Vote-Independence: A Powerful Privacy Notion for Voting Protocols

Size: px

Start display at page:

Download "Vote-Independence: A Powerful Privacy Notion for Voting Protocols"

Randall Hampton
6 years ago
Views:

1 : Powerful Privacy Notion for Voting Protocols Université Grenoble 1, CNRS, Verimag FPS 2011: May 13, 2011

2 Plan Introduction 1 Introduction What is electronic voting? n ttack on Privacy in Helios 2 Privacy 3 4 5

3 Plan Introduction What is electronic voting? n ttack on Privacy in Helios 1 Introduction What is electronic voting? n ttack on Privacy in Helios 2 Privacy 3 4 5

4 Plan Introduction What is electronic voting? n ttack on Privacy in Helios 1 Introduction What is electronic voting? n ttack on Privacy in Helios 2 Privacy 3 4 5

5 Introduction What is electronic voting? n ttack on Privacy in Helios Voting machines are not a recent technology They have been in use in the US for over 100 years!

6 Introduction What is electronic voting? n ttack on Privacy in Helios Electronic voting machines are used all over the world

7 Internet voting Introduction What is electronic voting? n ttack on Privacy in Helios vailable in Estonia France Switzerland...

8 Security Requirements What is electronic voting? n ttack on Privacy in Helios Eligibility Fairness Individual Verifiability Universal Verifiability Security Requirements Robustness Privacy Receipt-Freeness Coercion-Resistance

9 Security Requirements What is electronic voting? n ttack on Privacy in Helios Eligibility Fairness Individual Verifiability Universal Verifiability Security Requirements Robustness Privacy Receipt-Freeness Coercion-Resistance

10 Plan Introduction What is electronic voting? n ttack on Privacy in Helios 1 Introduction What is electronic voting? n ttack on Privacy in Helios 2 Privacy 3 4 5

11 ttack on Privacy in Helios [?] What is electronic voting? n ttack on Privacy in Helios Helios [?] is a web based open-source voting system based on homomorphic encryption. Server lice ob =,

12 ttack on Privacy in Helios [?] What is electronic voting? n ttack on Privacy in Helios Helios [?] is a web based open-source voting system based on homomorphic encryption. Server lice ob =,

13 ttack on Privacy in Helios [?] What is electronic voting? n ttack on Privacy in Helios Helios [?] is a web based open-source voting system based on homomorphic encryption. Server lice ob =,

14 ttack on Privacy in Helios [?] What is electronic voting? n ttack on Privacy in Helios Helios [?] is a web based open-source voting system based on homomorphic encryption. Server lice ob + =,

15 ttack on Privacy in Helios [?] What is electronic voting? n ttack on Privacy in Helios Eve can attack lice s privacy by copying her vote: Server lice ob Eve =,, To prevent this attack, we have to enforce.

16 ttack on Privacy in Helios [?] What is electronic voting? n ttack on Privacy in Helios Eve can attack lice s privacy by copying her vote: Server lice ob Eve =,, To prevent this attack, we have to enforce.

17 ttack on Privacy in Helios [?] What is electronic voting? n ttack on Privacy in Helios Eve can attack lice s privacy by copying her vote: Server lice ob Eve =,, To prevent this attack, we have to enforce.

18 ttack on Privacy in Helios [?] What is electronic voting? n ttack on Privacy in Helios Eve can attack lice s privacy by copying her vote: Server lice ob Eve =,, To prevent this attack, we have to enforce.

19 ttack on Privacy in Helios [?] What is electronic voting? n ttack on Privacy in Helios Eve can attack lice s privacy by copying her vote: Server lice ob Eve =,, To prevent this attack, we have to enforce.

20 ttack on Privacy in Helios [?] What is electronic voting? n ttack on Privacy in Helios Eve can attack lice s privacy by copying her vote: Server lice ob + + Eve =,, To prevent this attack, we have to enforce.

21 Plan Introduction Privacy 1 Introduction What is electronic voting? n ttack on Privacy in Helios 2 Privacy 3 4 5

22 Plan Introduction Privacy 1 Introduction What is electronic voting? n ttack on Privacy in Helios 2 Privacy 3 4 5

23 Defining Vote-Privacy [?] Privacy Main idea: Observational equivalence between two situations. lice ob Vote l Vote

24 Defining Receipt-Freeness [?] Privacy gain: Observational equivalence between two situations, but lice tries to create a receipt or a fake. Mallory lice ob Secret Data Fake Data l

25 Defining Receipt-Freeness [?] Privacy gain: Observational equivalence between two situations, but lice tries to create a receipt or a fake. Mallory lice ob Secret Data Fake Data l

26 Defining Coercion-Resistance [?] Privacy Observational equivalence between two situations, but lice is under control by Mallory or only pretends to be so. Mallory Orders lice ob Secret Data Fake Data l

27 Defining Coercion-Resistance [?] Privacy Observational equivalence between two situations, but lice is under control by Mallory or only pretends to be so. Mallory Orders lice ob Secret Data Fake Data l

28 Plan Introduction Privacy 1 Introduction What is electronic voting? n ttack on Privacy in Helios 2 Privacy 3 4 5

29 Defining Privacy Main idea: Privacy, but with a voter under control of the attacker. If he can relate his vote to e.g. lice s vote, Mallory can distinguish both sides. Orders Mallory lice ob Chuck Vote l Vote??

