Model Checkers Are Cool: How to Model Check Voting Protocols in Uppaal

The design and implementation of an e-voting system is a challenging task. Formal analysis can be of great help here. In particular, it can lead to a better understanding of how the voting system works, and what requirements on the system are relevant. In this paper, we propose that the state-of-art model checker Uppaal provides a good environment for modelling and preliminary verification of voting protocols. To illustrate this, we present an Uppaal model of Pr\^et \`a Voter, together with some natural extensions. We also show how to verify a variant of receipt-freeness, despite the severe limitations of the property specification language in the model checker

Inductive analysis of security protocols in Isabelle/HOL with applications to electronic voting

Security protocols are predefined sequences of message exchanges. Their uses over computer networks aim to provide certain guarantees to protocol participants. The sensitive nature of many applications resting on protocols encourages the use of formal methods to provide rigorous correctness proofs. This dissertation presents extensions to the Inductive Method for protocol verification in the Isabelle/HOL interactive theorem prover. The current state of the Inductive Method and of other protocol analysis techniques are reviewed. Protocol composition modelling in the Inductive Method is introduced and put in practice by holistically verifying the composition of a certification protocol with an authentication protocol. Unlike some existing approaches, we are not constrained by independence requirements or search space limitations. A special kind of identity-based signatures, auditable ones, are specified in the Inductive Method and integrated in an analysis of a recent ISO/IEC 9798-3 protocol. A side-by-side verification features both a version of the protocol with auditable identity-based signatures and a version with plain ones. The largest part of the thesis presents extensions for the verification of electronic voting protocols. Innovative specification and verification strategies are described. The crucial property of voter privacy, being the impossibility of knowing how a specific voter voted, is modelled as an unlinkability property between pieces of information. Unlinkability is then specified in the Inductive Method using novel message operators. An electronic voting protocol by Fujioka, Okamoto and Ohta is modelled in the Inductive Method. Its classic confidentiality properties are verified, followed by voter privacy. The approach is shown to be generic enough to be re-usable on other protocols while maintaining a coherent line of reasoning. We compare our work with the widespread process equivalence model and examine respective strengths

Formal Methods for Trustworthy Voting Systems : From Trusted Components to Reliable Software

Voting is prominently an important part of democratic societies, and its outcome may have a dramatic and broad impact on societal progress. Therefore, it is paramount that such a society has extensive trust in the electoral process, such that the system’s functioning is reliable and stable with respect to the expectations within society. Yet, with or without the use of modern technology, voting is full of algorithmic and security challenges, and the failure to address these challenges in a controlled manner may produce fundamental flaws in the voting system and potentially undermine critical societal aspects. In this thesis, we argue for a development process of voting systems that is rooted in and assisted by formal methods that produce transparently checkable evidence for the guarantees that the final system should provide so that it can be deemed trustworthy. The goal of this thesis is to advance the state of the art in formal methods that allow to systematically develop trustworthy voting systems that can be provenly verified. In the literature, voting systems are modeled in the following four comparatively separable and distinguishable layers: (1) the physical layer, (2) the computational layer, (3) the election layer, and (4) the human layer. Current research usually either mostly stays within one of those layers or lacks machine-checkable evidence, and consequently, trusted and understandable criteria often lack formally proven and checkable guarantees on software-level and vice versa. The contributions in this work are formal methods that fill in the trust gap between the principal election layer and the computational layer by a reliable translation of trusted and understandable criteria into trustworthy software. Thereby, we enable that executable procedures can be formally traced back and understood by election experts without the need for inspection on code level, and trust can be preserved to the trustworthy system. The works in this thesis all contribute to this end and consist in five distinct contributions, which are the following: (I) a method for the generation of secure card-based communication schemes, (II) a method for the synthesis of reliable tallying procedures, (III) a method for the efficient verification of reliable tallying procedures, (IV) a method for the computation of dependable election margins for reliable audits, (V) a case study about the security verification of the GI voter-anonymization software. These contributions span formal methods on illustrative examples for each of the three principal components, (1) voter-ballot box communication, (2) election method, and (3) election management, between the election layer and the computational layer. Within the first component, the voter-ballot box communication channel, we build a bridge from the communication channel to the cryptography scheme by automatically generating secure card-based schemes from a small formal model with a parameterization of the desired security requirements. For the second component, the election method, we build a bridge from the election method to the tallying procedure by (1) automatically synthesizing a runnable tallying procedure from the desired requirements given as properties that capture the desired intuitions or regulations of fairness considerations, (2) automatically generating either comprehensible arguments or bounded proofs to compare tallying procedures based on user-definable fairness properties, and (3) automatically computing concrete election margins for a given tallying procedure, the collected ballots, and the computed election result, that enable efficient election audits. Finally, for the third and final component, the election management system, we perform a case study and apply state-of-the-art verification technology to a real-world e-voting system that has been used for the annual elections of the German Informatics Society (GI – “Gesellschaft für Informatik”) in 2019. The case study consists in the formal implementation-level security verification that the voter identities are securely anonymized and the voters’ passwords cannot be leaked. The presented methods assist the systematic development and verification of provenly trustworthy voting systems across traditional layers, i.e., from the election layer to the computational layer. They all pursue the goal of making voting systems trustworthy by reliable and explainable formal requirements. We evaluate the devised methods on minimal card-based protocols that compute a secure AND function for two different decks of cards, a classical knock-out tournament and several Condorcet rules, various plurality, scoring, and Condorcet rules from the literature, the Danish national parliamentary elections in 2015, and a state-of-the-art electronic voting system that is used for the German Informatics Society’s annual elections in 2019 and following

