Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Automatic Verification of Remote Electronic
Voting Protocols
The 21st IEEE Computer Security Foundations Symposium, Pittsburgh, June 2008
Michael Backes, Cătălin Hrițcu, Matteo MaffeiSaarland University, Saarbrücken, Germany
0%
2%
4%
6%
8%
10%
12%
14%
16%
18%
20%
1957 ... 1990 1994 1998 2002 2005
18.7%18.0%
16.0%
13.4%
9.4%
4.9%
Did you know that ...• ... in Germany, in the latest parliamentary elections 18.7% of the votes were cast by post?
0%
2%
4%
6%
8%
10%
12%
14%
16%
18%
20%
1957 ... 1990 1994 1998 2002 2005
18.7%18.0%
16.0%
13.4%
9.4%
4.9%
Did you know that ...• ... in Germany, in the latest parliamentary elections 18.7% of the votes were cast by post?
• this is a form of remote voting
Remote voting (by post)
• More convenient than supervised voting
• This should increase voter participation
Remote voting (by post)
• More convenient than supervised voting
• This should increase voter participation
• Voting by post raises many security concerns
‣ An autograph signature does not authenticate the voter
‣ An envelope does not guarantee secrecy or integrity
‣ The post is not always a secure channel
‣ Extremely easy to sell your vote
‣ You can coerce voters to vote as you like
Remote voting (by post)
• More convenient than supervised voting
• This should increase voter participation
• Voting by post raises many security concerns
‣ An autograph signature does not authenticate the voter
‣ An envelope does not guarantee secrecy or integrity
‣ The post is not always a secure channel
‣ Extremely easy to sell your vote
‣ You can coerce voters to vote as you like
• Still, this has been used in Germany for 50+ years
Remote electronic voting
• Seems even cheaper and even more convenient
• Promises better security (than voting by post at least)
• the security properties can be cryptographically enforced
• Different security risks
• Easier to launch large-scale attacks and erase evidence
• Clients are the weakest link: e.g. remotely exploitable software flaws, viruses, Internet worms, trojans, lack of physical security, social engineering attacks, etc.
• Network also vulnerable: e.g. voter demographic-based DDOS, cache poisoning DNS attacks, etc.
!"#$%&!'()*!$+!&,*!-'&$%(.%!/0!1.#)2!
!
!3.14!'()*!$+!&,*!-'&$%(.%!/0!1.#)2!
!
5,*!+#$%&!'()*!$+!&,*!1.#)!1$%&.(%'!&,*!1.#)!,$6)*#7'!'(8%.&9#*!.%)!:,$&$;!.%)!.6'$!&,*!
+$66$<(%8!).&.=!
!" %.>*!$+!1.#)!,$6)*#!
!" :*#'$%.6!1$)*!?%.&($%.6!/0!1$)*@!$+!1.#)!,$6)*#!
!" 1.#)!,$6)*#!A(#&,!&(>*!
!" 1.#)!,$6)*#!'*B!
!" 1.#)!,$6)*#!1(&(C*%',(:!
!" 1.#)!%9>A*#!
!" 1.#)!D.6()(&E!*%)!
!
5,*!A.14!'()*!1$%&.(%'!&,*!+$66$<(%8!).&.=!
!" 1.#)!,$6)*#!A(#&,!:6.1*!
!" 1.#)!(''9(%8!).&*!
!" #*'()*%1*!:*#>(&!)*&.(6'!.%)!$&,*#!(%+$#>.&($%!?(+!.::6(1.A6*@!
!" 1.#)!.%)!,$6)*#!).&.!(%!>.1,(%*F#*.).A6*!?/GHI@!+$#>.&!
!"#$%&'()$*+,%,*'(*$,&+*
-.1,!/0!1.#)!1$%&.(%'!D.#($9'!:(*1*'!$+!).&.2!H66!&,*!.A$D*!).&.!*B1*:&!:,$&$!.%)!
