Formal Verification of Selene with the Tamarin prover (E-Vote-ID - PhD Colloquium)

Marie-Laure Zollinger

Université du Luxembourg

October 2, 2018



Outline

1 Introduction

2 Formal verification with Tamarin-prover

3 Selene e-voting protocol

4 Formal model for Selene

5 Work in progress


Introduction (1/2)

A [voting] protocol consists of a set of rules that determine the exchange of messages between participants.
A security protocol, e.g. a voting protocol, uses cryptography to achieve security goals (authentication, secrecy, ...).

Voting protocols

Use advanced cryptographic primitives: homomorphic encryption, zero-knowledge proofs, commitment schemes, threshold cryptography

Designed with regard to security properties: ballot secrecy, receipt-freeness, coercion-resistance, e2e-verifiability


Introduction (2/2)

Formal verification
Tools to create a security proof of a protocol.
⇒ ProVerif, DEEPSEC, Tamarin, ...
Constraints of the tool:

Unbounded number of sessions

False attacks detection

Limited number of cryptographic primitives

⇒ Selene e-voting protocol uses plenty of cryptographic primitives that do not allow us to model a complete version of the protocol.
⇒ New Tamarin extensions might allow us to go further in automated verification of voting protocols.


Tamarin - Definitions

Tamarin and term rewriting
Term rewriting is a formalism used for representing messages and protocols in Tamarin.
Tamarin uses labeled multiset rewriting rules: $(id, l, a, r)$ with $id : l \xrightarrow{a} r$
where l, a, r are multisets of Facts: l is consumed, r is produced, and a is recorded in the trace to specify properties of the model.

Example: setup rule for voter's key
rule setup: [ Fr(vk) ] --> [ Out(pk(vk)), St_V('voter', pk(vk), vk) ]

Equational theory
An equational theory E is a set of equations of the form t = t′ for t, t′ terms built using functions and variables for a given environment.

Example: Symmetric encryption
dec(enc(m, k), k) = m


Tamarin - Attacker model

The adversary can:

Control the network

read, intercept, send messages
apply composition and decomposition rules with available keys

Be a participant of the protocol

⇒ Dolev-Yao

Adversary Knowledge and Deduction

$\dfrac{Fr(x)}{K(x)} \qquad \dfrac{Out(x)}{K(x)} \qquad \dfrac{K(x)}{In(x)} \qquad \dfrac{K(t_1) \cdots K(t_k)}{K(f(t_1, \cdots, t_k))}$


Tamarin - Security properties in voting

Privacy properties

Ballot-Secrecy: the protocol must not reveal the voter’s choice.

Receipt-Freeness: the protocol must not reveal the voter’s choice even when revealing private information.

Coercion-Resistance: the protocol must not reveal the voter’s choice even when following adversary’s instructions.

Verifiability properties

Cast-as-intended, Recorded-as-cast } Individual Verifiability

Tallied-as-recorded } Universal Verifiability


Tamarin - Automated verification

Specify a property with traces
Semantics of a protocol P is a set of traces traces(P).
Security property φ is also defined with a set of traces traces(φ).
Attack traces: traces(φ_attack) = traces(P) \ traces(φ)
Traces are specified with given actions on rules.

Specify a property with observational equivalence
Two systems appear the same to the environment.
⇒ Privacy as Indistinguishability with diff(·, ·) operator.
⇒ A trace for observational equivalence is automatically created.

Example: define two values for the voter’s vote and see if the adversary can distinguish between the two executions: diff('candA', 'candB')


Selene [Ryan et al. (2016)] - Overview

Selene lets the voter verify that her vote has been taken into account, using a tracking number.

1 The voter casts a vote online

2 After the election outcome has been published, the voter receives a tracking number and is able to verify that her vote is correct.


3 In case of coercion, the voter can pick another tracker related to the candidate the coercer asked her to vote for.


Selene - Cryptographic primitives

Homomorphic encryption

Transcryption

→ α-terms are shared between t Tellers: $\alpha_i = \prod_{j \in [1,t]} \alpha_{i,j}$.
→ Commitments $C_i$ are published on the bulletin board before the elections start.


Selene - Against Coercion

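$Enc_{PK}(t_i) = (\alpha_i, C_i) \Rightarrow t_i = \dfrac{C_i}{\alpha_i^{sk}}$

$t_j = \dfrac{C_i}{\alpha_{fake}^{sk}} \Leftrightarrow \alpha_{fake} = \left(\dfrac{C_i}{t_j}\right)^{sk^{-1}}$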


Formal Model for Selene

Bruni et al. (2017) proposed a formal model on a simplified version of Selene (no distributed trust and additional trust assumptions).
They proved Vote-Privacy and Receipt-Freeness of the protocol.
They described an equational theory for the commitments used in Selene.

Equational Theory

open(commit(t, r, pk(sk)), r, sk) = t

commit(t2, fake(t1, r, sk, t2), pk(sk)) = commit(t1, r, pk(sk))

open(commit(t1, r, pk(sk)), fake(t1, r, sk, t2), sk) = t2

fake(t2, fake(t1, r, sk, t2), sk, t3) = fake(t1, r, sk, t3)
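
The "Against Coercion" formula and the equational theory above, checked numerically in a toy group. This is an added example, not part of the slides or of the Bruni et al. model; the group parameters, the encoding of a tracker t as g^t, the exponent-level definition of fake(), and all function names are assumptions made for illustration.

```python
# Toy parameters (constructed, far too small for real use): P = 2Q + 1,
# and G = 4 generates the subgroup of prime order Q in Z_P^*.
P, Q, G = 2039, 1019, 4

def commit(t, r, pk):
    """C = g^t * pk^r: commitment to tracker t (encoded as g^t, an assumption)."""
    return pow(G, t, P) * pow(pk, r, P) % P

def open_with_alpha(c, alpha, sk):
    """Voter side: C / alpha^sk, which equals g^t when alpha = g^r."""
    return c * pow(pow(alpha, sk, P), -1, P) % P

def fake_alpha(c, t_fake, sk):
    """alpha_fake = (C / g^t_fake)^(1/sk): makes the same C open to t_fake."""
    target = c * pow(pow(G, t_fake, P), -1, P) % P
    return pow(target, pow(sk, -1, Q), P)

def fake(t1, r, sk, t2):
    """Exponent-level fake(): r' with commit(t2, r', pk) == commit(t1, r, pk)."""
    return (r + (t1 - t2) * pow(sk, -1, Q)) % Q

def run_checks(sk=77, t1=5, t2=9, t3=12, r1=301, r2=644):
    """Check the slide formulas and the four equations on constructed values."""
    pk = pow(G, sk, P)
    r = (r1 + r2) % Q                            # randomness split over two tellers
    alpha = pow(G, r1, P) * pow(G, r2, P) % P    # alpha = product of the alpha shares
    c = commit(t1, r, pk)
    a_fake = fake_alpha(c, t2, sk)
    return {
        # t_i = C_i / alpha_i^sk
        "open_real": open_with_alpha(c, alpha, sk) == pow(G, t1, P),
        # t_j = C_i / alpha_fake^sk
        "open_fake": open_with_alpha(c, a_fake, sk) == pow(G, t2, P),
        # commit(t2, fake(t1, r, sk, t2), pk(sk)) = commit(t1, r, pk(sk))
        "same_commitment": commit(t2, fake(t1, r, sk, t2), pk) == c,
        # fake(t2, fake(t1, r, sk, t2), sk, t3) = fake(t1, r, sk, t3)
        "fake_composes": fake(t2, fake(t1, r, sk, t2), sk, t3) == fake(t1, r, sk, t3),
        # the slide's alpha_fake is g raised to the theory's fake randomness
        "alpha_fake_matches_theory": a_fake == pow(G, fake(t1, r, sk, t2), P),
        # a single teller's share does not open the commitment
        "one_share_insufficient": open_with_alpha(c, pow(G, r1, P), sk) != pow(G, t1, P),
    }

if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {ok}")
```

Every entry is True: the commitment on the bulletin board is unchanged, yet it opens to the real tracker with the tellers' α-term and to the chosen fake tracker with α_fake, which only the holder of sk can compute.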


Formal Model - New ideas

Our goal

1 Propose a formal model with distributed trust for α-terms.

2 Check security properties such as Vote-Privacy, Receipt-Freeness, Verifiability.

First step: describe the protocol as a labeled transition system using rewriting rules.

⇒ Define states and relations for each participant for every step of the protocol
· Participants: voter 1, voter 2, election authority (EA), teller 1, teller 2
· Current trust assumptions: protocol is honest except the attacker, one voter and one teller being coerced

Current implementation inspired by the existing model [Bruni et al. (2017)]


Formal Model - Distributed Trust

XOR operation ⊕ [Dreier et al. (2018)]
A new equational theory defined by the following equations:

x ⊕ x = 0    x ⊕ (y ⊕ z) = (x ⊕ y) ⊕ z    x ⊕ 0 = x

x ⊕ y = y ⊕ x    x ⊕ x ⊕ y = y

Idea: use this operation to model distributed trust on the α-terms.

⇒ The random term in the commitment equation can be built from 2 terms.

$\dfrac{Fr(r_1) \quad Fr(r_2) \quad EA_0(t, pk_V)}{commit(t, r_1 \oplus r_2, pk_V)}$

where r1 and r2 are the α-terms shared between Tellers.


Formal Model - Rules with 2 voters, 2 tellers, 1 EA

Setup generates the keys and initiates all participants.

EA1 generates trackers and shuffles them.

T1 creates and posts commitments from trackers, with 2 α-terms.

V1 creates and sends votes.

EA2 receives votes.

EA_sync shuffles and posts votes.

T2 sends α-term to voters.

V2 receives α-term and opens trackers.


Formal Model - Security properties

Ballot Secrecy

Indistinguishability between instances with swapped votes with diff operator.

Receipt-Freeness

Output secret information for the adversary: vote, tracker, α-terms

Voter 1 is coerced and fakes the tracker.
Voter 2 is the adversary or colludes with the adversary, and outputs his real data.
Teller 1 is coerced and outputs his α-term.

Individual Verifiability

lemma ind_verif:
  " All id vote1 vote2 t #i #j. Vote(id, vote1)@i & Lookup(id, t, vote2)@j
    ==> vote1 = vote2 & #i < #j "
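
What the individual verifiability lemma above accepts and rejects, evaluated over explicit traces instead of by Tamarin's constraint solving. This is an added example, not part of the slides or the model; the trace encoding, the function names and the sample executions are constructed for illustration.

```python
def ind_verif_violations(trace):
    """Return every (Vote, Lookup) pair in `trace` that falsifies the lemma.

    `trace` is a list of (timepoint, action_name, args) tuples, i.e. the
    action facts recorded on the rule labels.
    """
    votes = [(i, args) for i, name, args in trace if name == "Vote"]
    lookups = [(j, args) for j, name, args in trace if name == "Lookup"]
    bad = []
    for i, (vid, vote1) in votes:
        for j, (lid, tracker, vote2) in lookups:
            if vid != lid:
                continue                  # the premise binds the same id in both facts
            if vote1 != vote2:
                bad.append((vid, tracker, "tracker opens to another vote"))
            elif not i < j:
                bad.append((vid, tracker, "lookup not after the vote"))
    return bad

def attack_traces(traces):
    """traces(P) minus traces(phi): the executions the lemma rejects."""
    rejected = {}
    for name, trace in traces.items():
        violations = ind_verif_violations(trace)
        if violations:
            rejected[name] = violations
    return rejected

# Constructed sample executions: (timepoint, action, arguments).
TRACES = {
    "honest": [
        (1, "Vote", ("V1", "candA")), (2, "Vote", ("V2", "candB")),
        (5, "Lookup", ("V1", "t7", "candA")), (6, "Lookup", ("V2", "t3", "candB")),
    ],
    "swapped_tracker": [
        (1, "Vote", ("V1", "candA")), (2, "Vote", ("V2", "candB")),
        (5, "Lookup", ("V1", "t3", "candB")),
    ],
    "lookup_before_vote": [
        (1, "Lookup", ("V1", "t7", "candA")), (4, "Vote", ("V1", "candA")),
    ],
}

if __name__ == "__main__":
    for name, violations in attack_traces(TRACES).items():
        print(name, violations)
```

The honest execution satisfies the property; the other two are attack traces in the sense of traces(P) \ traces(φ), one for each conjunct of the lemma's conclusion.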


Formal Model - Execution


Work in progress

Done so far...

Improved (but limited) model for Selene with distributed trust on α-terms to retrieve trackers.

Proofs for ballot-secrecy and individual verifiability

To be continued...

Proof for receipt-freeness

Model distributed trust on election keys and check security properties

Diffie-Hellman equational theory: for tracker? 'g' ^ ~t
