Type-based Verification of Electronic Voting Systems

1 Type-based Verification of Electronic Voting Systems
Language-Based Security Master Seminar
Fabienne Eigner, Saarland University

2 Overview
- Motivation
- Civitas
- RCF
- Security Properties of E-Voting protocols

3 Why (Remote) E-Voting?
- fast
- convenient
- provably secure?

4 Why Type-based Verification?
- It is necessary to prove the correctness and security of a protocol. By hand this is error prone, tedious, ...
- Instead: build an abstract model (calculi for modeling: Applied Pi, ProVerif, RCF) and prove the properties on this model.
- Why RCF? To reason about implementations (F#).
- Why types? Predictable termination behaviour and modularity; in particular well suited to recursive data structures like lists.

5 Civitas, A Remote E-Voting Protocol
- Developed by Michael R. Clarkson, Stephen Chong and Andrew C. Myers in 2008 at Cornell University
- First implemented voting system that offers both universal verifiability and coercion resistance
- Relies heavily on zero-knowledge proofs

6 Civitas: Overview
[figure: voters Alice, Bob, Charlie, ... submit their ballots (blue/red), each accompanied by zero-knowledge proofs (ZK)]

7 RCF (Refined Concurrent FPC)
- Developed by Bengtson, Bhargavan, Fournet, Gordon and Maffeis at Microsoft Research (2008)
- The fixpoint calculus FPC (Gunter, 1992) with concurrency and refinement types
- Tailored to reasoning about implementations: similar to ML; F# can be (partially) encoded in RCF (see Gordon et al.)
- Extended with union and intersection types, and with support for zero-knowledge proofs, by Backes, Hrițcu, Maffei and Tarrach (2009)
- Well-typed programs enforce authorization policies
- Can encode complex datatypes like lists and options, simple ones like bool, and functions (recursive and polymorphic)

8 RCF: Small Example (signer side)
A → B: {A, B, n}_skA
A: assume start(A,B,n)
B: assert end(A,B,n)
Policy: ∀ id1, id2, n: start(id1,id2,n) ⇒ end(id1,id2,n)
Some types:
Tmsg := {a:Un * b:Un * n:Private | start(a,b,n)}
skA: sk<Tmsg>
sign function: (xsk: sk<Tmsg>) → (y: Tmsg) → Un
Notes: A really simple protocol to show what RCF is capable of and to demonstrate the syntax a little. RCF is modular: the different components, e.g. Alice and Bob, are type-checked independently. Hence we need to transfer the assumption that Alice made to Bob somehow; that is why we include it as a refinement in the message sent from A to B.

9 RCF: Small Example (verifier side)
Same protocol and policy as on the previous slide: A → B: {A, B, n}_skA with assume start(A,B,n) at A, assert end(A,B,n) at B, and ∀ id1, id2, n: start(id1,id2,n) ⇒ end(id1,id2,n).
Some types:
Tmsg := {a:Un * b:Un * n:Private | start(a,b,n)}
vkA: vk<Tmsg>
check function: (xvk: vk<Tmsg>) → (y: Un) → Tmsg

10 RCF: Robust Safety
Safety: A closed expression A is safe iff in all evaluations of A, all assertions succeed.
Opponent: An opponent is a closed expression which contains no assertions.
Robust Safety: A closed expression A is robustly safe iff the application O A is safe for all opponents O.
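The protocol of slides 8 to 10 run as an executable model. This is an added example, not code from the slides, from RCF or from F#: assume/assert are recorded as events of a run, the policy start(id1,id2,n) ⇒ end(id1,id2,n) is the only rule that justifies an assertion, and the signed message {A,B,n}_skA is modelled with an HMAC tag. The shared MAC key standing in for the asymmetric sk/vk pair, and the names Run, safe, entailed, sign, check, alice, bob and opponent_message, are this example's own assumptions. The refinement on Tmsg ("start(a,b,n) holds for the value being signed") is checked at sign time here, where the RCF type checker would discharge it statically; robust safety is exercised by delivering an opponent's forgery to Bob with and without the signature check.

```python
"""Model of the RCF 'small example' of slides 8 to 10 (added example).

assume/assert are recorded as events of a Run; the policy
  forall id1,id2,n. start(id1,id2,n) => end(id1,id2,n)
is the only rule that justifies an assertion.  The signed message
{A,B,n}_skA is modelled with an HMAC tag (assumption: RCF uses an
asymmetric sk/vk pair; a shared MAC key is a stand-in that keeps the
example inside the standard library).  The refinement on Tmsg,
"start(a,b,n) holds for the value being signed", is checked at sign
time here; the type checker would discharge it statically."""
import hashlib
import hmac
import secrets


class Run:
    """The assume/assert events of one execution, in order."""

    def __init__(self):
        self.events = []

    def assume(self, fact):
        self.events.append(("assume", fact))

    def assert_(self, fact):
        self.events.append(("assert", fact))

    def assumed(self):
        return {f for kind, f in self.events if kind == "assume"}


def entailed(fact, assumed):
    """end(a,b,n) follows from start(a,b,n); any other fact only if assumed."""
    return fact in assumed or (fact[0] == "end" and ("start",) + fact[1:] in assumed)


def safe(run):
    """Slide 10: safe iff every assertion is entailed by the assumptions made before it."""
    known = set()
    for kind, fact in run.events:
        if kind == "assume":
            known.add(fact)
        elif not entailed(fact, known):
            return False
    return True


def encode(a, b, n):
    return f"{a}|{b}|{n.hex()}".encode()


def decode(body):
    a, b, n = body.decode().split("|")
    return a, b, bytes.fromhex(n)


def sign(run, key, a, b, n):
    """sign : sk<Tmsg> -> Tmsg -> Un.  A caller that has not assumed
    start(a,b,n) has no value of type Tmsg; here that is a TypeError."""
    if ("start", a, b, n) not in run.assumed():
        raise TypeError("refinement start(a,b,n) of Tmsg not established")
    body = encode(a, b, n)
    return body, hmac.new(key, body, hashlib.sha256).digest()


def check(key, msg):
    """check : vk<Tmsg> -> Un -> Tmsg.  A verified tag is the only evidence
    that start(a,b,n) was assumed by the signer."""
    body, tag = msg
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return decode(body)


def alice(run, key, a, b):
    n = secrets.token_bytes(16)            # n : Private
    run.assume(("start", a, b, n))
    return sign(run, key, a, b, n)


def bob(run, key, msg, verify=True):
    """verify=False is the broken variant that trusts the body without the check."""
    m = check(key, msg) if verify else decode(msg[0])
    if m is None:
        return False                       # rejected, no assertion reached
    run.assert_(("end",) + m)
    return True


def opponent_message(a, b):
    """Slide 10's opponent: no assertions and no key, so only a garbage tag."""
    return encode(a, b, secrets.token_bytes(16)), secrets.token_bytes(32)


def honest_run():
    run, key = Run(), secrets.token_bytes(32)
    bob(run, key, alice(run, key, "A", "B"))
    return safe(run)


def attacked_run(verify):
    """Alice's message is dropped; the opponent's forgery is delivered instead."""
    run, key = Run(), secrets.token_bytes(32)
    alice(run, key, "A", "B")
    bob(run, key, opponent_message("A", "B"), verify=verify)
    return safe(run)
```

honest_run() is safe; attacked_run(True) is safe because Bob rejects the forgery before reaching the assertion, which is the robust-safety case; attacked_run(False) is unsafe, since Bob asserts end(A,B,n') for a nonce nobody assumed start for. Calling sign without the preceding assume raises, which is the runtime counterpart of the sender failing to type-check against Tmsg.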

11 Security Properties of E-Voting Protocols
- Eligibility, Non-Alterability
- Coercion-Resistance
- Receipt-Freeness
- Individual Verifiability
- Universal Verifiability
- Non-Reusability
Many of these properties are not yet formally defined.

12 Eligibility & Inalterability in RCF
[figure: voters Alice, Bob, Charlie, ... cast ballots (blue/red); on the tallying side the received ballot is checked with assert VoteOk(vote,pubcred)]
Voter side: assume Id(Alice); assume BeginVote(Alice,vote,pubcred)
Policy: assume ∀ id, v, c: Id(id) ∧ BeginVote(id,v,c) ⇒ VoteOk(v,c)
Tallier side: assert VoteOk(vote,pubcred)

13 Individual Verifiability in RCF
[figure: voters Alice, Bob, Charlie, ... cast ballots (blue/red); the tallying side records each counted ballot with assume EndVote(vote,pubcred)]
Voter side: assume BeginVote(Alice,vote,pubcred); after the election, assert CountedVote(vote,pubcred)
Tallier side: assume EndVote(vote,pubcred)
Policy: assume ∀ v, c: EndVote(v,c) ⇒ CountedVote(v,c)

14 Non-Reusability in RCF
[figure: as on slide 13 (assume BeginVote(Alice,vote,pubcred), assume EndVote(vote,pubcred), assert CountedVote(vote,pubcred), policy ∀ v, c: EndVote(v,c) ⇒ CountedVote(v,c)), with an additional check on the uniqueness of pubcred]
- Each voter can cast at most one valid vote
- For each public credential pubcred there should be only one EndVote(vote,pubcred)
- Idea: pubcred should be of linear type; additionally the list of public credentials needs a refinement stating that all of its elements are different
- A new type system for linear types is needed!

15 My model of Civitas
So far: one registration tallier, several voters, one tabulation tallier, one ballot box, a bulletin board; all participants are honest.
To do: several (dishonest) tabulation talliers, several (dishonest) registration talliers, coerced voters, multiple ballot boxes.

16 Goals of the Thesis and Future Work
- Faithful, implementation-based model of Civitas in the functional RCF calculus
- Formal definition of previously undefined properties such as individual verifiability and non-reusability
- Novel type system, and application of the existing type system, to show these properties for the model of Civitas

17 Literature
- Civitas: Toward a Secure Voting System. M. Clarkson, S. Chong, A. Myers. 2008
- Refinement Types for Secure Implementations. J. Bengtson, K. Bhargavan, C. Fournet, A. Gordon, S. Maffeis. 2008
- Type-checking Implementations of Protocols Based on Zero-knowledge Proofs. M. Backes, C. Hrițcu, M. Maffei, T. Tarrach. 2009

18 Thank you!

19 RCF: Syntax
a, b, c    names
x, y, z    variables
h ::=                              constructor
    inl, inr                       for sum types
    fold                           for recursive types
M, N ::=                           value
    a                              name
    z                              variable
    ()                             unit
    λx:T. A                        function
    (M, N)                         pair
    h M                            construction
    Λα. A                          polymorphic value
A, B ::=                           expression
    M                              value
    M N                            function application
    M⟨T⟩                           type instantiation
    if M = N then A else B         equality check
    let x = A in B                 let
    let (x, y) = M in A            pair split
    match M with h x then A else B constructor match
    for α in T; U do A             introduction of intersection types
    case x = M in A                elimination of union types
    (new a:T) A                    restriction
    A | B                          fork
    a!M                            transmission of M on channel a
    a?                             receive a message on channel a
    assume C / assert C
Notes: give the intuition for what inl, inr and fold are good for (types like options, lists, etc.).

20 Properties: Eligibility & Inalterability
Only eligible voters are allowed to vote, and no one can change a cast vote.
Formal definition (on traces): A trace t guarantees eligibility and inalterability if and only if the following condition holds: for any t1, t2, v, c such that
    t = t1 :: okVote(v,c) :: t2,
there exist t', t'', t''', id such that
    t1 = t' :: Id(id) :: t'' :: BeginVote(id,v,c) :: t''', and
    t' :: t'' :: t''' :: t2 guarantees eligibility and inalterability.

21 RCF: Type System
- The type system is used to enforce authorization policies on RCF programs
- Allows refinement types, e.g. Teven = {x: int | x even}
- Rules for subtyping (e.g. Teven <: int) and kinding
- Two kinds: tainted and public. Tainted: everything that might come from an attacker. Public: everything that might be known to the attacker
- Example of a type that is neither tainted nor public: Private

22 Properties: (Individual) Verifiability
At the end of the election, each voter can verify that his or her vote has been counted.
Formal definition (on traces): A trace t guarantees verifiability if and only if the following condition holds: for any t1, t2, v, c such that
    t = t1 :: CountedVote(v,c) :: t2,
there exist t', t'' such that
    t1 = t' :: EndVote(v,c) :: t'', and
    t' :: t'' :: t2 guarantees verifiability.

23 RCF: Small Example (encryption variant)
The message ((A,B),n) is sent encrypted under Bob's key; the refinement of mtype carries Alice's assumption to Bob, so Bob's assertion is on the components id2 and n1 he recovers by decryption (the slide's assert referred to n, which is not in scope on Bob's side).

    typedef mtype = {(a:un * b:un) * n:priv | start(b,n)}

    let A = mkUn() in
    let B = mkUn() in
    let dkB = mkDK<mtype> () in
    let ekB = mkEK<mtype> dkB in
    (new c: un);
    (* Alice *)
    ( let n = mkPriv() in
      assume start(B,n);
      let mess = ((A,B),n) in
      let ctext = encrypt<mtype> ekB mess in
      c!ctext )
    |
    (* Bob *)
    ( let ctext1 = c? in
      let mess1 = decrypt<mtype> dkB ctext1 in
      let (ids,n1) = mess1 in
      let (id1,id2) = ids in
      assert start(id2,n1);
      if id2 = B then Qsuccess else Qfail )

24 Properties: Non-Reusability
- Each voter can cast at most one valid vote
- For each public credential pubcred there should be only one EndVote(vote,pubcred)
- Idea: pubcred should be of linear type; additionally the list of public credentials needs a refinement stating that all of its elements are different
- A new type system for linear types is needed!
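The trace definitions of slides 20, 22 and 24 as executable checks, an added example that is not part of the slides. A trace is a list of events; an event is a tuple whose first element is the predicate name the slides use (Id, BeginVote, okVote, EndVote, CountedVote). The definitions remove the matching earlier events and recurse on what is left, so a second okVote for the same (vote, credential) needs a second BeginVote; the example shows that a replayed okVote is rejected for exactly that reason. The function names and the sample traces at the bottom are constructed for this example.

```python
"""Trace-based checks for the e-voting properties of slides 20, 22 and 24
(added example).  An event is a tuple ("Pred", arg1, arg2, ...)."""


def _without(trace, *idxs):
    """Copy of trace with the events at the given positions removed."""
    drop = set(idxs)
    return [e for k, e in enumerate(trace) if k not in drop]


def eligibility_inalterability(trace):
    """Slide 20: for t = t1 :: okVote(v,c) :: t2 there must be Id(id) and,
    later in t1, BeginVote(id,v,c); with those three events removed the
    rest of the trace must satisfy the property again."""
    i = next((k for k, e in enumerate(trace) if e[0] == "okVote"), None)
    if i is None:
        return True                      # no okVote left to justify
    _, v, c = trace[i]
    t1, t2 = trace[:i], trace[i + 1:]
    # Several (Id, BeginVote) pairs may match; the pair used here is gone for
    # later okVotes, so try each one (backtracking) before giving up.
    for j, e in enumerate(t1):
        if e[0] == "BeginVote" and e[2:] == (v, c):
            voter = e[1]
            for k in range(j):
                if t1[k] == ("Id", voter) and \
                        eligibility_inalterability(_without(t1, k, j) + t2):
                    return True
    return False


def individual_verifiability(trace):
    """Slide 22: every CountedVote(v,c) is preceded by an EndVote(v,c), and
    each EndVote vouches for exactly one CountedVote."""
    i = next((k for k, e in enumerate(trace) if e[0] == "CountedVote"), None)
    if i is None:
        return True
    _, v, c = trace[i]
    t1, t2 = trace[:i], trace[i + 1:]
    for j, e in enumerate(t1):
        if e == ("EndVote", v, c):       # all matches are identical; take the first
            return individual_verifiability(_without(t1, j) + t2)
    return False


def non_reusability(trace):
    """Slide 24: at most one EndVote per public credential."""
    seen = set()
    for e in trace:
        if e[0] == "EndVote":
            if e[2] in seen:
                return False
            seen.add(e[2])
    return True


# Constructed sample traces (not from the slides).
HONEST = [("Id", "Alice"), ("BeginVote", "Alice", "blue", "c1"),
          ("okVote", "blue", "c1"), ("EndVote", "blue", "c1"),
          ("CountedVote", "blue", "c1")]
NO_ID = [("BeginVote", "Mallory", "red", "c9"), ("okVote", "red", "c9")]
ALTERED = [("Id", "Alice"), ("BeginVote", "Alice", "blue", "c1"),
           ("okVote", "red", "c1")]
REPLAYED = HONEST[:3] + [("okVote", "blue", "c1")]
UNCOUNTED = [("CountedVote", "blue", "c1")]
REUSED = HONEST + [("EndVote", "red", "c1")]
```

HONEST satisfies all three properties. NO_ID fails eligibility (no Id for Mallory), ALTERED fails inalterability (the okVote names red where BeginVote named blue), REPLAYED fails because the single BeginVote is consumed by the first okVote, UNCOUNTED fails verifiability, and REUSED fails non-reusability because credential c1 appears in two EndVote events.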

25 Civitas: Registration Phase
[figure: Alice authenticates to registration tallier i ("Hi, I'm Alice") and receives her private credential share cred_i together with a designated-verifier re-encryption proof DVRP_i; the share's encryption {cred_i, r_i}_{ek_TT} under the tabulation talliers' key ek_TT is the public part]
Private credential: cred = cred_1 × … × cred_n

26 Civitas: Voting Phase
[figure: a ballot consists of ({vote, r'}_{ek_TT}, {cred, r''}_{ek_TT}, ZK_v1, ZK_v2): the vote and the credential, each encrypted under the tabulation talliers' key ek_TT with fresh randomness, together with two zero-knowledge proofs]

27 Civitas: Tallying Phase
[figure: the ballot box publishes commit_{sk_BBox}(ballots) over the ballots it received; the tabulation talliers (TT) jointly, for all ballots: eliminate invalid proofs, eliminate duplicates, mix and re-encrypt, eliminate invalid credentials (against the list of public credentials), decrypt the ballots; output: results]

