Motivation Civitas RCF Security Properties of E-Voting protocols

1 Overview
- Motivation
- Civitas
- RCF
- Security Properties of E-Voting protocols

2 Why (Remote) E-Voting?
- fast
- convenient
- provably secure?

3 Why Type-based Verification?
- Necessary to prove correctness and security of protocol
- By hand: error prone, tedious, ...
- Instead:
  - Build abstract model
  - Prove properties on this model
- Calculi for modeling: Applied Pi, ProVerif, RCF
- Why RCF? To reason about implementations (F#)
- Why types? Predictable termination behaviour + modularity; in particular good for recursive data structures like lists

4 Civitas, A Remote E-Voting Protocol
- Developed by Michael R. Clarkson, Stephen Chong, Andrew C. Myers in 2008 at Cornell University
- First implemented voting system that offers universal verifiability and coercion resistance
- Relies heavily on zero-knowledge proofs

5 Civitas: Overview
[Figure: voters Alice, Bob, Charlie, ... and their votes (blue, red)]

6 Civitas: Registration Phase
[Figure: registration message exchange]
- "Hi, I'm Alice"
- (cred, DVRP)
- $\{cred, r_1\}_{ek_{TT}}$

7 Civitas: Voting Phase
[Figure: ballot sent by the voter]
$\{vote, r_2\}_{ek_{TT}},\ \{cred, r_3\}_{ek_{TT}},\ ZK_{v1},\ ZK_{v2}$

8 Civitas: Tallying Phase
[Figure labels: $commit_{sk_{BBox}}\ ballots$; ballots; ∀ballots; public credentials; results]
TT jointly:
- eliminate invalid proofs
- eliminate duplicates
- mix and re-encrypt
- eliminate invalid creds
- decrypt ballots

9 RCF (Refined concurrent FPC)
- Developed by Bengtson, Bhargavan, Fournet, Gordon, Maffeis at Microsoft Research (2008)
- Fixpoint calculus (Gunter, 1992) with concurrency + refinement types
- Tailored to reasoning about implementations
- Similar to ML; F# can be (partially) encoded in RCF (see Gordon et al.)
- Extended with Union and Intersection Types by Backes, Hrițcu, Maffei, Tarrach (2009): support for ZK
- Well-typed programs enforce authorization policies
- Can encode complex datatypes like lists/options, simple ones like bool, or complex functions (recursive and polymorphic)

10 RCF: Small Example
[Figure: message $\{A, B, n\}_{sk_A}$, annotated with assume start(A,B,n) and assert end(A,B,n)]
Notes: A really simple protocol to show what RCF is capable of and to demonstrate the syntax a little. RCF is modular: the different components, e.g. Alice and Bob, are type-checked independently. Hence the assumption that Alice made has to be transferred to Bob somehow, which is why it is included as a refinement in the message sent from A to B.
Some types:
- (A, B, n): {a:Un * b:Un * n:Private | start(a,b,n)} =: Tmsg
- skA: sk<Tmsg>
- sign function: (xsk: sk<Tmsg>) → (y: Tmsg) → {z:Un | signed(xsk,y,z)}

11 Security Properties of E-Voting Protocols
- Eligibility, Non-Alterability
- Coercion-Resistance
- Receipt-Freeness
- Resistance to randomization attacks
- Individual Verifiability
- Universal Verifiability
- Non-Reusability
A lot of these properties are not yet formally defined.

12 RCF: Robust Safety
- Safety: A closed expression A is safe iff in all evaluations of A, all assertions succeed
- Opponent: An opponent is a closed expression which contains no assertions
- Robust Safety: A closed expression A is robustly safe iff the application O A is safe for all opponents O
Notes: there exists a type system; public, private; kinding to pub or tnt; refinement types

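13 Eligibility & Inalterability in RCF
[Figure: voters Alice, Bob, Charlie, ... and their votes (blue, red), annotated as follows]
- assume Id(Alice)
- assume BeginVote(Alice,vote,pubcred)
- assert VoteOk(vote,pubcred)
- assume $\forall id, v, c:\ \mathit{Id}(id) \wedge \mathit{BeginVote}(id,v,c) \Rightarrow \mathit{VoteOk}(v,c)$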

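14 Individual Verifiability in RCF
[Figure: voters Alice, Bob, Charlie, ... and their votes (blue, red), annotated as follows]
- assume BeginVote(Alice,vote,pubcred)
- assume EndVote(vote,pubcred)
- assert CountedVote(vote,pubcred)
- assume $\forall v, c:\ \mathit{EndVote}(v,c) \Rightarrow \mathit{CountedVote}(v,c)$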

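15 Non-Reusability in RCF
[Figure: voters Alice, Bob, Charlie, ... and their votes (blue, red), annotated as follows]
- assume BeginVote(Alice,vote,pubcred)
- assume EndVote(vote,pubcred)
- check uniqueness of pubcred
- assert CountedVote(vote,pubcred)
- assume $\forall v, c:\ \mathit{EndVote}(v,c) \Rightarrow \mathit{CountedVote}(v,c)$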

16 Properties: Non-Reusability
- Each voter can cast at most one valid vote
- For each public credential pubcred there should be only one EndVote(vote,pubcred)
- Idea: pubcred should be of linear type
- Additionally, the list of public credentials needs a refinement stating that all of its elements are different
- New type system for linear types needed!

17 My model of Civitas
So far:
- one registration tallier
- several voters
- one tabulation tallier
- one ballot box
- bulletin board
- all participants are honest
To do:
- several (dishonest) tabulation talliers
- coerced voters
- multiple ballot boxes

18 Goals of the Thesis and Future Work
- Faithful, implementation-based model of Civitas in the functional RCF calculus
- Give a formal definition of previously undefined properties such as Individual Verifiability and Non-Reusability
- Use the existing type system and develop a new type system to prove these properties for the model of Civitas

19 Literature

20 Thank you!

21 RCF: Syntax
a, b, c                               names
x, y, z                               variables
h ::=                                 constructor
    inl, inr                          for sum type
    fold                              for recursive type
M, N ::=                              value
    a                                 name
    z                                 variable
    ()                                unit
    λx:T.A                            function
    (M,N)                             pair
    h M                               construction
    Λα.A                              polymorphic value
A, B ::=                              expression
    M                                 value
    M N                               function application
    M<T>                              type instantiation
    if M = N then A else B            equality check
    let x = A in B                    let
    let (x,y) = M in A                pair split
    match M with h x then A else B    constructor match
    for α in T;U do A                 intro intersection types
    case x = M in A                   eliminate union types
    (new a:T) A                       restriction
    A | B                             fork
    a!M                               transmission of M on channel a
    a?                                receive message on channel a
    assume C / assert C
Notes: intuition of what inl, inr, fold are good for (types like options, lists, etc.)

22 Properties: Eligibility & Inalterability
Only eligible voters are allowed to vote and no one can change a cast vote.
Formal definition (on traces): A trace t guarantees eligibility and inalterability if and only if the following condition holds:
for any t1, t2, v, c such that t = t1 :: okVote(v,c) :: t2, there exist t', t'', t''', id such that
- t1 = t' :: Id(id) :: t'' :: BeginVote(id,v,c) :: t'''
- t' :: t'' :: t''' :: t2 guarantees eligibility and inalterability

23 RCF: Type System
- Type system used to enforce authorization policies on RCF programs
- Allows refinement types, e.g. Teven = {x: int | x even}
- Rules for subtyping (e.g. Teven <: int) and kinding
- Two kinds: tainted and public
  - tainted: everything that might come from an attacker
  - public: everything that might be known to the attacker
- Example for a type that is neither tainted nor public: private

24 Properties: (Individual) Verifiability
At the end of the election, each voter can verify that his or her vote has been counted.
Formal definition (on traces): A trace t guarantees verifiability if and only if the following condition holds:
for any t1, t2, v, c such that t = t1 :: CountedVote(v,c) :: t2, there exist t', t'' such that
- t1 = t' :: EndVote(v,c) :: t''
- t' :: t'' :: t2 guarantees verifiability
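The two trace definitions on slides 22 and 24 can be run directly as a recursive checker; the following is an added example, not code from the presentation or from Civitas. The tuple encoding of events, the function names and the sample traces are assumptions constructed for illustration; the event names follow the slides.

```python
from functools import lru_cache

# Events are tuples named as on the slides (constructed sample traces below).
GOAL = {"eligibility": "okVote", "verifiability": "CountedVote"}

def _consume(t1, v, c, prop):
    """Yield t1 with the required earlier events removed, one result per possible choice."""
    if prop == "verifiability":
        # t1 = t' :: EndVote(v,c) :: t''
        for i, e in enumerate(t1):
            if e == ("EndVote", v, c):
                yield t1[:i] + t1[i + 1:]
    else:
        # t1 = t' :: Id(id) :: t'' :: BeginVote(id,v,c) :: t'''
        for j, b in enumerate(t1):
            if b[0] == "BeginVote" and b[2:] == (v, c):
                for i in range(j):
                    if t1[i] == ("Id", b[1]):
                        yield t1[:i] + t1[i + 1:j] + t1[j + 1:]

@lru_cache(maxsize=None)
def guarantees(trace, prop):
    """True iff every goal event can consume its own premises and the rest still holds."""
    for k, e in enumerate(trace):
        if e[0] == GOAL[prop]:
            _, v, c = e
            t1, t2 = trace[:k], trace[k + 1:]
            if not any(guarantees(rest + t2, prop) for rest in _consume(t1, v, c, prop)):
                return False
    return True

ID, BEGIN = ("Id", "alice"), ("BeginVote", "alice", "blue", "c1")
OK, END, COUNTED = ("okVote", "blue", "c1"), ("EndVote", "blue", "c1"), ("CountedVote", "blue", "c1")

HONEST = (ID, BEGIN, OK, END, COUNTED)
ALTERED = (ID, BEGIN, ("okVote", "red", "c1"))   # accepted vote differs from the cast one
REPLAYED = (ID, BEGIN, OK, OK)                   # one BeginVote, two accepted votes
UNREGISTERED = (BEGIN, OK)                       # no Id(alice) before BeginVote
DOUBLE_COUNT = (END, COUNTED, COUNTED)           # one EndVote counted twice

if __name__ == "__main__":
    for name in ("HONEST", "ALTERED", "REPLAYED", "UNREGISTERED", "DOUBLE_COUNT"):
        t = globals()[name]
        print(name, guarantees(t, "eligibility"), guarantees(t, "verifiability"))
```

Because each matched premise is removed before the rest of the trace is checked, the correspondence is one-to-one: REPLAYED and DOUBLE_COUNT fail even though a matching BeginVote or EndVote exists.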

25 RCF: Small Example
    let A = mkUn() in
    let B = mkUn() in
    let dkB = mkDK<mtype> () in
    let ekB = mkEK<mtype> dkB in
    (new c: un);
    ( (* sender *)
      let n = mkPriv() in
      assume start(B,n) in
      let mess = ((A,B),n) in
      let ctext = encrypt<mtype> ekB mess in
      c!ctext;
    | (* receiver *)
      let ctext1 = c? in
      let mess1 = decrypt<mtype> dkB ctext1 in
      let (ids,n1) = mess1 in
      let (id1,id2) = ids in
      assert start(B,n);
      if id2 = B then Qsuccess else Qfail )

    typedef mtype = {(a:un * b:un) * n:priv | start(b,n)}

