Nexus Authorization Logic (NAL): Logical Results

Nexus Authorization Logic (NAL) [Schneider et al. 2011] is a logic for reasoning about authorization in distributed systems. A revised version of NAL is given here, including revised syntax, a revised proof theory using localized hypotheses, and a new Kripke semantics. The proof theory is proved sound with respect to the semantics, and that proof is formalized in Coq

Belief Semantics of Authorization Logic

Authorization logics have been used in the theory of computer security to reason about access control decisions. In this work, a formal belief semantics for authorization logics is given. The belief semantics is proved to subsume a standard Kripke semantics. The belief semantics yields a direct representation of principals' beliefs, without resorting to the technical machinery used in Kripke semantics. A proof system is given for the logic; that system is proved sound with respect to the belief and Kripke semantics. The soundness proof for the belief semantics, and for a variant of the Kripke semantics, is mechanized in Coq

Civitas: Implementation of a Threshold Cryptosystem

This paper describes the implementation of a threshold cryptosystem for Civitas, a secure electronic voting system. The cryptosystem improves the availability of Civitas by enabling tabulation to complete despite the failure of some agents. The implementation includes a sophisticated distributed key generation protocol, which was designed by Gennaro, Jarecki, Krawczyk, and Rabin. The cryptosystem is implemented in Jif, a security-typed language

Civitas: Toward a Secure Voting System

Civitas is the first electronic voting system that is coercion-resistant, universally and voter verifiable, and suitable for remote voting. This paper describes the design and implementation of Civitas. Assurance is established in the design through security proofs, and in the implementation through information-flow security analysis. Experimental results give a quantitative evaluation of the tradeoffs between time, cost, and security.Engineering and Applied Science

Quantifying Information Flow with Beliefs

To reason about information flow, a new model is developed that describes how attacker beliefs change due to the attacker's observation of the execution of a probabilistic (or deterministic) program. The model enables compositional reasoning about information flow from attacks involving sequences of interactions. The model also supports a new metric for quantitative information flow that measures accuracy of an attacker's beliefs. Applying this new metric reveals inadequacies of traditional information flow metrics, which are based on reduction of uncertainty. However, the new metric is sufficiently general that it can be instantiated to measure either accuracy or uncertainty. The new metric can also be used to reason about misinformation; deterministic programs are shown to be incapable of producing misinformation. Additionally, programs in which nondeterministic choices are made by insiders, who collude with attackers, can be analyzed

Surveying definitions of election verifiability

We explore definitions of verifiability by Juels et al. (2010), Cortier et al. (2014), and Kiayias et al. (2015). We discover that voting systems vulnerable to attacks can be proven to satisfy each of those definitions and conclude they are unsuitable for the analysis of voting systems. Our results will fuel the exploration for a new definition

A Chemical Composition Survey of the Iron-Complex Globular Cluster NGC 6273 (M 19)

Recent observations have shown that a growing number of the most massive Galactic globular clusters contain multiple populations of stars with different [Fe/H] and neutron-capture element abundances. NGC 6273 has only recently been recognized as a member of this "iron-complex" cluster class, and we provide here a chemical and kinematic analysis of > 300 red giant branch (RGB) and asymptotic giant branch (AGB) member stars using high resolution spectra obtained with the Magellan-M2FS and VLT-FLAMES instruments. Multiple lines of evidence indicate that NGC 6273 possesses an intrinsic metallicity spread that ranges from about [Fe/H] = -2 to -1 dex, and may include at least three populations with different [Fe/H] values. The three populations identified here contain separate first (Na/Al-poor) and second (Na/Al-rich) generation stars, but a Mg-Al anti-correlation may only be present in stars with [Fe/H] > -1.65. The strong correlation between [La/Eu] and [Fe/H] suggests that the s-process must have dominated the heavy element enrichment at higher metallicities. A small group of stars with low [alpha/Fe] is identified and may have been accreted from a former surrounding field star population. The cluster's large abundance variations are coupled with a complex, extended, and multimodal blue horizontal branch (HB). The HB morphology and chemical abundances suggest that NGC 6273 may have an origin that is similar to omega Cen and M 54.Comment: Accepted for Publication in The Astrophysical Journal; 50 pages; 18 figures; 8 tables; higher resolution figures are available upon request or in the published journal articl

Election Verifiability: Cryptographic Definitions and an Analysis of Helios, Helios-C, and JCJ

Election verifiability is defined in the computational model of cryptography. The definition formalizes notions of voters verifying their own votes, auditors verifying the tally of votes, and auditors verifying that only eligible voters vote. The Helios (Adida et al., 2009), Helios-C (Cortier et al., 2014) and JCJ (Juels et al., 2010) election schemes are analyzed using the definition. Neither Helios nor Helios-C satisfy the definition because they do not ensure that recorded ballots are tallied in certain cases when the adversary posts malicious material on the bulletin board. A variant of Helios is proposed and shown to satisfy the definition. JCJ similarly does not ensure that recorded ballots are tallied in certain cases. Moreover, JCJ does not ensure that only eligible voters vote, due to a trust assumption it makes. A variant of JCJ is proposed and shown to satisfy a weakened definition that incorporates the trust assumption. Previous definitions of verifiability (Juels et al., 2010; Cortier et al., 2014; Kiayias et al., 2015) and definitions of global verifiability (Kuesters et al., 2010; Cortier et al., 2016) are shown to permit election schemes vulnerable to attacks, whereas the new definition prohibits those schemes. And a relationship between the new definition and a variant of global verifiability is shown