,.%)<#(&&*%!'(8%.&9#*!.#*!.6'$!:#*'*%&!$%!&,*!1.#)!(%!*6*1&#$%(1!+$#>;!(%!.!':*1(.6!
:9A6(16E!#*.).A6*!).&.!+(6*2!/%!.))(&($%;!&,*!1.#)!1$%&.(%'!&<$!1*#&(+(1.&*'!.%)!&,*(#!
.''$1(.&*)!:#(D.&*!4*E'!:#$&*1&*)!<(&,!J/K!1$)*'2!5,*!1*#&(+(1.&*'!1$%&.(%!$%6E!&,*!
,$6)*#7'!%.>*!.%)!:*#'$%.6!1$)*!?%.&($%.6!/0!1$)*@2!/%!.))(&($%;!&,*!.9&,*%&(1.&($%!
5,*!-'&$%(.%!/0!G.#)!.%)!0(8(&.6!L(8%.&9#*!G$%1*:&!
M9%*!N;!OPPQ!R
Remote electronic voting
• Seems even cheaper and even more convenient
• Promises better security (than voting by post at least)
• the security properties can be cryptographically enforced
• Different security risks
• Easier to launch large-scale attacks and erase evidence
• Clients are the weakest link: e.g. remotely exploitable software flaws, viruses, Internet worms, trojans, lack of physical security, social engineering attacks, etc.
• Network also vulnerable: e.g. voter demographic-based DDOS, cache poisoning DNS attacks, etc.
desired properties
eligibilitynon-reusabilityinalterability
fairness
completeness correctness
vote-privacyno forced-abstention attacks
receipt-freeness
coercion-resistance
universal verifiabilityindividual verifiability
robustnessfault tolerance
availabilityscalability
accuracy democracy
desired properties
eligibilitynon-reusabilityinalterability
fairness
completeness correctness
vote-privacyno forced-abstention attacks
receipt-freeness
coercion-resistance
universal verifiabilityindividual verifiability
robustnessfault tolerance
availability
• Careful formalization and automatic verification of these properties important before widespread adoption
scalability
accuracy democracy
eligibilitynon-reusabilityinalterability
vote-privacyno forced-abstention attacks
receipt-freeness
coercion-resistance
• Careful formalization and automatic verification of these properties important before widespread adoption
eligibilitynon-reusabilityinalterability
vote-privacyno forced-abstention attacks
receipt-freeness
coercion-resistance
• Careful formalization and automatic verification of these properties important before widespread adoption
soundness
eligibilitynon-reusabilityinalterability
vote-privacyno forced-abstention attacks
receipt-freeness
coercion-resistance
• Careful formalization and automatic verification of these properties important before widespread adoption
soundness
privacy
What we did
• General technique for
• modeling remote electronic voting protocols(in the applied pi-calculus)
• and automatically verifying their security
• New formal definitions of
• soundness - trace property
• coercion-resistance - observational equivalence
• both definitions amenable to automation (e.g. ProVerif)
• Proved that our coercion-resistance implies vote-privacy, immunity to forced-abstention attacks & receipt-freeness
• Automatically verified the security of the JCJ protocol
Tallier
Hi, I’m Alice
Soundness (eligibility, non-reusability, inalterability)
Tallier
Hi, I’m Aliceeligible(Alice)
Soundness (eligibility, non-reusability, inalterability)
Tallier
Hi, I’m Aliceeligible(Alice)
Soundness (eligibility, non-reusability, inalterability)
Tallier
Hi, I’m Aliceeligible(Alice)
vote(Alice, pink)
pinkblue
Soundness (eligibility, non-reusability, inalterability)
Tallier
Hi, I’m Aliceeligible(Alice)
vote(Alice, pink)
pinkblue
Soundness (eligibility, non-reusability, inalterability)
Tallier
Hi, I’m Aliceeligible(Alice)
vote(Alice, pink)
pinkblue
Soundness (eligibility, non-reusability, inalterability)
Tallier
Hi, I’m Aliceeligible(Alice)
vote(Alice, pink)pinkblue
Soundness (eligibility, non-reusability, inalterability)
Tallier
Hi, I’m Aliceeligible(Alice)
vote(Alice, pink)pinkblue
Soundness (eligibility, non-reusability, inalterability)
Tallier
Hi, I’m Aliceeligible(Alice)
vote(Alice, pink)pinkblue
tally(pink)
Soundness (eligibility, non-reusability, inalterability)
Tallier
Hi, I’m Alice
pinkblue
tally(pink)Trace: t1 eligible(Alice) t2 vote(Alice, pink) t3 tally(pink)
Soundness (eligibility, non-reusability, inalterability)
Tallier
Hi, I’m Alice
pinkblue
tally(pink)!!!