Understanding Google: Search Engines and the Changing Nature of Access, Thought and Knowledge within a Global Context

This thesis explores the impact of search engines within contemporary digital culture and, in particular, focuses on the social, cultural, and philosophical influence of Google. Search engines are deeply enmeshed with other recent developments in digital culture; therefore, in addressing their impact these intersections must be recognised, while highlighting the technological and social specificity of search engines. Also important is acknowledging the way that certain institutions, in particular Google, have shaped the web and wider culture around a particular set of economic incentives that have far-reaching consequences for contemporary digital culture. This thesis argues that to understand search engines requires a recognition of its contemporary context, while also acknowledging that Google’s quest to “organize the world's information and make it universally accessible and useful” is part of a much older and broader discourse. Balancing these two viewpoints is important; Google is shaping public discourse on a global scale with unprecedentedly extensive consequences. However, many of the issues addressed by this thesis would remain centrally important even if Google declared bankruptcy or if search engines were abandoned for a different technology. Search engines are a specific technological response to a particular cultural environment; however, their social function and technical operation are embedded within a historical relationship to enquiry and inscription that stretches back to antiquity. This thesis addresses the following broad research questions, while at each stage specifically addressing the role and influence of search engines: how do individuals interrogate and navigate the world around them? How do technologies and social institutions facilitate how we think and remember? How culturally situated is knowledge; are there epistemological truths that transcend social environments? How does technological expansion fit within wider questions of globalisation? How do technological discourses shape the global flows of information and capital? These five questions map directly onto the five chapters of this thesis. Much of the existing study of search engines has been focused on small-scale evaluation, which either addresses Google’s day-by-day algorithmic changes or poses relatively isolated disciplinary questions. Therefore, not only is the number of academics, technicians, and journalists attending to search engines relatively small, given the centrality of search engines to digital culture, but much of the knowledge that is produced becomes outdated with algorithmic changes or the shifting strategies of companies. This thesis ties these focused concerns to wider issues, with a view to encourage and facilitate further enquiry.This thesis explores the impact of Google’s search engine within contemporary digital culture. Search engines have been studied in various disciplines, for example information retrieval, computer science, law, and new media, yet much of this work remains fixed within disciplinary boundaries. The approach of this thesis is to draw on work from a number of areas in order to link a technical understanding of how search engines function with a wider cultural and philosophical context. In particular, this thesis draws on critical theory in order to attend to the convergence of language, programming, and culture on a global scale. The chapter outline is as follows. Chapter one compares search engine queries to traditional questions. The chapter draws from information retrieval research to provide a technical framework that is brought into contact with philosophy and critical theory, including Plato and Hans-Georg Gadamer. Chapter two investigates search engines as memory aids, deploying a history of memory and exploring practices within oral cultures and mnemonic techniques such as the Ars Memoria. This places search engines within a longer historical context, while drawing on contemporary insights from the philosophy and science of cognition. Chapter three addresses Google’s Autocomplete functionality and chapter four explores the contextual nature of results in order to highlight how different characteristics of users are used to personalise access to the web. These chapters address Google’s role within a global context and the implications for identity and community online. Finally, chapter five explores how Google’s method of generating revenue, through advertising, has a social impact on the web as a whole, particularly when considered through the lens of contemporary Post-Fordist accounts of capitalism. Throughout, this thesis develops a framework for attending to algorithmic cultures and outlines the specific influence that Google has had on the web and continues to have at a global scale.Arts and Humanities Research Counci