Logical Analysis and Verification of Cryptographic Protocols - Loria
CHAPTER 7. VOTER VERIFIABILITY FOR E-VOTING PROTOCOLS
board from the administrators). To model the possibility of dishonest administrators, we allow the attacker to supply $\tilde{y}$ by means of the substitution $\tau$. The test is required to return true if and only if the declaration corresponds to the votes actually cast.
Definition 60 (Voter verifiability) A voting process specification $\langle V, P, \tilde{s}, \tilde{t}, \tilde{m} \rangle$ satisfies voter verifiability if and only if for all $n$ and votes $\bar{v}_1, \ldots, \bar{v}_n$ of type Candidate, there exist tests $R^{IV}$, $R^{UV}$, such that $(\mathrm{fv}(R^{IV}) \cup \mathrm{fv}(R^{UV})) \cap \{x'_1, x'_2, \ldots\} = \mathrm{fn}(R^{IV}) \cup \mathrm{fn}(R^{UV}) = \emptyset$ and for all irreducible extended processes $B$ where $\varphi(B) = \nu \tilde{n}.\sigma$, if

a) $\widehat{VP}(\{\bar{v}_1/u\}, \ldots, \{\bar{v}_n/u\}) \, (\rightarrow^* \xrightarrow{\alpha} \rightarrow^*)^* \, B$; and

b) $\mathrm{dom}(\sigma) = \{x'_1, \ldots, x'_{k \cdot n}\}$;

where $k$ is defined such that $k \cdot n$ is the number of occurrences of $c\langle M \rangle$ in $\widehat{VP}(\{\bar{v}_1/u\}, \ldots, \{\bar{v}_n/u\})$ for $c \notin \tilde{n}$,
then there exist injective maps $f_1, \ldots, f_k : \{1, \ldots, n\} \to \{1, \ldots, k \cdot n\}$ where the ranges of $f_1, \ldots, f_k$ are pairwise disjoint and the conditions below are satisfied. Moreover, we require the existence of $B$ satisfying Conditions a) & b).
1. Individual verifiability. For all $i_1, \ldots, i_k, j, v'$ we have:

$$R^{IV}\{v'/u,\ x'_{f_1(i_1)}/x_1, \ldots, x'_{f_k(i_k)}/x_k,\ \tilde{s}'_j/\tilde{z}\}\sigma \;\Leftrightarrow\; i_1 = i_2 = \ldots = i_k = j \,\wedge\, v' = \bar{v}_j$$

where $\tilde{s}'_j = (s_{1,j}, \ldots, s_{|\tilde{s}|,j}, kpc_j)$.
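2. Universal verifiability. For all $\tilde{v}'$ we have:

$$\exists \tau.\big(\mathrm{dom}(\sigma) \cap \mathrm{dom}(\tau) = \emptyset \,\wedge\, R^{UV}\{\tilde{v}'/\tilde{u},\ \tilde{x}'_{f_1}/\tilde{x}_1, \ldots, \tilde{x}'_{f_k}/\tilde{x}_k\}\tau \circ \sigma\big) \;\Leftrightarrow\; \tilde{v}' = (\bar{v}_1, \ldots, \bar{v}_n)$$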
We recall that $\widehat{VP}$ is a modification of $VP$ which stores all inputs the voter receives on the frame. Public channel inputs $a(x)$ are stored without modifications, whereas private channel inputs $a'(y)$ are stored in the form $\mathrm{senc}(y, k)$. The $R^{IV}$ test for the original protocol $VP$ can be extracted by replacing such inputs $x$ and $y$ into the test.
For convenience we use the shorthand $R^{IV}\Phi$ for $R^{IV}\{v'/u,\ x'_{f_1(i_1)}/x_1, \ldots, x'_{f_k(i_k)}/x_k,\ \tilde{s}_j/\tilde{z}\}\sigma$. Similarly we write $R^{UV}\Phi$ for $R^{UV}\{\tilde{v}'/\tilde{u},\ \tilde{x}'_{f_1}/\tilde{x}_1, \ldots, \tilde{x}'_{f_k}/\tilde{x}_k\}\tau \circ \sigma$.
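
As an added illustration (not part of the original text), the following Python sketch checks the two biconditionals of Definition 60 by brute force on a constructed toy protocol with $k = 2$ public outputs per voter. The protocol, the hash-based records, the candidate set and all function names are assumptions made for this example; the toy $R^{UV}$ needs no administrator-supplied data, so $\tau$ is empty, and a finite enumeration is a sanity check, not a symbolic proof.

```python
import hashlib
from itertools import product

CANDIDATES = ("a", "b")  # constructed candidate set (assumption)

def h(*parts):
    # Hash standing in for a symbolic one-way function (toy assumption).
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def voter_outputs(v, s):
    # k = 2 public outputs per voter: a pseudonym and a tagged ballot.
    return h("id", s), (v, h("vote", v, s))

def r_iv(u, x1, x2, z):
    # R^IV: both records were built from secret z and the ballot carries vote u.
    return x1 == h("id", z) and x2 == (u, h("vote", u, z))

def r_uv(us, x2s):
    # R^UV: the declared votes are exactly the votes on the ballot records.
    return tuple(us) == tuple(b[0] for b in x2s)

def build_frame(votes, secrets):
    # sigma maps x'_1..x'_{k*n} to records; f1(i) = i and f2(i) = n + i
    # are injective with disjoint ranges, as the definition requires.
    outs = [voter_outputs(v, s) for v, s in zip(votes, secrets)]
    n = len(votes)
    sigma = {i + 1: o[0] for i, o in enumerate(outs)}
    sigma.update({n + i + 1: o[1] for i, o in enumerate(outs)})
    f1 = {i: i for i in range(1, n + 1)}
    f2 = {i: n + i for i in range(1, n + 1)}
    return sigma, f1, f2

def individual_verifiability(votes, secrets):
    # For all i1, i2, j, v': R^IV holds  <=>  i1 = i2 = j and v' = v_j.
    sigma, f1, f2 = build_frame(votes, secrets)
    idx = range(1, len(votes) + 1)
    return all(
        r_iv(v, sigma[f1[i1]], sigma[f2[i2]], secrets[j - 1])
        == (i1 == i2 == j and v == votes[j - 1])
        for i1, i2, j, v in product(idx, idx, idx, CANDIDATES))

def universal_verifiability(votes, secrets):
    # For all declared tuples v~': R^UV holds  <=>  v~' = (v_1, ..., v_n).
    sigma, _, f2 = build_frame(votes, secrets)
    x2s = [sigma[f2[i]] for i in range(1, len(votes) + 1)]
    return all(r_uv(d, x2s) == (d == tuple(votes))
               for d in product(CANDIDATES, repeat=len(votes)))
```

With distinct voter secrets both checks return `True`; if two voters share a secret and a vote, `individual_verifiability` returns `False`, because $R^{IV}$ then also accepts another voter's record and the "only if" direction fails.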