Adapting Helios for provable ballot privacy

Recent results show that the current implementation of Helios, a practical e-voting protocol, does not ensure independence of the cast votes, and demonstrate the impact of this lack of independence on vote privacy. Some simple fixes seem to be available and security of the revised scheme has been studied with respect to symbolic models. In this paper we study the security of Helios using computational models. Our first contribution is a model for the property known as ballot privacy that generalizes and extends several existing ones. Using this model, we investigate an abstract voting scheme (of which the revised Helios is an instantiation) built from an arbitrary encryption scheme with certain functional properties. We prove, generically, that whenever this encryption scheme falls in the class of voting-friendly schemes that we define, the resulting voting scheme provably satisfies ballot privacy. We explain how our general result yields cryptographic security guarantees for the revised version of Helios (albeit from non-standard assumptions). Furthermore, we show (by giving two distinct constructions) that it is possible to construct voting-friendly encryption, and therefore voting schemes, using only standard cryptographic tools. We detail an instantiation based on ElGamal encryption and Fiat-Shamir non-interactive zero-knowledge proofs that closely resembles Helios and which provably satisfies ballot privacy

Extending Helios Towards Private Eligibility Verifiability

We show how to extend the Helios voting system to provide eligibility verifiability without revealing who voted which we call private eligibility verifiability. The main idea is that real votes are hidden in a crowd of null votes that are cast by others but are indistinguishable from those of the eligible voter. This extended Helios scheme also improves Helios towards receipt-freeness

Making Sigma-Protocols Non-interactive Without Random Oracles

Damg˚ard, Fazio and Nicolosi (TCC 2006) gave a transformation of Sigma-protocols, 3-move honest verifier zero-knowledge proofs, into efficient non-interactive zero-knowledge arguments for a designated verifier. Their transformation uses additively homomorphic encryption to encrypt the verifier’s challenge, which the prover uses to compute an encrypted answer. The transformation does not rely on the random oracle model but proving soundness requires a complexity leveraging assumption. We propose an alternative instantiation of their transformation and show that it achieves culpable soundness without complexity leveraging. This improves upon an earlier result by Ventre and Visconti (Africacrypt 2009), who used a different construction which achieved weak culpable soundness. We demonstrate how our construction can be used to prove validity of encrypted votes in a referendum. This yields a voting system with homomorphic tallying that does not rely on the Fiat-Shamir heuristic

A Framework for QKD-based Electronic Voting

This paper deals with the security aspect of electronic voting (e-voting) by introducing quantum key distribution (QKD) to the e-voting process. This can offer an extremely high level of security that can be very beneficial for some significant e-voting tasks. Moreover, a framework for the integration of the QKD with the e-voting system is proposed. The Helios voting system, which is considered as one of the open-source and major voting systems, has been chosen for this integration. Investigation of the main design aspects of building a QKD-based e-voting system has been done. Thus, the expected advantages and limitations of the proposal are discussed and analyzed

DEMOS-2:scalable E2E verifiable elections without random oracles

Recently, Kiayias, Zacharias and Zhang-proposed a new E2E verifiable e-voting system called 'DEMOS' that for the first time provides E2E verifiability without relying on external sources of randomness or the random oracle model; the main advantage of such system is in the fact that election auditors need only the election transcript and the feedback from the voters to pronounce the election process unequivocally valid. Unfortunately, DEMOS comes with a huge performance and storage penalty for the election authority (EA) compared to other e-voting systems such as Helios. The main reason is that due to the way the EA forms the proof of the tally result, it is required to {\em precompute} a number of ciphertexts for each voter and each possible choice of the voter. This approach clearly does not scale to elections that have a complex ballot and voters have an exponential number of ways to vote in the number of candidates. The performance penalty on the EA appears to be intrinsic to the approach: voters cannot compute an enciphered ballot themselves because there seems to be no way for them to prove that it is a valid ciphertext. In contrast to the above, in this work, we construct a new e-voting system that retains the strong E2E characteristics of DEMOS (but against computational adversaries) while completely eliminating the performance and storage penalty of the EA. We achieve this via a new cryptographic construction that has the EA produce and prove, using voters' coins, the security of a common reference string (CRS) that voters subsequently can use to affix non-interactive zero-knowledge (NIZK) proofs to their ciphertexts. The EA itself uses the CRS to prove via a NIZK the tally correctness at the end. Our construction has similar performance to Helios and is practical. The privacy of our construction relies on the SXDH assumption over bilinear groups via complexity leveraging

