Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
192 CHAPTER 7. VOTER VERIFIABILITY FOR E-VOTING PROTOCOLS<br />
<strong>Analysis</strong> Let tests R IV , R UV be given as in Figure 7.3. The tests make the following<br />
assumptions. The variable x1 corresponds to the public/secret keys sent<br />
to the voter by the key distribution process; x2 is the voter’s r<strong>and</strong>omised ballot;<br />
<strong>and</strong> x3 is the signed ballot produced by the r<strong>and</strong>omisation service along with<br />
a designated verifier pro<strong>of</strong> demonstrating the correctness <strong>of</strong> the re-encryption.<br />
The value x4 is the voter’s double signed ballot <strong>and</strong> finally x5 corresponds to the<br />
public keys published by the keying process. Additionally R UV assumes that for<br />
all i ∈ {1, . . . , n} we have y1,i corresponds to the ballot recovered from the double<br />
signed ballot produced by the voter; y2,i is a signature pro<strong>of</strong> <strong>of</strong> knowledge<br />
revealing the ballot’s decryption key; <strong>and</strong> finally y3,i is the decryted ballot (i.e.<br />
the ith voter’s vote).<br />
Suppose � V P (1, . . . , n)(−→ ∗ α −→−→ ∗ ) ∗ ν ñ.(σ | Q) such that Q is irreducible <strong>and</strong><br />
dom(σ) = {x ′ 1, . . . , x ′ 6·n}. Without loss <strong>of</strong> generality we have σ as specified in<br />
Figure 7.3. Let ˜ f be given by fi(j) = l(i−1)·n+j. It follows that:<br />
1. Individual verifiability. The expansion <strong>of</strong> R IV Φ is provided in Figure 7.3.<br />
The result follows immediately since R IV Φ has a single solution for<br />
i1, . . . , i6, j namely i1 = i2 = . . . = i6 = j <strong>and</strong> v ′ = ¯vj.<br />
2. Universal verifiability. We observe R UV {˜v ′ /ũ, ˜x ′ f1/˜x1, . . . , ˜x ′ f k/˜xk}σ evaluates<br />
to the following for all i ∈ {1, . . . , n}:<br />
y1,i = b ′ i ∧ Ver1,3(FL, y2,i)∧<br />
y1,i = Public3(y2,i) ∧ P k(skT ) = Public1(y2,i)∧<br />
y3,i = dec(y1,i, Public2(y2,i)) ∧ v ′ i = y3,i<br />
where b ′ i = penc(¯vi, f(ri, r ′ i), P k(skT )). It follows that R UV Φ holds when<br />
˜v ′ = (¯v1, . . . , ¯vn) <strong>and</strong><br />
τ =E {b ′ 1/y1,1, . . . , b ′ n/y1,n, s1/y2,1, . . . , sn/y2,ns¯v1/y3,1, . . . , ¯vn/y3,n}<br />
with si = SPK1,3((skT ), (pkT , commit(b ′ i, skT ), b ′ i), FL), concluding our pro<strong>of</strong>.<br />
Moreover, we have � V P ({¯v1/u}, . . . , {¯vn/u})(−→ ∗ α −→−→ ∗ ) ∗ ϕ such that dom(ϕ) =<br />
{x ′ 1, . . . , x ′ 6·n}.<br />
7.6 Relates works<br />
The literature is rich in works dealing with formal verification <strong>of</strong> security protocols.<br />
However, there are only few formal works [30, 77, 97, 196, 136, 149] related<br />
to electronic voting protocols. This is mainly due to their lack <strong>of</strong> maturity compared<br />
to other ones such as key distribution or authentication protocols, <strong>and</strong> to