Vanessa Teague

Rational secret sharing and multiparty computation: extended abstract

We consider the problems of secret sharing and multiparty computation, assuming that agents prefer to get the secret (resp., function value) to not getting it, and secondarily, prefer that as few as possible of the other agents get it. We show that, under these assumptions, neither secret sharing nor multiparty function computation is possible using a mechanism that has a fixed running time. However, we show that both are possible using randomized mechanisms with constant expected running time.

Anti-persistence: history independent data structures

Many data structures give away much more information than they were intended to. Whenever privacy is important, we need to be concerned that it might be possible to infer information from the memory representation of a data structure that is not available through its “legitimate” interface. Word processors that quietly maintain old versions of a document are merely the most egregious example of a general problem. We deal with data structures whose current memory representation does not reveal their history. We focus on dictionaries, where this means revealing nothing about the order of insertions or deletions. Our first algorithm is a hash table based on open addressing, allowing O(1) insertion and search. We also present a history independent dynamic perfect hash table that uses space linear in the number of elements inserted and has expected amortized insertion and deletion time O(1). To solve the dynamic perfect hashing problem we devise a general scheme for history independent memory allocation. For fixed-size records this is quite efficient, with insertion and deletion both linear in the size of the record. Our variable-size record scheme is efficient enough for dynamic perfect hashing but not for general use. The main open problem we leave is whether it is possible to implement a variable-size record scheme with low overhead.

Probabilistic Bisimulation and Equivalence for Security Analysis of Network Protocols

Using a probabilistic polynomial-time process calculus designed for specifying security properties as observational equivalences, we develop a form of bisimulation that justifies an equational proof system. This proof system is sufficiently powerful to derive the semantic security of El Gamal encryption from the Decision Diffie-Hellman (DDH) assumption. The proof system can also derive the converse: if El Gamal is secure, then DDH holds. While these are not new cryptographic results, these example proofs show the power of probabilistic bisimulation and equational reasoning for protocol security.

A Secure Event Agreement (SEA) protocol for peer-to-peer games

Secure updates in a peer-to-peer game where all of the players are untrusted offers a unique challenge. We analyse the NEO protocol which was designed to accomplish the exchange of update information among players in a fair and authenticated manner. We show that of the five forms of cheating it was designed to prevent, it prevents only three. We then propose an improved protocol which we call Secure Event Agreement (SEA) which prevents all five types of cheating as well as meeting some additional security criteria. We also show that the performance of SEA is at worst equal to NEO and in some cases better.

A Probabilistic Polynomial-time Calculus For Analysis of Cryptographic Protocols: (Preliminary Report)

We prove properties of a process calculus that is designed for an- alyzing security protocols. Our long-term goal is to develop a form of protocol analysis, consistent with standard cryptographic assumptions, that provides a language for expressing probabilistic polynomial-time protocol steps, a spec- iflcation method based on a compositional form of equivalence, and a logical basis for reasoning about equivalence. The process calculus is a variant of CCS, with bounded replication and probabilistic polynomial-time expressions allowed in messages and boolean tests. To avoid inconsistency between security and nondeterminism, messages are scheduled probabilistically instead of nondeterministically. We prove that evaluation of any process expression halts in probabilistic polynomial time and deflne a form of asymptotic protocol equivalence that allows security proper- ties to be expressed using observational equivalence, a standard relation from programming language theory that involves quantifying over possible environ- ments that might interact with the protocol. We develop a form of probabilistic bisimulation and use it to establish the soundness of an equational proof system based on observational equivalences. The proof system is illustrated by a formation derivation of the assertion, well-known in cryptography, that ElGamal encryptions semantic security is equivalent to the (computational) Decision Di-e-Hellman assumption. This example demonstrates the power of probabilistic bisimulation and equational reasoning for protocol security.

A Secure Group Agreement (SGA) Protocol for Peer-to-Peer Applications

The lack of a trusted central authority poses a unique security challenge to peer-to-peer networks. It must be assumed that some fraction of all peers in a network are corrupt and may collude to try to derive an advantage. Nonetheless, in some circumstances it is necessary to select a subset of the peer-to-peer network in such a way that all members of the selected group can be confident that most group members are honest. We propose a secure protocol for the selection of a subset of peers from the network without a trusted authority. Our protocol ensures, with any desired probability, that the percentage of corrupt members in the subset is no greater than a selected limit (up to the total percentage of corrupt peers). We then discuss the use of this protocol in the context of a peer-to-peer game.

Linear Arboricity and Linear k-Arboricity of Regular Graphs

Abstract. We find upper bounds on the linear k-arboricity of d-regular graphs using a probabilistic argument. For small k these bounds are new. For large k they blend into the known upper bounds on the linear arboricity of regular graphs.

Shuffle-Sum: Coercion-Resistant Verifiable Tallying for STV Voting

There are many advantages to voting schemes in which voters rank all candidates in order, rather than just choosing their favorite. However, these schemes inherently suffer from a coercion problem when there are many candidates, because a coercer can demand a certain permutation from a voter and then check whether that permutation appears during tallying. Recently developed cryptographic voting protocols allow anyone to audit an election (universal verifiability), but existing systems are either not applicable to ranked voting at all, or reveal enough information about the ballots to make voter coercion possible. We solve this problem for the popular single transferable vote (STV) ranked voting system, by constructing an algorithm for the verifiable tallying of encrypted votes. Our construction improves upon existing work because it extends to multiple-seat STV and reveals less information than other schemes. The protocol is based on verifiable shuffling of homomorphic encryptions, a well-studied primitive in the voting arena. Our protocol is efficient enough to be practical, even for a large election.

The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election

In the worlds largest-ever deployment of online voting, the iVote Internet voting system was trusted for the return of 280,000 ballots in the 2015 state election in New South Wales, Australia. During the election, we performed an independent security analysis of parts of the live iVote system and uncovered severe vulnerabilities that could be leveraged to manipulate votes, violate ballot privacy, and subvert the verification mechanism. These vulnerabilities do not seem to have been detected by the election authorities before we disclosed them, despite a pre-election security review and despite the system having run in a live state election for five days. One vulnerability, the result of including analytics software from an insecure external server, exposed some votes to complete compromise of privacy and integrity. At least one parliamentary seat was decided by a margin much smaller than the number of votes taken while the system was vulnerable. We also found protocol flaws, including vote verification that was itself susceptible to manipulation. This incident underscores the difficulty of conducting secure elections online and carries lessons for voters, election officials, and the e-voting research community.

vVote: A Verifiable Voting System

The Prêt à Voter cryptographic voting system was designed to be flexible and to offer voters a familiar and easy voting experience. In this article, we present our development of the Prêt à Voter design to a practical implementation used in a real state election in November 2014, called vVote. As well as solving practical engineering challenges, we have also had to tailor the system to the idiosyncrasies of elections in the Australian state of Victoria and the requirements of the Victorian Electoral Commission. This article includes general background, user experience, and details of the cryptographic protocols and human processes. We explain the problems, present solutions, then analyze their security properties and explain how they tie in to other design decisions.