Analysis of an Electronic Boardroom Voting System

Size: px

Start display at page:

Download "Analysis of an Electronic Boardroom Voting System"

Nelson Hunter
7 years ago
Views:

1 Analysis of an Electronic Boardroom Voting System Mathilde Arnaud Véronique Cortier Cyrille Wiedling VoteID 13 July 18th 2013

2 The Family of Electronic Voting

3 The Family of Electronic Voting Voting Machines Authentication at the polling place. Speed up the process (voting, tally). Better accessibility for people. Proprietary systems often subject to attacks: > Diebold Machines, [Halderman et al., EVT 07] > Indian Voting Machines, [Gonggrijp et al., CCS 10]

4 The Family of Electronic Voting Authentication from anywhere. Systems often difficult to understand for non-cryptographers. Internet Voting Numerous solutions (proprietary and academic): > Helios [Adida, SS 08] > Civitas [Clarkson et al., S&P 08] > FOO, Belenios, etc. Assume to trust the voter s computer.

5 Different Interesting Properties Verifiability Anonymity and more... Usability Easy-to- Understand

6 And Boardroom Voting? Everyone in the same room (authentication by others). Efficiency of the voting process is necessary. Confidence in the result. There are solutions, but... > Often in black box, > With no verifiability,... A new proposal from a subgroup of members of a CNRS commitee to achieve: Boardroom Voting > Simplicity, > Privacy, > Full Verifiability.

7 Setting A boardroom (including all the voters)

8 Setting A boardroom (including all the voters) E-Voting Devices

9 Setting A boardroom (including all the voters) E-Voting Devices Link to Central Device

10 Setting A boardroom (including all the voters) E-Voting Devices Link to Central Device Links to Screen (Visible by all)

11 Setting A boardroom (including all the voters) E-Voting Devices Link to Central Device Links to An assessor (One voter, can be anyone) Screen (Visible by all)

12 A First Approach How it works?

13 A First Approach How it works?

14 A First Approach How it works?

15 A First Approach How it works?

16 A First Approach How it works?

17 A First Approach How it works? Blue Wins!

18 A First Approach How it works? Blue Wins!?

19 A First Approach Aye! How it works? Aye! Blue Wins! Aye!?

20 But... A possible attack Similar to Clash Attacks [Küsters et al., S&P 12].

21 But... A possible attack Similar to Clash Attacks [Küsters et al., S&P 12].

22 But... A possible attack Similar to Clash Attacks [Küsters et al., S&P 12].

23 But... A possible attack Similar to Clash Attacks [Küsters et al., S&P 12].

24 But... A possible attack Similar to Clash Attacks [Küsters et al., S&P 12].

25 But... A possible attack Similar to Clash Attacks [Küsters et al., S&P 12].

26 But... A possible attack Orange Wins!? Similar to Clash Attacks [Küsters et al., S&P 12].

27 But... Aye! A possible attack Aye! Orange Wins! Aye!? Similar to Clash Attacks [Küsters et al., S&P 12].

28 Two New Versions 1 F2FV : Randomness genererated by the central device

29 Two New Versions 2 F2FV : One more randomness generated by the voter. The system still has privacy issues when central device is corrupted.

30 Two New Versions 3 F2FV : Randomness only generated by the voter. We need that voters generate actual random numbers.

31 Contributions We have three (slightly) different protocols for boardroom voting. > None of them ensures privacy when BB is corrupted. > All of them are easy to understand. In this paper, we provide: > Proofs of privacy of F2FV2 and F2FV3 assuming that infrastructure players are honest. > Proofs of correctness in the case of a dishonest ballot box (central device).

32 Did you say «proofs»? Proof in a symbolic model. We model the protocols using applied pi-calculus. In the presence of an attacker who : can read every message sent on the network, can intercept messages, can create and send new messages. can vote himself.

