Description of some case studies

Privacy is a general requirement that needs to be studied in different contexts. In a previous report, we identify some applications for wich privacy plays an important role, and with significant interest in terms of societal impact. In this report, we describe some case studies that we will use as a guideline for our research agenda. Our goal is to establish a repository of protocols that are representative of the selected applications chosen in Task 2. We decide to concentrate our efforts on electronic voting protocols and RFID protocols. In addition, we consider two real case studies: the ICAO standard that specifies the protocols involved in the e-passport application, and the UMTS standard used in 3G mobile phone systems. 1 Some electronic voting protocols Privacy-type properties play an important role in e-voting protocols. We consider two protocols that rely on different mechanisms to ensure some privacy-type properties such as anonymity or receipt-freeness. They all involve some unusual cryptographic primitives and can not be analyse using APTE [5] or SPEC [11]. Moreover, the equivalence checked by Proverif is too strong. The only existing tool that is able to handle these examples (or at least a simplified version of these protocols) is AKISS [4]. The two protocols we consider highly rely on two specific cryptographic schemes: bit-commitment and blind signature. For modelling these schemes, we must deal with complex algebraic relations which are out of the scope of existing tools except AKISS. Bit-commitment. This scheme allows a voter to commit a message containing an hidden value to an agent such that (i) the voter can reveal the value later on; (ii) the agent is ensured that the revealed value is the same as the one contained in the message. Blind Signature. With this scheme, an authority S is able to blindly sign a message created by a voter. S sends a blind signature to the voter who is then able to use it to sign a message. The agent S can now verify the signature but the message remains hidden. 1.1 FOO protocol In this section we give an informal description of a protocol due to Fujioka, Okamoto and Ohta [7]. The protocol involves voters, an administrator, verifying that only eligible voters can cast votes, and a collector, collecting and publishing the votes. The whole protocol is summarized in Figure 1. Phase 1. In a first phase, the voter gets a signature on a commitment to his vote from the administrator. To ensure privacy, blind signatures are used, i.e. the administrator does not learn the commitment of the vote. – Voter V selects a vote v and computes the commitment x = commit(v, r) using a random key r; – V computes the message e = blind(x, b) using a random blinding factor b; – V digitally signs e and sends her signature sign(e, priv(V )) to the administrator A together with her identity; – A verifies that V has the right to vote, has not voted yet and that the signature is valid; if all these tests hold, A digitally signs e and sends his signature sign(e, priv(A)) to V ; Phase 2. The second phase of the protocol is the actual voting phase. – V now unblinds sign(e, priv(A)) and obtains y = sign(x, priv(A)), i.e. a signed commitment to V ’s vote. – V sends y, A’s signature on the commitment to V ’s vote, to the collector C using an anonymous channel; – C checks correctness of the signature y and, if the test succeeds, enters (l, x, y) into a list as an l-th item. Phase 3. The last phase of the voting protocol starts, once the collector decides that he received all votes, e.g. after a fixed deadline. In this phase the voters reveal the random key r which allows C to open the votes and publish them. – C publishes the list (li, xi, yi) of commitments he obtained; – V verifies that her commitment is in the list and sends l, r to C via an anonymous channel; – C opens the l-th ballot using the random r and publishes the vote v. Vote privacy. This scheme has been shown to satisfy the notion of privacy. To ensure privacy, secrecy of the keys are not needed, and actually it is not necessary to make some assumptions about the correctness of the administrator or the collector, who may be corrupt. It is however important to ensure that voters use the same public key for the administrator. The use of phases is also crucial for privacy to be respected. When we omit the synchronisation after the registration phase with the administrator, privacy is violated. Indeed, consider the following scenario with two voters VA and VB . Voter VA contacts the administrator. As no synchronisation is considered, voter VA can send his committed vote to the collector before voter VB contacts the administrator. As voter VB could not have submitted the committed vote, the attacker can link this commitment to the first voters identity.