Type-based Verification of Electronic Voting Systems

Presentation transcript:

Type-based Verification of Electronic Voting Systems
Language-Based Security Master Seminar
Fabienne Eigner, Saarland University

Overview
- Motivation
- Civitas
- RCF
- Security Properties of E-Voting protocols

Why (Remote) E-Voting?
- fast
- convenient
- provably secure?

Why Type-based Verification?
- Necessary to prove correctness and security of a protocol
- By hand: error prone, tedious, ...
- Instead: build an abstract model
  - Calculi for modeling: Applied Pi, ProVerif, RCF
  - Prove properties on this model
- Why RCF? To reason about implementations (F#)
- Why types? Predictable termination behaviour and modularity; in particular good for recursive data structures like lists

Civitas, A Remote E-Voting Protocol
- Developed by Michael R. Clarkson, Stephen Chong and Andrew C. Myers in 2008 at Cornell University
- First implemented voting system that offers
  - Universal verifiability
  - Coercion resistance
- Relies heavily on zero-knowledge proofs

Civitas: Overview (diagram: voters Alice, Bob, Charlie, ... each cast a ballot for blue or red, every ballot accompanied by a zero-knowledge proof (ZK))

RCF (Refined Concurrent FPC)
- Developed by Bengtson, Bhargavan, Fournet, Gordon and Maffeis at Microsoft Research (2008)
- Fixpoint calculus FPC (Gunter, 1992) with concurrency and refinement types
- Tailored to reasoning about implementations
  - Similar to ML; F# can be (partially) encoded in RCF (see Gordon et al.)
- Extended with union and intersection types by Backes, Hrițcu, Maffei and Tarrach (2009)
  - Support for ZK
- Well-typed programs enforce authorization policies
- Can encode complex datatypes like lists/options, simple ones like bool, or complex functions (recursive and polymorphic)

RCF: Small Example
  A:      assume start(A,B,n)
  A → B:  {A,B,n}_{skA}
  B:      assert end(A,B,n)
  Policy: ∀id1,id2,n: start(id1,id2,n) ⇒ end(id1,id2,n)
  Some types:
    Tmsg := {a:Un * b:Un * n:Private | start(a,b,n)}
    skA: sk<Tmsg>
    sign function: (xsk: sk<Tmsg>) → (y: Tmsg) → Un
  Speaker notes: A really simple protocol to show what RCF is capable of and to demonstrate the syntax a little. RCF is modular: the different components, e.g. Alice and Bob, are type-checked independently. Hence we need to transfer the assumption that Alice made somehow to Bob; that's why we include it as a refinement in the message sent from A to B.

RCF: Small Example (continued, B's side)
  A:      assume start(A,B,n)
  A → B:  {A,B,n}_{skA}
  B:      assert end(A,B,n)
  Policy: ∀id1,id2,n: start(id1,id2,n) ⇒ end(id1,id2,n)
  Some types:
    Tmsg := {a:Un * b:Un * n:Private | start(a,b,n)}
    vkA: vk<Tmsg>
    check function: (xvk: vk<Tmsg>) → (y: Un) → Tmsg

RCF: Robust Safety
- Safety: A closed expression A is safe iff in all evaluations of A all assertions succeed.
- Opponent: An opponent is a closed expression which contains no assertions.
- Robust Safety: A closed expression A is robustly safe iff the application O A is safe for all opponents O.
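The two-party example and the safety notion above, as an added Python simulation that is not part of the slides: a global monitor records assumed facts and checks each assert against them and against the policy start(id1,id2,n) ⇒ end(id1,id2,n). The signature on the message is stood in for by an HMAC (so signing and verification use one key; the sk/vk split of the slide is an assumption simplified away here), and the encoding of (A,B,n) is constructed for this example. The third run shows what the refinement protects against: if B asserts end(...) on a message it did not check, the assert has no justifying assumption and fails.

```python
"""Assume/assert discipline of RCF, simulated on the slide's start/end protocol."""
import hashlib
import hmac
import os


class AssertionFailure(Exception):
    """Raised when an asserted fact is not entailed by the assumed facts."""


class Monitor:
    """Global log of assumed facts plus the one policy clause of the example."""

    def __init__(self):
        self.facts = set()

    def assume(self, fact):
        self.facts.add(fact)

    def entails(self, fact):
        if fact in self.facts:
            return True
        # policy: start(id1,id2,n) ⇒ end(id1,id2,n)
        return fact[0] == "end" and ("start",) + fact[1:] in self.facts

    def assert_(self, fact):
        if not self.entails(fact):
            raise AssertionFailure(fact)


def sign(sk: bytes, msg: bytes) -> bytes:
    # HMAC stands in for a signature with skA (assumption: one shared key).
    return hmac.new(sk, msg, hashlib.sha256).digest()


def check(vk: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(vk, msg), tag)


def encode(a: str, b: str, n: bytes) -> bytes:
    return f"{a}|{b}|{n.hex()}".encode()


def decode(raw: bytes):
    a, b, n_hex = raw.decode().split("|")
    return a, b, bytes.fromhex(n_hex)


def alice(mon: Monitor, sk_a: bytes):
    """A's side: the assumption is made before the message is signed."""
    n = os.urandom(16)
    mon.assume(("start", "A", "B", n))  # refinement start(a,b,n) of Tmsg
    msg = encode("A", "B", n)
    return msg, sign(sk_a, msg)


def bob(mon: Monitor, vk_a: bytes, msg: bytes, tag: bytes) -> str:
    """B's side: only a checked message has type Tmsg, so only then assert."""
    if not check(vk_a, msg, tag):
        return "fail"
    a, b, n = decode(msg)
    if b != "B":
        return "fail"
    mon.assert_(("end", a, b, n))  # justified via start(a,b,n) and the policy
    return "ok"


def run_honest() -> str:
    mon, key = Monitor(), os.urandom(32)
    msg, tag = alice(mon, key)
    return bob(mon, key, msg, tag)


def run_opponent() -> str:
    """An opponent without the key: check rejects, no assert is reached."""
    mon, key = Monitor(), os.urandom(32)
    alice(mon, key)  # honest A ran, but for a different nonce
    forged = encode("A", "B", os.urandom(16))  # constructed forgery
    return bob(mon, key, forged, os.urandom(32))


def run_unchecked_assert() -> str:
    """B asserting on an unchecked message: nothing entails end(A,B,n)."""
    mon = Monitor()
    a, b, n = decode(encode("A", "B", os.urandom(16)))
    try:
        mon.assert_(("end", a, b, n))
        return "ok"
    except AssertionFailure:
        return "assertion failed"


if __name__ == "__main__":
    print(run_honest(), run_opponent(), run_unchecked_assert())
```

Robust safety in this picture means: whatever the opponent feeds into `bob`, the only way to reach the assert is through `check`, and every message that passes `check` was produced by `alice` after her assume.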

Security Properties of E-Voting Protocols
- Eligibility, Non-Alterability
- Coercion-Resistance
- Receipt-Freeness
- Individual Verifiability
- Universal Verifiability
- Non-Reusability
- ...
Many of these properties are not yet formally defined.

Eligibility & Inalterability in RCF (diagram: voters Alice, Bob, Charlie, ... cast votes for blue or red)
  Voter (Alice):  assume Id(Alice); assume BeginVote(Alice,vote,pubcred)
  Tallier:        assert VoteOk(vote,pubcred)
  Policy:         assume ∀id,v,c: Id(id) ∧ BeginVote(id,v,c) ⇒ VoteOk(v,c)

Individual Verifiability in RCF (diagram: voters Alice, Bob, Charlie, ... cast votes for blue or red)
  Voter (Alice):  assume BeginVote(Alice,vote,pubcred); assert CountedVote(vote,pubcred)
  Tallier:        assume EndVote(vote,pubcred)
  Policy:         assume ∀v,c: EndVote(v,c) ⇒ CountedVote(v,c)

Non-Reusability in RCF (diagram: voters Alice, Bob, Charlie, ... cast votes for blue or red; the tallier checks uniqueness of pubcred)
  Voter (Alice):  assume BeginVote(Alice,vote,pubcred); assert CountedVote(vote,pubcred)
  Tallier:        assume EndVote(vote,pubcred)
  Policy:         assume ∀v,c: EndVote(v,c) ⇒ CountedVote(v,c)
- Each voter can cast at most one valid vote
- For each public credential pubcred there should be only one EndVote(vote,pubcred)
- Idea: pubcred should be of linear type; additionally the list of public credentials needs a refinement stating that all of its elements are different
- New type system for linear types needed!

My model of Civitas
So far:
- One registration tallier
- Several voters
- One tabulation tallier
- One ballot box
- Bulletin board
- All participants are honest
To do:
- Several (dishonest) tabulation talliers
- Several (dishonest) registration talliers
- Coerced voters
- Multiple ballot boxes

Goals of the Thesis and Future Work
- Faithful, implementation-based model of Civitas in the functional RCF calculus
- Formal definition of previously undefined properties such as
  - Individual Verifiability
  - Non-Reusability
- Novel type system and application of the existing type system to show these properties for the model of Civitas

Literature
- Civitas: Toward a Secure Voting System. M. Clarkson, S. Chong, A. Myers. 2008
- Refinement Types for Secure Implementations. J. Bengtson, K. Bhargavan, C. Fournet, A. Gordon, and S. Maffeis. 2008
- Type-checking Implementations of Protocols Based on Zero-knowledge Proofs. M. Backes, C. Hrițcu, M. Maffei, T. Tarrach. 2009

Thank you!

RCF: Syntax
  a, b, c   names
  x, y, z   variables
  h ::=     constructor
    inl, inr     for sum types
    fold         for recursive types
  M, N ::=  value
    a                  name
    z                  variable
    ()                 unit
    λx:T.A             function
    (M,N)              pair
    h M                construction
    Λα.A               polymorphic value
  A, B ::=  expression
    M                                value
    M N                              function application
    M T                              type instantiation
    if M = N then A else B           equality check
    let x = A in B                   let
    let (x,y) = M in A               pair split
    match M with h x then A else B   constructor match
    for α in T;U do A                introduce intersection types
    case x = M in A                  eliminate union types
    (new a:T) A                      restriction
    A | B                            fork
    a!M                              transmission of M on channel a
    a?                               receive message on channel a
    assume C / assert C
  Speaker notes: give the intuition of what inl, inr and fold are good for (for types like options, lists etc.).

Properties: Eligibility & Inalterability
Only eligible voters are allowed to vote and no one can change a cast vote.
Formal definition (on traces): A trace t guarantees eligibility and inalterability if and only if the following condition holds: for any t1, t2, v, c such that t = t1 :: okVote(v,c) :: t2, there exist t', t'', t''', id such that
  t1 = t' :: Id(id) :: t'' :: BeginVote(id,v,c) :: t''', and
  t' :: t'' :: t''' :: t2 guarantees eligibility and inalterability.

RCF: Type System
- Type system used to enforce authorization policies on an RCF program
- Allows refinement types, e.g. Teven = {x: int | x even}
- Rules for subtyping (e.g. Teven <: int) and kinding
- Two kinds: tainted and public
  - tainted: everything that might come from an attacker
  - public: everything that might be known to the attacker
- Example of a type that is neither tainted nor public: private

Properties: (Individual) Verifiability
At the end of the election, each voter can verify that his or her vote has been counted.
Formal definition (on traces): A trace t guarantees verifiability if and only if the following condition holds: for any t1, t2, v, c such that t = t1 :: CountedVote(v,c) :: t2, there exist t', t'' such that
  t1 = t' :: EndVote(v,c) :: t'', and
  t' :: t'' :: t2 guarantees verifiability.

RCF: Small Example (the two columns of the slide are A's and B's processes, run in parallel)

  typedef mtype = {(a:un * b:un) * n:priv | start(b,n)}

  let A = mkUn() in
  let B = mkUn() in
  let dkB = mkDK<mtype> () in          (* B's decryption key *)
  let ekB = mkEK<mtype> dkB in         (* matching encryption key *)
  (new c: un);                         (* public channel *)
  (                                    (* A's side *)
    let n = mkPriv() in
    assume start(B,n) in               (* justifies the refinement start(b,n) of mtype *)
    let mess = ((A,B),n) in
    let ctext = encrypt<mtype> ekB mess in
    c!ctext
  ) | (                                (* B's side, type-checked independently *)
    let ctext1 = c? in
    let mess1 = decrypt<mtype> dkB ctext1 in   (* mess1 : mtype, so start(id2,n1) is known *)
    let (ids,n1) = mess1 in
    let (id1,id2) = ids in
    if id2 = B then (assert start(B,n1); Qsuccess) else Qfail
  )

(B names the received nonce n1; the assert is placed in the branch where id2 = B, since only there does start(id2,n1) give start(B,n1).)

Properties: Non-Reusability
- Each voter can cast at most one valid vote
- For each public credential pubcred there should be only one EndVote(vote,pubcred)
- Idea: pubcred should be of linear type; additionally the list of public credentials needs a refinement stating that all of its elements are different
- New type system for linear types needed!
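The three trace-based properties (eligibility and inalterability, verifiability, non-reusability), as an added Python checker that is not part of the thesis or the slides. It implements the recursive definitions literally: each okVote (or CountedVote) must be matched with earlier witness events, and the trace with those events removed must again satisfy the property, so one BeginVote cannot justify two okVotes. The event names follow the slides; the traces are constructed sample inputs, and the backtracking over candidate witnesses is a choice of this example.

```python
"""Trace checkers for the e-voting properties defined on the slides."""
from typing import List, Tuple

Event = Tuple[str, ...]  # e.g. ("Id","alice"), ("BeginVote","alice","blue","c1")


def _without(t: List[Event], *idx: int) -> List[Event]:
    """Return t with the events at the given positions removed."""
    drop = set(idx)
    return [e for k, e in enumerate(t) if k not in drop]


def guarantees_eligibility_inalterability(t: List[Event]) -> bool:
    """t = t1 :: okVote(v,c) :: t2 needs Id(id) before BeginVote(id,v,c) in t1,
    and the trace without those three events must satisfy the property."""
    for k, e in enumerate(t):
        if e[0] != "okVote":
            continue
        _, v, c = e
        witnesses = [
            (i, j)
            for j in range(k)
            if t[j][0] == "BeginVote" and t[j][2:] == (v, c)
            for i in range(j)
            if t[i] == ("Id", t[j][1])
        ]
        if not any(guarantees_eligibility_inalterability(_without(t, i, j, k))
                   for i, j in witnesses):
            return False
    return True


def guarantees_verifiability(t: List[Event]) -> bool:
    """Every CountedVote(v,c) needs an earlier EndVote(v,c); recurse without both."""
    for k, e in enumerate(t):
        if e[0] != "CountedVote":
            continue
        _, v, c = e
        witnesses = [j for j in range(k) if t[j] == ("EndVote", v, c)]
        if not any(guarantees_verifiability(_without(t, j, k)) for j in witnesses):
            return False
    return True


def guarantees_non_reusability(t: List[Event]) -> bool:
    """At most one EndVote per public credential."""
    seen = set()
    for e in t:
        if e[0] == "EndVote":
            if e[2] in seen:
                return False
            seen.add(e[2])
    return True


def check_all(t: List[Event]) -> dict:
    return {
        "eligibility_inalterability": guarantees_eligibility_inalterability(t),
        "verifiability": guarantees_verifiability(t),
        "non_reusability": guarantees_non_reusability(t),
    }


# Constructed sample traces (not from the page).
GOOD = [("Id", "alice"), ("BeginVote", "alice", "blue", "c1"),
        ("okVote", "blue", "c1"), ("EndVote", "blue", "c1"),
        ("CountedVote", "blue", "c1")]
ALTERED = [("Id", "alice"), ("BeginVote", "alice", "blue", "c1"),
           ("okVote", "red", "c1")]               # vote changed in transit
REPLAYED = [("Id", "alice"), ("BeginVote", "alice", "blue", "c1"),
            ("okVote", "blue", "c1"), ("okVote", "blue", "c1")]  # one BeginVote, two okVotes
DOUBLE_END = [("EndVote", "blue", "c1"), ("EndVote", "red", "c1")]  # credential reused
PHANTOM = [("CountedVote", "blue", "c1")]         # counted but never cast

if __name__ == "__main__":
    for name, trace in [("GOOD", GOOD), ("ALTERED", ALTERED), ("REPLAYED", REPLAYED),
                        ("DOUBLE_END", DOUBLE_END), ("PHANTOM", PHANTOM)]:
        print(name, check_all(trace))
```

Note that REPLAYED fails eligibility and inalterability precisely because of the recursion in the definition: the second okVote finds no BeginVote left once the first one has consumed it.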

Civitas: Registration Phase (diagram)
  Voter → Registration tallier i:  "Hi, I'm Alice"
  Registration tallier i → Voter:  (cred_i, DVRP_i)
  Published:                       {cred_i, r_i}_{ek_TT}
  cred = cred_1 × ... × cred_n

Civitas: Voting Phase (diagram)
  Voter → Ballot box:  {vote, r'}_{ek_TT}, {cred, r''}_{ek_TT}, ZK_v1, ZK_v2

Civitas: Tallying Phase (diagram)
  Ballot box → Bulletin board:  commit_{sk_BBox}(ballots)
  Tabulation talliers (TT) jointly, for all ballots:
  - eliminate invalid proofs
  - eliminate duplicates
  - mix and re-encrypt
  - eliminate invalid creds (against the public credentials)
  - decrypt ballots
  Output: results