16 research outputs found

    Classifying Privacy and Verifiability Requirements for Electronic Voting

    Abstract: Voter privacy and verifiability are fundamental security concepts for electronic voting. Existing literature on electronic voting provides many definitions and interpretations of these concepts, both informal and formal. While the informal definitions are often vague and imprecise, the formal definitions tend to be very complex and restricted in their scope as they are usually tailored for specific scenarios. Moreover, some of the existing interpretations are contradictory. This paper provides informal, yet precise definitions of anonymity, receipt-freeness and coercion-resistance and identifies different levels of individual and universal verifiability. The overarching goal of this paper is to investigate which levels are conceivable for implementing these requirements in e-voting systems for elections of different significance (for instance political elections vs. elections in associations).

    LNCS

    Composable notions of incoercibility aim to forbid a coercer from using anything beyond the coerced parties’ inputs and outputs to catch them when they try to deceive him. Existing definitions are restricted to weak coercion types, and/or are not universally composable. Furthermore, they often make too strong assumptions on the knowledge of coerced parties—e.g., they assume they know the identities and/or the strategies of other coerced parties, or those of corrupted parties—which makes them unsuitable for applications of incoercibility such as e-voting, where colluding adversarial parties may attempt to coerce honest voters, e.g., by offering them money for a promised vote, and use their own view to check that the voter keeps his end of the bargain. In this work we put forward the first universally composable notion of incoercible multi-party computation, which satisfies the above intuition and does not assume collusions among coerced parties or knowledge of the corrupted set. We define natural notions of UC incoercibility corresponding to standard coercion types, i.e., receipt-freeness and resistance to full-active coercion. Importantly, our suggested notion has the unique property that it builds on top of the well-studied UC framework by Canetti instead of modifying it. This guarantees backwards compatibility, and allows us to inherit results from the rich UC literature. We then present MPC protocols which realize our notions of UC incoercibility given access to an arguably minimal setup—namely honestly generated tamper-proof hardware performing a very simple cryptographic operation—e.g., a smart card. This is, to our knowledge, the first proposed construction of an MPC protocol (for more than two parties) that is incoercibly secure and universally composable, and therefore the first construction of a universally composable receipt-free e-voting protocol.

    Formal Treatment of Distributed Trust in Electronic Voting

    Electronic voting systems are among the most security-critical distributed systems. Different trust concepts are implemented to mitigate the risk of conspiracies endangering security properties. These concepts often render systems very complex, and end users no longer recognize whom they need to trust. Correspondingly, specific trust considerations are necessary to support users. Recently, resilience terms have been proposed in order to express which entities can violate the addressed security properties, in particular by illegal collaborations. However, previous works derived these resilience terms manually. Thus, successful attacks can be missed. Based on this approach, we propose a framework to formally and automatically derive these terms. Our framework comprises a knowledge calculus, which allows us to model knowledge and reason about the knowledge of collaborating election entities. The introduced framework is applied to deduce previously manually derived resilience terms of three remote electronic voting systems, namely Polyas, Helios and the Estonian voting system. Thereby, we were able to discover mistakes in previous derivations.

    An Epistemic Approach to Coercion-Resistance for Electronic Voting Protocols

    Coercion resistance is an important and one of the most intricate security requirements of electronic voting protocols. Several definitions of coercion resistance have been proposed in the literature, including definitions based on symbolic models. However, existing definitions in such models are rather restricted in their scope and quite complex. In this paper, we therefore propose a new definition of coercion resistance in a symbolic setting, based on an epistemic approach. Our definition is relatively simple and intuitive. It allows for a fine-grained formulation of coercion resistance and can be stated independently of a specific symbolic protocol and adversary model. As a proof of concept, we apply our definition to three voting protocols. In particular, we carry out the first rigorous analysis of the recently proposed Civitas system. We precisely identify those conditions under which this system guarantees coercion resistance or fails to be coercion resistant. We also analyze protocols proposed by Lee et al. and Okamoto. Comment: An extended version of a paper from IEEE Symposium on Security and Privacy (S&P) 200

    A critique of game-based definitions of receipt-freeness for voting

    We analyse three game-based definitions of receipt-freeness, uncovering soundness issues with two of the definitions and completeness issues with all three. Hence, two of the definitions are too weak, i.e., satisfiable by voting schemes that are not intuitively receipt-free. More precisely, those schemes need not even satisfy ballot secrecy. Consequently, the definitions are satisfiable by schemes that reveal how voters' vote. Moreover, we find that each definition is limited in scope. Beyond soundness and completeness issues, we show that each definition captures a different attacker model and we examine some of those differences.

    Implementation of DEMOS Voting

    This work deals with the implementation challenges of electronic voting systems. The first part analyzes the standards that an ideal voting system (either traditional or electronic) should comply with. Focus is put on the implementation details of electronic voting systems and how they compare to paper-based ones. The second part describes a new electronic voting system that was implemented as part of this work. The goal of this system is to fulfill the above requirements.

    BeleniosRF: A Non-interactive Receipt-Free Electronic Voting Scheme

    We propose a new voting scheme, BeleniosRF, that offers both receipt-freeness and end-to-end verifiability. It is receipt-free in a strong sense, meaning that even dishonest voters cannot prove how they voted. We provide a game-based definition of receipt-freeness for voting protocols with non-interactive ballot casting, which we name strong receipt-freeness (sRF). To our knowledge, sRF is the first game-based definition of receipt-freeness in the literature, and it has the merit of being particularly concise and simple. Built upon the Helios protocol, BeleniosRF inherits its simplicity and does not require any anti-coercion strategy from the voters. We implement BeleniosRF and show its feasibility on a number of platforms, including desktop computers and smartphones.

    Seve: Automatic tool for verification of security protocols

    Master's thesis (Master of Science)