Protocoles de vote end-to-end Analyse de sécurité basée sur la simulation Olivier de Marneffe, Olivier Pereira, Jean-Jacques Quisquater Université catholique de Louvain, Belgium 19 mars 2008 Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 1
Voting systems What do we expect from a voting system? a tool to reflect the opinion of the voters accuracy vote secrecy... and?? Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 2
Voting systems image source: Ben Adida s PhD Thesis Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 3
Voting systems image source: Ben Adida s PhD Thesis Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 4
End-to-end verifiable voting systems image source: Ben Adida s PhD Thesis Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 5
Formal security analysis of voting systems A need for security analysis of voting protocols to prove the system does what we want to help us structure our approach of the system Definitions of security properties are needed, but: hard to formalize often conceived in different ways difficult to handle Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 6
Simulation-based approach: the big picture Real World Real protocol P Adversary A P A Ideal World Ideal functionality F Simulator S S Adversary A F vote A Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 7
Secure emulation definition A protocol emulates the functionality if S using this ideal functionality: A, A can not distinguish btw interacting: with the real protocol with this S and the ideal functionality Since the ideal functionality is safe, S does no harm when playing with it A does not learn anything unexpected... Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 8
A pedagogic example: ThreeBallot voting system [Fr ].{Ballot de Paille} = [En].{Straw Bundle} UCL Crypto Group Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 9
A pedagogic example: ThreeBallot voting system BALLOT BALLOT BALLOT Alice Alice Bob Bob Carol Carol David David Ed Ed Alice Bob Carol David Ed 397124768 519372049 109374926 Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 10
A pedagogic example: ThreeBallot voting system BALLOT BALLOT BALLOT Alice Alice Bob Bob Carol Carol David David Ed Ed Alice Bob Carol David Ed 397124768 519372049 109374926 Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 11
A pedagogic example: ThreeBallot voting system BALLOT Alice Bob Carol David Ed 397124768 Receipt is a copy of one part of the ballot Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 12
A pedagogic example: ThreeBallot voting system Ballots are shuffled and published on a Public Bulletin Board (PBB) Voter can check her receipt is on the PBB Final tally can be done by anyone: count the number of bullets each candidate got subtract the number of voters No crypto at all... Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 13
Simulation-based security approach Definition of what we want the protocol to do definition of a functionality in an ideal world V i (U i, x i ) f (x 1,..., x n )/FAIL F vote π S π reveals what information can be leaked Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 14
Modeling the ThreeBallot protocol REAL WORLD r i U i,multi-ballot i, j x i req i V i r i check complain f (x 1,..., x n )/ FAIL U i BB PS BB A check PBB Auth Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 15
Simulatability of ThreeBallot Simulation can be achieved if: we can build a S such that A sees no difference between being in the Real World the Ideal World reqi U i U i req i U i BB A f (x 1,..., x n ) r F i v S A BB BB OK/FAIL BB ri Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 16
ThreeBallot system: receipts distribution Consider two candidates: Multi-ballots for Alice ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ Multi-ballots for Bob ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ ˆ Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 17
Receipts distribution and election outcome Receipts r = [ ] r = [ ] r = [ ] r = [ ] 100% Alice 2/9 4/9 1/9 2/9 Tie 2/9 5/18 5/18 2/9 100% Bob 2/9 1/9 4/9 2/9 Prop. p for Alice 2 9 1 9 + p 3 1 + 1 p 9 3 Distribution of receipts in the real world Simulation is not possible... :-( 2 9 Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 18
Modifying the ThreeBallot protocol (1/3) Simple idea: No information about the vote is on the receipt Select the receipt before you fill in your vote In practice: 1. Fill one bullet per row 2. Choose your receipt 3. Add one bullet to row(s) of your choice Only on the non-receipt part of the ballot Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 19
Modifying the ThreeBallot protocol (2/3) Receipts r = [ ] Probability 4 9 r = [ ] r = [ ] r = [ ] Distribution of the receipts modified protocol 2 9 2 9 1 9 Independent of the outcome simulator can generate receipts Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 20
Modifying the ThreeBallot protocol (3/3) Attacker can modify a ballot on the BB Original ThreeBallot protocol Probability of being caught: 1/3 for any ballot Modified version of the protocol Probability of being caught depends on the ballot Worst case for security is 1/9 How to ensure the voter follows the procedure? (not modifying the receipt part of the ballot) Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 21
Modified protocol emulates F vote S can produce indistinguishable BB S can handle BB modifications Under two assumptions: Short Ballot Assumption is satisfied the number of receipts known by the adversary is small in front of the number of voters Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 22
Conclusion Simulation-based security analysis of voting protocols We defined a template for E2E system ideal functionality ThreeBallot protocol: Define π we like Show TB does NOT emulate this definition Fix the protocol Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 23
Protocoles de vote end-to-end Analyse de sécurité basée sur la simulation Olivier de Marneffe, Olivier Pereira, Jean-Jacques Quisquater Université catholique de Louvain, Belgium 19 mars 2008 Microelectronics Laboratory VETO 08 - CIRM, Luminy 19 mars 2008 24