Electronic Voting: practice and theorymdr/research/projects/05-ElectronicVoting/policy09.pdfThe...
Transcript of Electronic Voting: practice and theorymdr/research/projects/05-ElectronicVoting/policy09.pdfThe...
The potential and the current situation Desired properties Some protocols Verification Conclusions
Electronic Voting: practice and theory
Mark RyanUniversity of Birmingham
based on joint work with
Stephanie DelauneSteve Kremer
Mounira KourjiehBen Smyth
POLICY 2009
The potential and the current situation Desired properties Some protocols Verification Conclusions
Outline
1 The potential and the current situation
2 Desired properties
3 Some protocols
4 Verification
5 Conclusions
The potential and the current situation Desired properties Some protocols Verification Conclusions
Electronic voting: potential
Electronic voting potentially offers
Efficiency
higher voter participationgreater accuracylower costs
Better security
vote-privacy even in presenceof corrupt election authoritiesvoter verification, i.e. theability of voters and observersto check the declaredoutcome against the votescast.
Governments world over havebeen trialling e-voting, e.g.USA, UK, Canada, Brasil, theNetherlands and Estonia.
Can also be useful forsmaller-scale elections(student guild, shareholdervoting, trade union ballots,local government).
The potential and the current situation Desired properties Some protocols Verification Conclusions
Current situation
The potential benefits have turned out to be hard to realise.
In UK
May 2007 elections included 5 local authorities that piloted a rangeof electronic voting machines.
Electoral Commission report concluded that the implementation andsecurity risk was significant and unacceptable and recommends thatno further e-voting take place until a sufficiently secure andtransparent system is available.
In USA:
Diebold controversy since 2003 when code leaked on internet.
Kohno/Stubblefield/Rubin/Wallach analysis concluded Dieboldsystem far below even most minimal security standards. Voterswithout insider privileges can cast unlimited votes without beingdetected.
The potential and the current situation Desired properties Some protocols Verification Conclusions
Current situation in USA, continued
In 2007, Secr. of State for California commissioned“top-to-bottom” review by computer science academics ofthe four machines certified for use in the state. Result is acatalogue of vulnerabilities, including
appalling software engineering practices, such as hardcoding cryptokeys in source code; bypassing OS protection mechanisms, . . .
susceptibility of voting machines to viruses that propogate frommachine to machine, and that could maliciously cause votes to berecorded incorrectly or miscounted
“weakness-in-depth”, architecturally unsound systems in which evenas known flaws are fixed, new ones are discovered.
In response to these reports, she decertified all four types of votingmachine for regular use in California, on 3 August 2007.
The potential and the current situation Desired properties Some protocols Verification Conclusions
Situation in USA – 2008 election
Several other states followed California’s lead, and decertifiedelectronic voting machines.
But other states have continued to use touch-screen systems, havinginvested massively. (E.g., the state of Colorado spent $41M onelectronic voting systems for its 3M voters, on machines thatCalifornia has now decertified. . . )
Diebold, one of the main suppliers, tried unsuccessfully to sell theire-voting business. Instead, they rebranded it ‘Premier ElectionSolutions’ and revised their forecasts downwards.
The potential and the current situation Desired properties Some protocols Verification Conclusions
Current situation in Estonia
Estonia is a tiny former Soviet republic (pop. 1.4M), nicknamed“e-Stonia” because of its tech-savvy character.
Oct. 2005 local election allowed voters to cast ballots on internet.There were 9,317 electronic votes cast out of 496,336 votes in total(1.9%) participated online.
Officials hailed the experiment a success. Said no reports of hackingor flaws. System based on linux.
Voters need special ID smartcard, a $24 device that reads the card,and a computer with internet access. About 80% of Estonian votershave the cards anyway, also used since 2002 for online banking andtax records.
Feb. 2007 general election: 30,275 voters used internet voting.
The potential and the current situation Desired properties Some protocols Verification Conclusions
Internet voting and coercion resistance
The possibility of coercion (e.g. by family members) seems very hard toavoid for internet voting.
