Context Properties Belenios Model Static equivalence Trace equivalence Privacy Discussion

Electronic voting: how logic can help?

Véronique Cortier

Journées du GdR-IM 2016

January 18-20, 2016, Villetaneuse Funded by

1/51


Electronic voting

2/51


Two main families for electronic voting

Voting machines
  • Voters attend a polling station
  • Standard authentication (id cards, etc.)
Internet Voting
  • Voters vote from home
  • Using their own computer (or phone, tablet, ...)

3/51


Internet voting is used in trials in various countries

  • France: National Assembly for the French from abroad (2012)
  • Australia: New South Wales state (more than 280 000 votes cast by Internet)
  • Estonia: municipal elections (2005, 2009, and 2013), national parliamentary elections (2007 and 2011), European Parliament elections (2009 and 2014)
  • Switzerland: several trials, a new regulation since 2013 that introduced several levels of security
  • Canada: municipal elections in Ontario (since 2003) and Nova Scotia (since 2006)

4/51


...banned in other countries !

  • Netherlands: 2008, electronic voting is abolished (voting machines and Internet)
  • Germany: 2009, the voting machines (Nedap) are rejected, as they do not comply with the constitution
      It must be possible for a citizen to check the main steps of a voting process, with no special expertise.
  • Norway: trials ended in 2013
      The fear of voters that their vote might become public may undermine the democratic process.

5/51


Widely used in non-political elections

  • professional elections (banks, Éducation Nationale, ...)
  • health care administration councils
  • scientific councils

6/51


vote at UMP

7/51


Numerous attacks !

Pilot project for overseas US military voters
Alex Halderman and his team were able to:
  • retrieve all the electoral material
  • change the votes
  • take control of the surveillance camera
  • finally add their University hymn (Michigan)

8/51


Numerous attacks ! (bis)

Machines in India
  • built a clip-on memory manipulator
  • designed attacks that control the display screen
Sequoia Machines AVC Edge (USA)
  • change the memory card without tampering with the seals
  • installation of Pac-Man
→ watch the (hilarious) videos from Alex Halderman! (YouTube and MOOC)

9/51


What is a good voting system ?

10/51


Confidentiality of the votes

Vote privacy: "No one should know how I voted"
Better: Receipt-free / Coercion-resistant: "No one should know how I voted, even if I am willing to tell my vote!"
  • vote buying
  • coercion
Everlasting privacy: no one should know my vote, even when the cryptographic keys are eventually broken.

11/51


Verifiability

  • Individual Verifiability: Each voter can check that his/her ballot is in the ballot box.
  • Universal Verifiability: Everyone can check that the result corresponds to the content of the ballot box.
  • Eligibility Verifiability: Everyone can check that the ballots have been cast by legitimate voters.
You should verify the election, not the system.

12/51


And many more properties

  • Availability: servers available at any time
  • Accessibility: easy to use, adapted to people with various issues
  • ...

13/51


What does the CNIL say ?

Excerpts from the recommendation of 2010

Confidentiality
  • The system must guarantee that the identity of the voter cannot be related to his vote...
  • The Commission considers that the number of encryption keys should be three at minimum, two out of three keys being necessary to decrypt.
Verifiability: overlooked!
  • The expertise should be performed by an independent expert
  • The systems should guarantee the sincerity of the electoral process, the true surveillance of the vote and the a posteriori control of the election authority
New recommendations expected for 2016.

14/51


I should not be able to prove how I voted, yet I should be able to check that my vote has been counted...
Let us see how this can be realized.

15/51


Building blocks : cryptography

16/51


Asymmetric encryption

  • W. Diffie
  • M. Hellman

Invented in the 80s.
[Figure: "Hello" is encrypted with the public key into "Obawbhe", which is decrypted with the private key back into "Hello".]
Encryption with the public key and decryption with the private key.

17/51


A lot of inventiveness - Shared decryption

→ Several keys are needed to decrypt.

18/51


Threshold decryption

The decryption key is shared between several authorities.
Simple case:
  • Encryption with a key built from n keys
  • Decryption with any of the n keys
More complex (threshold decryption):
  • Encryption with a key built from n keys
  • Decryption with k out of the n keys
→ The decryption key is never present on a single computer, neither during the key generation nor the decryption!

19/51
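
An added example, not taken from the talk or from Belenios: k-out-of-n decryption for exponential ElGamal in which each authority contributes its own random polynomial, so the joint private key is never assembled, neither at key generation nor at decryption. The toy group, the function names and the omission of the proofs that real authorities attach to their contributions are assumptions made for brevity.

```python
import secrets
from itertools import combinations

# Toy group (assumption, far too small for real use): p = 2q + 1, g has prime order q.
P, Q, G = 2039, 1019, 4

def distributed_keygen(k, n):
    """Each authority i picks its own polynomial f_i of degree k-1 and sends
    f_i(j) to authority j. Share of j: x_j = sum_i f_i(j). The joint key
    x = sum_i f_i(0) is never computed; only pub(E) = prod_i g^f_i(0) is."""
    polys = [[secrets.randbelow(Q) for _ in range(k)] for _ in range(n)]

    def evaluate(f, j):
        return sum(c * pow(j, e, Q) for e, c in enumerate(f)) % Q

    shares = {j: sum(evaluate(f, j) for f in polys) % Q for j in range(1, n + 1)}
    pub = 1
    for f in polys:
        pub = pub * pow(G, f[0], P) % P
    return pub, shares

def encrypt(pub, v):
    """Exponential ElGamal ciphertext (g^r, pub^r * g^v)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(pub, r, P) * pow(G, v, P) % P

def partial_decrypt(share, ct):
    """What one authority publishes: a^x_j. The share itself never leaves it."""
    return pow(ct[0], share, P)

def lagrange_at_zero(j, ids):
    """Coefficient of authority j when interpolating at 0 over `ids` (mod q)."""
    num = den = 1
    for m in ids:
        if m != j:
            num, den = num * -m % Q, den * (j - m) % Q
    return num * pow(den, -1, Q) % Q

def combine(ct, partials, max_value=50):
    """Combine {authority id: partial decryption} into the plaintext v.
    Returns None when the result is not a value in 0..max_value."""
    ax = 1
    for j, d in partials.items():
        ax = ax * pow(d, lagrange_at_zero(j, partials), P) % P
    gv = ct[1] * pow(ax, -1, P) % P
    return next((v for v in range(max_value + 1) if pow(G, v, P) == gv), None)

def demo(v=7, k=2, n=3):
    """Decrypt with every pair of authorities, then with authority 1 alone."""
    pub, shares = distributed_keygen(k, n)
    ct = encrypt(pub, v)
    parts = {j: partial_decrypt(x, ct) for j, x in shares.items()}
    by_pairs = [combine(ct, {j: parts[j] for j in ids})
                for ids in combinations(parts, k)]
    alone = combine(ct, {1: parts[1]})
    return by_pairs, alone
```

Every pair of authorities recovers the plaintext, while a single authority treating its share as the key obtains an unrelated group element.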


Threshold encryption - in Texas

http://www.flickr.com/photos/86078043@N08/7880120310/

20/51


Voting protocol Belenios

  • Developed at Loria, team Cassis/Pesto and Caramel/Caramba (P. Gaudry)
  • Developer: Stéphane Glondu
  • Variant of Helios, developed and used at Louvain-la-Neuve University (start-up BlueKrypt)
  • http://belenios.gforge.inria.fr/

  • confidentiality of the votes
  • verifiability of the voting process
→ The ballot box is public at any time.
→ The operations (tally, ...) can be checked by anyone.

21/51


How Belenios works (simplified)

Phase 1: vote

Ballot Box
  Alice   {vA}pub(E)   vA = 0 or 1
  Bob     {vB}pub(E)   vB = 0 or 1
  Chris   {vC}pub(E)   vC = 0 or 1
  David   {vD}pub(E)   vD = 0 or 1
  ...     ...

Phase 2: Tally - homomorphic encryption (El Gamal)
  {v1}pub(E) × ··· × {vn}pub(E) = {v1 × ··· × vn}pub(E)   since g^a × g^b = g^(a+b)
→ Only the final result needs to be decrypted!
pub(E): public key; the private keys are shared among the authorities.

22/51


Oversimplified !

Ballot Box
  Alice   {vA}pub(E)   vA = 0 or 1
  Bob     {vB}pub(E)   vB = 0 or 1
  Chris   {vC}pub(E)   vC = 0 or 1
  David   {vD}pub(E)   vD = 100
  ...     ...
Result: {vA + vB + vC + vD + ···}pub(E)
A voter could cheat!
Use a zero-knowledge proof: {vD}pub(E), SPK{vD = 0 or 1}

23/51
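
The homomorphic tally and the 0/1 ballot proof from the slides above, as an added Python example that is not Belenios code: exponential ElGamal over a toy group, with a disjunctive Chaum-Pedersen proof made non-interactive by hashing standing in for SPK{vD = 0 or 1}. The group parameters, the single key holder (the slides share the key among authorities) and all function names are assumptions made for the example.

```python
import hashlib
import secrets

# Toy group (assumption, far too small for real use): p = 2q + 1, g has prime order q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                      # (private key, pub(E))

def encrypt(h, v):
    """{v}pub(E) = (g^r, h^r * g^v); r is returned because the proof needs it."""
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(h, r, P) * pow(G, v, P) % P), r

def challenge(*values):
    digest = hashlib.sha256(repr(values).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def prove01(h, ct, r, claimed):
    """Proof that ct encrypts 0 or 1. The prover runs the real protocol for
    the branch `claimed` and simulates the other branch."""
    a, b = ct
    other = 1 - claimed
    A, B, c, s = [0, 0], [0, 0], [0, 0], [0, 0]
    # Simulated branch: choose challenge and response first, derive commitments.
    c[other], s[other] = secrets.randbelow(Q), secrets.randbelow(Q)
    b_other = b * pow(G, -other, P) % P
    A[other] = pow(G, s[other], P) * pow(a, -c[other], P) % P
    B[other] = pow(h, s[other], P) * pow(b_other, -c[other], P) % P
    # Real branch: honest commitment; its challenge is fixed by the hash.
    w = secrets.randbelow(Q)
    A[claimed], B[claimed] = pow(G, w, P), pow(h, w, P)
    c[claimed] = (challenge(h, a, b, *A, *B) - c[other]) % Q
    s[claimed] = (w + c[claimed] * r) % Q
    return A, B, c, s

def verify01(h, ct, proof):
    a, b = ct
    A, B, c, s = proof
    if any(pow(e, Q, P) != 1 for e in (a, b)):  # both must lie in the order-q subgroup
        return False
    if (c[0] + c[1]) % Q != challenge(h, a, b, *A, *B):
        return False
    for v in (0, 1):
        b_v = b * pow(G, -v, P) % P             # equals h^r exactly when the plaintext is v
        if pow(G, s[v], P) != A[v] * pow(a, c[v], P) % P:
            return False
        if pow(h, s[v], P) != B[v] * pow(b_v, c[v], P) % P:
            return False
    return True

def tally(x, ballots, max_total=200):
    """Multiply all ciphertexts, decrypt only the product, recover the sum."""
    a = b = 1
    for ca, cb in ballots:
        a, b = a * ca % P, b * cb % P
    g_sum = b * pow(a, -x, P) % P               # g^(v1 + ... + vn)
    return next(t for t in range(max_total + 1) if pow(G, t, P) == g_sum)

def demo():
    """Return (tally without proof checking, stuffed ballot accepted?, checked tally)."""
    x, h = keygen()
    honest_box = []
    for v in (1, 0, 1):                         # Alice, Bob, Chris (constructed votes)
        ct, r = encrypt(h, v)
        assert verify01(h, ct, prove01(h, ct, r, v))
        honest_box.append(ct)
    stuffed, r = encrypt(h, 100)                # David encrypts 100 instead of 0 or 1
    naive = tally(x, honest_box + [stuffed])
    accepted = verify01(h, stuffed, prove01(h, stuffed, r, 1))
    box = honest_box + ([stuffed] if accepted else [])
    return naive, accepted, tally(x, box)
```

With a group this small a false proof still passes about once in q = 1019 attempts; real parameters make that probability negligible.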


Still oversimplified

Ballot box
  Alice   {vA}pub(E)
  Bob     {vB}pub(E)
  Chris   {vC}pub(E)
  ...     {1}pub(E)
  ...     {1}pub(E)
The ballot box could add ballots!

24/51


Still oversimplified

vk(cred3), vk(cred1), vk(cred2), ...

Ballot box
  Alice   [{vA}pub(E)]sk(cred1)
  Bob     [{vB}pub(E)]sk(cred2)
  Chris   [{vC}pub(E)]sk(cred3)
  ...     ...
The ballot box could add ballots!
The voters sign their ballot with a "credential" that they have received (a credential = a right to vote)

24/51


How to analyse security protocols ?

[Figure: protocol |= ? non-repudiation, authenticity, confidentiality]

Methodology

1. Proposing accurate models
  • symbolic models
  • cryptographic/computational models

2. Proving security
  • decidability/undecidability results
  • tools

25/51


Modeling messages

Idea 1: keeping only the structure of the messages
→ Messages are abstracted by terms.
Example: the message {A, Na}K is represented by:

[Term tree: root {} with children < > and K; < > has children A and Na]

Idea 2: Equations for reflecting the properties of the primitives
  Decryption: dec({x}y, y) = x
  Homomorphic encryption: {x1}y ∗ {x2}y = {x1 + x2}y

26/51


Protocols : applied-pi calculus

Applied pi-calculus: Abadi & Fournet, 2001, based on the π-calculus

P, Q, R :=                       plain processes
    0                            null process
    in(u, x).P                   message input
    out(u, M).P                  message output
    if M = N then P else Q       conditional
    νn.P                         name restriction
    P | Q                        parallel
    !P                           replication

27/51


Security properties : accessibility

Trace properties, e.g. safety properties: "something bad never occurs on any execution trace of P"
→ secrecy, authentication, ...

A lot of existing results:

  • several procedures to deal with a variety of cryptographic primitives, e.g. encryption, signature, exclusive or, ...
  • several automatic tools, e.g. ProVerif, AVISPA, Scyther, Tamarin, ...

28/51

How to model vote privacy ?

How to state formally: "No one should know my vote (0 or 1)"?

Idea 1: An attacker should not learn the value of my vote.
  But everyone knows 0 and 1!

Idea 2: An attacker cannot see the difference when voters are different.
  Voter(A, 0) ≈ Voter(B, 0)
  Who voted might be public (cf. Helios)

Idea 3: An attacker cannot see the difference when I vote 0 or 1.
  Voter(A, 0) ≈ Voter(A, 1)
  The attacker always sees the difference since the tally differs. Unanimity does break privacy.

Idea 4: An attacker cannot see when votes are swapped.
  Voter(A, 0) | Voter(B, 1) ≈ Voter(A, 1) | Voter(B, 0)
  S. Kremer & M. Ryan

29/51


Security properties : indistinguishability

P ≈ Q ?

Equivalence based properties: "An observer cannot observe any difference between P and Q"

30/51


Anonymity of passport holders

An attacker should not distinguish between A and B.
  Pass(A) ≈ Pass(B)
May also model:
  • Anonymity in a network (TOR, group signatures, ...)
  • Untraceability (RFIDs, mobile phones, ...)

31/51


Static equivalence - Intuition

The adversary sees sequences of messages φ = {M1/x1, ..., Mℓ/xℓ}

Two sequences of messages are equivalent if the adversary cannot build a test that differentiates them.
  {enc(yes,k)/x1} ∼ {enc(no,k)/x1}
  {enc(yes,k)/x1, k/x2} ≁ {enc(no,k)/x1, k/x2}
  since dec(x2, x1) = yes holds on the left but not on the right.

Static equivalence - Definition
  φ1 ∼E φ2 if for all terms U, V (without names): Uφ1 =E Vφ1 ⇔ Uφ2 =E Vφ2

32/51


Static equivalence - Decidability

Theorem [Abadi, C.]: φ1 ∼E φ2 is decidable (PTIME) for convergent subterm theories E.

Convergent subterm theories: encryption (symmetric and asymmetric), signatures, hashes, MACs, ...
  dec(enc(x, y), y) = x
  adec(aenc(x, pub(y)), y) = x
  π1(x, y) = x
  π2(x, y) = y

33/51


Blind signatures

First phase:
  V → A : sign(blind(vote, r), V)
  A → V : sign(blind(vote, r), A)
Voting phase:
  V → C : sign(vote, A)

34/51


Equational theory for blind signatures

[Kremer Ryan 05]
  checksign(sign(x, y), pk(y)) = x
  unblind(blind(x, y), y) = x
  unblind(sign(blind(x, y), z), y) = sign(x, z)

35/51


Other examples of theories

Exclusive Or
  x ⊕ (y ⊕ z) = (x ⊕ y) ⊕ z
  x ⊕ y = y ⊕ x
  x ⊕ x = 0
  x ⊕ 0 = x
Diffie-Hellman
  exp(exp(z, x), y) = exp(exp(z, y), x)

36/51


More decidability results

Problem: M1 ∼E M2 ? for the theory E (modeling primitives).

  • PTIME for locally stable convergent theories
      unblind(sign(blind(x, y), z), y) = sign(x, z)
    In collaboration with Martin Abadi
  • Decidability of monoidal theories with associative and commutative operators, by reduction to classical algebraic problems (e.g. Gröbner basis)
      x+y = y+x, x+(y+z) = (x+y)+z, h(x+y) = h(x)+h(y)
    In collaboration with Stéphanie Delaune
  • Combination result (for E1, E2 disjoint theories): If ≈ is decidable for E1 and for E2 then it is decidable for E1 ∪ E2.
    In collaboration with Stéphanie Delaune
  • Some tools: YAPA, KISS, ...
→ This is just w.r.t. a passive adversary (an eavesdropper).

37/51


Active case : applied-pi calculus

Applied pi-calculus: Abadi & Fournet, 2001, based on the π-calculus

P, Q, R :=                       plain processes
    0                            null process
    in(u, x).P                   message input
    out(u, M).P                  message output
    if M = N then P else Q       conditional
    νn.P                         name restriction
    P | Q                        parallel
    !P                           replication

Trace equivalence - Intuition
Two processes P and Q are in trace equivalence, P ≈ Q, if for any sequence of identical observable actions, the resulting sequences of emitted messages are in static equivalence.

38/51


Some results for trace equivalence

P ≈ Q ?

Decision procedures / Tools:
  • ProVerif: not guaranteed to terminate, P and Q have to be similar
  • Akiss: not guaranteed to terminate, bounded number of sessions, arbitrary primitives
  • SPEC: bounded number of sessions, standard primitives
  • APTE: bounded number of sessions, standard primitives, else branches

39/51


Static equivalence does not account for length differences

{enc(yes,k)/x1} ∼ {enc(no,k)/x1}

And also:
  {enc(yes,k)/x} ∼ {enc(yes,yes,k)/x},
  {enc(yes,k)/x} ∼ {enc(yes,yes,yes,yes,k)/x},
  {enc(yes,k)/x} ∼ {enc(yes,yes,yes,yes,yes,yes,yes,k)/x},
  {enc(yes,k)/x} ∼ {enc(yes,yes,yes,yes,yes,yes,yes,...,k)/x}, ...

40/51


Length functions

A length function is a function ℓ : T(F, N, X) → R+.

A linear length function satisfies:
  ℓ(f(t1, ..., tn)) = β_f + α^f_1 ℓ(t1) + ... + α^f_n ℓ(tn)

Example:
  ℓ(k) = 1
  ℓ(u, v) = 1 + ℓ(u) + ℓ(v)
  ℓ(enc(u, v)) = 1 + ℓ(u) + ℓ(v)
  ℓ(aenc(u, v)) = 2 + ℓ(u) + ℓ(v)

41/51
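
An added example, not from the talk: a bounded search for the distinguishing test of the static-equivalence definition, over the rule dec(enc(x, y), y) = x and pair projections, with a linear length function as an optional extra observation, reading ℓ(u, v) above as the length of a pair. The term encoding, the recipe depth bound and the constant 1 charged for every atom and symbol are assumptions; because the search is bounded, a None result means no test was found up to that depth, not a proof of equivalence.

```python
from itertools import product

UNARY, BINARY = ("fst", "snd"), ("dec", "enc", "pair")

def normalize(t):
    """Innermost rewriting with dec(enc(x, y), y) -> x,
    fst(pair(x, y)) -> x and snd(pair(x, y)) -> y."""
    if isinstance(t, str):
        return t
    f, *args = t
    args = [normalize(a) for a in args]
    head = args[0]
    if isinstance(head, tuple):
        if f == "dec" and head[0] == "enc" and head[2] == args[1]:
            return head[1]
        if f == "fst" and head[0] == "pair":
            return head[1]
        if f == "snd" and head[0] == "pair":
            return head[2]
    return (f, *args)

def length(t):
    """Linear length function: atoms have length 1, each symbol adds 1."""
    return 1 if isinstance(t, str) else 1 + sum(length(a) for a in t[1:])

def instantiate(recipe, frame):
    """Replace frame variables in an attacker recipe, then normalize."""
    def subst(t):
        if isinstance(t, str):
            return frame.get(t, t)
        return (t[0], *map(subst, t[1:]))
    return normalize(subst(recipe))

def recipes(variables, constants, depth):
    """Attacker terms up to `depth`, built from frame variables and public
    constants only: private names such as k are never available."""
    level = list(variables) + list(constants)
    for _ in range(depth):
        new = [(f, a) for f in UNARY for a in level]
        new += [(f, a, b) for f in BINARY for a, b in product(level, repeat=2)]
        level = level + new
    return level

def distinguish(frame1, frame2, constants=("yes", "no"), depth=2,
                observe_length=False):
    """Return a test separating the two frames, or None if none is found.
    (U, V) means U = V holds in exactly one frame; ("len", U) means the
    message computed by U has a different length in each frame."""
    first1, first2 = {}, {}   # normal form -> first recipe that produced it
    for u in recipes(sorted(frame1), constants, depth):
        n1, n2 = instantiate(u, frame1), instantiate(u, frame2)
        if observe_length and length(n1) != length(n2):
            return ("len", u)
        v = first1.setdefault(n1, u)
        w = first2.setdefault(n2, u)
        if instantiate(v, frame2) != n2:
            return (u, v)     # U = V holds on the left only
        if instantiate(w, frame1) != n1:
            return (u, w)     # U = V holds on the right only
    return None

# Constructed frames mirroring the examples on the slides.
HIDDEN = ({"x1": ("enc", "yes", "k")}, {"x1": ("enc", "no", "k")})
LEAKED = ({"x1": ("enc", "yes", "k"), "x2": "k"},
          {"x1": ("enc", "no", "k"), "x2": "k"})
PADDED = ({"x": ("enc", "yes", "k")},
          {"x": ("enc", ("pair", "yes", "yes"), "k")})
```

Calling `distinguish(*LEAKED)` returns the test dec(x1, x2) = yes, and `distinguish(*PADDED, observe_length=True)` shows that an observer of lengths separates two frames that equality tests alone cannot.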


Time and length

joint work with V. Cheval

Decidability of trace equivalence
A decision procedure for trace equivalence:
  • all the standard primitives (encryption, signature, hash, MACs, etc.)
  • bounded number of sessions
  • active adversary that can measure length and time
  • integrated in the APTE tool: http://projects.lsv.ens-cachan.fr/APTE/

42/51


Case study : biometric passport

Passive Authentication protocol of the biometric passport
New attack for tracing users: even if data are encrypted
  • Tested (on a small number of passports: ∼ 20)
  • Relies on a usual weakness: messages of variable lengths (e.g. jpeg picture)
  • May be fixed using padding

43/51


Back to Belenios

Privacy
  ∀A, A | Voter1(0) | Voter2(1) ≈ A | Voter1(1) | Voter2(0)
Verifiability
  • Individual verifiability
  • Universal verifiability
  • Eligibility verifiability
Still out of reach of existing tools → proof by hand!

44/51


Limitations of Belenios

  • No real booth → Internet voting IS remote voting
  • Requires trusting the computer. A compromised computer could
      - leak the choice of the voter
      - change the vote for another candidate
    → example of the attack of Laurent Grégoire during the "législatives 2012, for the French from abroad" (code injection).
  • Belenios is not "receipt free" → A voter can prove how they voted.

45/51


Privacy - stronger definitions

Voter(A, 0) | Voter(B, 1) ≈ Voter(A, 0) | Voter(B, 1)

Limitations
  • Does not capture all attacks. We may have
      Voter(A, 1) | Voter(B, 1) ≈ Voter(A, 0) | Voter(B, 2)
  • Not suitable for more complex schemes with e.g. weighted votes

46/51

slide-87
SLIDE 87

Context Properties Belenios Model Static equivalence Trace equivalence Privacy Discussion

Privacy - game based definition - Part 1

[Bernhard, C., Pereira, Warinschi 2011]

ε ε A

b=0? b=1?

B C A ε ε π πideal

47/51

slide-88
SLIDE 88

Context Properties Belenios Model Static equivalence Trace equivalence Privacy Discussion

Privacy - game based definition - Part 1

[Bernhard, C., Pereira, Warinschi 2011]

[Figure: game diagram; surviving labels: A, B, C, ε, π, πideal, "b=0?", "b=1?"]

Limitations: actually incompatible with verifiability!
  • Either the adversary can check that the result corresponds to the board, in which case he wins the privacy game
  • Or the scheme is not verifiable: two different results may be promulgated.

47/51


Actually, most definitions have limitations or flaws !

48/51


Privacy - game based definition - Part 2

Proposition of a new definition of privacy, BPRIV:
  • compatible with verifiability
  • takes care of auxiliary zero-knowledge proofs
  • takes care of weeding/cleaning functions

Theorem: BPRIV ⇒ entropy-based privacy
  • BPRIV can be used as a tool for proving entropy-based privacy
  • sanity check for our definition!

49/51


Ready to use electronic voting ?

Several good systems exist
  • Helios/Belenios: confidentiality and verifiability, no coercion-resistance
  • Civitas: both verifiable and coercion-resistant
  • Hybrid papers: Scantegrity, 3-ballots, Prêt-à-voter, ...
Still many limitations
  • Authentication: whoever has access to voters' credentials (password, etc.) may vote
  • Difficulty to avoid vote buying in practice
  • the voter's computer may be unsafe:
      - may leak the vote to anyone
      - may change the vote!

50/51


Challenges

Better e-voting systems
  • secure both in terms of confidentiality and verifiability
  • usability
  • better authentication
  • fewer trust assumptions (corrupted computers, ...)
Verification
  • decision procedures for larger equational theory classes
  • better tools, possibly semi-interactive
  • formalise security properties, possibly identifying new ones
→ PhD and postdoc positions available!

51/51