### Analysis of an Electronic Voting Protocol in the Applied Pi Calculus [chapter]

Steve Kremer, Mark Ryan
2005 Lecture Notes in Computer Science
Electronic voting promises the possibility of a convenient, efficient and secure facility for recording and tallying votes in an election. Recently highlighted inadequacies of implemented systems have demonstrated the importance of formally verifying the underlying voting protocols. The applied pi calculus is a formalism for modelling such protocols, and allows us to verify properties by using automatic tools, and to rely on manual proof techniques for cases that automatic tools are unable to
more » ... ndle. We model a known protocol for elections known as FOO 92 in the applied pi calculus, and we formalise three of its expected properties, namely fairness, eligibility, and privacy. We use the ProVerif tool to prove that the first two properties are satisfied. In the case of the third property, ProVerif is unable to prove it directly, because its ability to prove observational equivalence between processes is not complete. We provide a manual proof of the required equivalence. M. Sagiv (Ed.): ESOP 2005, LNCS 3444, pp. 186-200, 2005. c Springer-Verlag Berlin Heidelberg 2005 Analysis of an Electronic Voting Protocol in the Applied Pi Calculus 187 administrator in order to construct an encryption of her vote. The administrator then exploits homomorphic properties of the encryption algorithm to compute the encrypted tally directly from the encrypted votes. Among the properties which electronic voting protocols may satisfy are the following: Fairness: no early results can be obtained which could influence the remaining voters. Eligibility: only legitimate voters can vote, and only once. Privacy: the fact that a particular voted in a particular way is not revealed to anyone. Individual verifiability: a voter can verify that her vote was really counted. Universal verifiability: the published outcome really is the sum of all the votes. Receipt-freeness: a voter cannot prove that she voted in a certain way (this is important to protect voters from coercion). In this paper, we study a protocol commonly known as the FOO 92 scheme [12] , which works with blind signatures. By informal analysis (e.g., [16] ), it has been concluded that FOO 92 satisfies the first four properties in the list above. Because security protocols are notoriously difficult to design and analyse, formal verification techniques are particularly important. In several cases, protocols which were thought to be correct for several years have, by means of formal verification techniques, been discovered to have major flaws [14, 6] . Our aim in this paper is to use verification techniques to analyse the FOO 92 protocol. We model it in the applied pi calculus [3] , which has the advantages of being based on well-understood concepts. The applied pi calculus has a family of proof techniques which we can use, is supported by the ProVerif tool [4], and has been used to analyse a variety of security protocols [1, 11] .