Automatic Verification of Remote Electronic Voting Protocols · Remote electronic voting • Seems even cheaper and even more convenient • Promises better security (than voting

Automatic Verification of Remote Electronic

Voting Protocols

The 21st IEEE Computer Security Foundations Symposium, Pittsburgh, June 2008

Michael Backes, Cătălin Hrițcu, Matteo MaffeiSaarland University, Saarbrücken, Germany

0%

2%

4%

6%

8%

10%

12%

14%

16%

18%

20%

1957 ... 1990 1994 1998 2002 2005

18.7%18.0%

16.0%

13.4%

9.4%

4.9%

Did you know that ...• ... in Germany, in the latest parliamentary elections 18.7% of the votes were cast by post?

0%

2%

4%

6%

8%

10%

12%

14%

16%

18%

20%

1957 ... 1990 1994 1998 2002 2005

18.7%18.0%

16.0%

13.4%

9.4%

4.9%

Did you know that ...• ... in Germany, in the latest parliamentary elections 18.7% of the votes were cast by post?

• this is a form of remote voting

Remote voting (by post)

• More convenient than supervised voting

• This should increase voter participation




• Voting by post raises many security concerns

‣ An autograph signature does not authenticate the voter

‣ An envelope does not guarantee secrecy or integrity

‣ The post is not always a secure channel

‣ Extremely easy to sell your vote

‣ You can coerce voters to vote as you like




• Voting by post raises many security concerns

‣ An autograph signature does not authenticate the voter

‣ An envelope does not guarantee secrecy or integrity

‣ The post is not always a secure channel

‣ Extremely easy to sell your vote

‣ You can coerce voters to vote as you like

• Still, this has been used in Germany for 50+ years

Remote electronic voting

• Seems even cheaper and even more convenient

• Promises better security (than voting by post at least)

• the security properties can be cryptographically enforced

• Different security risks

• Easier to launch large-scale attacks and erase evidence

• Clients are the weakest link: e.g. remotely exploitable software flaws, viruses, Internet worms, trojans, lack of physical security, social engineering attacks, etc.

• Network also vulnerable: e.g. voter demographic-based DDOS, cache poisoning DNS attacks, etc.

!"#$%&!'()*!$+!&,*!-'&$%(.%!/0!1.#)2!

!

!3.14!'()*!$+!&,*!-'&$%(.%!/0!1.#)2!

!

5,*!+#$%&!'()*!$+!&,*!1.#)!1$%&.(%'!&,*!1.#)!,$6)*#7'!'(8%.&9#*!.%)!:,$&$;!.%)!.6'$!&,*!

+$66$<(%8!).&.=!

!" %.>*!$+!1.#)!,$6)*#!

!" :*#'$%.6!1$)*!?%.&($%.6!/0!1$)*@!$+!1.#)!,$6)*#!

!" 1.#)!,$6)*#!A(#&,!&(>*!

!" 1.#)!,$6)*#!'*B!

!" 1.#)!,$6)*#!1(&(C*%',(:!

!" 1.#)!%9>A*#!

!" 1.#)!D.6()(&E!*%)!

!

5,*!A.14!'()*!1$%&.(%'!&,*!+$66$<(%8!).&.=!

!" 1.#)!,$6)*#!A(#&,!:6.1*!

!" 1.#)!(''9(%8!).&*!

!" #*'()*%1*!:*#>(&!)*&.(6'!.%)!$&,*#!(%+$#>.&($%!?(+!.::6(1.A6*@!

!" 1.#)!.%)!,$6)*#!).&.!(%!>.1,(%*F#*.).A6*!?/GHI@!+$#>.&!

!"#$%&'()$*+,%,*'(*$,&+*

-.1,!/0!1.#)!1$%&.(%'!D.#($9'!:(*1*'!$+!).&.2!H66!&,*!.A$D*!).&.!*B1*:&!:,$&$!.%)!

,.%)<#(&&*%!'(8%.&9#*!.#*!.6'$!:#*'*%&!$%!&,*!1.#)!(%!*6*1&#$%(1!+$#>;!(%!.!':*1(.6!

