Project 09 - Report

Paul Valiant
CS259
"An Electronic Voting Protocol (revisited)"

In this project, my purpose was to understand an electronic voting
protocol and determine its properties with the aid of Murphi.

The protocol was not ideal for analysis because the paper left many
important aspects of it unspecified. The paper in which the protocol is
described is less than three pages long; in this space, it attempts to
motivate, formulate, and verify a fairly lengthy protocol. In order to
understand the protocol, I had to look through several related papers.
One particularly vague thing was the blinded signature.

After unraveling the protocol, I reduced it step by step to a simpler
protocol that was conceptually straightforward, within Murphi's modelling
limits, and verifiably equivalent. I put some heuristic explanations of
these steps on my slides. However, due to the 20 minute time limit of the
presentation, I did not put much detail. Since then, I have gone back and
rigorously justified most of the steps in the derivation (see the slides).

It is interesting to note that the protocol I derived is essentially
compatible with the protocol the other group modelled. Thus the other
group correctly guessed which terms could be removed, and implemented a
Murphi model accordingly.

[Note: Part of the reason I devoted a significant portion of my talk to
explaining the protocol was that the other group did not. To me, a Murphi
model is meaningless unless it explicitly comes from a protocol.
Anecdotally, it would appear that most of the flaws people found in the
protocols presented in class were found in this modelling stage. I'm
slightly surprised that no one else attempted to justify this largest
conceptual step. It would appear that the purpose of automated analysis
is to eradicate such large leaps of faith.]

For the automated analysis I extended the code used by the first group in
a number of ways.

First, there were some conceptual errors in their code. For example, even
the dishonest CA insisted that everyone was a registered voter. However,
they allowed voters to forge their voter certificate, so these two issues
almost cancelled each other out. The problem remains, however, that if
you can forge a voting certificate and have the cooperation of the three
authorities, you can dupe the whole country.

I also extended their code to consider the case when the voters (as
opposed to the authorities) tried to verify the election. This is an
important issue in the paper, that even if some agents dupe the
authorities, the election is still recoverable. I also added several new
abilities to the various agents. For example, a dishonest voter shouldn't
need to steal someone's registration certificate for a dishonest CA to
certify him.

Last updated: March 12, 2004.