In Estonia, the threat is somewhat mitigated:
Election system allows multiple online votes to be cast by the sameperson during the days of advance voting, with each vote cancellingthe previous one.
System gives priority to paper ballots; a paper ballot cancels anyprevious online ballot by the same person.
The potential and the current situation Desired properties Some protocols Verification Conclusions
Where are we?
1 The potential and the current situation
2 Desired properties
3 Some protocols
4 Verification
5 Conclusions
The potential and the current situation Desired properties Some protocols Verification Conclusions
Voting system: desired properties
Eligibility: only legitimate voters can vote, and at most once (This also
implies that the voting authorities cannot insert votes)
Fairness: no early results can be obtained
Privacy: the fact that a particular voter in a particular way is not
revealed to anyone
Receipt-freeness: a voter cannot later prove to a coercer that she voted
in a certain way
Coercion-resistance: a voter cannot interactively cooperate with a
coercer to prove that she voted in a certain way
Individual verifiability: a voter can verify that her vote was really counted
Universal verifiability: a voter can verify that the published outcome
really is the sum of all the votes
. . . and all this even in the presence of corrupt election authorities!
The potential and the current situation Desired properties Some protocols Verification Conclusions
Are these properties even simultaneously satisfiable?
Contradiction?
Eligibility: only legitimate
voters can vote, and only once
Effectiveness: the number of
votes for each candidate is
published after the election
Privacy: the fact that a
particular voted in a particular
way is not revealed to anyone
(not even the election
authorities)
Contradiction?
Receipt-freeness: a voter
cannot later prove to a coercer
that she voted in a certain way
Individual verifiability: a
voter can verify that her vote
was really counted
The potential and the current situation Desired properties Some protocols Verification Conclusions
How could it be secure?
The potential and the current situation Desired properties Some protocols Verification Conclusions
Security by trusted client software
→ → → → → → → → → →
trusted by user
does not need to betrusted by authoritiesor other voters
not trusted by user
doesn’t need to betrusted by anyone
The potential and the current situation Desired properties Some protocols Verification Conclusions
Where are we?
1 The potential and the current situation
2 Desired properties
3 Some protocols
4 Verification
5 Conclusions
The potential and the current situation Desired properties Some protocols Verification Conclusions
First, some cryptoraphy
Blind signatures
Normally, when Alice signs amessage M, creatingSignSKA
(M), she knows whatthe message M is.
In a blind signature, Bob canask her to sign a blinded versionof the message, blindb(M).
After she signs it, he canunblind it.
unblindb(SignSKA(blindb(M))) =
SignSKA(M)
Commitments
Alice can send Bob acommitment commitc(M) to amessage M.
Later, she can reveal c and M,and Bob can verify that it isindeed the correct M that shecommitted to.
Alice cannot lie, e.g., cannotfind some other c ′ and M ′ thathave the same commitmentcommitc′(M ′).
The potential and the current situation Desired properties Some protocols Verification Conclusions
FOO 92 protocol [FujiokaOkamotoOhta92]
Alice aDministrator Collector
{ } 1)),,(( −Abcvcommitblind
{ } 1)),,(( −Dbcvcommitblind
{ } 1),((...) −= Dcvcommitunblind
{ } 1),( −Dcvcommit
vpubl.
)),(,(. cvcommitlpubl),( cl
I
III
II
vopen =(...)
The potential and the current situation Desired properties Some protocols Verification Conclusions
FOO 92 properties
Eligibility X
Fairness X
Privacy X
Receipt-freeness ×Coercion-resistance ×Individual verifiability X
Universal verifiability half
FOO usability in a real election: an exercise for the reader!
The potential and the current situation Desired properties Some protocols Verification Conclusions
Verification
The potential and the current situation Desired properties Some protocols Verification Conclusions
Attacker model
Ideally, we want to model a very powerful attacker:
It has “Dolev-Yao” capabilities, i.e.
it completely controls thecommunication channels, so it is able torecord, alter, delete, insert, redirect,reorder, and reuse past or currentmessages, and inject new messages(The network is the attacker)
manipulate data in arbitrary ways,including applying crypto operationsprovided has the necessary keys
It includes the election authorities.