:9A6(16E!#*.).A6*!).&.!+(6*2!/%!.))(&($%;!&,*!1.#)!1$%&.(%'!&<$!1*#&(+(1.&*'!.%)!&,*(#!

.''$1(.&*)!:#(D.&*!4*E'!:#$&*1&*)!<(&,!J/K!1$)*'2!5,*!1*#&(+(1.&*'!1$%&.(%!$%6E!&,*!

,$6)*#7'!%.>*!.%)!:*#'$%.6!1$)*!?%.&($%.6!/0!1$)*@2!/%!.))(&($%;!&,*!.9&,*%&(1.&($%!

5,*!-'&$%(.%!/0!G.#)!.%)!0(8(&.6!L(8%.&9#*!G$%1*:&!

M9%*!N;!OPPQ!R

Remote electronic voting

• Seems even cheaper and even more convenient

• Promises better security (than voting by post at least)

• the security properties can be cryptographically enforced

• Different security risks

• Easier to launch large-scale attacks and erase evidence

• Clients are the weakest link: e.g. remotely exploitable software flaws, viruses, Internet worms, trojans, lack of physical security, social engineering attacks, etc.

• Network also vulnerable: e.g. voter demographic-based DDOS, cache poisoning DNS attacks, etc.

desired properties

eligibilitynon-reusabilityinalterability

fairness

completeness correctness

vote-privacyno forced-abstention attacks

receipt-freeness

coercion-resistance

universal verifiabilityindividual verifiability

robustnessfault tolerance

availabilityscalability

accuracy democracy

desired properties


fairness

completeness correctness


receipt-freeness

coercion-resistance

universal verifiabilityindividual verifiability

robustnessfault tolerance

availability

• Careful formalization and automatic verification of these properties important before widespread adoption

scalability

accuracy democracy



receipt-freeness

coercion-resistance




receipt-freeness

coercion-resistance


soundness



receipt-freeness

coercion-resistance


soundness

privacy

What we did

• General technique for

• modeling remote electronic voting protocols(in the applied pi-calculus)

• and automatically verifying their security

• New formal definitions of

• soundness - trace property

• coercion-resistance - observational equivalence

• both definitions amenable to automation (e.g. ProVerif)

• Proved that our coercion-resistance implies vote-privacy, immunity to forced-abstention attacks & receipt-freeness

• Automatically verified the security of the JCJ protocol

Tallier

Hi, I’m Alice

Soundness (eligibility, non-reusability, inalterability)

Tallier

Hi, I’m Aliceeligible(Alice)


Tallier



Tallier


vote(Alice, pink)

pinkblue


Tallier


vote(Alice, pink)

pinkblue


Tallier


vote(Alice, pink)

pinkblue


Tallier


vote(Alice, pink)pinkblue


Tallier




Tallier



tally(pink)


Tallier

Hi, I’m Alice

pinkblue

tally(pink)Trace: t1 eligible(Alice) t2 vote(Alice, pink) t3 tally(pink)


Tallier

Hi, I’m Alice

pinkblue

tally(pink)!!!

Trace: t1 eligible(Alice) t2 vote(Alice, pink) t3 tally(pink)


Tallier

Hi, I’m Alice

pinkblue

tally(pink)!!!

Trace: t1 eligible(Alice) t2 vote(Alice, pink) t3 tally(pink)

and the trace t1 t2 t3 is also sound (injective matching)


Vote-privacy

Voters

AliceBobCharlie

Vote-privacy

Voters

AliceBobCharlie

Results

pink party |blue party ||

Vote-privacy

“Detailed” results

Alice ............ pink partyBob .............. blue partyCharlie ........ blue party

Voters

AliceBobCharlie

Results


Vote-privacy

“Detailed” results

Alice ............ pink partyBob .............. blue partyCharlie ........ blue party

Voters

AliceBobCharlie

Results


]

Definition of vote-privacy

S[ pinkblue

]S[ pinkblue

[Delaune, Kremer & Ryan; CSF ’06]

indistinguishable from

]


S[ pinkblue

]S[ pinkblue

[

[

]

]

∀[Delaune, Kremer & Ryan; CSF ’06]

]


S[~~

pinkblue

]S[ pinkblue


]


