Post on 17-Nov-2020
Formal Verification of Selene with the Tamarin prover (E-Vote-ID, PhD Colloquium)
Marie-Laure Zollinger
Université du Luxembourg
October 2, 2018
Marie-Laure Zollinger Formal Verification of Selene with the Tamarin prover 1 / 18
Outline
1 Introduction
2 Formal verification with Tamarin-prover
3 Selene e-voting protocol
4 Formal model for Selene
5 Work in progress
Introduction (1/2)
A [voting] protocol consists of a set of rules that determine the exchange of messages between participants. A security protocol, e.g. a voting protocol, uses cryptography to achieve security goals (authentication, secrecy, ...).
Voting protocols
Use advanced cryptographic primitives: homomorphic encryption, zero-knowledge proofs, commitment schemes, threshold cryptography
Designed with respect to security properties: ballot secrecy, receipt-freeness, coercion-resistance, end-to-end (e2e) verifiability
Introduction(2/2)
Formal verification: tools to build a security proof of a protocol.
⇒ ProVerif, DEEPSEC, Tamarin, ...
Constraints of the tool:
Unbounded number of sessions
Detection of false attacks (spurious attacks that do not exist in the real protocol)
Limited number of supported cryptographic primitives
⇒ The Selene e-voting protocol uses many cryptographic primitives, which prevents us from modelling the complete protocol.
⇒ New Tamarin extensions might allow us to go further in the automated verification of voting protocols.
Tamarin - Definitions
Tamarin and term rewriting: term rewriting is the formalism used to represent messages and protocols in Tamarin. Tamarin uses labeled multiset rewriting rules (id, l, a, r), written id: l --[ a ]-> r, where l, a, r are multisets of facts; l is consumed and r is produced, while a is recorded in the trace and used to specify properties of the model.
Example: setup rule for the voter's key (fresh values carry the ~ prefix and fact names contain no spaces):
rule setup: [ Fr(~vk) ] --> [ Out(pk(~vk)), St_V('voter', pk(~vk), ~vk) ]
Equational theory: an equational theory E is a set of equations of the form t = t' for terms t, t' built from functions and variables of a given signature.
Example: symmetric encryption, dec(enc(m, k), k) = m
Tamarin - Attacker model
The adversary can:
Control the network: read, intercept and send messages; apply composition and decomposition rules with the keys available to him
Be a participant of the protocol
⇒ Dolev-Yao
Adversary knowledge and deduction (K(x): the adversary knows x)
$$\frac{Fr(x)}{K(x)} \qquad \frac{Out(x)}{K(x)} \qquad \frac{K(x)}{In(x)} \qquad \frac{K(t_1)\ \cdots\ K(t_k)}{K(f(t_1, \dots, t_k))}$$
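As an added example (not from the slides, and not Tamarin's own deduction engine), the four rules above turned into a small saturation procedure over a free term algebra with the equations dec(enc(m, k), k) = m and fst/snd of a pair. Knowledge is first closed under decomposition modulo the equations (analysis), then a goal is checked by composition with public functions (synthesis); this two-phase split is the standard treatment for a subterm-convergent theory such as this one. The network trace (pk(vk), a ballot encrypted under h(n), a later leak of n) and the names in it are constructed for the demo; atoms prefixed with `$` stand for public names the adversary can generate himself, playing the role of the Fr(x) → K(x) rule.

```python
"""Dolev-Yao deduction as analysis (decomposition) + synthesis (composition).
Terms are atoms (str) or ('f', arg1, ..., argk) tuples, kept in normal form
w.r.t. E = { dec(enc(m,k),k) = m, fst(pair(x,y)) = x, snd(pair(x,y)) = y }.
Added example, not the slides' code."""

# Function symbols the adversary may apply: K(t1)..K(tk) => K(f(t1..tk)).
# dec/fst/snd are public as well, but applying them is what 'analyse' does,
# so that every derived term stays in normal form.
PUBLIC = {"enc": 2, "pair": 2, "pk": 1, "h": 1}


def is_public_name(atom):
    """'$x' is a public name (Tamarin's $-variables): always known to the adversary."""
    return isinstance(atom, str) and atom.startswith("$")


def synthesise(goal, known):
    """Composition: can goal be built from known terms with public functions only?"""
    if goal in known or is_public_name(goal):
        return True
    if isinstance(goal, tuple) and goal[0] in PUBLIC:
        return all(synthesise(arg, known) for arg in goal[1:])
    return False  # a fresh name (secret key, nonce) has no constructor


def analyse(known):
    """Decomposition modulo E: both halves of a pair, and the plaintext of
    enc(m, k) whenever the key k is itself derivable (e.g. k = h(n) with n known)."""
    known = set(known)
    while True:
        new = set()
        for t in known:
            if isinstance(t, tuple) and t[0] == "pair":
                new.update(t[1:])
            elif isinstance(t, tuple) and t[0] == "enc" and synthesise(t[2], known):
                new.add(t[1])
        if new <= known:  # fixpoint reached
            return frozenset(known)
        known |= new


def derivable(goal, observed):
    """Out(x) => K(x): everything sent on the network is known; then deduce."""
    return synthesise(goal, analyse(observed))


# Constructed trace (demo data): the voter's setup rule outputs pk(vk); a ballot
# is encrypted under a key h(n); later n leaks inside a pair with a public value.
SETUP_OUT = {("pk", "vk")}
TRACE_NO_LEAK = SETUP_OUT | {("enc", "ballot", ("h", "n"))}
TRACE_LEAK = TRACE_NO_LEAK | {("pair", "n", "$hello")}


def examples():
    return {
        "vk_from_pk": derivable("vk", SETUP_OUT),                        # False: pk is one-way
        "ballot_without_key": derivable("ballot", TRACE_NO_LEAK),         # False: h(n) not derivable
        "ballot_after_leak": derivable("ballot", TRACE_LEAK),             # True: h(n) synthesised, then dec
        "forge_enc_known_key": derivable(("enc", "$x", ("h", "n")), TRACE_LEAK),  # True
        "forge_enc_secret_key": derivable(("enc", "$x", "k"), TRACE_LEAK),        # False: k unknown
    }
```

The interesting case is `ballot_after_leak`: the key h(n) is never sent, but once n is known the adversary composes h(n) and then decomposes enc(ballot, h(n)), which is exactly the interplay between the composition rule and the equational theory that Tamarin reasons about.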
Tamarin - Security properties in voting
Privacy properties
Ballot-Secrecy: the protocol must not reveal the voter’s choice.
Receipt-Freeness: the protocol must not reveal the voter's choice even when the voter reveals her private information to the adversary.
Coercion-Resistance: the protocol must not reveal the voter's choice even when the voter follows the adversary's instructions.
Verifiability properties
Individual verifiability: cast-as-intended, recorded-as-cast
Universal verifiability: tallied-as-recorded
Tamarin - Automated verification
Specify a property with traces: the semantics of a protocol P is a set of traces traces(P). A security property φ is also defined by a set of traces traces(φ). Attack traces: traces(φ_attack) = traces(P) \ traces(φ). Traces are specified with the actions labelling the rules.
Specify a property with observational equivalence: two systems appear the same to the environment.
⇒ Privacy as indistinguishability with the diff(·, ·) operator.
⇒ The trace for observational equivalence is created automatically.
Example: define two values for the voter's vote and check whether the adversary can distinguish the two executions: diff('candA', 'candB')
Selene [Ryan et al. (2016)] - Overview
Selene lets the voter verify that her vote has been taken into account, using a trackingnumber.
1 The voter casts a vote online
2 After the election outcome has been published, the voter receives a tracking number andis able to verify that her vote is correct.
3 In case of coercion, the voter can pick another tracker, one that points to the candidate the coercer asked her to vote for.
Selene - Cryptographic primitives
Homomorphic encryption
Transcryption
→ α-terms are shared between the t Tellers: $\alpha_i = \prod_{j \in [1,t]} \alpha_{i,j}$.
→ Commitments $C_i$ are published on the bulletin board before the election starts.
Selene - Against Coercion
$$Enc_{PK}(t_i) = (\alpha_i, C_i) \;\Rightarrow\; t_i = \frac{C_i}{\alpha_i^{sk_i}}$$
$$t_j = \frac{C_i}{\alpha_{fake}^{sk}} \;\Leftrightarrow\; \alpha_{fake} = \left(\frac{C_i}{t_j}\right)^{sk^{-1}}$$
Only the voter knows sk, so for any tracker $t_j$ on the bulletin board she can compute a fake α-term that opens her published commitment $C_i$ to $t_j$; $C_i$ itself is unchanged, so the coercer sees nothing inconsistent.
Formal Model for Selene
Bruni et al. (2017) proposed a formal model of a simplified version of Selene (no distributed trust, and additional trust assumptions). They proved vote-privacy and receipt-freeness of the protocol. They described an equational theory for the commitments used in Selene.
Equational Theory
open(commit(t, r, pk(sk)), r, sk) = t
commit(t2, fake(t1, r, sk, t2), pk(sk)) = commit(t1, r, pk(sk))
open(commit(t1, r, pk(sk)), fake(t1, r, sk, t2), sk) = t2
fake(t2, fake(t1, r, sk, t2), sk, t3) = fake(t1, r, sk, t3)
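The following is an added example (not from the slides, nor the Bruni et al. model) that instantiates the "Against Coercion" equations and the four commitment equations above with actual group arithmetic: commitments are ElGamal-style trapdoor commitments $C_i = t_i \cdot \alpha_i^{sk}$ in the order-q subgroup of $\mathbb{Z}_p^*$, the α-term is assembled from per-teller shares as on the "Cryptographic primitives" slide, and the symbolic randomness r of commit(t, r, pk(sk)) is read as the α-term the voter receives. The group (a 63-bit safe prime found at start-up, generator 4), the teller count and the function names are assumptions made for the demo; a deployment would use a standard-size group. Note that commit_value needs sk only because it computes the value of the commitment for checking the identities; the tellers compute the same value as $t \cdot pk^{r}$ without sk.

```python
"""Concrete Selene tracker commitment: open, fake alpha, distributed alpha-shares,
and a numeric check of the Bruni et al. (2017) equations.  Added example."""
import random


def is_prime_u64(n):
    """Deterministic Miller-Rabin; this base set is exact for every n < 2**64."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_above(start):
    """Smallest q >= start with q and p = 2q+1 both prime (demo-sized group)."""
    q = start | 1
    while not (is_prime_u64(q) and is_prime_u64(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime_above(1 << 62)   # assumption: 63-bit safe-prime group for the demo
G = 4                               # quadratic residue != 1, so it generates the order-Q subgroup


def inv(a):                         # inverse in Z_p^*
    return pow(a, P - 2, P)


def keygen():
    """Voter's trapdoor key pair (sk, pk = g^sk)."""
    sk = random.randrange(1, Q)
    return sk, pow(G, sk, P)


def new_tracker():
    """A tracker encoded as a random element of the subgroup."""
    return pow(G, random.randrange(1, Q), P)


def distributed_commit(t, pk, n_tellers):
    """Each teller j picks r_j and contributes (g^r_j, pk^r_j); the EA multiplies the
    shares: alpha = prod g^r_j = g^r and C = t * prod pk^r_j = t * pk^r = t * alpha^sk.
    No single teller knows r, so none can open C alone (alpha_i = prod_j alpha_{i,j})."""
    alpha, c = 1, t
    for _ in range(n_tellers):
        r_j = random.randrange(1, Q)
        alpha = alpha * pow(G, r_j, P) % P
        c = c * pow(pk, r_j, P) % P
    return alpha, c


def commit_value(t, alpha, sk):
    """Value of commit(t, alpha, pk(sk)) = t * alpha^sk (for checking identities)."""
    return t * pow(alpha, sk, P) % P


def open_tracker(c, alpha, sk):
    """open(C, alpha, sk) = C / alpha^sk, the voter's tracker retrieval."""
    return c * inv(pow(alpha, sk, P)) % P


def fake_alpha(t_shown, alpha, sk, t_claimed):
    """fake(t, alpha, sk, t'): the alpha' with open(commit(t, alpha, pk), alpha', sk) = t',
    i.e. alpha' = (C / t')^(sk^-1 mod q) as on the 'Against Coercion' slide."""
    c = commit_value(t_shown, alpha, sk)
    return pow(c * inv(t_claimed) % P, pow(sk, -1, Q), P)


def check_bruni_equations(sk, t1, t2, t3, alpha):
    """The four equations of the Bruni et al. theory, evaluated on concrete values."""
    c1 = commit_value(t1, alpha, sk)
    f12 = fake_alpha(t1, alpha, sk, t2)
    return (
        open_tracker(c1, alpha, sk) == t1,                              # open(commit(t,r,pk),r,sk) = t
        commit_value(t2, f12, sk) == c1,                                # commit(t2,fake(t1,r,sk,t2),pk) = commit(t1,r,pk)
        open_tracker(c1, f12, sk) == t2,                                # open(commit(t1,r,pk),fake(t1,r,sk,t2),sk) = t2
        fake_alpha(t2, f12, sk, t3) == fake_alpha(t1, alpha, sk, t3),   # fake(t2,fake(t1,r,sk,t2),sk,t3) = fake(t1,r,sk,t3)
    )


def demo(n_tellers=2):
    sk, pk = keygen()
    t_real, t_coercer = new_tracker(), new_tracker()
    alpha, c = distributed_commit(t_real, pk, n_tellers)   # C published before the election
    a_fake = fake_alpha(t_real, alpha, sk, t_coercer)      # what a coerced voter shows
    return {
        "teller_view_consistent": commit_value(t_real, alpha, sk) == c,
        "real_ok": open_tracker(c, alpha, sk) == t_real,
        "fake_ok": open_tracker(c, a_fake, sk) == t_coercer,   # same C, coercer's tracker
        "equations": check_bruni_equations(sk, t_real, t_coercer, new_tracker(), alpha),
    }
```

Running demo() shows the property the symbolic theory abstracts: the commitment on the bulletin board is fixed, yet the voter can produce an α-term that opens it to any tracker of her choosing, which is why the α-term (not the commitment) must be delivered to the voter privately and after the tally, and why distributing its shares across tellers matters.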
Formal Model - New ideas
Our goal
1 Propose a formal model with distributed trust for α-terms.
2 Check security properties such as Vote-Privacy, Receipt-Freeness, Verifiability.
First step: describe the protocol as a labeled transition system using rewriting rules.
⇒ Define states and relations for each participant at every step of the protocol.
· Participants: voter 1, voter 2, election authority (EA), teller 1, teller 2
· Current trust assumptions: all parties are honest, except the attacker, one coerced voter and one coerced teller
Current implementation inspired by the existing model [Bruni et al. (2017)]
Formal Model - Distributed Trust
XOR operation ⊕ [Dreier et al. (2018)]: a new equational theory defined by the following equations:
$$x \oplus x = 0 \qquad x \oplus (y \oplus z) = (x \oplus y) \oplus z \qquad x \oplus 0 = x$$
$$x \oplus y = y \oplus x \qquad x \oplus x \oplus y = y$$
Idea: use this operation to model distributed trust on the α-terms.
⇒ The random term in the commitment equation can be built from 2 terms:
$$\frac{Fr(r_1) \quad Fr(r_2) \quad EA_0(t, pk_V)}{commit(t,\ r_1 \oplus r_2,\ pk_V)}$$
where $r_1$ and $r_2$ are the α-terms shared between the Tellers.
Formal Model - Rules with 2 voters, 2 tellers, 1 EA
Setup generates the keys and initialises all participants.
EA1 generates trackers and shuffles them.
T1 creates and posts commitments from the trackers, with 2 α-terms.
V1 creates and sends votes.
EA2 receives votes.
EA_sync shuffles and posts votes.
T2 sends the α-term to the voters.
V2 receives the α-term and opens the tracker.
Formal Model - Security properties
Ballot Secrecy
Indistinguishability between instances with swapped votes with diff operator.
Receipt-Freeness
Output the secret information to the adversary: vote, tracker, α-terms.
Voter 1 is coerced and fakes her tracker. Voter 2 is the adversary, or colludes with the adversary, and outputs his real data. Teller 1 is coerced and outputs his α-term.
Individual Verifiability
lemma ind_verif:
  " All id vote1 vote2 t #i #j. Vote(id, vote1)@i & Lookup(id, t, vote2)@j
    ==> vote1 = vote2 & #i < #j "
Formal Model - Execution
Work in progress
Done so far...
Improved (but limited) model of Selene with distributed trust on the α-terms used to retrieve the trackers.
Proofs for ballot-secrecy and individual verifiability
To be continued...
Proof of receipt-freeness
Model distributed trust on the election keys and check the security properties
Diffie-Hellman equational theory for the tracker? 'g'^~t