Towards Trustworthy Elections: New Directions in Electronic Voting, by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida

S. Delaune, S. Kremer, and M. Ryan
                           processV =
                               (* parameters : skvCh , v *)
                               (* her private key *)
                               in ( skvCh , skv ) .
                               (* public keys of the administrator *)
                               in ( pkaCh1 , pubka ) .
                               ν blinder . ν r .
                               let committedvote = commit ( v , r ) in
                               let blindedcommittedvote = blind ( committedvote , blinder ) in
                               out ( ch1 , ( pk ( skv ) , sign ( blindedcommittedvote , skv ) ) ) .
                               in ( ch2 , m2 ) .
                               let result = checksign ( m2 , pubka ) in
                               if result = blindedcommittedvote then
                               let signedcommittedvote = unblind ( m2 , blinder ) in
                               synch 1 .
                               out ( ch3 , ( committedvote , signedcommittedvote ) ) .
                               synch 2 .
                               in ( ch4 , ( l , = committedvote , = signedcommittedvote ) ) .
                               out ( ch5 , ( l , r ) )
                                                  Process 2. Voter process


                            Our model also includes a dedicated process for generating and distributing
                          keying material modelling a PKI (processK), a process for the administrator and
                          another one for the collector (those processes are not given here, see [9]).
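
The cryptographic steps of the voter process up to the first synch, instantiated concretely as an added example (not code from the paper). RSA blind signatures and a SHA-256 commitment are assumptions standing in for the model's abstract blind, sign and commit; the administrator key is a constructed toy key, and the voter's own signature under skv is left out.

```python
import hashlib
import math
import secrets

# Constructed toy administrator key (two Mersenne primes); far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def commit(v: str, r: bytes) -> int:
    # Hash commitment to vote v under opening key r, reduced into Z_N (assumption).
    return int.from_bytes(hashlib.sha256(r + v.encode()).digest(), "big") % N

def fresh_blinder() -> int:
    # Random blinding factor that is invertible modulo N.
    while True:
        b = secrets.randbelow(N - 2) + 2
        if math.gcd(b, N) == 1:
            return b

def blind(m: int, b: int) -> int:
    return (m * pow(b, E, N)) % N

def sign(m: int) -> int:
    # Administrator's private-key operation.
    return pow(m, D, N)

def checksign(s: int) -> int:
    # Returns the message a signature was computed on, as checksign does in the model.
    return pow(s, E, N)

def unblind(s: int, b: int) -> int:
    return (s * pow(b, -1, N)) % N

def voter_run(v: str):
    # Mirrors processV from "ν blinder . ν r" down to the message sent on ch3.
    r = secrets.token_bytes(16)
    blinder = fresh_blinder()
    committedvote = commit(v, r)
    blindedcommittedvote = blind(committedvote, blinder)
    m2 = sign(blindedcommittedvote)  # administrator's reply on ch2
    if checksign(m2) != blindedcommittedvote:
        raise ValueError("administrator signature does not verify")
    signedcommittedvote = unblind(m2, blinder)
    # The administrator saw only blindedcommittedvote; the collector sees the first two.
    return committedvote, signedcommittedvote, blindedcommittedvote, r
```

The administrator never sees committedvote, yet the unblinded value is exactly its signature on it, which is what lets the collector accept the pair sent on ch3.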

                          5.3  Analysis
                          Vote-privacy. According to our definition, to show that the protocol respects
                          privacy, we need to show that
                          $$S[V_A\{a/v\} \mid V_B\{b/v\}] \approx S[V_A\{b/v\} \mid V_B\{a/v\}] \tag{1}$$
                          where $V_A = \mathit{processV}\{skvaCh/skvCh\}$, $V_B = \mathit{processV}\{skvbCh/skvCh\}$. We do not
                          require that any of the authorities are honest, so they are not modelled in S,
                          but rather left as part of the attacker context. However, we have to ensure that
                          both voters use the same public key for the administrator. Therefore, we send
                          this public key on a private channel (pkaCh1), although the public key and its
                          counterpart are known by the attacker. Actually, we show that
                          $$\nu\, pkaCh1.(V_A\{a/v\} \mid V_B\{b/v\} \mid \mathit{processK}) \approx \nu\, pkaCh1.(V_A\{b/v\} \mid V_B\{a/v\} \mid \mathit{processK}) \tag{2}$$
                          The proof, detailed in [9], uses the (equivalent) definition of labelled bisimulation
                          instead of observational equivalence. We were able to automate parts of the
                          proof (the static equivalence relations) using the ProVerif tool [5]. The remainder
                          of the proof (the bisimulation part) is established manually by considering