Formal validation of security protocols: Scytl's electronic voting for Switzerland

Formal validation of security protocols: Scytl's electronic voting for Switzerland
Formal Methods and Cyber-Security seminar, LAAS, Tuesday 31 January 2017, Toulouse
Mathieu Turuani, LORIA - INRIA, Nancy, France
M.Turuani (INRIA-Nancy) Scytl Voting Prot. September 8, 2016 1 / 17

Two paradigms
Voter's point of view:
- Trust the client: open source, self-made (!)
- No trust in the Ballot Box or the Tally
- Example: Helios / Belenios
Authority's point of view:
- Almost no trust in the client: virus, Trojan, etc.
- Strong confidence in the servers: audited, protected...
- Example: the Scytl voting protocol
Both face the same security concerns:
- Is my vote confidential?
- Is my vote counted in the result?
- Is the result no more than the real votes?

Context
Scytl's needs:
- Push their electronic voting protocol through the validation process of the Swiss federal authorities;
- Proofs by formal methods are required.
The ProVerif tool:
- Proves security for an unbounded number of sessions, using over-approximations;
- Allows checking observational equivalence;
- Local expertise is available to overcome the expected tool limitations.
Security against the Dolev-Yao intruder:
- Active intruder who can read/write on all public channels;
- May use all the deduction methods defined in the model.

Initialization: Scytl's voting protocol (protocol diagram)

Initialization data
Each client receives:
- the election public key (PKe);
- a private/public key pair (Sk/Pk);
- a Return Code for each candidate (RC1, RC2, ...);
- a Confirmation Code (CC) and a Finalization Code (FC).
The Ballot Box receives:
- the election public key (PKe);
- the private audit key (Ska);
- for each voter, the set of Reference Values (RF), i.e. the hashes of all Return Codes of all candidates;
- the public FC verification key (Pks).

Sketch of the voting scheme (message-flow diagram)

Server's and voter's precautions
The server checks:
- PKe was used to create the ballot B (verife);
- the voter has not already voted (no ballot stored for this Id);
- the voting options match the return codes (verifp);
- the return codes / voting options are valid (lookup in RF);
- the confirmation code is valid against FC (verifs).
The voter checks:
- the ballot stored in the box contains all his choices (the returned RCs match his card);
- why can it not contain more? Because every unused position is filled with a blank voting option, which has a return code of its own;
- the submitted ballot was accepted (FC matches his card).
If something goes wrong: the voter calls the hotline or uses the paper vote.
Note: no electronic re-vote is allowed, because of FC.

Algebraic properties (ProVerif equational theory)
Verify an encryption:
  verife(pkey, enc(pkey, m, r)) = true
Verify a signature:
  verifs(pub(skey), m, sign(skey, m)) = true
Verify the zero-knowledge proof:
  verifp(PKe, Pk, C, w(skid, C), W1, W2, .., P) = true
  verifp(PKe, Pk, C, enc(PKe, phi(W1, W2, ..)), W1, W2, .., P) = true
  ...
with C = enc(PKe, phi(v1, v2, ..)), Wi = w(Sk, vi) and P = zkp(PKe, Pk, C, w(skid, C), W1, W2, .., Sk).
But: neither the commutativity inside phi(..) nor the exponentiation w(sk, v) = v^Sk can be modeled in ProVerif; the results that follow are relative to this abstracted theory.

Computing the results (tally diagram)

Verifiability properties: Cast-as-Intended
For any voter, even with a corrupted voting device: if the ballot is accepted by the server, then it contains exactly the choices intended by the voter.
Modeled as a ProVerif query:
  HasVoted(Id, B, FC) ==> Confirmed(Id, J1, .., Jk)
    & B contains the ciphertext C
    & C contains the voting options V1, .., Vk
    & {V1, .., Vk} = {v(J1), .., v(Jk)}
Events:
- HasVoted: when the server accepts a ballot;
- Confirmed: when the voter confirms his vote.

Attack found (attack trace diagram)
Problem: lack of thread synchronization. The "has this Id already voted?" table tests are not enough: two submissions for the same Id can both pass the test before either ballot is stored.

Cast-as-intended corrected
Input material:
- no thread synchronization in the protocol description;
- no information about the server's implementation.
Issued recommendation #1: the Ballot Box's implementation must guarantee that two different ballots b1 ≠ b2 cannot be recorded for the same Id.
With the corrected model and property, we get:
Cast-as-intended: assuming recommendation #1 is fulfilled, the Scytl voting protocol validates cast-as-intended against the Dolev-Yao intruder.
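The race behind the attack, and what recommendation #1 changes, as an added illustration in Python that is neither part of the slides nor Scytl's code. A ballot box whose "already voted?" test and insertion are separate steps is compared with one where both form a single atomic step; the generator-based scheduler, the ballot box API and the two sample ballots are constructed for this example. The honest ballot b1 is the one whose Return Codes the voter will check; b2 is a second ballot a corrupted device submits for the same Id at the same time.

```python
import threading


class NaiveBallotBox:
    """Ballot Box whose 'already voted?' test and insertion are separate steps
    (constructed model of the behaviour the ProVerif analysis found exploitable)."""

    def __init__(self):
        self.table = {}                     # voter Id -> list of recorded ballots

    def has_ballot(self, voter_id):
        return voter_id in self.table

    def store(self, voter_id, ballot):
        self.table.setdefault(voter_id, []).append(ballot)


class SynchronizedBallotBox(NaiveBallotBox):
    """Recommendation #1: test and insertion are one atomic step, so two different
    ballots can never be recorded for the same Id."""

    def __init__(self):
        super().__init__()
        self.lock = threading.Lock()        # real request threads serialize on this lock

    def store_if_absent(self, voter_id, ballot):
        with self.lock:
            if voter_id in self.table:
                return False
            self.table[voter_id] = [ballot]
            return True


def naive_handler(box, voter_id, ballot):
    """One request, written as a generator: 'yield' marks the point where the server
    may switch to another request (after the table test, before the insert)."""
    if box.has_ballot(voter_id):
        return "rejected"
    yield
    box.store(voter_id, ballot)
    return "accepted"


def synchronized_handler(box, voter_id, ballot):
    yield                                   # same switch point, but test+insert are atomic
    return "accepted" if box.store_if_absent(voter_id, ballot) else "rejected"


def run_interleaved(requests):
    """Round-robin scheduler: advances every pending request by one step in turn."""
    results, pending = {}, dict(requests)
    while pending:
        for name, gen in list(pending.items()):
            try:
                next(gen)
            except StopIteration as done:
                results[name] = done.value
                del pending[name]
    return results


HONEST = {"choices": ["alice", "blank-1"]}  # constructed: the ballot whose RCs the voter checks
FORGED = {"choices": ["bob", "carol"]}      # constructed: injected by the corrupted device


def race(box_cls, handler):
    """Submit both ballots concurrently for the same Id; return (verdicts, stored ballots)."""
    box = box_cls()
    verdicts = run_interleaved({"b1": handler(box, "voter-42", HONEST),
                                "b2": handler(box, "voter-42", FORGED)})
    return verdicts, box.table.get("voter-42", [])


if __name__ == "__main__":
    print("naive       :", race(NaiveBallotBox, naive_handler))
    print("synchronized:", race(SynchronizedBallotBox, synchronized_handler))
```

With the naive box both requests are accepted and two ballots end up recorded for voter-42: the voter sees the Return Codes of b1, confirms, and FC covers whatever the tally reads, which is exactly the cast-as-intended violation. With the synchronized box b2 is rejected, which is the behaviour recommendation #1 asks the implementation to guarantee.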

Verifiability properties: Tallied-as-Cast
For any voter, even with a corrupted voting device: if the voter accepts the server's Finalization Code, then her ballot recorded in the server will be accepted by the tally and it contains her intended voting choices.
Modeled as a ProVerif query:
  HappyUser(Id, J1, .., Jk) ==> HasVoted(Id, B, FC)
    & B contains the ciphertext C
    & C contains the voting options V1, .., Vk
    & {V1, .., Vk} = {v(J1), .., v(Jk)}
    & all the Tally's checks on B are satisfied
Event:
- HappyUser: when the voter finishes successfully.

Privacy property: Ballot Privacy
For any voter whose voting device was not corrupted: no one can learn more about his voting options than what can be learned from the election result.

Difficulties with the privacy property
Problem: ProVerif cannot handle such a generic Tally:
- the number of incoming ballots is unknown;
- the size of the mix-net is unknown.
External result: use the result of M. Arapinis, V. Cortier and S. Kremer that three voters are enough for privacy properties.
Privacy: the Scytl voting protocol validates Ballot Privacy against the Dolev-Yao intruder.
Note: all results hold for an unbounded number of voting options and voters, and a bounded number of choices per voter.

Consequences of voter's mistakes
What if the voter votes for one choice twice?
- The ballot would be invalid;
- The corrupted device can silently make it valid by voting for more candidates.
What if the voter votes for fewer choices?
- The ballot might be valid;
- The corrupted device can silently add more candidates to the ballot.
Issued recommendations #2 & #3: the voter must be aware that he
- must fill his choices with blank options, all different;
- must check the Return Codes of the blank options as well.

Conclusion
Questions?
"Qu'est-ce qu'un bon système de vote?" (What makes a good voting system?) by Véronique Cortier, on Blog Binaire, Le Monde.fr
http://binaire.blog.lemonde.fr/2015/01/19/quest-ce-quun-bon-systeme-de-vote/