163 research outputs found
Receipt-Freeness and Coercion Resistance in Remote E-Voting Systems
Abstract: Remote electronic voting (E-voting) is a more convenient and efficient methodology when compared with traditional voting systems. It allows voters to vote for candidates remotely, however, remote E-voting systems have not yet been widely deployed in practical elections due to several potential security issues, such as vote-privacy, robustness and verifiability. Attackers' targets can be either voting machines or voters. In this paper, we mainly focus on three important security properties related to voters: receipt-freeness, vote-selling resistance, and voter-coercion resistance. In such scenarios, voters are willing or forced to cooperate with attackers. We provide a survey of existing remote E-voting systems, to see whether or not they are able to satisfy these three properties to avoid corresponding attacks. Furthermore, we identify and summarise what mechanisms they use in order to satisfy these three security properties
Public Evidence from Secret Ballots
Elections seem simple---aren't they just counting? But they have a unique,
challenging combination of security and privacy requirements. The stakes are
high; the context is adversarial; the electorate needs to be convinced that the
results are correct; and the secrecy of the ballot must be ensured. And they
have practical constraints: time is of the essence, and voting systems need to
be affordable and maintainable, and usable by voters, election officials, and
pollworkers. It is thus not surprising that voting is a rich research area
spanning theory, applied cryptography, practical systems analysis, usable
security, and statistics. Election integrity involves two key concepts:
convincing evidence that outcomes are correct and privacy, which amounts to
convincing assurance that there is no evidence about how any given person
voted. These are obviously in tension. We examine how current systems walk this
tightrope.Comment: To appear in E-Vote-Id '1
What proof do we prefer? Variants of verifiability in voting
In this paper, we discuss one particular feature of Internet
voting, verifiability, against the background of scientific
literature and experiments in the Netherlands. In order
to conceptually clarify what verifiability is about, we distinguish
classical verifiability from constructive veriability in
both individual and universal verification. In classical individual
verifiability, a proof that a vote has been counted can
be given without revealing the vote. In constructive individual
verifiability, a proof is only accepted if the witness (i.e.
the vote) can be reconstructed. Analogous concepts are de-
fined for universal veriability of the tally. The RIES system
used in the Netherlands establishes constructive individual
verifiability and constructive universal verifiability,
whereas many advanced cryptographic systems described
in the scientific literature establish classical individual
verifiability and classical universal verifiability.
If systems with a particular kind of verifiability continue
to be used successfully in practice, this may influence the
way in which people are involved in elections, and their image
of democracy. Thus, the choice for a particular kind
of verifiability in an experiment may have political consequences.
We recommend making a well-informed democratic
choice for the way in which both individual and universal
verifiability should be realised in Internet voting, in
order to avoid these unconscious political side-effects of the
technology used. The safest choice in this respect, which
maintains most properties of current elections, is classical
individual verifiability combined with constructive universal
verifiability. We would like to encourage discussion
about the feasibility of this direction in scientific research
Vote buying revisited: implications for receipt-freeness
In this paper, we analyse the concept of vote buying based
on examples that try to stretch the meaning of the concept. Which ex-
amples can still be called vote buying, and which cannot? We propose
several dimensions that are relevant to qualifying an action as vote buy-
ing or not. As a means of protection against vote buying and coercion,
the concept of receipt-freeness has been proposed. We argue that, in or-
der to protect against a larger set of vote buying activities, the concept
of receipt-freeness should be interpreted probabilistically. We propose a
general definition of probabilistic receipt-freeness by adapting existing
definitions of probabilistic anonymity to voting
An Epistemic Approach to Coercion-Resistance for Electronic Voting Protocols
Coercion resistance is an important and one of the most intricate security
requirements of electronic voting protocols. Several definitions of coercion
resistance have been proposed in the literature, including definitions based on
symbolic models. However, existing definitions in such models are rather
restricted in their scope and quite complex.
In this paper, we therefore propose a new definition of coercion resistance
in a symbolic setting, based on an epistemic approach. Our definition is
relatively simple and intuitive. It allows for a fine-grained formulation of
coercion resistance and can be stated independently of a specific, symbolic
protocol and adversary model. As a proof of concept, we apply our definition to
three voting protocols. In particular, we carry out the first rigorous analysis
of the recently proposed Civitas system. We precisely identify those conditions
under which this system guarantees coercion resistance or fails to be coercion
resistant. We also analyze protocols proposed by Lee et al. and Okamoto.Comment: An extended version of a paper from IEEE Symposium on Security and
Privacy (S&P) 200
Analysis Of Electronic Voting Schemes In The Real World
Voting is at the heart of a country’s democracy. Assurance in the integrity of the electoral process is pivotal for voters to have any trust in the system. Often, electronic voting schemes proposed in the literature, or even implemented in real world elections do not always consider all issues that may exist in the environment in which they might be deployed. In this paper, we identify some real - world issues and threats to electronic voting schemes. We then use the threats we have identified to present an analysis of schemes recently used in Australia and Estonia and present recommendations to mitigate threats to such schemes when deployed in an untrustworthy environment
A framework for comparing the security of voting schemes
We present a new framework to evaluate the security of voting schemes. We utilize the framework to compare a wide range of voting schemes, including practical schemes in realworld use and academic schemes with interesting theoretical properties. In the end we present our results in a neat comparison table.
We strive to be unambiguous: we specify our threat model, assumptions and scope, we give definitions to the terms that we use, we explain every conclusion that we draw, and we make an effort to describe complex ideas in as simple terms as possible.
We attempt to consolidate all important security properties from literature into a coherent framework. These properties are intended to curtail vote-buying and coercion, promote verifiability and dispute resolution, and prevent denial-of-service attacks. Our framework may be considered novel in that trust assumptions are an output of the framework, not an input. This means that our framework answers questions such as ”how many authorities have to collude in order to violate ballot secrecy in the Finnish paper voting scheme?
Extending Helios Towards Private Eligibility Verifiability
We show how to extend the Helios voting system to provide eligibility verifiability without revealing who voted which we call private eligibility verifiability. The main idea is that real votes are hidden in a crowd of null votes that are cast by others but are indistinguishable from those of the eligible voter. This extended Helios scheme also improves Helios towards receipt-freeness
- …