verifying electronic voting protocols in the applied pi
play

Verifying Electronic Voting Protocols in the Applied Pi Calculus - PowerPoint PPT Presentation

Jul 01, 2023 •424 likes •763 views

Verifying Electronic Voting Protocols in the Applied Pi Calculus Mark Ryan University of Birmingham joint work with St ephanie Delaune and Steve Kremer LSV Cachan, France SoCS Seminar November 2007 Outline Electronic voting Electronic

  2. Verifying Electronic Voting Protocols in the Applied Pi Calculus Mark Ryan University of Birmingham joint work with St´ ephanie Delaune and Steve Kremer LSV Cachan, France SoCS Seminar November 2007

  3. Outline

  4. Electronic voting Electronic voting has the potential to provide more efficient elections with higher voter participation, greater accuracy and lower costs compared to manual methods. better security than manual methods, such as vote-privacy even in presence of corrupt election authorities voter verification, i.e. the ability of voters and observers to check the declared outcome against the votes cast. Governments world over have been trialling e-voting, e.g. USA, UK, Canada, Brasil, the Netherlands and Estonia.

  5. Current situation The potential benefits have turned out to be hard to realise. In UK May 2007 elections included 5 local authorities that piloted a range of electronic voting machines. Electoral Commission report concluded that the implementation and security risk was significant and unacceptable and recommends that no further e-voting take place until a sufficiently secure and transparent system is available. In USA: Diebold controversy since 2003 when code leaked on internet. Kohno/Stubblefield/Rubin/Wallach analysis concluded Diebold system far below even most minimal security standards. Voters without insider privileges can cast unlimited votes without being detected.

  6. Current situation in USA, continued In 2007, Secr. of State for California commissioned “top-to-bottom” review by computer science academics of the four machines certified for use in the state. Result is a catalogue of vulnerabilities, including appalling software engineering practices, such as hardcoding crypto keys in source code; bypassing OS protection mechanisms, . . . susceptibility of voting machines to viruses that propogate from machine to machine, and that could maliciously cause votes to be recorded incorrectly or miscounted “weakness-in-depth”, architecturally unsound systems in which even as known flaws are fixed, new ones are discovered. In response to these reports, she decertified all four types of voting machine for regular use in California, on 3 August 2007.

  7. Voting system: desired properties Eligibility: only legitimate voters can vote, and only once (This also implies that the voting authorities cannot insert votes) Fairness no early results can be obtained which could influence the remaining voters Privacy: the fact that a particular voted in a particular way is not revealed to anyone Receipt-freeness: a voter cannot later prove to a coercer that she voted in a certain way Coercion-resistance: a voter cannot interactively cooperate with a coercer to prove that she voted in a certain way Individual verifiability: a voter can verify that her vote was really counted Universal verifiability: a voter can verify that the published outcome really is the sum of all the votes . . . and all this even in the presence of corrupt election authorities!

  8. Are these properties even simultaneously satisfiable? Contradiction? Eligibility: only legitimate voters can vote, and only once Effectiveness: the number of votes for each candidate is Contradiction? published after the election Receipt-freeness: a voter Privacy: the fact that a cannot later prove to a coercer particular voted in a particular that she voted in a certain way way is not revealed to anyone Individual verifiability: a (not even the election voter can verify that her vote authorities) was really counted Individual verifiability (stronger): . . . , and if her vote wasn’t counted, she can prove that .

  9. How could it be secure?

  10. Security by trusted client software → → → → → → → → → → trusted by user not trusted by user does not need to be doesn’t need to be trusted by authorities trusted by anyone or other voters

  11. FOO 92 protocol [FujiokaOkamotoOhta92] Alice aDministrator Collector { } blind ( commit ( v , c ), b ) − 1 A I { } ( ( , ), ) blind commit v c b − 1 D { } (...) = ( , ) unblind commit v c − 1 D II { } ( , ) commit v c − 1 D . ( , ( , )) publ l commit v c ( c , ) l III open (...) = v publ . v

  12. LBDKYY’03 protocol [LeeBoydDawsonKimYangYoo] Alice Administrator Collector ( ) { } Coll , c Sign v Alice 1 reencrypt ( ) { } c Coll , Sign v Admin 2 ( ) 1 , { } { } c c DVP v = v 2 Coll Coll ( ) { } Coll , c Sign v Admin 2

  13. Attacker model Ideally, we want to model a very powerful attacker: It has “Dolev-Yao” capabilities, i.e. it completely controls the communication channels, so it is able to record, alter, delete, insert, redirect, reorder, and reuse past or current messages, and inject new messages (The network is the attacker) manipulate data in arbitrary ways, including applying crypto operations provided has the necessary keys It includes the election authorities. It includes the other voters.

