Performance modelling of a secure voting algorithm

Jeremy Bradley (Imperial College London), Stephen Gilmore (University of Edinburgh), Nigel Thomas (Newcastle University)


Post on 13-Jan-2016



Contents

• Motivation
• Fujioka (FOO) voting scheme
• PEPA
• The model
• Results
• Conclusions


Motivation

• To analyse systems using time based metrics derived from stochastic models.

• To use e-voting as a case study for our analysis.

• To investigate the scalability of the FOO scheme and the analysis techniques.

• Use stochastic process algebra for both correctness and performance analysis.

• To consider performance based attacks against this (and other) e-voting schemes.


Fujioka (FOO) scheme

Consists of

– 3 (possibly 4) classes of entity
  • Voters
  • Administrator
  • Teller (collector & counter)

– 6 phases:
  • Preparation (voters)
  • Administration (administrator)
  • Voting (voters)
  • Collecting (counter)
  • Opening (voters)
  • Counting (counter)


Communication

[Diagram: message flow between Voter i, the Administrator and the Collector / Counter]

1. Prepared ballot
2. Signed
3. Publish (multicast)
4. Vote - via anonymous channel
5. Revelation (or appeal?) – via anonymous channel


PEPA

• PEPA is a Markovian process algebra.
• Interaction of components which engage, singly or multiply in activities.
• Each component may be atomic or composed of other components.
• Each activity a = ( , r) has a type and a rate r.
• Each activity is exponentially distributed with rate r or passive with distinguished rate T.
• A model in PEPA specifies a continuous time Markov chain.


PEPA constructs


Experiment 1

• Use “traditional” modelling and analysis to derive the steady state distribution.
  – System is modelled cyclically (infinitely repeated elections).
  – Solve simultaneous equations to find the average proportion of time spent in each “state”.
  – From this we can derive metrics such as average number of completed votes and average time for a voter to complete a vote.

• Model parameters were derived from an implementation of the FOO scheme (by Oliver Davis).
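
The steady-state calculation described in Experiment 1, as an added example that is not part of the original slides and is not the authors' PEPA model. It assumes a chain in which N voters alternate between preparing a ballot and queueing for a single administrator; the function names and the rates `prep_rate` and `sign_rate` are constructed for illustration, not the parameters measured from the implementation.

```python
# Added illustration, not the authors' PEPA model. Assumption: N voters cycle
# between preparing a ballot and queueing for one administrator to sign it.
# The rates are constructed, not the parameters measured for the slides.

def generator(n_voters, prep_rate, sign_rate):
    """Generator matrix Q; state k = ballots queued at the administrator."""
    size = n_voters + 1
    q = [[0.0] * size for _ in range(size)]
    for k in range(size):
        if k < n_voters:                  # another voter submits a ballot
            q[k][k + 1] = (n_voters - k) * prep_rate
        if k > 0:                         # administrator signs one ballot
            q[k][k - 1] = sign_rate
        q[k][k] = -sum(q[k])              # rows of a generator sum to zero
    return q

def steady_state(q):
    """Solve pi Q = 0 with sum(pi) = 1 by Gauss-Jordan elimination."""
    n = len(q)
    # Row i of the transpose is the balance equation for state i; the last
    # (redundant) one is replaced by the normalisation condition.
    a = [[q[j][i] for j in range(n)] + [0.0] for i in range(n)]
    a[-1] = [1.0] * n + [1.0]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(n):
            if r != col:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [a[i][n] / a[i][i] for i in range(n)]

def metrics(n_voters, prep_rate=1.0, sign_rate=5.0):
    """Administrator utilisation, votes completed per time unit, time per vote."""
    pi = steady_state(generator(n_voters, prep_rate, sign_rate))
    utilisation = 1.0 - pi[0]             # administrator busy unless queue empty
    throughput = sign_rate * utilisation  # completed votes per time unit
    cycle_time = n_voters / throughput    # Little's law over the closed cycle
    return utilisation, throughput, cycle_time

if __name__ == "__main__":
    for n in (1, 5, 20, 50):
        u, x, t = metrics(n)
        print(f"N={n:2d} admin busy={u:.3f} votes/unit={x:.3f} time/vote={t:.2f}")
```

With these constructed rates the administrator's utilisation approaches 1 as N grows and the time per vote then rises roughly in proportion to N, which is the kind of saturation a steady-state analysis exposes.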


Experiment 2

• Uses tools from computational biology to analyse very large models.
  – Uses a continuous state approximation.
  – The model concerns a single election.
  – Each “solution” is a single trace of a simulated election.
  – Within a trace we count the number of components performing each behaviour.
• Same parameters used as in experiment 1.


Conclusions

• Using PEPA it is possible to accurately depict the behaviour of a complex e-voting scheme.
  – Using traditional analysis techniques (even with approximation), this leads to state space problems.
  – Using novel techniques it is possible to analyse models of O(10^10000) states.

• The analysis shows the Administrator has scalability issues and may be vulnerable to a denial of service type attack – multiple administrator versions of the scheme have been proposed.


Questions and Comments

• Is this style of analysis of any use or interest to this community?

• What measures should we be deriving?