35 research outputs found

    Automated Anonymity Verification of the ThreeBallot Voting System

    In recent years, a large number of secure voting protocols have been proposed in the literature. Often these protocols contain flaws, but because they are complex protocols, rigorous formal analysis has proven hard to come by. Rivest’s ThreeBallot voting system is important because it aims to provide security (voter anonymity and voter verifiability) without requiring cryptography. In this paper, we construct a CSP model of ThreeBallot, and use it to produce the first automated formal analysis of its anonymity property. Along the way, we discover that one of the crucial assumptions under which ThreeBallot (and many other voting systems) operates, the Short Ballot Assumption, is highly ambiguous in the literature. We give various plausible precise interpretations, and discover that in each case, the interpretation either is unrealistically strong, or else fails to ensure anonymity. Therefore, we give a version of the Short Ballot Assumption for ThreeBallot that is realistic but still provides a guarantee of anonymity.

    A novel symbolic approach to verifying epistemic properties of programs

    We introduce a framework for the symbolic verification of epistemic properties of programs expressed in a class of general-purpose programming languages. To this end, we reduce the verification problem to that of satisfiability of first-order formulae in appropriate theories. We prove the correctness of our reduction and we validate our proposal by applying it to two examples: the dining cryptographers problem and the ThreeBallot voting protocol. We put forward an implementation using existing solvers, and report experimental results showing that the approach can perform better than state-of-the-art symbolic model checkers for temporal-epistemic logic.

    Settling for limited privacy: how much does it help?

    This thesis explores practical and theoretical aspects of several privacy-providing technologies, including tools for anonymous web-browsing, verifiable electronic voting schemes, and private information retrieval from databases. State-of-the-art privacy-providing schemes are frequently impractical for implementation reasons or for sheer information-theoretical reasons due to the amount of information that needs to be transmitted. We have been researching the question of whether relaxing the requirements on such schemes, in particular settling for privacy that is imperfect but sufficient in real-world situations, as opposed to perfect privacy, may be helpful in producing more practical or more efficient schemes. This thesis presents three results. The first result is the introduction of caching as a technique for providing anonymous web-browsing at the cost of sacrificing some functionality provided by anonymizing systems that do not use caching. The second result is a coercion-resistant electronic voting scheme with nearly perfect privacy and nearly perfect voter verifiability. The third result consists of some lower bounds and some simple upper bounds on the amount of communication in nearly private information retrieval schemes; our work is the first in-depth exploration of private information retrieval schemes with imperfect privacy.

    A Cut Principle for Information Flow

    We view a distributed system as a graph of active locations with unidirectional channels between them, through which they pass messages. In this context, the graph structure of a system constrains the propagation of information through it. Suppose a set of channels is a cut set between an information source and a potential sink. We prove that, if there is no disclosure from the source to the cut set, then there can be no disclosure to the sink. We introduce a new formalization of partial disclosure, called *blur operators*, and show that the same cut property is preserved for disclosure to within a blur operator. This cut-blur property also implies a compositional principle, which ensures limited disclosure for a class of systems that differ only beyond the cut. Comment: 31 pages

    Public Evidence from Secret Ballots

    Elections seem simple---aren't they just counting? But they have a unique, challenging combination of security and privacy requirements. The stakes are high; the context is adversarial; the electorate needs to be convinced that the results are correct; and the secrecy of the ballot must be ensured. And they have practical constraints: time is of the essence, and voting systems need to be affordable and maintainable, and usable by voters, election officials, and pollworkers. It is thus not surprising that voting is a rich research area spanning theory, applied cryptography, practical systems analysis, usable security, and statistics. Election integrity involves two key concepts: convincing evidence that outcomes are correct and privacy, which amounts to convincing assurance that there is no evidence about how any given person voted. These are obviously in tension. We examine how current systems walk this tightrope. Comment: To appear in E-Vote-Id '1

    Norwegian internet voting protocol revisited: ballot box and receipt generator are allowed to collude

    The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link. Open access article. Norway experienced internet voting in 2011 and 2013 for municipal and parliamentary elections, respectively. Its security depends on the assumptions that the organizations involved are completely independent and reliable, and that the receipt codes are securely sent to the voters. In this paper, we point out the following aspects:
    - The vote privacy of the Norwegian scheme is violated if Ballot Box and Receipt Generator cooperate, because the private key of Decryption Service can be obtained by the two former players. We propose a solution to avoid this issue without adding new players.
    - To assure correctness, the receipt codes are sent to the voters over a pre-channel (postal service) and a post-channel (Short Message Service [SMS]). However, by holding both the SMS and the postal receipt code, a voter can reveal his vote even after the elections. Although revoting is a fairly good solution for coercion or concealment, intentional vote revealing is still a problem. We suggest SMS only for notification of vote submission.
    - In case the codes are falsely generated or the pre-channel is not secure, a vote can be counted for a different candidate without detection. We propose a solution in which voters verify the integrity of the postal receipt codes.

    Information security of electronic voting (Sähköisen äänestämisen tietoturva)

    Abstract. Electronic voting has been trialled for a couple of decades around the world, from Finland to the United States, in a few dozen countries. Electronic votes have been carried out at every scale, from national elections to small votes within companies. The research method is a descriptive literature review, in which the phenomenon under study is described broadly but in which the properties of electronic voting systems are classified by various criteria from an information security perspective in different environments. The thesis surveys the different environments in which electronic voting systems have been used, from the world's first nationwide vote in Estonia to recent trials. The thesis also reviews more recent research on techniques that attempt to solve the problems observed. The literature review focuses on what kinds of information security challenges electronic voting involves and what the future of voting looks like. Adopting electronic voting systems involves several challenges, from software and hardware design to internet security and voting practices. The literature review goes through the most common considerations that recur across studies, which are the difficulty of achieving complete information security and the security challenges that lie not only in devices or software but also in human behaviour. Finally, it looks at future prospects and gives suggestions for further research on how to build a secure voting system that everyone knows how to use.