Implementation-level Analysis of the JavaScript Helios Voting Client

We perform the first automated security analysis of the actual JavaScript implementation of the Helios voting client, a state-of-the-art, web-based, open-audit voting system that is continuously being deployed for real-life elections. While its concept has been exhaustively analyzed by the security community, we actively analyze its actual JavaScript implementation. Automatically ascertaining the security of a large-scale JavaScript implementation comes with major technical challenges. By creating a sequence of program transformations, we overcome these challenges, thereby making the Helios JavaScript client accessible to existing static analysis techniques. We then automatically analyze the transformed client using graph slicing, reducing an approximately 7 million node graph representing the information flow of the client’s implementation to a handful of potentially harmful flows, each individually consisting of less than 40 nodes. Our interpretation of this analysis results in the exposure of two thus far undiscovered vulnerabilities affecting the live version of Helios: a serious cross-site scripting attack leading to arbitrary script execution and a browser-dependent execution path that results in ballots being sent in plaintext. These attacks can be mitigated with minor adaptations to Helios. Moreover, our program transformations result in a version of Helios with fewer external dependencies and, accordingly, a reduced attack surface

Receipt Freeness of Prêt à Voter Provably Secure

Prêt à Voter is an end-to-end verifiable voting scheme that is also receipt free. Formal method analysis was used to prove that Prêt à Voter is receipt free. In this paper we use one of the latest versions of Prêt à Voter[XCH+10] to prove receipt freeness of the scheme using computational methods. We use provable security game models for the first time to prove a paper based voting scheme receipt free. In this paper we propose a game model that defines receipt freeness. We show that in order to simulate the game we require IND-CCA2 encryption scheme to create the ballots. The usual schemes used in constructing Prêt à Voter are either exponential ElGamal or Paillier because of their homomorphic properties that are needed for tallying, however both are IND-CPA secure. We propose a new verifiable shuffle ``D-shuffle\u27\u27 to be used together with an IND-CPA encryption schemes that guarantees that the outputs of the shuffle are IND-CCA2 secure ciphertexts and they are used for constructing the ballots. The idea is based on Naor-Yung transformation[NY95]. We prove that if there exist an adversary that breaks receipt freeness then there exist an adversary that breaks the IND-CCA2 security of Naor-Yung encryption scheme. We further show that the ``D-Shuffle\u27\u27 provides us with the option of having multiple authorities creating the ballots such that no single authority can break voter\u27s privacy

End-to-end verifiable elections in the standard model

We present the cryptographic implementation of “DEMOS”, a new e-voting system that is end-to-end verifiable in the standard model, i.e., without any additional “setup” assumption or access to a random oracle (RO). Previously known end-to-end verifiable e-voting systems required such additional assumptions (specifically, either the existence of a “randomness beacon” or were only shown secure in the RO model). In order to analyze our scheme, we also provide a modeling of end-to-end verifiability as well as privacy and receipt-freeness that encompasses previous definitions in the form of two concise attack games. Our scheme satisfies end-to-end verifiability information theoretically in the standard model and privacy/receipt-freeness under a computational assumption (subexponential Decisional Diffie Helman). In our construction, we utilize a number of techniques used for the first time in the context of e-voting schemes that include utilizing randomness from bit-fixing sources, zero-knowledge proofs with imperfect verifier randomness and complexity leveraging

Protecting the Privacy of Voters: New Definitions of Ballot Secrecy for E-Voting

Protecting the privacy of voters is a basic requirement of any electronic voting scheme, and formal definitions can be used to prove that a scheme satisfies privacy. In this work, we provide new game-based definitions of ballot secrecy for electronic voting schemes. First, we propose an intuitive definition in the honest model, i.e., a model in which all election officials are honest. Then, we show that this definition can be easily extended to the malicious ballot box setting and a setting that allows for a distributed tallier. In fact, to the best of our knowledge, we provide the first game-based definition of ballot secrecy that models both a malicious ballot box and a malicious subset of talliers. We demonstrate that our definitions of ballot secrecy are satisfiable, defining electronic voting scheme constructions which we prove satisfy our definitions. Finally, we revisit existing definitions, exploring their limitations and contextualising our contributions to the field