It includes the other voters.
The potential and the current situation Desired properties Some protocols Verification Conclusions
The applied π-calculus
Applied pi-calculus: [Abadi & Fournet, 01]
basic programming language with constructs for concurrencyand communication
based on the π-calculus [Milner et al., 92]
in some ways similar to the spi-calculus [Abadi &Gordon, 98], but more general w.r.t. cryptography
Advantages:
naturally models a Dolev-Yao attacker
allows us to model less classical cryptographic primitives
both reachability and equivalence-based specification ofproperties
automated proofs using ProVerif tool [Blanchet]
powerful proof techniques for hand proofs
successfully used to analyze a variety of securityprotocols
The potential and the current situation Desired properties Some protocols Verification Conclusions
Equations to model the cryptography
Examples
1 Encryption and signatures
decrypt( encrypt(m,pk(k)), k ) = m
checksign( sign(m,k), m, pk(k) ) = ok
2 Blind signatures
unblind( sign( blind(m,r), sk ), r ) = sign(m,sk)
3 Designated verifier proof of re-encryptionThe term dvp(x,rencrypt(x,r),r,pkv) represents a proof designated forthe owner of pkv that x and rencrypt(x,r) have the same plaintext.
checkdvp(dvp(x,rencrypt(x,r),r,pkv),x,rencrypt(x,r),pkv) = ok
checkdvp( dvp(x,y,z,skv), x, y, pk(skv) ) = ok.
The potential and the current situation Desired properties Some protocols Verification Conclusions
Coding protocols as processes
Example ([FOO’92]):
processV =
new b; new c;
let bcv = blind(commit(v,c),b) in
out(ch, (sign(bcv, skv)));
in(ch,m2);
if getMess(m2,pka)=bcv then
let scv = unblind(m2,b) in
str phase 1;
out(ch, scv);
in(ch,(l, =scv));
str phase 2;
out(ch,(l,c)).
Alice aDministrator Collector
{ } 1)),,(( −Abcvcommitblind
{ } 1)),,(( −Dbcvcommitblind
{ } 1),((...) −= Dcvcommitunblind
{ } 1),( −Dcvcommit
vpubl.
)),(,(. cvcommitlpubl),( cl
I
III
II
vopen =(...)
The potential and the current situation Desired properties Some protocols Verification Conclusions
Formalisation of vote-privacy
Classically modeled as observational equivalences between two slightlydifferent processes P1 and P2, but
changing the identity does not work, as identities are revealed
changing the vote does not work, as the votes are revealed at the end
↪→ consider two honest voters and swap their votes
Definition (Privacy)
A voting protocol respects privacy if
S [VA{a/v} | VB{b/v}] ≈` S [VA{b/v} | VB{a/v}].
The potential and the current situation Desired properties Some protocols Verification Conclusions
Receipt-freeness: leaking secrets to the coercer
To model receipt-freeness we need to specify that a coerced votercooperates with the coercer by leaking secrets on a channel ch
P ::=0P | Pνn.Pin(u, x).Pout(u,M).Pif M = N then P else P!P. . .
Pch in terms of P
0ch = 0
(P | Q)ch = Pch | Qch
(νn.P)ch = νn.out(ch, n).Pch
(in(u, x).P)ch = in(u, x).out(ch, x).Pch
(out(u,M).P)ch = out(u,M).Pch
. . .
We denote by P\out(chc,·) the process νchc .(P |!in(chc , x)).
Lemma: (Pch)\out(chc,·) ≈` P
The potential and the current situation Desired properties Some protocols Verification Conclusions
Receipt-freeness: definition
Intuition
There exists aprocess V ′
which
votes a,
leaks(possiblyfake)secrets tothe coercer,
and makesthe coercerbelieve shevoted c
Definition (Receipt-freeness)
A voting protocol is receipt-free if there exists aprocess V ′, satisfying
V ′\out(chc,·) ≈` VA{a/v},S [VA{c/v}chc | VB{a/v}] ≈` S [V ′ | VB{c/v}].
