Results 1-10 of 11
Election verifiability in electronic voting protocols
, 2010
Cited by 39 (16 self)
We present a symbolic definition of election verifiability for electronic voting protocols in the context of the applied pi calculus. Our definition is given in terms of boolean tests which can be performed on the data produced by an election. The definition distinguishes three aspects of verifiability, which we call individual verifiability, universal verifiability, and eligibility verifiability. It also allows us to determine precisely which aspects of the system’s hardware and software must be trusted for the purpose of election verifiability. In contrast with earlier work, our definition is compatible with a large class of electronic voting schemes, including those based on blind signatures, homomorphic encryption and mixnets. We demonstrate the applicability of our formalism by analysing two protocols which have been deployed; namely Helios 2.0, which is based on homomorphic encryption, and Civitas, which uses mixnets. In addition we consider the FOO protocol, which is based on blind signatures.
Attacking and fixing helios: An analysis of ballot secrecy
, 2010
Cited by 36 (16 self)
Helios 2.0 is an open-source web-based end-to-end verifiable electronic voting system, suitable for use in low-coercion environments. In this paper, we analyse ballot secrecy and discover a vulnerability which allows an adversary to compromise the privacy of voters. This vulnerability has been successfully exploited to break privacy in a mock election using the current Helios implementation. Moreover, the feasibility of an attack is considered in the context of French legislative elections and, based upon our findings, we believe it constitutes a real threat to ballot secrecy in such settings. Finally, we present a fix and show that our solution satisfies a formal definition of ballot secrecy using the applied pi calculus.
Formal analysis of anonymity in ECC-based Direct Anonymous Attestation schemes
Cited by 1 (1 self)
A definition of user-controlled anonymity is introduced for Direct Anonymous Attestation schemes. The definition is expressed as an equivalence property suited to automated reasoning using ProVerif, and the practicality of the definition is demonstrated by examining the ECC-based Direct Anonymous Attestation protocol by Brickell, Chen & Li. We show that this scheme is secure under the assumption that the adversary obtains no advantage from reblinding a blind signature.
Formal analysis of privacy in Direct Anonymous Attestation schemes
, 2012
Cited by 1 (1 self)
This article introduces a definition of privacy for Direct Anonymous Attestation schemes. The definition is expressed as an equivalence property suited to automated reasoning using ProVerif, and the practicality of the definition is demonstrated by analysing the RSA-based Direct Anonymous Attestation protocol by Brickell, Camenisch & Chen. The analysis discovers a vulnerability in the RSA-based scheme which can be exploited by a passive adversary and, under weaker assumptions, by corrupt administrators. A security fix is identified and the revised protocol is shown to satisfy our definition of privacy.
New abstractions in applied pi-calculus and automated verification of protected executions
Protocols for the protected execution of programs, like those based on a hardware root of trust, will become of fundamental importance for computer security. In parallel to such protocols, there is therefore a need to develop models and tools that allow formal specification and automated verification of the desired security properties. Still, current protocols lack realistic models and automated proofs of security. This is due to several challenges that we address in this paper. We consider the classical setting of applied pi-calculus and ProVerif, which we enrich with several generic models that allow verification of protocols designed for a given computing platform. Our contributions include models for specifying platform states and for dynamically loading and executing protected programs. We also propose a new method to make ProVerif terminate on a challenging search space: the one obtained by allowing an unbounded number of extensions and resets for the platform configuration registers of the TPM. We illustrate our methods with the case study of a protocol for a dynamic root of trust (based on a TPM), which includes dynamic loading, measurement and protected execution of programs. We prove automatically with ProVerif that code integrity and secrecy of sealed data hold for the considered protocol.
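The search space the abstract refers to comes from two PCR operations: extend, which folds a measurement into the register one-way and order-sensitively, and reset, which returns it to its initial value. The example below is added here and is not the paper's ProVerif model or any TPM implementation. It assumes a single SHA-256 PCR, a deliberately simplified sealing scheme (a hypothetical `ToyTPM` that keeps one storage key and binds a blob to an expected PCR value with HMAC), and constructed measurement strings; it shows why sealed data only unseals after the exact measured boot chain, and why a reset followed by a replay of that chain reaches the same state again, which is what an unbounded extend/reset search has to cover.

```python
import hashlib
import hmac
import os

PCR_LEN = 32  # one register of a SHA-256 PCR bank


def extend_value(pcr, measurement):
    """TPM2_PCR_Extend on one register: PCR := H(PCR || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def pcr_after(measurements):
    """Value a freshly reset PCR reaches after extending the measurements in order."""
    pcr = bytes(PCR_LEN)  # reset value: all zeros
    for m in measurements:
        pcr = extend_value(pcr, m)
    return pcr


class ToyTPM:
    """Hypothetical toy: one resettable PCR plus seal/unseal bound to an expected PCR value.
    A real TPM uses a storage-key hierarchy and policy sessions; the binding logic is the same."""

    def __init__(self):
        self.storage_key = os.urandom(32)  # never leaves the TPM
        self.pcr = bytes(PCR_LEN)

    def extend(self, measurement):
        self.pcr = extend_value(self.pcr, measurement)
        return self.pcr

    def reset(self):
        self.pcr = bytes(PCR_LEN)

    def seal(self, secret, expected_pcr):
        """Encrypt `secret` (<= 32 bytes) and bind the blob to `expected_pcr`."""
        assert len(secret) <= 32
        nonce = os.urandom(16)
        pad = hmac.new(self.storage_key, b"pad" + nonce + expected_pcr, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(secret, pad))
        tag = hmac.new(self.storage_key, b"tag" + nonce + expected_pcr + ct, hashlib.sha256).digest()
        return nonce, expected_pcr, ct, tag

    def unseal(self, blob):
        """Return the secret only if the blob is intact and the PCR equals the sealed-to value."""
        nonce, expected_pcr, ct, tag = blob
        good = hmac.new(self.storage_key, b"tag" + nonce + expected_pcr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(good, tag):
            return None  # blob was modified outside the TPM
        if not hmac.compare_digest(self.pcr, expected_pcr):
            return None  # platform state differs from the state the data was sealed to
        pad = hmac.new(self.storage_key, b"pad" + nonce + expected_pcr, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(ct, pad))


# Constructed measurements and secret for the demonstration (not real firmware hashes).
BOOTLOADER = b"bootloader v1"
KERNEL = b"kernel 6.1"
SECRET = b"disk-encryption-key-0123456789ab"  # 32 bytes


def demo():
    """Seal to the expected boot chain, then try to unseal from several platform histories."""
    tpm = ToyTPM()
    blob = tpm.seal(SECRET, pcr_after([BOOTLOADER, KERNEL]))
    out = {}
    tpm.extend(BOOTLOADER); tpm.extend(KERNEL)
    out["expected_chain"] = tpm.unseal(blob)          # correct chain: secret released
    tpm.reset(); tpm.extend(KERNEL); tpm.extend(BOOTLOADER)
    out["swapped_order"] = tpm.unseal(blob)           # same components, wrong order: refused
    tpm.reset(); tpm.extend(BOOTLOADER); tpm.reset(); tpm.extend(KERNEL)
    out["reset_mid_chain"] = tpm.unseal(blob)         # reset discards the earlier measurement: refused
    tpm.reset(); tpm.extend(BOOTLOADER); tpm.extend(KERNEL)
    out["replay_after_reset"] = tpm.unseal(blob)      # reset then full replay reaches the sealed state again
    tpm.extend(b"malicious module")
    out["after_extra_extend"] = tpm.unseal(blob)      # any further extend moves the PCR away: refused
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {'unsealed' if value == SECRET else 'refused'}")
```

The last two cases are the ones a bounded model misses: after a reset, replaying the measured sequence is legitimate and must succeed, so the verifier cannot simply forbid resets; it has to reason about every interleaving of extends and resets the platform allows.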
Alice and Bob: Reconciling Formal Models and Implementation
This paper defines the “ultimate” formal semantics for Alice and Bob notation, i.e., what actions the honest agents have to perform, in the presence of an arbitrary set of cryptographic operators and their algebraic theory. Despite its generality, this semantics is mathematically simpler than any previous attempt. For practical applicability, we introduce the language SPS and an automatic translation to robust real-world implementations and corresponding formal models, and we prove this translation correct with respect to the semantics.
D41. Formal description of our case study:
Helios 2.0 is an open-source web-based end-to-end verifiable electronic voting system, suitable for use in low-coercion environments. In this report, we present a cryptographic description of the Helios protocol and a model in the applied pi calculus, suited to the analysis of privacy.
Secure two-party computation in applied pi-calculus: models and verification
Secure two-party computation allows two mutually distrusting parties to compute a function together, without revealing their secret inputs to each other. Traditionally, the security properties desired in this context, and the corresponding security proofs, are based on a notion of simulation, which can be symbolic or computational. Either way, the proofs of security are intricate, requiring first to find a simulator, and then to prove a notion of indistinguishability. Furthermore, even for classic protocols such as Yao’s (based on garbled circuits and oblivious transfer), we do not have adequate symbolic models for cryptographic primitives and protocol roles that can form the basis for automated security proofs. We therefore propose new models in applied pi-calculus in order to address these gaps. Our contributions, formulated in the context of Yao’s protocol, include: an equational theory for specifying the primitives of garbled computation and oblivious transfer; process specifications for the roles of the two parties in Yao’s protocol; and definitions of security that are more clear and direct: result integrity, input agreement (both based on correspondence assertions) and input privacy (based on observational equivalence). We put these models together and illustrate their use with ProVerif, providing a first automated verification of security for Yao’s two-party computation protocol.
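To make concrete what an equational theory for garbled computation has to capture, here is one garbled AND gate in Yao's construction, run end to end between a garbler and an evaluator. This is an added example, not code or a model from the paper. It uses a hypothetical `ideal_ot` stand-in for 1-out-of-2 oblivious transfer (assumed to hand the evaluator exactly one of the two labels and reveal nothing to the garbler), SHA-256 of the two input labels as the per-row encryption key, and a 16-byte zero block as the redundancy that lets the evaluator recognise which row decrypted correctly.

```python
import hashlib
import os
import secrets

LABEL_LEN = 16
ZEROS = bytes(LABEL_LEN)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _row_key(label_a, label_b):
    """Row key H(label_a || label_b): derivable only by a party holding both labels."""
    return hashlib.sha256(label_a + label_b).digest()


def garble_gate(gate):
    """Garbler: pick two random labels per wire and, for each of the four input
    combinations, encrypt the matching output label under the two input labels.
    Returns (labels per wire, shuffled garbled rows)."""
    labels = {w: (os.urandom(LABEL_LEN), os.urandom(LABEL_LEN)) for w in ("a", "b", "out")}
    rows = []
    for x in (0, 1):
        for y in (0, 1):
            out_label = labels["out"][gate(x, y)]
            # plaintext = output label || 0^128; the zero block is the evaluator's check
            rows.append(_xor(out_label + ZEROS, _row_key(labels["a"][x], labels["b"][y])))
    secrets.SystemRandom().shuffle(rows)  # row position must not reveal the input bits
    return labels, rows


def evaluate_gate(rows, label_a, label_b):
    """Evaluator: with one label per input wire, try every row and keep the one whose
    decryption ends in the zero block. Yields an output label, never the input bits."""
    key = _row_key(label_a, label_b)
    for row in rows:
        pt = _xor(row, key)
        if pt[LABEL_LEN:] == ZEROS:
            return pt[:LABEL_LEN]
    raise ValueError("no row decrypted: corrupted table or wrong input labels")


def ideal_ot(pair, bit):
    """Assumed ideal 1-out-of-2 oblivious transfer (stand-in, not a real OT protocol):
    the receiver obtains pair[bit] only; the sender learns nothing about bit."""
    return pair[bit]


def two_party_and(x, y):
    """Yao's protocol for a single AND gate: the garbler holds x, the evaluator holds y."""
    labels, rows = garble_gate(lambda a, b: a & b)
    label_a = labels["a"][x]            # garbler sends the label for its own input
    label_b = ideal_ot(labels["b"], y)  # evaluator fetches its label through OT
    out_label = evaluate_gate(rows, label_a, label_b)
    decode = {labels["out"][0]: 0, labels["out"][1]: 1}  # output decoding table from the garbler
    return decode[out_label]


if __name__ == "__main__":
    for x in (0, 1):
        for y in (0, 1):
            print(x, "AND", y, "=", two_party_and(x, y))
```

Input privacy rests on the evaluator seeing only labels and a shuffled table; result integrity on the fact that an evaluator cannot produce a valid output label it did not decrypt. Those are exactly the two properties the abstract turns into observational equivalence and correspondence assertions, with the hash and the OT abstracted into equations and processes rather than executed.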
1.2 Cryptographic Protocols and their Modelling
, 2012
"... Automated verification of equivalence properties in cryptographic ..."
Formal Security Proofs
The goal of the lecture is to present some aspects of formal security proofs of protocols. This is a wide area, and there is another lecture (by B. Blanchet) on related topics. The idea is therefore to explain in depth one particular technique, which relies on deducibility constraints. We rely mainly on two introductory documents [8,14]; the current notes are in fact the beginning of [8]. Here is a roadmap:
1. We introduce the problem with examples and touch briefly on the question of the validity of the security models (section 1). We then describe a small process algebra, which will serve as a model for the protocols, as well as a few security properties (section 2).
2. The core of the lecture is here: we introduce the attacker model as a deduction system, and show how to represent any execution in the hostile environment as deducibility constraints. In short, a deducibility constraint is a sequence of proofs in which some parts are unknown (formalized with variables) and possibly reused in other constraints. An instance of such a constraint yields an attacker's strategy. We explain how to solve such constraints in a particular setting with a few cryptographic primitives. This is more or less what is described in the first part of [12], and is detailed in section 3.
Though the lecture aims at being self-contained, it assumes some familiarity with inference rules / formal proofs (or SOS for programming languages) and with terms / substitutions / unification. Similarly, knowledge of concurrency is not required, but will make the model easier to understand.
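The attacker-as-deduction-system of step 2, restricted to the ground case (no variables, so no constraint solving), as an added Python example that is not from the lecture notes or [8,14]: terms are atoms or tuples headed by a constructor, the attacker's knowledge is a set of terms, and deducibility is decided by closing the knowledge under the decomposition rules (projection, symmetric and asymmetric decryption with a deducible key) and then checking whether the target can be synthesised with public constructors. The four knowledge sets are constructed scenarios, not protocol traces from the page.

```python
# Terms: an atom is a str; a compound term is (constructor, arg1, ...).
# Constructors the attacker may apply freely.
CONSTRUCTORS = {"pair", "senc", "aenc", "pk", "h"}


def synth(t, K):
    """Synthesis rules: t is known, or t = f(t1..tn) with every ti synthesisable."""
    if t in K:
        return True
    if isinstance(t, tuple) and t[0] in CONSTRUCTORS:
        return all(synth(arg, K) for arg in t[1:])
    return False


def analyze(K):
    """Analysis rules, applied to a fixed point:
    pair(x, y) |- x, y ; senc(m, k) with k deducible |- m ; aenc(m, pk(s)) with s deducible |- m.
    Hashes have no analysis rule. Keys are checked by synthesis over the current closure,
    so a key that only becomes known after an earlier decryption is picked up on a later pass."""
    K = set(K)
    changed = True
    while changed:
        changed = False
        for t in list(K):
            if not isinstance(t, tuple):
                continue
            new = set()
            if t[0] == "pair":
                new.update(t[1:])
            elif t[0] == "senc" and synth(t[2], K):
                new.add(t[1])
            elif (t[0] == "aenc" and isinstance(t[2], tuple) and t[2][0] == "pk"
                  and synth(t[2][1], K)):
                new.add(t[1])
            if not new <= K:
                K |= new
                changed = True
    return K


def deducible(target, knowledge):
    """Dolev-Yao deducibility for this theory: analyse to a fixed point, then synthesise."""
    return synth(target, analyze(knowledge))


# Constructed scenarios (hypothetical atoms; 's' is the secret the attacker is after).
# Passive view of a key transport followed by an encrypted payload.
PASSIVE_VIEW = frozenset({("pk", "skB"), ("aenc", "k", ("pk", "skB")), ("senc", "s", "k")})
# Same view, but B's decryption key has leaked.
WITH_LEAKED_KEY = PASSIVE_VIEW | {"skB"}
# Session key derived from public nonces: the attacker can rebuild the key by synthesis.
HASHED_KEY = frozenset({"na", "nb", ("senc", "s", ("h", ("pair", "na", "nb")))})
# Key chain: k1 unlocks a pair containing k2, and k2 unlocks the secret.
KEY_CHAIN = frozenset({"k1", ("senc", ("pair", "k2", "x"), "k1"), ("senc", "s", "k2")})


if __name__ == "__main__":
    for name, K in [("passive", PASSIVE_VIEW), ("leaked skB", WITH_LEAKED_KEY),
                    ("hashed key", HASHED_KEY), ("key chain", KEY_CHAIN)]:
        print(f"{name:12s} s deducible: {deducible('s', K)}")
```

The constraint-solving step the lecture builds on top of this replaces some subterms of the knowledge and targets by variables and asks for substitutions under which every step is deducible; the ground closure above is what each solved constraint reduces to.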