Posted on 17-Nov-2020

4 Views

Category:

Documents

0 Downloads

Preview:

Click to see full reader

TRANSCRIPT

Formal Verification of Selene with the Tamarin prover (E-Vote-ID - PhD Colloquium)

Marie-Laure Zollinger

Université du Luxembourg

October 2, 2018

Marie-Laure Zollinger Formal Verification of Selene with the Tamarin prover 1 / 18

Outline

1 Introduction

2 Formal verification with Tamarin-prover

3 Selene e-voting protocol

4 Formal model for Selene

5 Work in progress


Introduction (1/2)

A [voting] protocol consists of a set of rules that determine the exchange of messages between participants. A security protocol, e.g. a voting protocol, uses cryptography to achieve security goals (authentication, secrecy, ...).

Voting protocols

Use advanced cryptographic primitives: homomorphic encryption, zero-knowledge proofs, commitment schemes, threshold cryptography

Designed with respect to security properties: ballot secrecy, receipt-freeness, coercion-resistance, end-to-end (e2e) verifiability


Introduction (2/2)

Formal verification

Tools to create a security proof of a protocol. ⇒ ProVerif, DEEPSEC, Tamarin, ...

Constraints of the tool:

Unbounded number of sessions

False attacks detection

Limited number of cryptographic primitives

⇒ The Selene e-voting protocol uses plenty of cryptographic primitives, which does not allow us to model a complete version of the protocol.

⇒ New Tamarin extensions might allow us to go further in the automated verification of voting protocols.


Tamarin - Definitions

Tamarin and term rewriting

Term rewriting is a formalism used for representing messages and protocols in Tamarin. Tamarin uses labeled multiset rewriting rules (id, l, a, r), written id : l --[ a ]-> r, where l, a, r are multisets of facts: l and r are consumed and produced respectively, while a is recorded in the trace and used to specify properties of the model.

Example: setup rule for the voter's key

rule setup: [ Fr(vk) ] --> [ Out(pk(vk)), St_V('voter', pk(vk), vk) ]

Equational theory

An equational theory E is a set of equations of the form t = t′, for t, t′ terms built using functions and variables for a given environment.

Example: symmetric encryption

dec(enc(m, k), k) = m


Tamarin - Attacker model

The adversary can:

Control the network

read, intercept, send messages

apply composition and decomposition rules with available keys

Be a participant of the protocol

⇒ Dolev-Yao

Adversary Knowledge and Deduction

Fr(x) ⇒ K(x)

Out(x) ⇒ K(x)

K(x) ⇒ In(x)

K(t1), ···, K(tk) ⇒ K(f(t1, ···, tk))


Tamarin - Security properties in voting

Privacy properties

Ballot-Secrecy: the protocol must not reveal the voter’s choice.

Receipt-Freeness: the protocol must not reveal the voter's choice even when the voter reveals private information.

Coercion-Resistance: the protocol must not reveal the voter's choice even when the voter follows the adversary's instructions.

Verifiability properties

Individual Verifiability: Cast-as-intended, Recorded-as-cast

Universal Verifiability: Tallied-as-recorded


Tamarin - Automated verification

Specify a property with traces

The semantics of a protocol P is a set of traces traces(P). A security property φ is also defined by a set of traces traces(φ). Attack traces: traces(φ_attack) = traces(P) \ traces(φ). Traces are specified with the actions given on rules.

Specify a property with observational equivalence

Two systems appear the same to the environment. ⇒ Privacy as indistinguishability with the diff(·, ·) operator. ⇒ A trace for observational equivalence is created automatically.

Example: define two values for the voter's vote and check whether the adversary can distinguish the two executions: diff('candA', 'candB')


Selene [Ryan et al. (2016)] - Overview

Selene lets the voter verify that her vote has been taken into account, using a tracking number.

1 The voter casts a vote online

2 After the election outcome has been published, the voter receives a tracking number and is able to verify that her vote is correct.


3 In case of coercion, the voter can pick another tracker related to the candidate the coercer asked her to vote for.


Selene - Cryptographic primitives

Homomorphic encryption

Transcryption

→ α-terms are shared between t Tellers: $\alpha_i = \prod_{j \in [1,t]} \alpha_{i,j}$.

→ Commitments $C_i$ are published on the bulletin board before the election starts.


Selene - Against Coercion

$\mathrm{Enc}_{PK}(t_i) = (\alpha_i, C_i) \;\Rightarrow\; t_i = \dfrac{C_i}{\alpha_i^{sk}}$

$t_j = \dfrac{C_i}{\alpha_{fake}^{sk}} \;\Leftrightarrow\; \alpha_{fake} = \left(\dfrac{C_i}{t_j}\right)^{sk^{-1}}$
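The algebra on this slide can be checked concretely. The following Python is an added worked example, not code from the talk or from the Selene authors: it models the commitment as a plain ElGamal-style product C_i = t_i · pk^r over a small constructed safe-prime group (the modulus, the generator 4, the key and the tellers' randomness are all constructed toy values), splits the α-term into two teller shares as on slide 10, opens the tracker with the trapdoor key, and computes α_fake for another tracker exactly as the equivalence states. The transcryption step listed on slide 10 is not modelled.

```python
from __future__ import annotations

# Added example: toy arithmetic model of Selene's tracker commitments
# (slides 10 and 11). All group parameters and secrets below are constructed
# toy values for illustration and are far too small for real use.


def is_prime(n: int) -> bool:
    """Deterministic trial division; adequate for the ~25-bit toy modulus."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def find_safe_prime(start: int) -> tuple[int, int]:
    """Return (p, q) with p = 2q + 1 and both prime, searching upward from start."""
    q = max(start // 2, 2)
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1, q


P, Q = find_safe_prime(1 << 24)
G = 4  # a quadratic residue, so it generates the order-q subgroup of Z_p^*


def keygen(sk: int) -> int:
    """Voter's trapdoor key pair: pk = g^sk with sk in [1, q-1]."""
    return pow(G, sk, P)


def encode_tracker(n: int) -> int:
    """Map a tracker number into the order-q subgroup so every ratio stays inside it."""
    return pow(G, n, P)


def teller_share(r_j: int) -> int:
    """Teller j's share alpha_{i,j} = g^{r_j} of the alpha-term."""
    return pow(G, r_j, P)


def combine_shares(shares) -> int:
    """alpha_i = prod_j alpha_{i,j}: the product over the t tellers (slide 10)."""
    alpha = 1
    for s in shares:
        alpha = alpha * s % P
    return alpha


def commit_tracker(t: int, pk: int, r_shares: tuple[int, ...]) -> tuple[int, int]:
    """Build C_i = t_i * pk^r with r the sum of the tellers' randomness.
    Returns (C_i, alpha_i); only C_i goes on the bulletin board."""
    r = sum(r_shares) % Q
    c = t * pow(pk, r, P) % P
    alpha = combine_shares(teller_share(r_j) for r_j in r_shares)
    return c, alpha


def open_tracker(c: int, alpha: int, sk: int) -> int:
    """t_i = C_i / alpha_i^{sk} (slide 11)."""
    return c * pow(pow(alpha, sk, P), -1, P) % P


def fake_alpha(c: int, t_j: int, sk: int) -> int:
    """alpha_fake = (C_i / t_j)^{sk^{-1} mod q}; opening C_i with it yields t_j."""
    sk_inv = pow(sk, -1, Q)
    return pow(c * pow(t_j, -1, P) % P, sk_inv, P)


def coercion_demo() -> dict[str, bool]:
    """Constructed scenario: the voter's real tracker is 42, the coercer demands 7."""
    sk = 123457                                    # toy secret key (constructed)
    pk = keygen(sk)
    t_real, t_demanded = encode_tracker(42), encode_tracker(7)
    c, alpha = commit_tracker(t_real, pk, (101, 202))  # two tellers' randomness
    a_fake = fake_alpha(c, t_demanded, sk)
    return {
        "opens_to_real": open_tracker(c, alpha, sk) == t_real,
        "one_share_insufficient": open_tracker(c, teller_share(101), sk) != t_real,
        "fake_opens_to_demanded": open_tracker(c, a_fake, sk) == t_demanded,
        "fake_term_differs": a_fake != alpha,
    }


if __name__ == "__main__":
    print(coercion_demo())
```

Running the block prints four True values: the real α-term opens the commitment to the voter's tracker, a single teller's share does not, and the fake α-term computed with the trapdoor opens the same public C_i to the tracker the coercer demanded. Since exponents live modulo q, sk^{-1} · sk ≡ 1 makes α_fake^{sk} = C_i / t_j, which is exactly why the equivalence on the slide holds.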


Formal Model for Selene

Bruni et al. (2017) proposed a formal model of a simplified version of Selene (no distributed trust and additional trust assumptions). They proved Vote-Privacy and Receipt-Freeness of the protocol. They described an equational theory for the commitments used in Selene.

Equational Theory

open(commit(t, r, pk(sk)), r, sk) = t

commit(t2, fake(t1, r, sk, t2), pk(sk)) = commit(t1, r, pk(sk))

open(commit(t1, r, pk(sk)), fake(t1, r, sk, t2), sk) = t2

fake(t2, fake(t1, r, sk, t2), sk, t3) = fake(t1, r, sk, t3)
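To see what these equations let a symbolic reasoner derive, here is an added example in Python; it is neither the talk's Tamarin model nor code from Bruni et al. It is a small term-rewriting engine that orients the four equations left to right and normalises terms. Variables are marked with a leading '?'; the atoms t1, t2, t3, r and sk are constructed. The coercion scenario at the end shows that the fake randomness opens the published commitment to any chosen tracker while staying consistent with that commitment, that chaining two fakes collapses to one (the fourth equation), and that a fake built with a different secret key does not match the commitment, because repeated variables in a pattern must bind to the same term.

```python
# Added example: a minimal term-rewriting engine for the Selene commitment
# equations of slide 12 (not the talk's Tamarin model, not Bruni et al.'s code).
# Terms: a str starting with '?' is a variable, any other str is an atom,
# and a function application is a tuple (symbol, arg1, ..., argn).


def match(pattern, term, subst):
    """Syntactic matching. A variable occurring twice must bind to the same term."""
    if isinstance(pattern, str) and pattern.startswith("?"):
        if pattern in subst:
            return subst[pattern] == term
        subst[pattern] = term
        return True
    if isinstance(pattern, str) or isinstance(term, str):
        return pattern == term
    if pattern[0] != term[0] or len(pattern) != len(term):
        return False
    return all(match(p, t, subst) for p, t in zip(pattern[1:], term[1:]))


def substitute(term, subst):
    """Instantiate the variables of a right-hand side."""
    if isinstance(term, str):
        return subst.get(term, term)
    return (term[0],) + tuple(substitute(a, subst) for a in term[1:])


def rewrite_step(term, rules):
    """One innermost-first rewrite; returns (term, changed)."""
    if isinstance(term, tuple):
        new_args, changed = [], False
        for a in term[1:]:
            na, ch = rewrite_step(a, rules)
            new_args.append(na)
            changed = changed or ch
        if changed:
            return (term[0],) + tuple(new_args), True
    for lhs, rhs in rules:
        subst = {}
        if match(lhs, term, subst):
            return substitute(rhs, subst), True
    return term, False


def normalize(term, rules, limit=1000):
    """Rewrite until no rule applies; the limit guards against a non-terminating theory."""
    for _ in range(limit):
        term, changed = rewrite_step(term, rules)
        if not changed:
            return term
    raise RuntimeError("no normal form within limit")


def pk(sk):
    return ("pk", sk)


def commit(t, r, key):
    return ("commit", t, r, key)


def open_(c, r, sk):
    return ("open", c, r, sk)


def fake(t1, r, sk, t2):
    return ("fake", t1, r, sk, t2)


# The four equations of slide 12, oriented left to right.
SELENE_RULES = [
    (open_(commit("?t", "?r", pk("?sk")), "?r", "?sk"), "?t"),
    (commit("?t2", fake("?t1", "?r", "?sk", "?t2"), pk("?sk")),
     commit("?t1", "?r", pk("?sk"))),
    (open_(commit("?t1", "?r", pk("?sk")), fake("?t1", "?r", "?sk", "?t2"), "?sk"), "?t2"),
    (fake("?t2", fake("?t1", "?r", "?sk", "?t2"), "?sk", "?t3"),
     fake("?t1", "?r", "?sk", "?t3")),
]


def coercion_scenario():
    """Constructed terms: real tracker t1 committed under the voter's key sk."""
    c = commit("t1", "r", pk("sk"))        # published commitment
    r_fake = fake("t1", "r", "sk", "t2")   # fake opening towards tracker t2
    nf = lambda term: normalize(term, SELENE_RULES)
    return {
        "honest_open": nf(open_(c, "r", "sk")),
        "fake_open": nf(open_(c, r_fake, "sk")),
        "fake_consistent_with_c": nf(commit("t2", r_fake, pk("sk"))) == c,
        "other_key_consistent_with_c": nf(commit("t2", fake("t1", "r", "other", "t2"), pk("sk"))) == c,
        "double_fake_open": nf(open_(c, fake("t2", r_fake, "sk", "t3"), "sk")),
    }


if __name__ == "__main__":
    print(coercion_scenario())
```

The matcher is purely syntactic (no associativity or commutativity), which is enough for these four equations; the XOR theory on slide 14 would need matching modulo AC and cancellation, which Tamarin provides as a builtin.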


Formal Model - New ideas

Our goal

1 Propose a formal model with distributed trust for α-terms.

2 Check security properties such as Vote-Privacy, Receipt-Freeness, Verifiability.

First step: describe the protocol as a labeled transition system using rewriting rules.

⇒ Define states and relations for each participant at every step of the protocol

· Participants: voter 1, voter 2, election authority (EA), teller 1, teller 2

· Current trust assumptions: the protocol is honest except for the attacker, one coerced voter and one coerced teller

Current implementation inspired by the existing model [Bruni et al. (2017)]


Formal Model - Distributed Trust

XOR operation ⊕ [Dreier et al. (2018)]

A new equational theory defined by the following equations:

x ⊕ x = 0    x ⊕ (y ⊕ z) = (x ⊕ y) ⊕ z    x ⊕ 0 = x

x ⊕ y = y ⊕ x    x ⊕ x ⊕ y = y

Idea: use this operation to model distributed trust on the α-terms.

⇒ The random term in the commitment equation can be built from 2 terms.

Fr(r1), Fr(r2), EA_0(t, pkV) ⇒ commit(t, r1 ⊕ r2, pkV)

where r1 and r2 are the α-terms shared between Tellers.


Formal Model - Rules with 2 voters, 2 tellers, 1 EA

Setup generates the keys and initiates all participants.

EA1 generates trackers and shuffles them.

T1 creates and posts commitments from trackers, with 2 α-terms.

V1 creates and sends votes.

EA2 receives votes.

EA_sync shuffles and posts votes.

T2 sends α-terms to voters.

V2 receives the α-term and opens the tracker.


Formal Model - Security properties

Ballot Secrecy

Indistinguishability between instances with swapped votes with diff operator.

Receipt-Freeness

Output secret information to the adversary: vote, tracker, α-terms

Voter 1 is coerced and fakes the tracker. Voter 2 is the adversary or colludes with the adversary, and outputs his real data. Teller 1 is coerced and outputs his α-term.

Individual Verifiability

lemma ind_verif:
  "All id vote1 vote2 t #i #j.
     Vote(id, vote1)@i & Lookup(id, t, vote2)@j
     ==> vote1 = vote2 & #i < #j"
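The eight rule groups of slide 15 and this lemma can be exercised together on a toy trace. The following Python is an added example, not the talk's Tamarin model: it simulates one run with 2 voters, 2 tellers and 1 EA, models the commitment abstractly as tracker ⊕ r1 ⊕ r2 (the two tellers' shares, as on slide 14), records the action facts Vote(id, vote) and Lookup(id, t, vote) with their timepoints, and then checks the ind_verif lemma over the trace the way the trace semantics of slide 8 defines it: every pair of matching Vote and Lookup facts must agree on the vote and be ordered correctly. A second, constructed run with a tampered bulletin board yields a trace outside traces(φ), i.e. an attack trace in the sense of slide 8. Voter ids, candidates and tracker ranges are constructed.

```python
import random

# Added example (not the talk's Tamarin model): a toy run of the slide-15 rule
# groups for 2 voters, 2 tellers and 1 EA, recorded as a Tamarin-style trace of
# action facts, plus a checker for the ind_verif lemma of slide 16.
# Commitments are modelled abstractly as tracker XOR r1 XOR r2, the two tellers'
# shares standing in for slide 14's r1 (+) r2. All values are constructed.


def run_election(votes, seed=0, tamper_board=False):
    """Simulate one run and return its trace as a list of (timepoint, fact, args).

    votes: dict voter_id -> candidate. With tamper_board=True the posted
    (tracker, vote) pairs are rotated between voters, producing a constructed
    trace that the honest protocol rules could not generate."""
    rng = random.Random(seed)
    trace, clock = [], 0

    def act(fact, *args):
        nonlocal clock
        clock += 1                      # timepoint #i of the action fact
        trace.append((clock, fact, args))

    voters = list(votes)
    # Setup + EA1: fresh trackers, generated and shuffled by the EA
    trackers = rng.sample(range(1000, 10000), len(voters))
    rng.shuffle(trackers)
    assigned = dict(zip(voters, trackers))
    # T1: commitments from trackers with two alpha-term shares (teller 1, teller 2)
    shares = {v: (rng.getrandbits(16), rng.getrandbits(16)) for v in voters}
    board_commits = {v: assigned[v] ^ shares[v][0] ^ shares[v][1] for v in voters}
    # V1: voters cast their votes (action fact Vote(id, vote))
    for v in voters:
        act("Vote", v, votes[v])
    # EA2 + EA_sync: the EA receives the votes, shuffles and posts (tracker, vote) pairs
    order = voters[1:] + voters[:1] if tamper_board else voters
    posted = [(assigned[v], votes[w]) for v, w in zip(voters, order)]
    rng.shuffle(posted)
    board_votes = dict(posted)
    # T2 + V2: tellers release their shares, each voter opens her tracker and
    # looks it up on the board (action fact Lookup(id, tracker, vote))
    for v in voters:
        r1, r2 = shares[v]
        tracker = board_commits[v] ^ r1 ^ r2
        act("Lookup", v, tracker, board_votes[tracker])
    return trace


def ind_verif(trace):
    """Check  All id vote1 vote2 t #i #j.
         Vote(id, vote1)@i & Lookup(id, t, vote2)@j ==> vote1 = vote2 & #i < #j
    over a finite trace. Returns (holds, counterexamples)."""
    votes = [(i, a) for i, f, a in trace if f == "Vote"]
    lookups = [(j, a) for j, f, a in trace if f == "Lookup"]
    bad = []
    for i, (vid, vote1) in votes:
        for j, (lid, t, vote2) in lookups:
            if vid == lid and not (vote1 == vote2 and i < j):
                bad.append({"id": vid, "vote": vote1, "looked_up": vote2, "i": i, "j": j})
    return not bad, bad


def demo():
    """Honest run satisfies the lemma; the tampered run is an attack trace."""
    ballots = {"voter1": "candA", "voter2": "candB"}
    honest_ok, _ = ind_verif(run_election(ballots))
    tampered_ok, witnesses = ind_verif(run_election(ballots, tamper_board=True))
    return honest_ok, tampered_ok, len(witnesses)


if __name__ == "__main__":
    print(demo())
```

The checker quantifies over all Vote/Lookup pairs with the same id exactly as the lemma's universal quantifier does, so the witnesses it returns correspond to the instantiation Tamarin would show as a counterexample. The tampered run is only a constructed trace for illustration; in the Tamarin model the proof obligation is that no trace of the rules reaches such a state.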


Formal Model - Execution


Work in progress

Done so far...

Improved (but limited) model for Selene with distributed trust on α-terms to retrieve trackers.

Proofs for ballot-secrecy and individual verifiability

To be continued...

Proof for receipt-freeness

Model distributed trust on election keys and check security properties

Diffie-Hellman equational theory: for the tracker? 'g' ^ ~t