Case study: Lee et al. protocolWe prove receipt-freeness by
exhibiting V ′
showing that V ′\out(chc,·) ≈` VA{a/v}showing thatS [VA{c/v}chc | VB{a/v}] ≈` S [V ′ | VB{c/v}]
The potential and the current situation Desired properties Some protocols Verification Conclusions
Coercion resistance: talking with the coercer
Like receipt-freness, but: voter interacts with the coercer during theprotocol (instead of just supplying data at the end).
The voting booth makes coercion resistance possible.
Interactively communicating with the coercer:
Pc1,c2 in terms of P
0c1,c2 = 0,
(P | Q)c1,c2 = Pc1,c2 | Qc1,c2
(νn.P)c1,c2 = νn.out(c1, n).Pc1,c2
(in(u, x).P)c1,c2 = in(u, x).out(c1, x).Pc1,c2
(out(u,M).P)c1,c2 = in(c2, x).out(u, x).Pc1,c2
(!P)c1,c2 = !Pc1,c2 ,
(if M = N then P else Q)c1,c2 = in(c2, x). if x = true then Pc1,c2
else Qc1,c2
The potential and the current situation Desired properties Some protocols Verification Conclusions
Coercion resistance: definition
Definition (Coercion resistance)
VP is coercion resistant if there exists aprocess V ′ such that for anyC = νc1.νc2.( | P) satisfying
n ∩ fn(C ) = ∅S [C [VA{?/v}c1,c2] | VB{a/v}] ≈`
S [VA{c/v}chc | VB{a/v}]we have
C [V ′]\out(chc,·) ≈` VA{a/v},S [C [VA{?/v}c1,c2 ] | VB{a/v}] ≈`
S [C [V ′] | VB{c/v}].
Intuitively, C together withthe environment representthe coercer. The definitionsays there’s a strategy V ′
for the voter such that
if the coercer is tryingto force A to vote c
then
A can do V ′, whichwill result in an avote, but will satisfythe coercer.
Doesn’t take account of fault attacks (cf. Kusters/Truderung).
The potential and the current situation Desired properties Some protocols Verification Conclusions
Privacy properties
Proposition
Let VP be a voting protocol. Then
VP is coercion-resistant⇓
VP is receipt-free⇓
VP respects privacy
The potential and the current situation Desired properties Some protocols Verification Conclusions
The potential and the current situation Desired properties Some protocols Verification Conclusions
Election verifiability
Individualverifiability
A voter cancheck her ownvote is includedin the tally.
Universalverifiability
Anyone cancheck that thedeclaredoutcomecorresponds tothe tally.
Eligibilityverifiability
Anyone cancheck that onlyeligible votes areincluded in thedeclaredoutcome.
Remarks
Verifiability 6= correctness
What system components need to be trusted in order to carry outthese checks?
The potential and the current situation Desired properties Some protocols Verification Conclusions
Individual verifiability
Intuition: a protocol satisfies individual verifiability if there is a test
R IV(my vote , my secrets , bb entry
)that a voter can apply after the election.The test succeeds iff the bulletin board entry corresponds to the voter’svote and secrets.
Acceptability conditions
For all votes s, there is an execution of the protocol that producesM such that some bulletin board entry T satisfies R IV (s, M,T ).
The bulletin board entry determines the vote, that is,
R IV (s, M,T ) ∧ R IV (t, N,T )⇒ s = t
The potential and the current situation Desired properties Some protocols Verification Conclusions
Universal and elegibility verifiability
Universal verifiability
There exists a test RUV such thatthe observer can match up votesv1, v2, . . . , vn in the declared outcomewith bulletin board entriesz1, z2, . . . , zn to obtain, for all1 ≤ i ≤ n:
RUV (vi , zi ).