30 Defining Privacy Main idea: Privacy, but with a voter under control of the attacker. If he can relate his vote to e.g. lice s vote, Mallory can distinguish both sides. Orders Mallory lice ob Chuck Vote l Vote??

31 Privacy with Passive Collaboration Receipt-Freeness with Chuck : Orders Mallory lice ob Chuck Secret Data? l Fake Data?

32 Privacy with Passive Collaboration Receipt-Freeness with Chuck : Orders Mallory lice ob Chuck Secret Data? l Fake Data?

33 Privacy with active Collaboration Coercion-Resistance with Chuck : Orders Mallory Orders lice ob Chuck Secret Data? l Fake Data?

34 Privacy with active Collaboration Coercion-Resistance with Chuck : Orders Mallory Orders lice ob Chuck Secret Data? l Fake Data?

35 Plan Introduction 1 Introduction What is electronic voting? n ttack on Privacy in Helios 2 Privacy 3 4 5

36 The pplied Pi Calculus [?] Syntax P, Q, R := processes 0 null process P Q parallel composition!p replication νn.p name restriction ( new ) if M = N then P else Q conditional in(u, x) message input out(u, x) message output { M /x} substitution

37 Modeling a voting protocol Definition (Voting Process [?]) voting process is a closed plain process VP νñ.(v σ 1... V σ n 1... m ). We define an evaluation context S which is like VP, but has a hole instead of three V σ i, and an evaluation context S which is like VP, but has a hole instead of two V σ i.

38 Vote-Privacy: The formal definition Definition (Vote-Privacy [?]) voting process respects Vote-Privacy (P) if for all votes a and b we have S [V { a /v} V { b /v}] l S [V { b /v} V { a /v}]

39 (without Collaboration): The formal definition Definition () voting process respects (VI) if for all votes a and b we have S [ V { a /v} V { b /v} V c 1,c 2 C ] l S [ V { b /v} V { a /v} V c 1,c 2 ] C

40 Receipt-Freeness: The formal definition Definition (Receipt-Freeness [?]) voting process respects Receipt-Freeness (RF) if there exists a closed plain process V such that for all votes a and c we have V \out(chc, ) l V { a /v} and [ ] S V { b /v} chc V { a /v} l S [ V V { b /v} ]

41 with Passive Collaboration: The formal definition Definition ( with Passive Collaboration) voting process respects with Passive Collaboration (VI-PC) if there exists a closed plain process V such that for all votes a and c we have V \out(chc, ) l V { a /v} and [ ] S V { b /v} chc V { a /v} V c 1,c 2 C l S [ V V { b /v} V c 1,c 2 ] C

42 Plan Introduction 1 Introduction What is electronic voting? n ttack on Privacy in Helios 2 Privacy 3 4 5

43 Relations among the notions CR VI-C RF VI-PC VP VI

44 Examples Introduction CR [?] VI-C [?] RF VI-PC [?] VP VI [?]

45 Plan Introduction 1 Introduction What is electronic voting? n ttack on Privacy in Helios 2 Privacy 3 4 5

46 Introduction ttack on Helios Extended threat model Formal definition of Strictly stronger than standard Vote-Privacy Generalized to passive and active collaboration Case studies: even Coercion-Resistant protocols may not ensure

47 Future Work Introduction Generalized definition of voting protocols Tools to automate and/or verify the proofs (at least partly) Computational definition

48 Thank you for your attention! Questions?

49 en dida, Olivier De Marneffe, Olivier Pereira, and Jean-Jacques Quisquater. Electing a university president using open-audit voting: analysis of real-world use of helios. In Proceedings of the 2009 conference on Electronic voting technology/workshop on trustworthy elections, EVT/WOTE 09, pages 10 10, erkeley, C, US, USENIX ssociation. Martín badi and Cédric Fournet. Mobile values, new names, and secure communication. In Proceedings of the 28th CM SIGPLN-SIGCT symposium on Principles of programming languages, POPL 01, pages , New York, CM. Jens-Matthias ohli, Jörn Müller-Quade, and Stefan Röhrich.

50 ingo voting: Secure and coercion-free voting using a trusted random number generator. In mmar lkassar and Melanie Volkamer, editors, E-Voting and Identity, volume 4896 of Lecture Notes in Computer Science, pages Springer erlin / Heidelberg, Stéphanie Delaune, Steve Kremer, and Mark Ryan. Verifying privacy-type properties of electronic voting protocols. Journal of Computer Security, 17: , December tsushi Fujioka, Tatsuaki Okamoto, and Kazuo Ohta. practical secret voting scheme for large scale elections. In Jennifer Seberry and Yuliang Zheng, editors, dvances in Cryptology USCRYPT 92, volume 718 of Lecture Notes in Computer Science, pages Springer erlin / Heidelberg, 1992.

