
Where is my Vote?

Formal Analysis of Electronic Voting Protocols

Steve Kremer
(based on joint work with S. Delaune, M. Ryan and B. Smyth)
INRIA Nancy - Grand Est

Séminaire Méthodes Formelles et Sécurité, 18/11/2011

S. Kremer (INRIA)

Formal Analysis of Electronic Voting Protocols

18/11/2011

1 / 30

Cryptographic protocols everywhere!


Cryptographic protocol:
a distributed program which uses cryptographic primitives (e.g. encryption, digital signatures, ...) to ensure a security property (e.g. confidentiality, authentication, anonymity, ...)

FEVAD (fédération du e-commerce et de la vente à distance), 2010 key numbers:

- 78% of French people use remote selling
- 82% of remote selling over the Internet
- online transactions: 25 billion euros

Legally binding Internet elections in Europe in 2011:

- parliamentary elections in Switzerland (several cantons)
- parliamentary election in Estonia (all eligible voters)
- municipal and county elections in Norway (selected municipalities, selected voter groups)

A simple handshake protocol

Alice -> Bob: aenc(sign(k, ska), pk(dkb))
Bob -> Alice: senc(s, k)

Question: When Bob (thinks he) executes the protocol with Alice, is k shared only between Bob and Alice?

With an intruder between Alice and Bob:

Alice -> Intruder: aenc(sign(k, ska), pk(dki))
Intruder -> Bob: aenc(sign(k, ska), pk(dkb))
Bob: senc(s, k)

NO! There is a man-in-the-middle attack.

Symbolic verification of security protocols

Does the protocol satisfy a security property?

[Diagram: modelling; protocol |= security property]

- protocol is executed in an adversarial environment
- in this talk: protocols are modelled in the applied pi calculus
- attackers are any process which can be written in the applied pi calculus
- partial automation using the verification tool ProVerif

Symbolic analysis
Symbolic techniques (going back to [Dolev&Yao82]) have been widely used to
- find errors in protocols
- prove their correctness (in the given abstract model)

Main ingredients of symbolic models
- messages = terms, e.g. enc(pair(s1, s2), k)
- perfect cryptography (deduction rules, rewrite systems/equational theories)
  dec(enc(x, y), y) = x
  fst(pair(x, y)) = x
  snd(pair(x, y)) = y
- unbounded adversary (no computational restrictions)
- the network is the attacker

State-of-the-art

Protocols for confidentiality and authentication have been well studied.

In general, secrecy and authentication preservation is undecidable.

But decidable for restricted classes.

For a bounded number of sessions
- secrecy is co-NP-complete [RusinowitchTuruani01]
- several tools for detecting attacks (Casper, Avispa, ...)
- small system theorems: security for bounded number of sessions implies security for unbounded number of sessions [Lowe98], [Arapinis,K.,Delaune07]

For an unbounded number of sessions
- for one-copy protocols, secrecy is DEXPTIME-complete [Cortier,Comon03] [Seidl,Verma04]
- for message-length bounded protocols, secrecy is DEXPTIME-complete [Durgin et al.99] [Chevalier et al.03]

Why care about decidability? ProVerif [Blanchet] is an efficient tool that has been used for analyzing industrial-scale protocols: no termination guarantee, false attacks possible.

Our aim: apply such formal techniques to the analysis of electronic voting protocols

Electronic voting
Elections are a security-sensitive process which is the cornerstone of modern democracy.

Electronic voting promises a convenient, efficient and secure facility for recording and tallying votes, for a variety of types of elections: from small committees or on-line communities through to full-scale national elections.

But: risk of large-scale, undetected fraud!

Our goal
Precise definitions of security properties, which allow rigorous analysis of
- privacy properties
- verifiability
and which make trust assumptions explicit

A variety of properties

Fairness: no early results can be obtained which could influence the remaining voters

Eligibility: only legitimate voters can vote, and only once

Privacy: the fact that a particular voter voted in a particular way is not revealed to anyone

Receipt-freeness / Coercion-resistance: a voter cannot prove that she voted in a certain way (this is important to protect voters from coercion)

Individual verifiability: a voter can verify that her vote was really counted

Universal verifiability: anyone can verify that the published outcome really is the sum of all votes

Eligibility verifiability: anyone can verify that all counted votes correspond to eligible voters

The FOO protocol


Modeling protocols: the applied pi-calculus

Applied pi-calculus: [Abadi & Fournet, 01] basic programming language with constructs for concurrency, communication and cryptographic primitives, based on the pi-calculus [Milner et al., 92]

Advantages:
- naturally models a Dolev-Yao attacker
- allows us to model less classical cryptographic primitives
- both reachability and indistinguishability-based specification of properties

Observational equivalence

- automated proofs (not complete, termination not guaranteed) using the ProVerif tool [Blanchet]
- powerful proof techniques for hand proofs

The applied pi-calculus on an example


Syntax:
Equational theory: dec(enc(x, y), y) = x
Process: P = s, k.(out(c1, enc(s, k)) | in(c1, y).out(c2, dec(y, k))).

Semantics:
Operational semantics : closed by structural equivalence () and application of evaluation contexts such that
Comm: out(a, x).P | in(a, x).Q P | Q
Then: if M = M then P else Q P
Else: if M = N then P else Q Q (M =E N)

Example: P s, k.out(c2, s)

The handshake protocol in the applied pi calculus


Messages:
m1 = aenc(sign(k, ska), pkb), pk(ska)
m2 = senc(s, xk)

Alice:
in(c, pkb).
k.
out(c, m1).
in(c, x).
let s = sdec(x, k) in P

Bob:
in(c, x, pka).
let xs = adec(x, dkb) in
if check(xs, pka) = then
let xk = getmsg(xs, pka) in
new s.
out(c, senc(s, xk))

Phandshake = ska. dkB. out(c, pk(ska), pk(dkB)). (!Alice | !Bob)
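
The man-in-the-middle attack on the handshake, replayed in a small symbolic (Dolev-Yao) model of the Alice and Bob roles above. This is an added example, not code from the talk: the tuple encoding of terms, the `saturate` and `run` helpers and the `bind_recipient` variant (Alice signs the pair of the recipient's public key and k, a standard hardening that the slides do not show) are assumptions made here.

```python
# Symbolic model of the handshake; terms are nested tuples, names are strings.
# Constructed example: identifiers follow the slides, the code does not.

def pk(sk): return ("pk", sk)
def aenc(m, pub): return ("aenc", m, pub)
def sign(m, sk): return ("sign", m, sk)
def senc(m, k): return ("senc", m, k)
def pair(a, b): return ("pair", a, b)

def saturate(knowledge):
    """Close the attacker's knowledge under adec, getmsg, sdec and projections."""
    known = set(knowledge)
    while True:
        derived = set()
        for t in known:
            if not isinstance(t, tuple):
                continue
            if t[0] == "aenc" and t[2][0] == "pk" and t[2][1] in known:
                derived.add(t[1])                  # adec with a known private key
            elif t[0] == "sign" and pk(t[2]) in known:
                derived.add(t[1])                  # getmsg with the public key
            elif t[0] == "senc" and t[2] in known:
                derived.add(t[1])                  # sdec with a known key
            elif t[0] == "pair":
                derived.update(t[1:])              # fst / snd
        if derived <= known:
            return known
        known |= derived

def bob(x, pka, dkb, s, bind_recipient):
    """Bob's role: decrypt, check Alice's signature, answer senc(s, xk)."""
    if not (isinstance(x, tuple) and x[0] == "aenc" and x[2] == pk(dkb)):
        return None
    xs = x[1]
    if not (isinstance(xs, tuple) and xs[0] == "sign" and pk(xs[2]) == pka):
        return None
    xk = xs[1]
    if bind_recipient:                             # hardened variant (assumption)
        if not (isinstance(xk, tuple) and xk[:2] == ("pair", pk(dkb))):
            return None
        xk = xk[2]
    return senc(s, xk)

def run(alice_peer, bind_recipient=False):
    """Alice starts one session with the owner of decryption key alice_peer.
    Returns (bob_accepts, attacker_learns_s)."""
    ska, dkb, dki, k, s = "ska", "dkb", "dki", "k", "s"
    payload = pair(pk(alice_peer), k) if bind_recipient else k
    m1 = aenc(sign(payload, ska), pk(alice_peer))
    # The attacker knows the public keys, its own key dki, and sees m1.
    attacker = saturate({pk(ska), pk(dkb), dki, pk(dki), m1})
    # It forwards m1, or re-encrypts for Bob any signature it could extract.
    candidates = [m1] + [aenc(t, pk(dkb)) for t in attacker
                         if isinstance(t, tuple) and t[0] == "sign"]
    replies = [r for r in (bob(x, pk(ska), dkb, s, bind_recipient)
                           for x in candidates) if r is not None]
    if not replies:
        return False, False
    attacker = saturate(attacker | set(replies))
    return True, s in attacker
```

`run("dkb")` is the honest session (Bob accepts, s stays secret), `run("dki")` is the session in which Alice talks to the intruder (Bob accepts and s leaks), and with `bind_recipient=True` Bob rejects the re-encrypted message.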


Modelling properties in applied pi


Confidentiality can be modelled as a reachability property:

Confidentiality (P s)
for all processes A we have that: if P | A Q then Q out(c, s).Q1 | Q2

Anonymity properties are generally modelled as indistinguishability properties:

Observational equivalence (P Q)
for all processes A, we have that: A | P c if, and only if, A | Q c
P c when P can send a message on the channel c.

Example 1: out(a, s) out(a, s )
A = in(a, x).if x = s then out(c, ok)

Example 2: s.out(a, enc(s, k)).out(a, enc(s, k )) s, s .out(a, enc(s, k)).out(a, enc(s , k ))
A = in(a, x).in(a, y).if (dec(x, k) = dec(y, k )) then out(c, ok)

Example 3: s.out(a, s) s.k.out(a, enc(s, k))


How to verify protocols in the applied-pi framework


1. Use equations to model the cryptography. Examples:

   Encryption and signatures
   decrypt(encrypt(m, pk(k)), k) = m
   checksign(sign(m, k), m, pk(k)) = ok

   Blind signatures
   unblind(sign(blind(m, r), sk), r) = sign(m, sk)

   Designated verifier proof of re-encryption
   The term dvp(x,rencrypt(x,r),r,pkv) represents a proof designated for the owner of pkv that x and rencrypt(x,r) have the same plaintext.
   checkdvp(dvp(x,rencrypt(x,r),r,pkv),x,rencrypt(x,r),pkv) = ok
   checkdvp(dvp(x,y,z,skv), x, y, pk(skv)) = ok.

2. For each property to be verified, decide who is
   - protected, i.e. for whom the property will be verified;
   - may be dishonest, i.e. may be controlled by the DY attacker.
   (protected / must be honest / may be dishonest)

   Examples:

   Protocol     Property           Protected   May be dishonest
   FOO          eligibility        voters      admin, collector
   FOO          fairness           voters      admin, collector
   FOO          privacy            voters      admin, collector
   Lee et al.   privacy            voters      collector
   Lee et al.   receipt-freeness   voters      other voters

3. Code the honest parties as processes. Example ([FOO92]):

   processV =
     new b; new c;
     (* blind a commitment to the vote v *)
     let bcv = blind(commit(v,c),b) in
     out(ch, (sign(bcv, skv)));
     (* administrator's signature on the blinded commitment *)
     in(ch,m2);
     if getMess(m2,pka)=bcv then
     let scv = unblind(m2,b) in
     phase 1;
     out(ch, scv);
     in(ch,(l, =scv));
     phase 2;
     (* reveal the commitment key c for entry l *)
     out(ch,(l,c)).

4. Code the intended property, as a reachability property, or an observational equivalence property. Examples:

   Property           Type       Intuition
   Eligibility        reachab.   ineligible vote not published
   Fairness           reachab.   without last phase, no votes published
   Privacy            obs. eq.   undetectable whether A,B swap votes
   Receipt-freeness   obs. eq.   even if A cooperates with attacker, undetectable whether A,B swap votes
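
The equations of step 1 and the attacker test of Example 2 (from the slides on observational equivalence), executed by a small term rewriter. This is an added example, not part of the talk or of ProVerif: the tuple encoding and helper names are assumptions, and `k2`, `s2` stand for the second key and second secret of Example 2.

```python
# Terms are nested tuples ("f", arg, ...); names are strings; rule variables
# start with "?". The rules are the equations shown on the slides.
RULES = [
    (("dec", ("enc", "?x", "?y"), "?y"), "?x"),
    (("decrypt", ("encrypt", "?m", ("pk", "?k")), "?k"), "?m"),
    (("checksign", ("sign", "?m", "?k"), "?m", ("pk", "?k")), "ok"),
    (("unblind", ("sign", ("blind", "?m", "?r"), "?sk"), "?r"),
     ("sign", "?m", "?sk")),
]

def match(pattern, term, env):
    """Extend substitution env so that pattern equals term; None if impossible."""
    if isinstance(pattern, str):
        if not pattern.startswith("?"):
            return env if pattern == term else None
        if pattern in env:                      # non-linear pattern: must agree
            return env if env[pattern] == term else None
        return {**env, pattern: term}
    if isinstance(term, str) or len(term) != len(pattern) or term[0] != pattern[0]:
        return None
    for p, t in zip(pattern[1:], term[1:]):
        env = match(p, t, env)
        if env is None:
            return None
    return env

def subst(term, env):
    if isinstance(term, str):
        return env.get(term, term)
    return (term[0],) + tuple(subst(a, env) for a in term[1:])

def normalize(term):
    """Rewrite innermost-first until no equation applies."""
    if isinstance(term, str):
        return term
    term = (term[0],) + tuple(normalize(a) for a in term[1:])
    for lhs, rhs in RULES:
        env = match(lhs, term, {})
        if env is not None:
            return normalize(subst(rhs, env))
    return term

def equal_E(m, n):
    """Equality modulo the equational theory."""
    return normalize(m) == normalize(n)

def example2_test(x, y):
    """The attacker's test from Example 2 on the two observed messages."""
    return equal_E(("dec", x, "k"), ("dec", y, "k2"))

# Messages output by the two processes of Example 2 (constructed encoding).
LEFT = (("enc", "s", "k"), ("enc", "s", "k2"))
RIGHT = (("enc", "s", "k"), ("enc", "s2", "k2"))

def foo_signed_commitment(v, c, b, ska):
    """Voter side of FOO: blind, obtain the administrator's signature, unblind."""
    bcv = ("blind", ("commit", v, c), b)
    m2 = ("sign", bcv, ska)          # the administrator only ever sees bcv
    return normalize(("unblind", m2, b))
```

The test succeeds on `LEFT` and fails on `RIGHT`, so the attacker tells the two processes apart; unblinding with the wrong factor leaves a stuck `unblind` term instead of a signature.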


Formalisation of privacy

[K., Ryan: ESOP05]

Classically anonymity properties are modeled as observational equivalences between two slightly different processes P1 and P2, but
- changing the identity does not work, as identities are revealed
- changing the vote does not work, as the votes are revealed at the end
- a correct protocol respecting privacy may in some situations reveal how a participant voted: the case of unanimity

Solution: consider 2 honest voters and swap their votes

Vote privacy
A voting protocol respects privacy if S[VA{a/v} | VB{b/v}] S[VA{b/v} | VB{a/v}]

Leaking secrets to the coercer

[Delaune, K. & Ryan, CSFW06,JCS09]

To model receipt-freeness we need to specify that a coerced voter cooperates with the coercer by leaking secrets on a channel ch

P ::=
  0
  P|Q
  n.P
  in(u, x).P
  out(u, M).P
  if M = N then P else P
  ...

P^ch in terms of P
0^ch = 0
(P | Q)^ch = P^ch | Q^ch
(n.P)^ch = n.out(ch, n).P^ch
(in(u, x).P)^ch = in(u, x).out(ch, x).P^ch
(out(u, M).P)^ch = out(u, M).P^ch
...

We denote by P\out(chc,) the process chc.(P |!in(chc, x)).

Lemma: (P^ch)\out(chc,) P

Receipt-freeness
[Delaune, K. & Ryan, CSFW06,JCS09]

Intuition
There exists a process V which votes a, leaks (possibly fake) secrets to the coercer, and makes the coercer believe she voted c

Definition (Receipt-freeness)
A voting protocol is receipt-free if there exists a process V , satisfying
V \out(chc,) VA{a/v},
S[VA{c/v}^chc | VB{a/v}] S[V | VB{c/v}].

Case study: Lee et al. protocol
We prove receipt-freeness by
- exhibiting V
- showing that V \out(chc,) VA{a/v}
- showing that S[VA{c/v}^chc | VB{a/v}] S[V | VB{c/v}]

Coercion resistance

[Delaune, K. & Ryan, CSFW06,JCS09]

Like receipt-freeness, but: the voter interacts with the coercer during the protocol (instead of just supplying data at the end).

Proposition
Let VP be a voting protocol. Then VP is coercion-resistant VP is receipt-free VP respects privacy

[ChadhaDelauneKremer09]: a definition of privacy given in an epistemic logic shown to be equivalent.

Results on case studies

[Delaune, K. & Ryan, CSFW06,JCS09]

Trusted authorities, per property and protocol:

Property              Fujioka et al.   Okamoto et al.    Lee et al.
Vote-privacy          none             timeliness mbr.   administrator
Receipt-freeness      n/a              timeliness mbr.   admin. & collector
Coercion-resistance   n/a              n/a               admin. & collector

Currently, proofs are done by hand (and some lemmas proved by ProVerif)

Towards proving observational equivalence ...

ProVerif: [Abadi, Blanchet, Fournet05]
- tries to prove a finer relation than observational equivalence
- unbounded number of sessions
- relation not coarse enough for electronic voting protocols
- equational theories for electronic voting protocols not supported

Design of a symbolic semantics for the finite applied-pi calculus [Delaune, K., Ryan07]
- Correct: symbolic bisimilarity implies observational equivalence
- Holds for any equational theory (decidability for subterm convergent equational theories)
- Incomplete but sufficient in practice
- Avoids infinite branching
- currently no implementation

AKiSs: New tool for verifying equivalence properties [Chadha, Ciobâcă, K.]
- many more equational theories
- automated proof of privacy in the FOO protocol

Verifiability or how to trace my vote?

End-to-end verifiability

- Election results can be fully verified by voters/observers
- The software provided by election authorities does not need to be trusted
- The software used to perform the verification can be sourced independently

verifiability auditability

Election verifiability

Verify the election, not the system! Avoid need to trust election software.

Individual verifiability
A voter can check her own vote is included in the tally.

Universal verifiability
Anyone can check that the declared outcome corresponds to the tally.

Eligibility verifiability
Anyone can check that only eligible votes are included in the declared outcome.

Remarks
- Verifiability = correctness
- What system components need to be trusted to achieve verifiability?

Election verifiability

We suppose that the protocol involves
- Voter credentials (typically, a public part and a private part for each voter)
- A bulletin board, on which are placed entries corresponding to voters' outputs.

Election verifiability
A protocol satisfies election verifiability if there are tests IV, UV and EV satisfying certain acceptability conditions.

Voting on Satan's computer

- Extend attacker model to software and hardware, i.e. V, A only represent the trusted parts of the protocol
- Ideally this is only the interaction between the voter and the terminal!
- In practice some parts need to be added, motivated by auditing parts, distributed authorities, ...

Individual and universal verifiability

[K., Ryan & Smyth ESORICS10]

A voting protocol satisfies IV and UV if IV , UV s.t.

Soundness. In all possible protocol runs (and resulting Bulletin Boards):
- a same BB entry cannot validate IV for two different voters
- UV can only validate one outcome
- if IV s hold on s1, ..., sn then UV only validates this outcome

Effectiveness. There exists a successful protocol run such that IV, UV hold

Example: FOO

[K., Ryan & Smyth ESORICS10]

What are the minimal parts of the protocol to be trusted?
The voting process Vfoo = rnd .out(c, v).out(c, rnd) and
where rnd is intended to be the randomness used for the commitment
Remark: Other properties need different trust assumptions!

The expected BB entry should be r , commit(r , v)

Define the tests
IV = y =E r , commit(r , v)
UV = 1in vi =E open(1 (y), 2 (y))

Theorem
Vfoo satisfies individual and universal verifiability.
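
The two tests for FOO run against a bulletin board, as an added example that is not taken from the talk or the ESORICS paper. It assumes a symbolic commitment where open(r, commit(r, v)) = v, reads UV as "the i-th declared vote opens the i-th entry", and uses constructed voters and helper names (`accepted_outcomes`, `iv_clashes`) to check the soundness conditions listed earlier.

```python
from itertools import product

def commit(r, v):
    return ("commit", r, v)

def open_(r, c):
    """Symbolic opening: open(r, commit(r, v)) = v, otherwise stuck (None)."""
    if isinstance(c, tuple) and len(c) == 3 and c[0] == "commit" and c[1] == r:
        return c[2]
    return None

def bb_entry(r, v):
    """Expected bulletin-board entry for a voter who output v and rnd = r."""
    return (r, commit(r, v))

def IV(y, r, v):
    """Individual test: the voter recognises her own entry y."""
    return y == bb_entry(r, v)

def UV(outcome, board):
    """Universal test: the i-th declared vote opens the i-th entry."""
    return len(outcome) == len(board) and all(
        v == open_(y[0], y[1]) for v, y in zip(outcome, board))

def accepted_outcomes(board, candidates):
    """Every outcome over `candidates` that UV validates for this board."""
    return [o for o in product(candidates, repeat=len(board)) if UV(o, board)]

def iv_clashes(voters, board):
    """Entries that validate IV for more than one voter (soundness violation)."""
    clashes = []
    for y in board:
        owners = [name for name, (r, v) in voters.items() if IV(y, r, v)]
        if len(owners) > 1:
            clashes.append((y, owners))
    return clashes

# Constructed sample data: each voter's (rnd, vote).
VOTERS = {"alice": ("r1", "yes"), "bob": ("r2", "no"), "carol": ("r3", "yes")}
BOARD = [bb_entry(r, v) for r, v in VOTERS.values()]

# Failure mode: rnd is not fresh, so two voters share randomness and vote.
REUSED = {"alice": ("r1", "yes"), "bob": ("r1", "yes")}
```

With fresh randomness exactly one outcome passes UV and no entry satisfies IV for two voters; with reused randomness a single entry satisfies IV for both voters, which is the case the first soundness condition rules out.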


Election verifiability

[K., Ryan & Smyth ESORICS10]

A voting protocol satisfies Election Verifiability if IV , UV , EV s.t. additionally

Soundness. In all possible protocol runs:
- given a set of ballots, EV holds for a unique list of credentials
- given a set of creds, EV holds only on these creds
- if IV s hold for creds c1, ..., cn then EV holds only for these creds

Effectiveness. There exists a successful protocol run such that IV, UV and EV hold

Results on case studies

[K., Ryan & Smyth ESORICS10]

3 case studies:
- Fujioka et al. [FOO92]: IV, UV but not EV
- Helios 2.0 by Adida et al. [AdMPQ09]
- Juels et al. [JCJ05] (implemented as CIVITAS in [CCM08]): verifies full EV, with several trust assumptions

Helios 2.0 [AdMPQ09]: IV and UV, but not EV
- used for electing the university president at Université Catholique de Louvain-la-Neuve, Belgium and by IACR for electing board members
- does not intend to guarantee coercion-resistance
- Voter needs to trust
  - script that constructs the ballot (auditable via cut-and-choose technique)
  - authorities holding key shares (distributed authorities)

Conclusion and future work


- Formal definitions of privacy properties: vote privacy, receipt-freeness, coercion-resistance
- Formal definitions of election verifiability
- Validated on several case studies

Decision procedures and proof techniques for observational equivalence
- decision procedures (more equational theories)
- combination: decidable for E1 and E2 decidable for E1 E2
- composition k.P k.Q k.(P | R) k.(Q | R)

Analyse more protocols used in real Internet elections

Similar properties in other applications, e.g.
- receipt-freeness in auction protocols [Jonker et al.10]
- privacy properties in RFID protocols [Arapinis et al.10], [Brus et al.10]