Logical Analysis and Verification of Cryptographic Protocols - Loria
190 CHAPTER 7. VOTER VERIFIABILITY FOR E-VOTING PROTOCOLS
2. Universal verifiability. We observe that $R^{UV}$ �

$$\Phi = \bigwedge_{i=1}^{n} \mathrm{eq}(\mathrm{open}(\mathrm{nth}^{3}_{2}(\langle l_i, \mathrm{commit}(\bar{v}_i, r_i), \mathrm{sign}(\mathrm{commit}(\bar{v}_i, r_i), \mathit{skA})\rangle), r_i), v'_i) =_E \bigwedge_{i=1}^{n} \mathrm{eq}(\mathrm{open}(\mathrm{commit}(\bar{v}_i, r_i), r_i), v'_i) =_E \mathrm{eq}(\bar{v}_i, v'_i)$$

and hence has a single solution for $v'_1, \dots, v'_n$, namely $\tilde{v}' = (\bar{v}_1, \dots, \bar{v}_n)$, concluding our proof.

Moreover, by inspection of the voting process specification, we have � $\mathit{VP}(\{\bar{v}_1/u\}, \dots, \{\bar{v}_n/u\})\,(\to^{*} \xrightarrow{\alpha} \to^{*})^{*}\, B$ and $\mathrm{dom}(\sigma) = \{x'_1, \dots, x'_{7 \cdot n}\}$.
7.5.4 Protocol due to Lee et al.
Description. The protocol [141] involves an administrator, voters, mixers, talliers and a trusted randomisation service (in practice the randomisation service is implemented as a secure smart card called a tamper resistant randomiser). The voter encrypts her ballot and sends it to the randomisation service using a private channel. The randomisation service re-encrypts the ballot and returns the signed re-encrypted ballot along with a designated verifier proof which demonstrates that the re-encrypted ballot is indeed a re-encryption of the voter's encrypted ballot. The additional randomisation ensures the voter cannot reconstruct her ballot and hence is unable to create a receipt for a potential coercer. The voter signs her ballot and posts it on the bulletin board. The administrator verifies the double signed ballots and publishes valid ballots on the bulletin board. The mixers then perform a secret shuffle. Finally the talliers use signature proofs of knowledge to reveal a (t, n)-threshold decryption key for each ballot.
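The re-encryption step described above, as an added Python example that is not taken from the thesis or from [141]: it shows that the randomised ballot still decrypts to the voter's choice, while the voter's own randomness no longer opens the posted ciphertext, which is why she cannot produce a receipt. The toy group parameters, the encoding of votes as powers of the generator, and all function names are assumptions made for illustration.

```python
# Added illustration: toy ElGamal re-encryption as done by the randomisation service.
# Assumptions: the group (p=1019, q=509, g=4) is a constructed toy parameter set,
# votes are encoded as g^vote, and all function names are hypothetical.
import secrets

P, Q, G = 1019, 509, 4  # safe prime p = 2q + 1; g generates the order-q subgroup

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(vote, rand, pk):
    """Ballot (g^rand, g^vote * pk^rand) under the talliers' public key."""
    return pow(G, rand, P), pow(G, vote, P) * pow(pk, rand, P) % P

def reencrypt(ct, s, pk):
    """Multiply in an encryption of 1 under fresh randomness s."""
    a, b = ct
    return a * pow(G, s, P) % P, b * pow(pk, s, P) % P

def decrypt(ct, sk, candidates):
    """Recover g^vote and map it back to a candidate index."""
    a, b = ct
    m = b * pow(a, Q - sk, P) % P  # a^(q - sk) equals a^(-sk) in the order-q subgroup
    return next(v for v in candidates if pow(G, v, P) == m)

def opens_to(ct, vote, rand, pk):
    """Receipt check: does the claimed (vote, rand) reproduce the ciphertext?"""
    return encrypt(vote, rand, pk) == ct

def demo(vote=2, candidates=range(4)):
    sk_t, pk_t = keygen()
    r = secrets.randbelow(Q - 1) + 1  # voter's randomness
    s = secrets.randbelow(Q - 1) + 1  # randomiser's randomness, never shown to the voter
    ballot = encrypt(vote, r, pk_t)
    posted = reencrypt(ballot, s, pk_t)
    return {
        "same_vote": decrypt(posted, sk_t, candidates) == vote,
        "opens_original_with_r": opens_to(ballot, vote, r, pk_t),
        "opens_posted_with_r": opens_to(posted, vote, r, pk_t),
        "opens_posted_with_r_plus_s": opens_to(posted, vote, (r + s) % Q, pk_t),
    }

if __name__ == "__main__":
    print(demo())
```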
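Applied pi formalism. The voting specification of this protocol is defined as $\langle \mathsf{voter}, \mathsf{registrar}, \tilde{s}, \tilde{t}, \tilde{m} \rangle$ where $\tilde{s} = (r)$, $\tilde{t} = (\mathit{skV}, \mathit{skR})$, $\tilde{m} = (\mathit{aV})$ and processes $\mathsf{voter}$, $\mathsf{registrar}$ are defined below.

$$
\begin{array}{l}
\mathsf{voter} \triangleq \mathit{aV}(\mathit{skV}, \mathit{pkR}, \mathit{pkT}) \\
\quad \mathsf{let}\ b = \mathsf{penc}(u, r, \mathit{pkT})\ \mathsf{in} \\
\quad \mathit{aVR}\langle b \rangle . \mathit{aVR}(\mathit{sb}', \mathit{dvp}) \\
\quad \mathsf{if}\ \mathsf{checkdvp}(\mathit{dvp}, b, \mathsf{getmsg}(\mathit{sb}'), \mathsf{Pk}(\mathit{skV}))\ \mathsf{then} \\
\quad \mathsf{if}\ \mathsf{checksign}(\mathit{sb}', \mathit{pkR})\ \mathsf{then} \\
\quad \mathit{bb}\langle \mathsf{sign}(\mathit{sb}', \mathit{skV}) \rangle \\[1ex]
\mathsf{registrar} \triangleq \mathit{aV}\langle \mathit{skV}, \mathsf{Pk}(\mathit{skR}), \mathsf{Pk}(\mathit{skT}) \rangle \mid \mathit{aR}\langle \mathit{skR} \rangle \mid \\
\quad \mathit{bb}\langle \langle \mathsf{Pk}(\mathit{skV}), \mathsf{Pk}(\mathit{skR}), \mathsf{Pk}(\mathit{skT}) \rangle \rangle
\end{array}
$$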
For simplicity we consider (1, n)-threshold decryption. In addition we assume the existence of a secure mixer and hence do not verify the shuffle.

In [141] it is suggested that the protocol makes use of the ElGamal encryption scheme which we model by the following equations for decryption and