Receipt-freeness) There exists a A voting protocol is receipt-free if there exists a process V ′ which process V ′ , satisfying votes a , V ′\ out ( chc , · ) ≈ ℓ V A { a / v } , leaks S [ V A { c / v } chc | V B { a / v } ] ≈ ℓ S [ V ′ | V B { c / v } ]. (possibly fake) secrets to the Case study: Lee et al. protocol coercer, We prove receipt-freeness by looks indistin- exhibiting V ′ guishable to showing that V ′\ out ( chc , · ) ≈ ℓ V A { a / v } coercer from situation in showing that S [ V A { c / v } chc | V B { a / v } ] ≈ ℓ S [ V ′ | V B { c / v } ] which she voted c

end-to-end verifiability Election results can be fully verified by voters/observers The software provided by election authorities does not need to be trusted The software used to perform the verification can be sourced independently

Election verifiability Individual Universal Eligibility verifiability verifiability verifiability A voter can Anyone can Anyone can check her own check that the check that only vote is included declared eligible votes are in the tally. outcome included in the corresponds to declared the tally. outcome. Remarks Verifiability � = correctness What system components need to be trusted in order to carry out these checks?

Individual verifiability Intuition: a protocol satisfies individual verifiability if there is a test R IV � � my vote , my data , bb entry that a voter can apply after the election. The test succeeds iff the bulletin board entry corresponds to the voter’s vote and data. Acceptability conditions for R IV For all votes s , there is an execution of the protocol that produces M such that some bulletin board entry T satisfies R IV ( s , ˜ ˜ M , T ). The bulletin board entry determines the vote, that is: � R IV ( s , ˜ M , T ) ∧ R IV ( t , ˜ � ∀ s , t , ˜ M , ˜ N , T N , T ) ⇒ s = t

Universal verifiability Intuition: a protocol satisfies universal verifiability if there is a test R UV � � declared outcome , bb entries , proof that an observer can apply after the election. The test succeeds iff the declared outcome is correct w.r.t. the bb entries and the proof. Acceptability conditions for R UV ˜ T determines ˜ s , that is, R UV ( ˜ T , p 1 ) ∧ R UV ( ˜ s 1 , ˜ s 2 , ˜ T , p 2 ) ⇒ ˜ s 1 = ˜ s 2 The observer opens the bb entry the same way as the voter: R IV ( s , ˜ M , T ) ∧ R UV (˜ T , p ′ ) ⇒ ∃ p ′ . R UV (˜ s , ˜ s ◦ s , ˜ T ◦ T , p ′ )

Election verifiability a . ( P | Q [ c � U � ])] satisfies election verifiability if A voting process C [! ν ˜ voter’s credentials and bulletin board entries are unique and there exists tests R IV , R UV , R EV with fv ( R IV ) ⊆ bv ( P ) ∪ { v , z } fv ( R UV ) ⊆ { v , z } fv ( R EV ) ⊆ { y , z } ( fn ( R UV ) ∪ fn ( R EV )) ∩ bn ( P ) = ∅ such that the augmented voting process satisfies the following conditions: the un reachability assertion: fail � true � . the reachability assertion: pass � true , x � .