A Modular Multi-Modal Specification of Real-Timed, End-To-End Voter-Verifiable Voting Systems

We propose a modular multi-modal specification of real-timed, end-to-end voter-verifiable voting systems, i.e., a formal but intuitive specification of real-timed voting systems that are accountable (and thus trustworthy) to their users. Our specification is expressed as a single but well-compounded formula in a logical language of temporal, epistemic, and provability modalities. The intuitiveness of the specification is the fruit of its modular and multi-modal form. This means that the specification can be appreciated compound-wise, as a logical conjunction of separate sub-requirements, each of which achieving the ideal of a formal transcription of a suitable natural-language formulation, thanks to powerful descriptive idioms in the form of our multiple modalities. The modular form reduces our proof of the satisfiability (consistency) and thus implementability of the specification to a proof by inspection, and induces the parallelisability of implementation-correctness verifications. The specification also pinpoints the implementation-specific part of particular voting systems, reuses a generic definition of accountability inducing trust in a formal sense, and, last but not least, counter-balances by its implementability some previous results about the contradictory conjunction of certain desirable property pairs of voting systems. So in some sense, ideal voting systems do exist. Our specific formalisation principles are agent correctness, i.e., the behavioural correctness of the voting-system-constituting agents, and data adequacy, i.e., the soundness and (relative) completeness of the voting data processed by the system

Clash Attacks on the Verifiability of E-Voting Systems

Verifiability is a central property of modern e-voting systems. Intuitively, verifiability means that voters can check that their votes were actually counted and that the published result of the election is correct, even if the voting machine/authorities are (partially) untrusted. In this paper, we raise awareness of a simple attack, which we call a clash attack, on the verifiability of e-voting systems. The main idea behind this attack is that voting machines manage to provide different voters with the same receipt. As a result, the voting authorities can safely replace ballots by new ballots, and by this, manipulate the election without being detected. This attack does not seem to have attracted much attention in the literature. Even though the attack is quite simple, we show that, under reasonable trust assumptions, it applies to several e-voting systems that have been designed to provide verifiability. In particular, we show that it applies to the prominent ThreeBallot and VAV voting systems as well as to two e-voting systems that have been deployed in real elections: the Wombat Voting system and a variant of the Helios voting system. We discuss countermeasures for each of these systems and for (various variants of) Helios provide a formal analysis based on a rigorous definition of verifiability. More precisely, our analysis of Helios is with respect to the more general and in the area of e-voting often overlooked notion of accountability