  14. Where are we?

  15. The applied π -calculus Applied pi-calculus: [Abadi & Fournet, 01] basic programming language with constructs for concurrency and communication based on the π -calculus [Milner et al. , 92] in some ways similar to the spi-calculus [Abadi & Gordon, 98], but more general w.r.t. cryptography Advantages: naturally models a Dolev-Yao attacker allows us to model less classical cryptographic primitives both reachability and equivalence-based specification of properties automated proofs using ProVerif tool [Blanchet] powerful proof techniques for hand proofs successfully used to analyze a variety of security protocols

  16. How to verify protocols in the applied-pi framework 1. Create equations to model the cryptography. Examples Encryption and signatures 1 decrypt( encrypt(m,pk(k)), k ) = m checksign( sign(m,k), m, pk(k) ) = ok

  17. How to verify protocols in the applied-pi framework 1. Create equations to model the cryptography. Examples Encryption and signatures 1 decrypt( encrypt(m,pk(k)), k ) = m checksign( sign(m,k), m, pk(k) ) = ok Blind signatures 2 unblind( sign( blind(m,r), sk ), r ) = sign(m,sk)

  18. How to verify protocols in the applied-pi framework 1. Create equations to model the cryptography. Examples Encryption and signatures 1 decrypt( encrypt(m,pk(k)), k ) = m checksign( sign(m,k), m, pk(k) ) = ok Blind signatures 2 unblind( sign( blind(m,r), sk ), r ) = sign(m,sk) Designated verifier proof of re-encryption 3 The term dvp(x,rencrypt(x,r),r,pkv) represents a proof designated for the owner of pkv that x and rencrypt(x,r) have the same plaintext. checkdvp(dvp(x,rencrypt(x,r),r,pkv),x,rencrypt(x,r),pkv) = ok checkdvp( dvp(x,y,z,skv), x, y, pk(skv) ) = ok.

  19. How to verify protocols in the applied-pi framework 1. Create equations to model the cryptography. 2. For each property to be verified, decide who is protected, i.e. for whom the property will be verified; must be honest in order to guarantee the property; may be dishonest, i.e. may be controlled by the DY attacker. Examples: Protocol property protected must be honest may be dishonest FOO eligibility voters other voters admin, collector fairness voters other voters admin, collector privacy voters same voters admin, collector Lee et al. privacy voters same voters, admin collector receipt voters same voters, admin, other voters -freeness collector

  20. How to verify protocols in the applied-pi framework 1. Create equations to model the cryptography. 2. For each property to be verified, decide who is protected / must be honest / may be dishonest 3. Code the honest parties as processes. Example ([FOO’92]): Alice aDministrator Collector { } processV = blind ( commit ( v , c ), b ) − 1 A new b; new c; { } ( ( , ), ) blind commit v c b D − 1 let bcv = blind(commit(v,c),b) in out(ch, (sign(bcv, skv))); { } unblind (...) = commit ( v , c ) − 1 D in(ch,m2); { } commit ( v , c ) if getMess(m2,pka)=bcv then − 1 D let scv = unblind(m2,b) in phase 1; publ . ( l , commit ( v , c )) ( c l , ) out(ch, scv); in(ch,(l, =scv)); phase 2; open (...) = v out(ch,(l,c)). publ . v

  21. How to verify protocols in the applied-pi framework 1. Create equations to model the cryptography. 2. For each property to be verified, decide who is protected / must be honest / may be dishonest 3. Code the honest parties as processes. 4. Code the intended property, as a reachability property, or an observational equivalence property. Examples: Property type intuition Eligibility reachab. ineligible vote not published Fairness reachab. without last phase, no votes published Privacy obs. eq. undetectable whether A,B swap votes Receipt-freeness obs. eq. even if A cooperates with attacker, unde- tectable whether A,B swap votes

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Analysis of electronic voting protocols in applied pi calculus Mark Ryan University of

Analysis of electronic voting protocols in applied pi calculus Mark Ryan University of

Analysis of electronic voting protocols in applied pi calculus Mark Ryan University of Birmingham based on joint work with Ben Smyth Steve Kremer Mounira Kourjieh IFIP WG 1.3, Udine, Italy September 2009 Outline Electronic voting Applied

695 views • 30 slides
Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale

Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale

Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale electronic voting protocol: Primarily Internet-based Users voting from their own devices (such as home PC/laptop) Aimed toward actual

721 views • 21 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
Electronic Voting Electronic voting at a precinct Analysis of an Internet Voting Focus

Electronic Voting Electronic voting at a precinct Analysis of an Internet Voting Focus

Electronic Voting Electronic voting at a precinct Analysis of an Internet Voting Focus is on preventing fraud on the part of Protocol people building and running system. Electronic voting over the internet Dale Neal Must

508 views • 5 slides
A Comprehensive Analysis Of Quantum E-voting Protocols M. Arapinis, N. Lamprou, E. Kashefi, A.

