Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

186 CHAPTER 7. VOTER VERIFIABILITY FOR E-VOTING PROTOCOLS board from the administrators). To model the possibility of dishonest administrators, we allow the attacker to supply ˜y by means of the substitution τ. The test is required to return true if and only if the declaration corresponds to the votes actually cast. Definition 60 (Voter verifiability) A voting process specification 〈V, P, ˜s, ˜t, ˜m〉 satisfies voter verifiability if and only if for all n and votes ¯v1, . . . , ¯vn of type Candidate, there exist tests R IV , R UV , such that (fv(R IV ) ∪ fv(R UV )) ∩ {x ′ 1, x ′ 2, . . .} = fn(R IV ) ∪ fn(R UV ) = ∅ and for all irreducible extended processes B where φ(B) = ν ñ.σ, if a) � V P ({¯v1/u}, . . . , {¯vn/u})(−→ ∗ α −→−→ ∗ ) ∗ B; and b) dom(σ) = {x ′ 1, . . . , x ′ k·n }; where k is defined such that k · n is the number of occurrences of c〈M〉 in �V P ({¯v1/u}, . . . , {¯vn/u}) for c �∈ ñ, then there exists injective maps f1, . . . , fk : {1, . . . , n} → {1, . . . , k · n} where the ranges of f1, . . . , fk are pairwise disjoint and the conditions below are satisfied. Moreover, we require the existence of B satisfying Conditions a) & b). 1. Individual verifiability. For all i1, . . . , ik, j, v ′ we have: R IV {v ′ /u, x ′ f1(i1)/x1, . . . , x ′ fk(ik)/xk, ˜s ′ j/˜z}σ ⇔ i1 = i2 = . . . = ik = j ∧ v ′ = ¯vj where ˜s ′ j = (s1,j, . . . , s|˜s|,j, kpcj). 2. Universal verifiability. For all ˜v ′ we have: ∃τ.(dom(σ) ∩ dom(τ) = ∅ ∧ R UV {˜v ′ /ũ, ˜x ′ f1/˜x1, . . . , ˜x ′ f k/˜xk}τ ◦ σ) ⇔ ˜v ′ = (¯v1, . . . , ¯vn) We recall that � V P is a modification of V P which stores all inputs the voter receives on the frame. Public channel inputs a(x) are stored without modifications, whereas private channel inputs a ′ (y) are stored in the form senc(y, k). The RIV test for the original protocol V P can be extracted by replacing such inputs x and y into the test. For convenience we use the shorthand RIV Φ for RIV {v ′ /u, x ′ f1(i1)/x1, . . . , x ′ fk(ik)/xk, ˜sj/˜z}σ. Similarly we write RUV Φ for RUV {˜v ′ /ũ, ˜x ′ f1/˜x1, . . . , ˜x ′ fk/˜xk}τ ◦ σ.
7.5. CASES STUDIES 187 7.5 Cases studies 7.5.1 Postal ballot voting protocol Consider again the simple “postal ballot” voting protocol (Figure 7.1). Such a protocol should be voter verifiable. Analysis Let tests R IV , R UV be given as follows: RIV = eq(sign(u, sdec(x2, z1)), x3) R ∧ eq(x1, P k(sdec(x2, z1))) UV = �n i=1 eq(getmsg(x3,i), ui) and hence the variable x1 is expected to correspond to the voter’s public key published by the key distribution process; x2 is the voter’s private key distributed on a private channel; and x3 should correspond to the voter’s signed vote. Suppose � V P (1, . . . , n)(−→ ∗ α −→−→ ∗ ) ∗ B = ν ñ.(σ | Q) such that B is irreducible and dom(σ) = {x ′ 1, . . . , x ′ 3·n}. Without loss of generality we have: σ = {P k(skV1)/x ′ l1 , . . . , P k(skVn)/x ′ ln , senc(skV1, kpc1)/x ′ l n+1 , . . . , senc(skVn, kpcn)/x ′ l2n , sign(¯v1, skV1)/x ′ l 2n+1 , . . . , sign(¯vn, skVn)/x ′ l3n } Let f1, f2, f3 be given by f1(j) = lj, f2(j) = ln+j, f3(j) = l2n+j. It follows that: 1. Individual verifiability. We observe R IV Φ is defined as sign(v ′ , sdec(senc(skVi 2 , kpci2), kpcj)) = sign(¯vi3, skVi 3 ) ∧ P k(skVi 1 ) = P k(sdec(senc(skVi 2 , kpci2), kpcj)). For the ⇒ implication suppose R IV Φ holds. It must be the case that i1 = i2 = i3 = j and v ′ = ¯vj. For the ⇐ implication suppose i1 = i2 = i3 = j and v ′ = ¯vj. The result follows immediately. 2. Universal verifiability. For the ⇒ implication suppose R UV Φ holds. We observe R UV Φ = � n i=1 eq(getmsg(sign(¯vi, skVi )), v′ i) =E � n i=1 eq(¯vi, v ′ i) and hence it must be the case that ¯v1 = v ′ 1 ∧. . .∧ ¯vn = v ′ n. It follows immediately that ˜v ′ = (¯v1, . . . , ¯vn). For the ⇐ implication suppose ˜v ′ = (¯v1, . . . , ¯vn). We have RUV Φ = �n i=1 eq(getmsg(sign(¯vi, skVi )), v′ i) =E holds by our hypothesis. � n i=1 eq(¯vi, v ′ i), which Moreover, by inspection of the voting protocol specification we have �V P ({¯v1/u}, . . . , {¯vn/u})(−→ ∗ α −→−→ ∗ ) ∗ ϕ and dom(ϕ) = {x ′ 1, . . . , x ′ 3·n}.
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
112 CHAPTER 5. SATURATED DEDUCTION
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149: 136 CHAPTER 5. SATURATED DEDUCTION
Page 160 and 161: 148 CHAPTER 6. ON THE GROUND ENTAIL
Page 190 and 191: 178 CHAPTER 7. VOTER VERIFIABILITY
Page 210 and 211: 198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213: 200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215: 202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217: 204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219: 206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221: 208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223: 210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225: 212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227: 214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229: 216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?