Acceptability conditions
R IV (s, M, T )⇒ RUV (s, T )
RUV (s, T ) ∧ RUV (t, T )⇒ s = t
Eligibility verifiability
There is a test REV such that theobserver can match up voter publiccredentials y1, y2, . . . , yn with bulletinboard entries z1, z2, . . . , zn to obtain,for all 1 ≤ i ≤ n:
REV (yi , zi ).
Acceptability conditions
REV (U, T ) ∧ REV (V , T )⇒ U = V
If voter with credential U andsecrets M generates bulletin boardentry T thenR IV (s, M, T )⇔ REV (U, T )
The potential and the current situation Desired properties Some protocols Verification Conclusions
Election verifiability
A voting process C [!νa.(P | Q[c〈U〉])] satisfies election verifiability ifthere exists tests R IV ,RUV ,REV with
fv(R IV ) ⊆ bv(P) ∪ {v , z}fv(RUV ) ⊆ {v , z}fv(REV ) ⊆ {y , z}(fnRUV ∪ fnREV ) ∩ bn(P) = ∅
such that the augmented voting process satisfies the following conditions:
the unreachability assertion: fail〈true〉.the reachability assertion: pass〈true, x〉.
Example
In the case of FOO,
R IV = eq(z2, commit(v ′, r)) ∧ checksign(z3, blind(z2, r′), pk(skR))
The potential and the current situation Desired properties Some protocols Verification Conclusions
Augmented process
Given a voting process C [!νa.(P | Q[c〈U〉])] and tests R IV ,RUV ,REV ,the augmented voting process is
νb.(C [!νa, b′.(P | Q)] | R | R ′) | R ′′ | R ′′′
where
P = b(v).P.c(z).b′(y).(pass〈R IV , z〉 | fail〈ψ〉)Q = Q[b′〈U〉 | D〈U〉 | c〈U〉]R = !νs.((!b〈s〉) | c〈s〉)R ′ = b(v ′).b(v ′′).c(x ′).c(x ′′).c(y ′).c(y ′′).c(z ′).fail〈φ′ ∨ φ′′ ∨ φ′′′〉R ′′ = pass(e).pass(e′).fail〈e1 ∧ e′1 ∧ (e2 = e′2)〉R ′′′ = D(e).D(e′).fail〈¬(e = e′)〉
ψ = (R IV ∧ ¬RUV ) ∨ (R IV ∧ ¬REV ) ∨ (¬R IV ∧ REV )
φ′ = R IV {v ′,x′,z′/v ,x,z} ∧ R IV {v ′′,x′′,z′
/v ,x,z} ∧ ¬(v ′ = v ′′)
φ′′ = RUV {v ′,z′/v ,z} ∧ RUV {v ′′,z′
/v ,z} ∧ ¬(v ′ = v ′′)
φ′′′ = REV {y ′,z′/y ,z} ∧ REV {y ′′,z′
/y ,z} ∧ ¬(y ′ =E y ′′)
The potential and the current situation Desired properties Some protocols Verification Conclusions
Results and trustworthiness requirements
Property FOO’92 Oka. ’97 LBDKYY’03 Civitas ’08
Vote-privacy X X X Xtrusted compnts client clt./timel.mbr. clt./admin. client
Receipt-freeness × X X Xtrusted compnts client clt./timel.mbr. clt./admin./coll. client
Coercion resist. × × X Xtrusted compnts clt./admin./coll. client
Individual verif. X Xtrusted compnts client client
Universalal verif. X Xtrusted compnts
Elig. verif. × Xtrusted compnts
The potential and the current situation Desired properties Some protocols Verification Conclusions
Conclusions and future work
Conclusions
First formal definitions ofreceipt-freeness andcoercion-resistance
coercion-resistance ⇒receipt-freeness ⇒ privacy
First generic formaldefinitions of electionverifiability. Suitable forautomation.
Future work
Decision procedure forobservational equivalence forprocesses without replication.
Voting systems that are notclient-crypto-based.