7 research outputs found
Model Checkers Are Cool: How to Model Check Voting Protocols in Uppaal
The design and implementation of an e-voting system is a challenging task.
Formal analysis can be of great help here. In particular, it can lead to a
better understanding of how the voting system works, and what requirements on
the system are relevant. In this paper, we propose that the state-of-art model
checker Uppaal provides a good environment for modelling and preliminary
verification of voting protocols. To illustrate this, we present an Uppaal
model of Pr\^et \`a Voter, together with some natural extensions. We also show
how to verify a variant of receipt-freeness, despite the severe limitations of
the property specification language in the model checker
Verification of the Socio-Technical Aspects of Voting: The Case of the Polish Postal Vote 2020
Voting procedures are designed and implemented by people, for people, and
with significant human involvement. Thus, one should take into account the
human factors in order to comprehensively analyze properties of an election and
detect threats. In particular, it is essential to assess how actions and
strategies of the involved agents (voters, municipal office employees, mail
clerks) can influence the outcome of other agents' actions as well as the
overall outcome of the election. In this paper, we present our first attempt to
capture those aspects in a formal multi-agent model of the Polish presidential
election 2020. The election marked the first time when postal vote was
universally available in Poland. Unfortunately, the voting scheme was prepared
under time pressure and political pressure, and without the involvement of
experts. This might have opened up possibilities for various kinds of ballot
fraud, in-house coercion, etc. We propose a preliminary scalable model of the
procedure in the form of a Multi-Agent Graph, and formalize selected integrity
and security properties by formulas of agent logics. Then, we transform the
models and formulas so that they can be input to the state-of-art model checker
Uppaal. The first series of experiments demonstrates that verification scales
rather badly due to the state-space explosion. However, we show that a recently
developed technique of user-friendly model reduction by variable abstraction
allows us to verify more complex scenarios
Verification of Multi-Agent Properties in Electronic Voting: A Case Study
Formal verification of multi-agent systems is hard, both theoretically and in
practice. In particular, studies that use a single verification technique
typically show limited efficiency, and allow to verify only toy examples. Here,
we propose some new techniques and combine them with several recently developed
ones to see what progress can be achieved for a real-life scenario. Namely, we
use fixpoint approximation, domination-based strategy search, partial order
reduction, and parallelization to verify heterogeneous scalable models of the
Selene e-voting protocol. The experimental results show that the combination
allows to verify requirements for much more sophisticated models than
previously
Machine-checking the universal verifiability of ElectionGuard
ElectionGuard is an open source set of software components and specifications from Microsoft designed to allow the modification of a number of different e-voting protocols and products to produce public evidence (transcripts) which anyone can verify. The software uses ElGamal, homomorphic tallying and sigma protocols to enable public scrutiny without adversely affecting privacy. Some components have been formally verified (machine-checked) to be free of certain software bugs but there was no formal verification of their cryptographic security.
Here, we present a machine-checked proof of the verifiability guarantees of the transcripts produced and verified according to the ElectionGuard specification. We have also extracted an executable version of the verifier specification, which we proved to be secure, and used it to verify election transcripts produced by ElectionGuard. Our results show that our implementation is of similar efficiency to existing implementations
Efficient mixing of arbitrary ballots with everlasting privacy: How to verifiably mix the PPATC scheme
The long term privacy of voting systems is of increasing concern as quantum computers come closer to reality. Everlasting privacy schemes offer the best way to manage these risks at present. While homomorphic tallying schemes with everlasting privacy are well developed, most national elections, using electronic voting, use mixnets. Currently the best candidate encryption scheme for making these kinds of elections everlastingly private is PPATC, but it has not been shown to work with any mixnet of comparable efficiency to the current ElGamal mixnets. In this work we give a paper proof, and a machine checked proof, that the variant of Wikstrom\u27s mixnet commonly in use is safe for use with the PPATC encryption scheme
Formally Verified Verifiable Electronic Voting Scheme
Since the introduction of secret ballots in Victoria, Australia in 1855, paper (ballots) are widely used around the world to record the preferences of eligible voters. Paper ballots provide three important ingredients: correctness, privacy, and verifiability. However, the paper ballot election brings various other challenges, e.g. it is slow for large democracies like India, error prone for complex voting method like single transferable vote, and poses operational challenges for large countries like Australia. In order to solve these problems and various others, many countries are adopting electronic voting. However, electronic voting has a whole new set of problems. In most cases, the software programs used to conduct the election have numerous problems, including, but not limited to, counting bugs, ballot identification, etc. Moreover, these software programs are treated as commercial in confidence and
are not allowed to be inspected by members of the public. As a consequence, the result produced by these software programs can not be substantiated.
In this thesis, we address the three main concerns posed by electronic voting, i.e. correctness, privacy, and verifiability. We address the correctness concern by using theorem prover to implement the vote counting algorithm,
privacy concern by using cryptography, and verifiability concern by generating a independently checkable scrutiny sheet (certificate). Our work has been carried out in the Coq theorem prover
Verified Verifiers for Verifying Elections
The security and trustworthiness of elections is critical to democracy; alas, securing elections is notoriously hard. Powerful cryptographic techniques for verifying the integrity of electronic voting have been developed and are in increasingly common use. The claimed security guarantees of most of these techniques have been formally proved. However, implementing the cryptographic verifiers which utilize these techniques is a technical and error prone process, and often leads to critical errors appearing in the gap between the implementation and the formally verified design. We significantly reduce the gap between theory and practice by using machine checked proofs coupled with code extraction to produce cryptographic verifiers that are themselves formally verified. We demonstrate the feasibility of our technique by producing a formally verified verifier which we use to check the 2018 International Association for Cryptologic Research (IACR) directors election