A Comprehensive Analysis Of Quantum E-voting Protocols M. Arapinis, N. Lamprou, E. Kashefi, A.

A Comprehensive Analysis Of Quantum E-voting Protocols M. Arapinis, N. Lamprou, E. Kashefi, A. Pappa 29 August 2018 Electronic Voting compared to manual procedures, could provide: higher voter participation better accuracy enhanced

478 views • 29 slides
Source Paper An Anonymous Electronic Voting Protocol An Electronic Voting Protocol for

Source Paper An Anonymous Electronic Voting Protocol An Electronic Voting Protocol for

Source Paper An Anonymous Electronic Voting Protocol An Electronic Voting Protocol for Voting Over the Internet, Indrajit Ray, (revisited) Indrakshi Ray, Natarajan Narasimhamurthi Paul Valiant extending work by Dale Neal &

441 views • 5 slides
Some issues in verifying e-voting systems Mark D. Ryan Present-day e-voting offers few

Some issues in verifying e-voting systems Mark D. Ryan Present-day e-voting offers few

Some issues in verifying e-voting systems Mark D. Ryan Present-day e-voting offers few security properties [KohnoStubblefieldRubinWallach2004] compared to what is desirable: Eligibility: only eligible voters can vote, and only once.

406 views • 7 slides
Electronic Voting Ronald L. Rivest MIT CSAIL NSA June 3, 2004 Outline Introduction /

Electronic Voting Ronald L. Rivest MIT CSAIL NSA June 3, 2004 Outline Introduction /

Electronic Voting Ronald L. Rivest MIT CSAIL NSA June 3, 2004 Outline Introduction / Voting Voting using mix-nets Randomized Partial Checking (Jakobsson/Juels/Rivest USENIX 02) Pedagogic variant of Chaums proposal Voting

758 views • 36 slides
The Coinductive Approach to Verifying Cryptographic Protocols Jesse Hughes joint work with

The Coinductive Approach to Verifying Cryptographic Protocols Jesse Hughes joint work with

The Coinductive Approach to Verifying Cryptographic Protocols Jesse Hughes joint work with Martijn Warnier jesseh@cs.kun.nl University of Nijmegen The Coinductive Approach to Verifying Cryptographic Protocols p.1/27 Outline I.

1.95k views • 184 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo,

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo,

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo, Amira Barki, Solenn Brunet and Jacques Traor 1st Workshop on Advances in Secure Electronic Voting Schemes VOTING16 February 26th, 2016

532 views • 23 slides
Detecting Voter Fraud Context in an Electronic Voting Context Introduction: Relevance of An

Detecting Voter Fraud Context in an Electronic Voting Context Introduction: Relevance of An

Detecting Voter Fraud in an Electronic Voting Detecting Voter Fraud Context in an Electronic Voting Context Introduction: Relevance of An Analysis of the Unlimited Reelection Vote in Venezuela Election Forensics Previous Research Ines

686 views • 45 slides
Towards an Ecosystem for Verifying Implementations of BFT protocols Ivana Vukotic, Vincent Rahli,

Towards an Ecosystem for Verifying Implementations of BFT protocols Ivana Vukotic, Vincent Rahli,

Towards an Ecosystem for Verifying Implementations of BFT protocols Ivana Vukotic, Vincent Rahli, Marcus Vlp and Paulo Esteves-Verssimo PhD start: April 2017 Areas: BFT & Formal verification Univ. of Luxembourg SnT Luxembourg

314 views • 10 slides
Fair Exchange Protocols Steve Kremer and Mark Ryan Fair Exchnage Protocols p.1 Examples of

Fair Exchange Protocols Steve Kremer and Mark Ryan Fair Exchnage Protocols p.1 Examples of

Fair Exchange Protocols Steve Kremer and Mark Ryan Fair Exchnage Protocols p.1 Examples of fair exchange protocols Electronic purchase of goods exchange of an electronic item against an electronic payment Digital contract signing exchange

353 views • 20 slides
Extending ProVerifs Resolution Algorithm for Verifying Group Protocols Miriam Paiola

Extending ProVerifs Resolution Algorithm for Verifying Group Protocols Miriam Paiola

Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Extending ProVerifs Resolution Algorithm for Verifying Group Protocols Miriam Paiola miriam.paiola@ens.fr Ecole Normale Sup

692 views • 56 slides
TPM Meets DRE: Reducing the Trust Base for Electronic Voting Using Trusted Platform Modules

TPM Meets DRE: Reducing the Trust Base for Electronic Voting Using Trusted Platform Modules

TPM Meets DRE: Reducing the Trust Base for Electronic Voting Using Trusted Platform Modules Russell A. Fink, Alan T. Sherman, and Richard Carback Direct Recording Electronic (DRE) Higher usability compared to paper ballot Multi-language

299 views • 15 slides
ELECTOR: Evaluator for long reads correction methods Camille Marchet 1 , , Pierre Morisse 2 , ,

ELECTOR: Evaluator for long reads correction methods Camille Marchet 1 , , Pierre Morisse 2 , ,

ELECTOR: Evaluator for long reads correction methods Camille Marchet 1 , , Pierre Morisse 2 , , Lolita Lecompte 3 , Antoine Limasset 1 , Arnaud Lefebvre 2 , Thierry Lecroq 2 , Pierre Peterlongo 3 1 Univ. Lille, CNRS, Inria, UMR 9189 - CRIStAL. 2

384 views • 24 slides
Training and development Workshop Region 8 Young Professionals Team Activity 1 In your groups,

Training and development Workshop Region 8 Young Professionals Team Activity 1 In your groups,

Training and development Workshop Region 8 Young Professionals Team Activity 1 In your groups, introduce your AG to the others, based on the worksheet you filled in previously. MGA Operations Manual Section 9.9 -5 pages long AGs officers

454 views • 16 slides
ACS Board Meeting 04/09/2018 Agenda Time Topic Presenter 7:00 Call to Order, Approve Minutes

ACS Board Meeting 04/09/2018 Agenda Time Topic Presenter 7:00 Call to Order, Approve Minutes

American Chemical Society April Midland Section ACS Board Meeting 04/09/2018 Agenda Time Topic Presenter 7:00 Call to Order, Approve Minutes Wenyi 7:05 CERM2019 Updates Dimi 7:15 Centennial Exhibit Updates Gina 7:25

925 views • 58 slides
Last Weeks Election: What Happened? The Results What Changed? Who Shifted? Is 2016 a

Last Weeks Election: What Happened? The Results What Changed? Who Shifted? Is 2016 a

Last Weeks Election: What Happened? The Results What Changed? Who Shifted? Is 2016 a Realignment? Probably not! 1992: total Dem control 2002: total GOP control 2008: total Dem control 2016: total GOP control

150 views • 10 slides
on Voting in Congressional and Presidential Elections Jon A. Krosnick, Bo MacInnis, Ana Villar

on Voting in Congressional and Presidential Elections Jon A. Krosnick, Bo MacInnis, Ana Villar

American Public Opinion on Climate Change and Its Impact on Voting in Congressional and Presidential Elections Jon A. Krosnick, Bo MacInnis, Ana Villar Stanford University Funded by Woods Institute for the Environment at Stanford University ABC

1.07k views • 96 slides
What is LACNIC? Internet Numbers? Internet Week Guyana 9/13 October 2017 Pegasus Hotel,

What is LACNIC? Internet Numbers? Internet Week Guyana 9/13 October 2017 Pegasus Hotel,

What is LACNIC? Internet Numbers? Internet Week Guyana 9/13 October 2017 Pegasus Hotel, Georgetown, Guyana kevon@lacnic.net Internet Numbers (briefly) Internet numbers Internet Protocol Numbers: IPv4 & IPv6 Autonomous System

1.15k views • 28 slides
Regenerative Medicine Annu Navani, MD Medical Director, Comprehensive Spine and Sports Ctr

Regenerative Medicine Annu Navani, MD Medical Director, Comprehensive Spine and Sports Ctr

Regenerative Medicine Annu Navani, MD Medical Director, Comprehensive Spine and Sports Ctr Advisor, Le Reve Regenerative Wellness www.cssctr.com S Disclosures S None relevant to this talk Regenerative Medicine in News http://www.foxsportsnor

398 views • 37 slides
Applications and issues of large scale transcriptome profiling experiments Outline

Applications and issues of large scale transcriptome profiling experiments Outline

Applications and issues of large scale transcriptome profiling experiments Outline Co-expression and expression conservation Reshaping of the maize transcriptome by domestication (Swanson-Wagner et al PNAS 2012) Variation among

529 views • 25 slides

More recommend