S[~~

pinkblue

]S[ pinkblue

pink party |||blue party ||||

pink party ||||blue party |||


]


S[ |~~

pinkblue

]S[ |pinkblue

pinkblue

pinkblue


]

Immunity to forced-abstention

S[~~

S[ pinkblue

pinkblue|

| ]

S[

S[

]

Receipt-freeness

~~pinkblue

pinkblue

pinkblue|

| ]pinkblue

blue

blue

• Cryptographic setting [Benaloh & Tuinstra; STOC ’94]

S[

S[

]

Receipt-freeness

~~pinkblue

pinkblue

pinkblue|

| ]pinkblue

blue

blue

• We adapted definition by [Delaune, Kremer & Ryan; CSF ’06] to remote voting

• Cryptographic setting [Benaloh & Tuinstra; STOC ’94]

S[

Coercion-resistance

S[~~|

|pinkblue

pinkblue

pinkblue ]

]

• Cryptographic setting [Juels, Catalano & Jakobsson; WPES 2005]

receipt-freeness (up to abstraction) ⇒

S[

Coercion-resistance

S[~~|

|

|

|

pinkblue

pinkblue

pinkblue

pinkblue

pinkblue

]

]


receipt-freeness (up to abstraction) ⇒

S[

Coercion-resistance

S[~~|

|

|

|

pinkblue

pinkblue

pinkblue

pinkblue

pinkblue

]

]


receipt-freeness (up to abstraction) ⇒• Proved: coercion-resistance ⇒ no forced-abstention ⇒ vote-privacy

Definitions of coercion-resistanceJCJ-WPES’05 DKR-CSF’06 DKR-TR’08 current

setting

automation

vote-privacy

no simulation attacks

no forced- abstention

no randomization attacks (?)

receipt-freeness

remote voting supervised voting

supervised voting remote voting

no (crypto) no (adaptive simulation) no (∀C. P≈Q) yes (≈)

yes yes yes yes

yes n/a n/a yes

yes no no yes

yes no no no

yes yes yes yes (up to abstraction)

Analysis of JCJ

• first coercion-resistant protocol for remote voting[Juels, Catalano & Jakobsson; WPES ’05]

• forms the basis of many recent protocols(e.g. Civitas [Clarkson, Chong & Myers; S&P ’08])

• Analysis performed with ProVerif

• automatic protocol analyzer using Horn-clause resolution

• we use our symbolic abstraction of zero-knowledge[Backes, Maffei & Unruh; S&P ’08]

• analyzing observational equivalence required (re)writing the specification in the shape of a biprocess

• verification of JCJ succeeds, which yields security guarantees for unbounded number of voters, sessions, etc.

Future work

• Curently: analyzing a model of Civitas

Future work


• Curently: defining and analyzing other properties

• Individual verifiability (trace property)

• Immunity to randomization attacks (privacy property)

Future work





• Different techniques for trace properties

• type systems - e.g. our type system for ZK [WITS ’08]

Future work







• Different techniques for observational equivalence

• for instance using symbolic bisimulation [DKR, SecCo ’07]

Future work







• Different techniques for observational equivalence

• for instance using symbolic bisimulation [DKR, SecCo ’07]

• More accurate protocol models

• The ultimate goal is to analyze implementations

Backup slides

Hi, I’m Alice

Simplified JCJ protocol

Hi, I’m Alice

cred {cred, r1}pk(kT )


(private channel)

Hi, I’m Alice



{cred, r2}pk(kT ), {pink}pk(kT ),ZK

(private channel)

Hi, I’m Alice




(private channel)

Hi, I’m Alice




(private channel)

Hi, I’m Alice


Tallier



(private channel)

Hi, I’m Alice


pink

Tallier



(private channel)

~~|

|

|

|

pinkblue

pinkblue

pinkblue

pinkblue

pinkblue

1 2 3

1 2 3pinkblue

pinkblue

pinkblue

pinkblue

BobAliceBruce

Alice Bob Bruce| |

||

Documents

Automatic Verification of Remote Electronic Voting Protocols · Remote electronic voting • Seems even cheaper and even more convenient • Promises better security (than voting