All Mix Net constructions in the literature and verifiable electronic voting schemes, such as Prêt à Voter [RP05], Scantegrity II [CCC+08], Civitas [CCM08] and vVote [BCH+12a, BCH+12b], have been proposed under the assumption that there exists a trusted, public Web Bulletin Board (WBB), accessible to all, where all the produced data are posted. Moreover, it is a robust broadcast channel that anyone can read information from and only the participants (voters and mix servers) can write to. Heather and Lundin [HL08] identified the required properties of an append-only WBB: no one should be able to erase, alter or modify the posted data, and all new data should be placed at the end of the sequence of messages. Any attempt to go against these specifications needs to be detectable. Wikström first formalised the notion of a WBB in [Wik04].
The assumption that a WBB exists to supervise the mixing process is considered an additional weakness in the Mix Nets literature. Each mix server reads what is posted on the WBB, operates on what was read and posts the result back to the WBB. Most constructions rest on the strong assumption that the WBB is authenticated, tamper-proof and resistant to denial-of-service attacks. However, whether a practical WBB with the characteristics typically assumed in the literature can be constructed at all is questionable. In any case, a WBB is a single point of trust and a single point of failure, and relying on one runs counter to the aim of reducing the amount of trust placed in any individual component. That is, under these circumstances, even if all the mix servers faithfully follow the protocol, if the WBB becomes unavailable the entire process stops and the Mix Net neither completes nor produces an output.
4.3. Web Bulletin Board 73
In verifiable voting systems, the WBB is the place where all the encrypted ballots are posted, along with a proof of correct construction, in such a way that an external observer cannot tell whom the voter has voted for. The ballot casting and tallying processes are performed on the WBB. After the election closes, the election authorities anonymise and aggregate the encrypted data using a Mix Net, then produce a tally of the votes posted on the WBB. This is accompanied by proofs of correctness, so that anyone can see and verify them, thus achieving verifiability of the system. For example, in all variants of the Prêt à Voter election scheme [CRS05, RP05, RS06, XSHT08, RBH+09, XCH+10, DHvdG+13], a voter can verify whether her vote has been recorded simply by checking whether the receipt she obtained is displayed correctly on the WBB, and if it is not, she can raise a complaint. Finally, the decrypted votes are announced on the WBB in such a way that any interested party can verify the decryption process. If the WBB is not accessible, the verifiability and robustness properties are lost.
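The append-only requirements identified by Heather and Lundin above (no erasure, alteration or reordering, and every violation detectable) and the receipt check a Prêt à Voter voter performs can be modelled concretely. The following Python is an added example, not code from the thesis or from any of the cited systems; it assumes a SHA-256 hash chain over the posts, uses an HMAC as a stand-in for each participant's signature, and the writer names and keys are constructed.

```python
import hashlib
import hmac

GENESIS = "0" * 64  # chain head of an empty board

def entry_hash(prev, author, payload):
    # Each entry commits to the whole board before it, so order is fixed.
    return hashlib.sha256(f"{prev}|{author}|{payload}".encode()).hexdigest()

def auth_tag(key, payload):
    # Assumption: HMAC stands in for the participant's digital signature.
    return hmac.new(key, payload.encode(), "sha256").hexdigest()

class BulletinBoard:
    """Append-only board: only voters and mix servers write, only at the end."""
    def __init__(self, writer_keys):
        self.writer_keys, self.entries = dict(writer_keys), []

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def post(self, author, payload, tag):
        key = self.writer_keys.get(author)
        if key is None or not hmac.compare_digest(auth_tag(key, payload), tag):
            raise PermissionError(f"{author} is not allowed to write to the board")
        prev = self.head()
        self.entries.append({"prev": prev, "author": author, "payload": payload,
                             "tag": tag, "hash": entry_hash(prev, author, payload)})
        return self.head()

def audit(entries, writer_keys, last_seen_head):
    # Reader-side check: returns None if intact, otherwise what was detected.
    prev, seen = GENESIS, {GENESIS}
    for i, e in enumerate(entries):
        if e["prev"] != prev:
            return f"entry {i}: chain broken (an entry was removed or reordered)"
        if e["hash"] != entry_hash(prev, e["author"], e["payload"]):
            return f"entry {i}: contents altered"
        key = writer_keys.get(e["author"])
        if key is None or not hmac.compare_digest(auth_tag(key, e["payload"]), e["tag"]):
            return f"entry {i}: not authenticated by an authorised writer"
        prev = e["hash"]
        seen.add(prev)
    if last_seen_head not in seen:
        # A chain alone cannot detect truncation; readers must keep the head they last saw.
        return "board truncated or rewritten: previously seen head is no longer on it"
    return None

def receipt_posted(entries, receipt):
    # The voter's check: is my receipt displayed on the board?
    return any(e["payload"] == receipt for e in entries)
```

Note that a hash chain by itself cannot reveal that entries were dropped from the end, which is why `audit` also takes the head the reader last observed.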
Undoubtedly, a WBB vulnerable to denial-of-service attacks would violate the desired requirements that Mix Nets and voting schemes should fulfil. Constructing a secure and robust WBB then becomes one of the most challenging engineering aspects of designing such cryptographic systems. A peered WBB protocol that achieves robustness by distributing trust among the peers would be a solution to this problem. Culnane and Schneider [CS14] proposed a scheme in which correctness is ensured when 2/3 of the peers act honestly. Moreover, for the first time they formally verified it in Event-B [Abr10] under a Dolev-Yao [DY81] intruder who controls the network and a minority of the peers. Their approach is analogous to that adopted for the current research and presented in Chapters 8, 9 and 10, in that there is no reliance on a single point of trust; instead the mix servers (resp. peers) are given the power to operate on the data and reach agreement on a correct output in the presence of a modified Dolev-Yao intruder model. However, there are distinct differences between the intruder model used in [CS14] and that of Section 7.5. In particular, in [CS14] an untrusted medium is introduced and corrupt peers can prevent or delay messages being received (asynchronous communication), whereas in Section 7.5 the communication medium between the mix servers is not controlled by the intruder and communication is synchronous, in that any sent message will eventually arrive at its destination. Additionally, in [CS14] the adversary handles all communications and thus has access to all messages passed between the agents, whereas in Section 7.5 the intruder can only see messages that arrive at (or are sent by) him. In both cases, the adversary is able to generate new messages to introduce into protocol executions. In particular, he can sign any message with any key that he possesses, he can extract a message from a signature and he can add and remove messages from the set of messages he has received during the execution. In its general form, the problem presented in this thesis is analogous to Lamport et al.'s Byzantine Generals Problem [LSP82], where correctness is ensured when more than 2/3 of the participants can be corrupt or absent themselves from the protocol. However, as presented in Chapter 10, instead of adapting an existing solution to distributed consensus, which would enable the mix servers to agree on a specific mix in each round, a new protocol is proposed that is specific to Mix Nets, operates in a stronger threat environment and requires fewer messages to be sent between the mix servers than Lamport et al.'s solution to the Byzantine Generals Problem.
In what follows, in Chapters 9 and 10, some notion of a WBB is retained only for publication of the final mixed data from each mix server. This is simply because the final result of the mix needs somehow to be published: obviously, if there is no way at all of making something permanently available for public consumption, then there is no way of effectively completing the mix. However, this is a much weaker assumption than that of the WBB's existence during mixing. The final publication problem can be solved by putting the mix data up, suitably signed, on various news organisations' Web sites, for example, or by releasing it on BitTorrent, but these mechanisms are not appropriate for live communication between mix servers during the mixing process. Essentially, the WBB that is used in this work to publish the final mix data corresponds simply to the assumption that, after the mix servers have done their work, the honest servers have a reliable way of getting the message 'out there'.