Trace: t1 eligible(Alice) t2 vote(Alice, pink) t3 tally(pink)
Soundness (eligibility, non-reusability, inalterability)
Tallier
Hi, I’m Alice
pinkblue
tally(pink)!!!
Trace: t1 eligible(Alice) t2 vote(Alice, pink) t3 tally(pink)
and the trace t1 t2 t3 is also sound (injective matching)
Soundness (eligibility, non-reusability, inalterability)
Vote-privacy
Voters
AliceBobCharlie
Vote-privacy
Voters
AliceBobCharlie
Results
pink party |blue party ||
Vote-privacy
“Detailed” results
Alice ............ pink partyBob .............. blue partyCharlie ........ blue party
Voters
AliceBobCharlie
Results
pink party |blue party ||
Vote-privacy
“Detailed” results
Alice ............ pink partyBob .............. blue partyCharlie ........ blue party
Voters
AliceBobCharlie
Results
pink party |blue party ||
]
Definition of vote-privacy
S[ pinkblue
]S[ pinkblue
[Delaune, Kremer & Ryan; CSF ’06]
indistinguishable from
]
Definition of vote-privacy
S[ pinkblue
]S[ pinkblue
[
[
]
]
∀[Delaune, Kremer & Ryan; CSF ’06]
]
Definition of vote-privacy
S[~~
pinkblue
]S[ pinkblue
[Delaune, Kremer & Ryan; CSF ’06]
]
Definition of vote-privacy
S[~~
pinkblue
]S[ pinkblue
pink party |||blue party ||||
pink party ||||blue party |||
[Delaune, Kremer & Ryan; CSF ’06]
]
Definition of vote-privacy
S[ |~~
pinkblue
]S[ |pinkblue
pinkblue
pinkblue
[Delaune, Kremer & Ryan; CSF ’06]
]
Immunity to forced-abstention
S[~~
S[ pinkblue
pinkblue|
| ]
S[
S[
]
Receipt-freeness
~~pinkblue
pinkblue
pinkblue|
| ]pinkblue
blue
blue
• Cryptographic setting [Benaloh & Tuinstra; STOC ’94]
S[
S[
]
Receipt-freeness
~~pinkblue
pinkblue
pinkblue|
| ]pinkblue
blue
blue
• We adapted definition by [Delaune, Kremer & Ryan; CSF ’06] to remote voting
• Cryptographic setting [Benaloh & Tuinstra; STOC ’94]
S[
Coercion-resistance
S[~~|
|pinkblue
pinkblue
pinkblue ]
]
• Cryptographic setting [Juels, Catalano & Jakobsson; WPES 2005]
receipt-freeness (up to abstraction) ⇒
S[
Coercion-resistance
S[~~|
|
|
|
pinkblue
pinkblue
pinkblue
pinkblue
pinkblue
]
]
• Cryptographic setting [Juels, Catalano & Jakobsson; WPES 2005]
receipt-freeness (up to abstraction) ⇒
S[
Coercion-resistance
S[~~|
|
|
|
pinkblue
pinkblue
pinkblue
pinkblue
pinkblue
]
]
• Cryptographic setting [Juels, Catalano & Jakobsson; WPES 2005]
receipt-freeness (up to abstraction) ⇒• Proved: coercion-resistance ⇒ no forced-abstention ⇒ vote-privacy
Definitions of coercion-resistanceJCJ-WPES’05 DKR-CSF’06 DKR-TR’08 current
setting
automation
vote-privacy
no simulation attacks
no forced- abstention
no randomization attacks (?)