51 youngcheon Lee, Colin oyd, Ed Dawson, Kwangjo Kim, Jeongmo Yang, and Seungjae Yoo. Providing receipt-freeness in mixnet-based voting protocols. In Jong In Lim and Dong Hoon Lee, editors, Information Security and Cryptology - ICISC 2003, volume 2971 of Lecture Notes in Computer Science, pages Springer erlin / Heidelberg, Tatsuaki Okamoto. n electronic voting scheme. In Proceedings of the IFIP World Conference on IT Tools, pages 21 30, en Smyth and Veronique Cortier. ttacking and fixing helios: n analysis of ballot secrecy. Cryptology eprint rchive, Report 2010/625,

52 Coercion-Resistance: The formal definition Definition (Coercion-Resistance [?]) voting process respects Coercion-Resistance (CR) if there exists a closed plain process V such that for any C = νc 1.νc 2.(_ P) satisfying ñ fn(c) = and S [C [V {? /v} c 1,c 2 ] ] V { a /v}] l S [V { b /v} chc V { a /v} and for all votes a and c we have C [ V ] \out(chc, ) l V { a /v} and S [C [V {? /v} c 1,c 2 ] V { a /v}] l S [ C [ V ] V { b /v} ]

53 with ctive Collaboration: The formal definition Definition ( with ctive Collaboration) voting process respects with ctive Collaboration (VI-C) if there exists a closed plain process V such that for any C = νc 1.νc 2.(_ P) satisfying ñ fn(c) = and S [ C [V {? /v} c 1,c 2 ] V { a /v} V c 3,c 4 ] C [ ] l S V { b /v} chc V { a /v} V c 3,c 4 C and for all votes a and c we have C [V ] \out(chc, ) l V { a /v} S [ C [V {? /v} c 1,c 2 ] V { a /v} V c 3,c 4 ] C l S [ C [V ] V { b /v} V c 3,c 4 C ]

54 Definition (Process P ch [?]) Let P be a process and ch be a channel. We define P ch as follows: 0 ch ˆ= 0, (P Q) ch ˆ= P ch Q ch, (νn.p) ch ˆ= νn.out(ch, n).p ch when n is a name of base type, (νn.p) ch ˆ= νn.p ch otherwise, (in(u, x).p) ch ˆ= in(u, x).out(ch, x).p ch when x is a variable of base type, (in(u, x).p) ch ˆ= in(u, x).p ch otherwise, (out(u, M).P) ch ˆ= out(u, M).P ch, (!P) ch ˆ=!P ch, (if M = N then P else Q) ch ˆ= if M = N then P ch else Q ch.

55 Definition (Process P c 1,c 2 [?]) Let P be a process, c 1, c 2 channels. We define P c 1,c 2 0 c 1,c2 ˆ= 0, (P Q) c 1,c2 ˆ= P c 1,c 2 Q c 1,c 2, as follows: (νn.p) c 1,c2 ˆ= νn.out(c 1, n).p c 1,c 2 if n is a name of base type, (νn.p) c 1,c2 ˆ= νn.p c 1,c 2 otherwise, (in(u, x).p) c 1,c2 ˆ= in(u, x).out(c 1, x).p c 1,c 2 if x is a variable of base type & x is a fresh variable, (in(u, x).p) c 1,c2 ˆ= in(u, x).p c 1,c 2 otherwise, (out(u, M).P) c 1,c2 ˆ= in(c 2, x).out(u, x).p c 1,c 2, (!P) c 1,c2 ˆ=!P c 1,c 2, (if M = N then P else Q) c 1,c2 ˆ= in(c 2, x).if x = true then P c 1,c 2 else Q c 1,c 2 where x is a fresh variable and true is Jannik Dreier, a constant. Pascal Lafourcade, Yassine Lakhnech

56 Definition (Process \out(ch, ) [?]) Let be an extended process. We define the process \out(ch, ) as νch.(!in(ch, x)).

57 Definition (Equivalence in a Frame) Two terms M and N are equal in the frame φ, written (M = N)φ, if and only if φ νñ.σ, Mσ = Nσ, and {ñ} (fn(m) fn(n)) = for some names ñ and some substitution σ. Definition (Static Equivalence ( s )) Two closed frames φ and ψ are statically equivalent, written φ s ψ, when dom(φ) =dom(ψ) and when for all terms M and N (M = N)φ if and only if (M = N)ψ. Two extended processes and are statically equivalent ( s ) if their frames are statically equivalent.

58 Definition (Labelled isimilarity ( l )) Labelled bisimilarity is the largest symmetric relation R on closed extended processes, such that R implies 1 s, 2 if, then and R for some, 3 if α and fv(α) dom() and bn(α) fn() =, then α and R for some.

Vote-Independence: A Powerful Privacy Notion for Voting Protocols

Vote-Independence: A Powerful Privacy Notion for Voting Protocols Verimag Research Report n o TR-2011-8 April 19, 2011 Updated July 13, 2011 Reports are downloadable at the following address http://www-verimag.imag.fr