Hugo Jonker

Formalising receipt-freeness

Receipt-freeness is the property of voting protocols that a voter cannot create a receipt which proves how she voted. Since Benaloh and Tuinstra introduced this property, there has been a large amount of work devoted to the construction of receipt-free voting protocols. This paper provides a generic and uniform formalism that captures the notion of a receipt. The formalism is then applied to analyse the receipt-freeness of a number of voting protocols.

Nuovo DRM paradiso: towards a verified fair DRM scheme

We formally specify the recent DRM scheme of Nair et al. in the µCRL process algebraic language. The security requirements of the scheme are formalized and using them as the basis, the scheme is verified. The verification shows the presence of security weaknesses in the original protocols, which are then addressed in our proposed extension to the scheme. A finite model of the extended scheme is subsequently model checked and shown to satisfy its design requirements, including secrecy, fairness and resisting content masquerading. Our analysis was distributed over a cluster of machines, allowing us to check the whole extended scheme despite its complexity and high non-determinacy.

FP-Block: Usable Web Privacy by Controlling Browser Fingerprinting

Online tracking of users is used for benign goals, such as detecting fraudulent logins, but also to invade user privacy. We posit that for non-oppressed users, tracking within one website does not have a substantial negative impact on privacy, while it enables legitimate benefits. In contrast, cross-domain tracking negatively impacts user privacy, while being of little benefit to the user.

Measuring Voter-Controlled Privacy

In voting, the notion of receipt-freeness has been proposed to express that a voter cannot gain any information to prove that she has voted in a certain way. Receipt-freeness aims to prevent vote buying, even when a voter chooses to renounce her privacy. In this paper, we distinguish various ways that a voter can communicate with the intruder to reduce her privacy and classify them according to their ability to reduce the privacy of a voter. We develop a formal framework combining knowledge reasoning and trace equivalences to formally model voting protocols and define vote privacy for the voters. Our framework is quantitative, in the sense that it defines a measure for the privacy of a voter. Therefore, the framework can precisely measure the level of privacy for a voter for each of the identified privacy classes. The quantification allows our framework to capture receipts that reduce, but not nullify, the privacy of the voter. This has not been identified and dealt with by other formal approaches.

Formal modelling and analysis of receipt-free auction protocols in applied pi

We formally study two privacy-type properties for e-auction protocols: bidding-price-secrecy and receipt-freeness. These properties are formalised as observational equivalences in the applied pi calculus. We analyse two receipt-free auction protocols: one proposed by Abe and Suzuki in 2002 (AS02) and the other by Howlader etal. in 2014 (HRM14). Bidding-price-secrecy of the AS02 protocol is verified using the automatic verifier ProVerif, whereas receipt-freeness of the two protocols, as well as bidding-price-secrecy of the HRM14 protocol, are proved manually.

Anonymity in voting revisited

According to international law, anonymity of the voter is a fundamental precondition for democratic elections. In electronic voting, several aspects of voter anonymity have been identified. In this paper, we re-examine anonymity with respect to voting, and generalise existing notions of anonymity in e-voting. First, we identify and categorise the types of attack that can be a threat to anonymity of the voter, including different types of vote buying and coercion. This analysis leads to a categorisation of anonymity in voting in terms of a) the strength of the anonymity achieved and b) the extent of interaction between voter and attacker. Some of the combinations, including weak and strong receipt-freeness, are formalised in epistemic logic.

Compliance of RIES to the proposed e-voting protection profile

The RIES-KOA e-voting system was used in the Netherlands as an additional system for the elections by expatriates for the Tweede Kamer (roughly: the Dutch House of Commons) elections in 2006. Although the system has been used in other elections in the Netherlands as well, there have been few independent evaluations of the system. In this paper, we apply the recently proposed Protection Profile for e-voting systems to the RIES-KOA system. This serves a two-fold purpose: it is an independent analysis of RIES-KOA and it is the first application of the Protection Profile. We indicate several issues with RIES-KOA and the Protection Profile, respectively, as learned during the analysis.

Investigating Fingerprinters and Fingerprinting-Alike Behaviour of Android Applications.

Fingerprinting of browsers has been thoroughly investigated. In contrast, mobile phone applications offer a far wider array of attributes for profiling, yet fingerprinting practices on this platform have hardly received attention.

A Security Perspective on Publication Metrics (Transcript of Discussion)

The presentation began with discussing the application of Goodhart’s Law to metrics used in academia. Goodhart’s Law says “when a measure becomes a target, it ceases to be a good measure.” Due to the widespread use of various metrics to gauge academic performance, Goodhart’s Law is slowly coming into effect. This warrants looking at the metrics from a security perspective: how can they be exploited, and what can we do against such shenanigans?

A Security Perspective on Publication Metrics

The importance of publication metrics, such as the h-index [9], has increased dramatically in recent years. Unfortunately, as Goodhart [7] already remarked: “when a measure becomes a target, it ceases to be a good measure”. And indeed: hiring, grants and tenure decisions depend more and more on performing well in publication metrics. This leads to a perverse incentive for individual researchers and journals to “optimise” their perfomance. However, such behaviour undermines the utility of the measure itself, in the extreme case nullifying its value. The underlying cause is that besides the functional requirements on a measurement, there are also security requirements on them. As is often the case, these security objectives remain implicit. In this paper, we provide a much-needed security perspective on publication metrics.