receipt-freeness
remote voting supervised voting
supervised voting remote voting
no (crypto) no (adaptive simulation) no (∀C. P≈Q) yes (≈)
yes yes yes yes
yes n/a n/a yes
yes no no yes
yes no no no
yes yes yes yes (up to abstraction)
Analysis of JCJ
• first coercion-resistant protocol for remote voting[Juels, Catalano & Jakobsson; WPES ’05]
• forms the basis of many recent protocols(e.g. Civitas [Clarkson, Chong & Myers; S&P ’08])
• Analysis performed with ProVerif
• automatic protocol analyzer using Horn-clause resolution
• we use our symbolic abstraction of zero-knowledge[Backes, Maffei & Unruh; S&P ’08]
• analyzing observational equivalence required (re)writing the specification in the shape of a biprocess
• verification of JCJ succeeds, which yields security guarantees for unbounded number of voters, sessions, etc.
Future work
• Curently: analyzing a model of Civitas
Future work
• Curently: analyzing a model of Civitas
• Curently: defining and analyzing other properties
• Individual verifiability (trace property)
• Immunity to randomization attacks (privacy property)
Future work
• Curently: analyzing a model of Civitas
• Curently: defining and analyzing other properties
• Individual verifiability (trace property)
• Immunity to randomization attacks (privacy property)
• Different techniques for trace properties
• type systems - e.g. our type system for ZK [WITS ’08]
Future work
• Curently: analyzing a model of Civitas
• Curently: defining and analyzing other properties
• Individual verifiability (trace property)
• Immunity to randomization attacks (privacy property)
• Different techniques for trace properties
• type systems - e.g. our type system for ZK [WITS ’08]
• Different techniques for observational equivalence
• for instance using symbolic bisimulation [DKR, SecCo ’07]
Future work
• Curently: analyzing a model of Civitas
• Curently: defining and analyzing other properties
• Individual verifiability (trace property)
• Immunity to randomization attacks (privacy property)
• Different techniques for trace properties
• type systems - e.g. our type system for ZK [WITS ’08]
• Different techniques for observational equivalence
• for instance using symbolic bisimulation [DKR, SecCo ’07]
• More accurate protocol models
• The ultimate goal is to analyze implementations
Backup slides
Hi, I’m Alice
Simplified JCJ protocol
Hi, I’m Alice
cred {cred, r1}pk(kT )
Simplified JCJ protocol
(private channel)
Hi, I’m Alice
cred {cred, r1}pk(kT )
Simplified JCJ protocol
{cred, r2}pk(kT ), {pink}pk(kT ),ZK
(private channel)
Hi, I’m Alice
cred {cred, r1}pk(kT )
Simplified JCJ protocol
{cred, r2}pk(kT ), {pink}pk(kT ),ZK
(private channel)
Hi, I’m Alice
cred {cred, r1}pk(kT )
Simplified JCJ protocol
{cred, r2}pk(kT ), {pink}pk(kT ),ZK
(private channel)
Hi, I’m Alice
cred {cred, r1}pk(kT )
Tallier
Simplified JCJ protocol
{cred, r2}pk(kT ), {pink}pk(kT ),ZK
(private channel)
Hi, I’m Alice
cred {cred, r1}pk(kT )
pink
Tallier
Simplified JCJ protocol
{cred, r2}pk(kT ), {pink}pk(kT ),ZK
(private channel)
~~|
|
|
|
pinkblue
pinkblue
pinkblue
pinkblue
pinkblue
1 2 3
1 2 3pinkblue
pinkblue
pinkblue
pinkblue
BobAliceBruce
Alice Bob Bruce| |
||