A formal analysis of the Norwegian E-voting protocol

Norway used e-voting in its last political election both in September 2011 and September 2013, with more than 28,000 voters using the e-voting option in 2011, and 70,000 in 2013. While some other countries use a black-box, proprietary voting solution, Norway has made its system publicly available. The underlying protocol, designed by Scytl, involves several authorities (a ballot box, a receipt generator, a decryption service, and an auditor). Of course, trusting the correctness and security of e-voting protocols is crucial in that context. In this paper, we propose a formal analysis of the protocol used in Norway, w.r.t. ballot secrecy, considering several corruption scenarios. We use a state-of-the-art definition of ballot secrecy, based on equivalence properties and stated in the applied pi-calculus. Used in September 2011 and September 2013 for municipality and county elections in Norway [25], E-voting was tested in ten municipalities. During this nationwide local elections, more than 28,000 voters did use internet to cast their vote in 2011 and 70,000 in 2013. While many countries use black-box proprietary solutions, Norway made the protocol publicly available [23]. One key feature of this system is that voters can check that their votes have correctly reached the ballot box (" cast-as-intended " property) without anyone else knowing their vote. The goal of this paper is to conduct a thorough analysis of the Norwegian protocol for the ballot secrecy property: does this system guarantee that no one can know how some voter voted? Formal methods have been successfully applied to security protocols with the development of several tools such as ProVerif [10], Avispa [4], or Scyther [20] that can automatically analyse both protocols of the literature and fully deployed protocols such as TLS [9]. We therefore chose to model and analyse the Norwegian protocols in a symbolic model named the applied pi-calculus model [1]. A first issue comes from the fact that the underlying encryption primitive is non standard and rather complex. Indeed, the decryption key is split in two shares a 1 and a 2 with a 3 = a 1 + a 2. Each of these three keys a 1 , a 2 , a 3 is given to one administration authority. As further explained in Section 1, this allows for re-encryption and is crucial for the " cast-as-intended " property of the protocol.

[1]  Eric Wustrow,et al.  Security analysis of India's electronic voting machines , 2010, CCS '10.

[2]  Ralf Sasse,et al.  Automated Symbolic Proofs of Observational Equivalence , 2015, CCS.

[3]  Vanessa Teague,et al.  The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election , 2015, VoteID.

[4]  Mark Ryan,et al.  Verifying Privacy-Type Properties of Electronic Voting Protocols: A Taster , 2010, Towards Trustworthy Elections.

[5]  Ben Smyth,et al.  Adapting Helios for Provable Ballot Privacy , 2011, ESORICS.

[6]  Philip B. Stark,et al.  STAR-Vote: A Secure, Transparent, Auditable, and Reliable Voting System , 2012, EVT/WOTE.

[7]  Véronique Cortier,et al.  A Method for Proving Observational Equivalence , 2009, 2009 22nd IEEE Computer Security Foundations Symposium.

[8]  Byoungcheon Lee,et al.  Providing Receipt-Freeness in Mixnet-Based Voting Protocols , 2003, ICISC.

[9]  Mark Ryan,et al.  Election Verifiability in Electronic Voting Protocols , 2010, ESORICS.

[10]  Ariel J. Feldman,et al.  Security Analysis of the Diebold AccuVote-TS Voting Machine , 2007, EVT.

[11]  Ben Smyth,et al.  Attacking and Fixing Helios: An Analysis of Ballot Secrecy , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[12]  Véronique Cortier,et al.  A formal analysis of the Norwegian E-voting protocol , 2012, J. Comput. Secur..

[13]  Ralf Küsters,et al.  An Epistemic Approach to Coercion-Resistance for Electronic Voting Protocols , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[14]  Jia Liu,et al.  A Proof of Coincidence of Labeled Bisimilarity and Observational Equivalence in Applied Pi Calculus , 2011 .

[15]  Ronald Cramer,et al.  A Secure and Optimally Efficient Multi-Authority Election Scheme ( 1 ) , 2000 .

[16]  Alwen Tiu,et al.  Automating Open Bisimulation Checking for the Spi Calculus , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[17]  Tatsuaki Okamoto,et al.  Receipt-Free Electronic Voting Schemes for Large Scale Elections , 1997, Security Protocols Workshop.

[18]  Cas J. F. Cremers,et al.  The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols , 2008, CAV.

[19]  Martín Abadi,et al.  Mobile values, new names, and secure communication , 2001, POPL '01.

[20]  Jeremy Clark,et al.  Scantegrity II: End-to-End Verifiability by Voters of Optical Scan Elections Through Confirmation Codes , 2009, IEEE Transactions on Information Forensics and Security.

[21]  Ralf Küsters,et al.  Proving Coercion-Resistance of Scantegrity II , 2010, ICICS.

[22]  Rohit Chadha,et al.  Automated Verification of Equivalence Properties of Cryptographic Protocols , 2012, ACM Trans. Comput. Log..

[23]  Jeremy Clark,et al.  Scantegrity Mock Election at Takoma Park , 2010, Electronic Voting.

[24]  Mark Ryan,et al.  Reduction of Equational Theories for Verification of Trace Equivalence: Re-encryption, Associativity and Commutativity , 2012, POST.

[25]  Véronique Cortier,et al.  When Are Three Voters Enough for Privacy Properties? , 2016, ESORICS.

[26]  Vincent Cheval,et al.  Trace equivalence decision: negative tests and non-determinism , 2011, CCS '11.

[27]  Kristian Gjøsteen,et al.  Analysis of an internet voting protocol , 2010, IACR Cryptol. ePrint Arch..

[28]  Atsushi Fujioka,et al.  An Improvement on a Practical Secret Voting Scheme , 1999, ISW.

[29]  Ralf Küsters,et al.  A Game-Based Definition of Coercion-Resistance and Its Applications , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[30]  Atsushi Fujioka,et al.  A Practical Secret Voting Scheme for Large Scale Elections , 1992, AUSCRYPT.

[31]  Mark Ryan,et al.  Verifying privacy-type properties of electronic voting protocols , 2009, J. Comput. Secur..

[32]  Cédric Fournet,et al.  Cryptographically verified implementations for TLS , 2008, CCS.

[33]  Martín Abadi,et al.  Automated verification of selected equivalences for security protocols , 2005, 20th Annual IEEE Symposium on Logic in Computer Science (LICS' 05).

[34]  Sebastian Mödersheim,et al.  The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications , 2005, CAV.

[35]  Bogdan Warinschi,et al.  How Not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios , 2012, ASIACRYPT.