Validation formelle de protocoles de sécurité: le vote électronique de Scytl pour la Suisse Méthodes formelles et Cyber-Sécurité LAAS, Mardi 31 Janvier 2017, Toulouse Mathieu Turuani LORIA - INRIA, Nancy, France M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 1 / 17
Two Paradigms Voter point of view Trust client : Open Source, Self-made (!) No trust in the Ballot Box or Tally Example : Helios / Benelios Authority point of view Almost no trust in client : Virus, Trojan, etc... Strong confidence in the Servers : audited, protected... Example : Scytl voting protocol The same security concerns Is my vote confidential? Is my vote counted in the result? Is the result no more than the real votes? M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 2 / 17
Context Scytl s needs : Push their electronic voting protocol into the validation process of the Federal authorities of Switzerland; Need proofs by formal methods. ProVerif tool : Proves security for unbounded number of sessions, using over approximations; Allows to check for observational equivalence. Local expertise available to overcome the expected tool limitations. Security v.s. the Dolev-Yao intruder : Active intruder who can read/write on all public channels; May uses all the deduction methods defined in the model. M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 3 / 17
Initialization : Scytl s voting protocol M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 4 / 17
Initialization Data Each client receives : Election Public key (PKe); Private/Public Key pair (Sk/Pk); Return Code for each candidate (RC1,RC2,...); Confirmation Code (CC) & Finalization Code (FC); The Ballot Box receives : The election Public Key (Pke); Private audit Key (Ska); For each voter, set of Reference Values (RF) i.e. all hashed Return Codes for all candidates. Public FC verification key (Pks); M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 5 / 17
Initialization Data Each client receives : Election Public key (PKe); Private/Public Key pair (Sk/Pk); Return Code for each candidate (RC1,RC2,...); Confirmation Code (CC) & Finalization Code (FC); The Ballot Box receives : The election Public Key (Pke); Private audit Key (Ska); For each voter, set of Reference Values (RF) i.e. all hashed Return Codes for all candidates. Public FC verification key (Pks); M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 5 / 17
Sketch of the voting Scheme M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 6 / 17
Server & Voter s precautions The server checks : Pke was used to create the ballot B (verife); The voter did not already vote (no ballot stored for him); The voting options matches the return codes (verifp); The return codes / voting options are valid (RF ); The confirmation code in valid v.s. FC (verifs). The voter checks : The ballot stored in the box contains all his choices (RC); Why no more? Uses many voting options for blank choices; The submitted ballot was accepted (FC). If something goes wrong : Voter calls hotline / use paper vote. Note: No electronic revote allowed due to FC. M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 7 / 17
Algebraic Properties Verify an Encryption : Verify a Signature : verife(pkey, enc(pkey, m, r)) = verifs(pub(skey), m, sign(skey, m)) = Verify the Zero-knowledge Proof : verifp(pke, Pk, C, w(skid, C), W 1, W 2,.., P) = verifp(pke, Pk, C, enc(pke, phi(w 1, W 2,..)), W 1, W 2,.., P) =... with C = enc(pke, phi(v1, v2,..)) and Wi = w(sk, vi) and P = zkp(pke, Pk, C, w(skid, C), W 1, W 2,.., Sk) But : cannot model commutativity inside phi(..) or w(sk, v) = v Sk. M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 8 / 17
Algebraic Properties Verify an Encryption : Verify a Signature : verife(pkey, enc(pkey, m, r)) = verifs(pub(skey), m, sign(skey, m)) = Verify the Zero-knowledge Proof : verifp(pke, Pk, C, w(skid, C), W 1, W 2,.., P) = verifp(pke, Pk, C, enc(pke, phi(w 1, W 2,..)), W 1, W 2,.., P) =... with C = enc(pke, phi(v1, v2,..)) and Wi = w(sk, vi) and P = zkp(pke, Pk, C, w(skid, C), W 1, W 2,.., Sk) But : cannot model commutativity inside phi(..) or w(sk, v) = v Sk. M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 8 / 17
Algebraic Properties Verify an Encryption : Verify a Signature : verife(pkey, enc(pkey, m, r)) = verifs(pub(skey), m, sign(skey, m)) = Verify the Zero-knowledge Proof : verifp(pke, Pk, C, w(skid, C), W 1, W 2,.., P) = verifp(pke, Pk, C, enc(pke, phi(w 1, W 2,..)), W 1, W 2,.., P) =... with C = enc(pke, phi(v1, v2,..)) and Wi = w(sk, vi) and P = zkp(pke, Pk, C, w(skid, C), W 1, W 2,.., Sk) But : cannot model commutativity inside phi(..) or w(sk, v) = v Sk. M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 8 / 17
Computes the results M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 9 / 17
Verifiability Properties Cast-as-Intended For any voter, even with corrupted voting device : if the ballot is accepted by the server, then it contains exactly the choices intended by the voter. Modeled as a ProVerif query : HasVoted(Id, B, FC) Confirmed(Id, J 1,..J k ) & B contains cipher text C & C contains voting opt. V 1..V k & {V 1..V k } = {v(j 1 )..v(j k )} Events HasVoted : when the server accepts a ballot; Confirmed : when the voter confirms his vote. M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 10 / 17
Attack found Pb : Lack of thread synchronization, table tests not enough. M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 11 / 17
Cast-as-intended corrected Input material : No thread synchronization in the protocol description; No information about the server s implementation. Issued recommendation #1 The Ballot Box s implementation must guaranty that two different ballots b 1 b 2 cannot be recorded for the same Id. With corrected model & prop, we get : Cast-as-intended Assuming recommendation #1 is fulfilled, the Scytl s voting protocol validates Cast-as-intended v.s. the Dolev-Yao intruder. M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 12 / 17
Verifiability Properties Tallied-as-Cast For any voter, even with corrupted voting device : if the voter accepts the server s Finalization Code, then her ballot recorded in the server will be accepted by the tally and it contains her intended voting choices. Modeled as a ProVerif query : HappyUser(Id, J 1,..J k ) HasVoted(Id, B, FC) & B contains cipher text C & C contains voting opt. V 1..V k & {V 1..V k } = {v(j 1 )..v(j k )} & All the Tally s checks are satisfied HappyUser : when the voter finishes successfully; M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 13 / 17
Privacy property Ballot Privacy For any voter which voting device was not corrupted : no one can learn other information his voting options that what can be learned from the election result. M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 14 / 17
Difficulties with the Privacy property Problem : ProVerif cannot allow a Tally so generic Number of incoming ballots unknown; Size of the mix-net unknown. External result Use result by M. Arapinis, V. Cortier, S. Kremer : Three voters are enough for privacy properties. Privacy The Scytl s voting protocol validates Ballot Privacy v.s. the Dolev-Yao intruder. Note : All results for unbounded number of voting options and voters, and limited number of voter choices. M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 15 / 17
Consequences of voter s mistakes What if the voter votes for one choice twice? The ballot would be invalid; The corrupted device can silently make it valid by voting for more candidates. What if the voter votes for less choices? The ballot might be valid; The corrupted device can silently add more candidates in the ballot. Issued recommendation #2 & #3 The voter must be aware that he : must fill his choices with blank options, all different; must check the Return Codes also of the blank options. M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 16 / 17
Conclusion Questions? Qu est-ce qu un bon système de vote? by Véronique Cortier, on Blog Binaire, Le Monde.fr http://binaire.blog.lemonde.fr/2015/01/19/ quest-ce-quun-bon-systeme-de-vote/ M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 17 / 17