33 Abstraction Messages are represented by terms. Nonces, keys : h, i n, m,..., k 1,k 2,... Primitives : n {} hn, {m} k i {m} k, hm 1,m 2 i m k Modeling deduction rules : x y hx, yi hx, yi x hx, yi y x y {x} y y {x} y x

34 Applied Pi-Calculus, ::= formulae M = N M 6= N ^ _ P, Q, R ::= (plain) processes 0 null process P Q parallel composition!p replication n.p name restriction if then P else Q conditional u(x).p message input uhm i.p message output event(m).p event Introduced by Abadi and Fournet A, B, C ::= extended processes P plain process A B parallel composition n.a name restriction x.a variable restriction { M / x } active substitution

35 Modeling the Protocol A simple equationnal theory: fst(pair(x 1,x 2 )) = x 1 snd(pair(x 1,x 2 )) = x 2

36 Modeling the Protocol A simple equationnal theory: fst(pair(x 1,x 2 )) = x 1 snd(pair(x 1,x 2 )) = x 2 A sample, the voter: V n (c, c e,c a,c p,v)= k.c(x). chhx, k, vii. c e (y). if hx, k, vi2 n y then c a hoki else c a hfaili

37 Modeling the Protocol A simple equationnal theory: fst(pair(x 1,x 2 )) = x 1 snd(pair(x 1,x 2 )) = x 2 A sample, the voter: V n (c, c e,c a,c p,v)= k.c(x). chhx, k, vii. c e (y). if hx, k, vi2 n y then c a hoki else c a hfaili B n (c 1 v,...,c n v,c b )= r 1,...,r n. c 1 vhr 1 i..... c n v hr n i. c 1 v(y 1 )..... c n v (y n ). (c b hy 1 i c b hy n i) E n (c b,c e,c p )= c b (t 1 )..... c b (t n ). let r = ht 1,...,t n i in c p hri. (! c e hri) A n (c e,c 1 a,...,c n a,c p )= c e (z 0 ). c 1 a(z 1 )..... c n a(z n ). if n(z 0,z 1,...,z n ) then c p hoki else c p hfaili

38 Property 1: Privacy Privacy: (Delaune, Kremer, Ryan, 2009) P( ) P( )

39 Property 1: Privacy Privacy: (Delaune, Kremer, Ryan, 2009) P( ) P( ) A bit more formally... A process specification P satisfies ballot secrecy iff: P [V A { v 1 / v } V B { v 2 / v }] l P [V A { v 2 / v } V B { v 1 / v }] with l the observational equivalence.

40 Privacy Results Theorem 1 Assuming that the infrastructure players (Ballot Box, Screen, Assessor) are honest and, at least, two voters are honest: F2FV2 and F2FV3 preserve ballot privacy.

41 Privacy Results Theorem 1 Assuming that the infrastructure players (Ballot Box, Screen, Assessor) are honest and, at least, two voters are honest: F2FV2 and F2FV3 preserve ballot privacy. Theorem 2 Even if the Assessor is also dishonest: F2FV2 and F2FV3 still preserve ballot privacy.

42 Property 2: Correctness Correctness: (Catalano et al., 2010) P( )!

43 Property 2: Correctness Correctness: (Catalano et al., 2010) P( )!

44 Property 2: Correctness Correctness: (Catalano et al., 2010) P( )! A bit more formally... 8v 1,...,v m and every execution of the protocol leading to validation of result : P [V 1 (v 1 ) V m (v m )]! ñ. (event(t r ).Q Q 0 ) then and a permutation such that: 9 v m+1,...,v n t r = v (1),...,v (n) t r

45 Correctness Results Theorem 3 Even if the Ballot Box is corrupted, assuming that the Screen and the Assessor are honest: F2FV2 and F2FV3 ensure vote correctness.

46 Results: Summary Results Privacy Correctness \ Corr. Players System \ None Ballot Box Assessor None Ballot Box Assessor F2FV1 F2FV2 F2FV3

47 Conclusion Two versions of a boardroom voting system ensuring privacy and vote correctness in a very convenient way. To ensure vote correctness, we need that: > Voters really use (unpredictable) random numbers. > Voters must cast a vote (even blank) and check it.

48 Conclusion Two versions of a boardroom voting system ensuring privacy and vote correctness in a very convenient way. To ensure vote correctness, we need that: > Voters really use (unpredictable) random numbers. > Voters must cast a vote (even blank) and check it. Future Work Although the system is clearly not coercion-resistant, we may have a form of receipt-freeness.

49 Thank you for your attention! So... What s next...? Hey! I m a voting device! Not a TV remote control!

Le vote électronique : un défi pour la vérification formelle

Le vote électronique : un défi pour la vérification formelle Steve Kremer Loria, Inria Nancy 1 / 17 Electronic voting Elections are a security-sensitive process which is the cornerstone of modern democracy