Previous work has shown that early resolution of issues detected by static code analyzers can prevent major costs later on. However, developers often ignore such issues for two main reasons. First, many issues should be interpreted to determine if they correspond to actual flaws in the program. Second, static analyzers often do not present the issues in a way that is actionable. To address these problems, we present Sorald: a novel system that uses metaprogramming templates to transform the abstract syntax trees of programs and suggests fixes for static analysis warnings. Thus, the burden on the developer is reduced from interpreting and fixing static issues, to inspecting and approving full fledged solutions. Sorald fixes violations of 10 rules from SonarJava, one of the most widely used static analyzers for Java. We evaluate Sorald on a dataset of 161 popular repositories on Github. Our analysis shows the effectiveness of Sorald as it fixes 65% (852/1,307) of the violations that meets the repair preconditions. Overall, our experiments show it is possible to automatically fix notable violations of the static analysis rules produced by the state-of-the-art static analyzer SonarJava.

We discuss a new type of attack on voting systems that in contrast to attacks described in the literature does not disrupt the expected behavior of the voting system itself. Instead the attack abuses the normal functionality to link the tallying of the election to disclosing sensitive information assumed to be held by the adversary. Thus the attack forces election officials to choose between two undesirable options: Not to publish the election result or to play into the adversary’s hand and to publicize sensitive information. We stress that the attack is different from extortion and not restricted to electronic voting systems.

We describe several return code schemes for secure vote submission in electronic voting systems. We consider a unified treatment where a return code is generated as a multiparty computation of a secure MAC tag applied on an encrypted message submitted by a voter. Our proposals enjoy a great level of flexibility with respect to various usability, security, and performance tradeoffs.

We introduce a simplified universally composable (UC) security framework in our thesis (2005). In this paper we present an updated more comprehensive and illustrated version. The introduction of our simplified model is motivated by the difficulty to describe and analyze concrete protocols in the full UC framework due to its generality and complexity. The main differences between our formalization and the general UC security framework are that we consider: a fixed number of parties, static corruption, and simple ways to bound the running times of the adversary and environment. However, the model is easy to extend to adaptive adversaries. Authenticated channels become a trivial ideal functionality. We generalize the framework to allow protocols to securely realize other protocols. This allows a natural and modular description and analysis of protocols. We introduce invertible transforms of models that allow us to reduce the proof of the composition theorem to a simple special case and transform any hybrid protocol into a hybrid protocol with at most one ideal functionality. This factors out almost all of the technical details of our framework to be considered when relating our framework to any other security framework, e.g., the UC framework, and makes this easy.

We study mix-nets with randomized partial checking (RPC) as proposed by Jakobsson, Juels, and Rivest (2002). RPC is a technique to verify the correctness of an execution both for Chaumian and homomorphic mix-nets. The idea is to relax the correctness and privacy requirements to achieve a more efficient mix-net. We identify serious issues in the original description of mix-nets with RPC and show how to exploit these to break both correctness and privacy, both for Chaumian and homomorphic mix-nets. Our attacks are practical and applicable to real world mix-net implementations, e.g., the Civitas and the Scantegrity voting systems.

We construct a provably secure mix-net from any CCA2 secure cryptosystem. The mix-net is secure against active adversaries that statically corrupt less than λ out of k mix-servers, where λ is a threshold parameter, and it is robust provided that at most min(λ - 1, k - λ) mix-servers are corrupted. The main component of our construction is a mix-net that outputs the correct result if all mix-servers behaved honestly, and aborts with probability 1 - O(H-(t-1)) otherwise (without disclosing anything about the inputs), where t is an auxiliary security parameter and H is the number of honest parties. The running time of this protocol for long messages is roughly 3tc, where c is the running time of Chaum's mix-net (1981).

We report on the design and implementation of a new cryptographic voting system, designed to retain the "look and feel" of standard, paper-based voting used in our country Israel while enhancing security with end-to-end verifiability guaranteed by cryptographic voting. Our system is dual ballot and runs two voting processes in parallel: one is electronic while the other is paper-based and similar to the traditional process used in Israel. Consistency between the two processes is enforced by means of a new, specially-tailored paper ballot format. We examined the practicality and usability of our protocol through implementation and field testing in two elections: the first being a student council election with over 2000 voters, the second a political party's election for choosing their leader. We present our findings, some of which were extracted from a survey we conducted during the first election. Overall, voters trusted the system and found it comfortable to use.

We study the heuristically secure mix-net proposed by Puiggalí and Guasch (EVOTE 2010). We present practical attacks on both correctness and privacy for some sets of parameters of the scheme. Although our attacks only allow us to replace a few inputs, or to break the privacy of a few voters, this shows that the scheme can not be proven secure.

We study the heuristically secure mix-net proposed by Puiggal´ı and Guasch (EVOTE2010). We present practical attacks on both correctness and privacy for some sets of parametersof the scheme. Although our attacks only allow us to replace a few inputs, or tobreak the privacy of a few voters, this shows that the scheme can not be proven secure.

We study the problem of constructing efficient proofs of knowledge of preimages of general group homomorphisms. We simplify and extend the recent negative results of Bangerter et al. (TCC 2010) to constant round (from three-message) generic protocols over concrete (instead of generic) groups, i.e., we prove lower bounds on both the soundness error and the knowledge error of such protocols. We also give a precise characterization of what can be extracted from the prover in the direct (common) generalization of the Guillou-Quisquater and Schnorr protocols to the setting of general group homomorphisms. Then we consider some settings in which these bounds can be circumvented. For groups with no subgroups of small order we present: (1) a three-move honest verifier zero-knowledge argument under some set-up assumptions and the standard discrete logarithm assumption, and (2) a Σ-proof of both the order of the group and the preimage. The former may be viewed as an offline/online protocol, where all slow cut-andchoose protocols can be moved to an offline phase.