Some desired properties of e-voting systems
description
Transcript of Some desired properties of e-voting systems
![Page 1: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/1.jpg)
Receipt-freeness and coercion-resistance:formal definitions and fault attacks
Stéphanie Delaune / Steve Kremer / Mark D. Ryan
![Page 2: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/2.jpg)
Some desired properties of e-voting systems– Eligibility: only eligible voters can vote, and only once.– Fairness: no voter can be influenced by votes already made.– Indiv. verif.: a voter can verify that her vote was counted.– Universal verifiability: a voter can verify that the published
result is the tally of the votes cast.– Privacy: no-one can find out how a voter voted.– Receipt-freeness: Voter doesn’t get receipt for her vote.– Coercion-resistance: Voter cannot be blackmailed / bought.– Robustness: Voters cannot disrupt the election.
Faulty behaviour tolerated.– Vote-and-go: Voters participate in one session.
![Page 3: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/3.jpg)
Verification● Computing systems are usually
programmed at the low level– involving, e.g., detail of messages
sent between components, and participants– detail of specific encryption arrangements
● But properties are expressed at a higher level of abstraction– they depend not on individual details, but on the system
as a whole● Model checking:
M *MM
![Page 4: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/4.jpg)
Verification of FOO’92
● [KR’05] formalises the voting protocol of Fujioka/Okamoto/Ohta 1992
● Using the Applied Pi Calculus
● We verified eligibility, fairness, and privacy.
● (What does that mean?)
A 3-phase protocol using commitments and blind signatures
A language for describing concurrent and communicating processes, and their properties
![Page 5: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/5.jpg)
Kinds of properties● Reachability properties:
– The system can/cannot get into a certain state– e.g., a message will/won’t appear on
a public channel
● Observational equivalence properties: – two versions of the system cannot be distinguished by an
observer who can see messages on public channels and perform arbitrary tests on the processes.
M
*MM
![Page 6: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/6.jpg)
● Privacy– no-one can find out how Alice voted.
● Receipt-freeness– Alice doesn’t get a receipt (or any other by-product
of the voting process); thus Alice cannot prove afterwards to a coercer how she voted
– Receipt-freeness is like privacy, but even with Alice’s cooperation
● Coercion-resistance– Alice cannot prove how she voted, even if
interaction with the coercer is allowed during the voting process
– Even stronger than receipt-freeness.
Some properties in strength-order
![Page 7: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/7.jpg)
Formalising privacy● ?? No-one can find out how Alice voted
– Actually too strong: e.g., if the vote was unanimous, then everyone knows how Alice voted
– Even if not unanimous, a coalition consisting of all voters except Alice can tell how Alice voted.
● If Alice and Bob were to swap votes, no-one would be able to tell
● A situation in which Alice votes vote vA and Bob votes vB is indistinguishable by the attacker to one in which Alice votes vB and Bob votes vA.
)()()()( ABBA vBvAvBvA
![Page 8: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/8.jpg)
Formalising receipt-freeness● Like privacy, but Alice cooperates by publishing her
private key and any secrets (e.g. nonces) ● Before the election: e.g. her private key● After the election: secrets she has learned during the
election process● The coercer needs to be convinced that Alice is telling the truth
● He needs to be able to verify the secrets● Suppose A(vC) is the process that votes vC and copies the voting
interaction (messages received and sent) to the coercer. The protocol is receipt-free if exists A’ such that
)(')()( CAC vBAvBvA
![Page 9: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/9.jpg)
Coercion-resistance● In this case, Alice interacts with the coercer (e.g. by
mobile phone) during the election.● The coercer can participate in Alice’s vote:
● She can tell him messages she receives during the process (although he might not believe her)
● He can instruct her on what messages to send back (although she might not obey).
● He might have independent means of verifying her reports and her actions
![Page 10: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/10.jpg)
The voting booth
c
Voting boothVoting system
Published data
a
Coercer
![Page 11: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/11.jpg)
Interaction between the voter and the coercer
● Let P be a process and c1, c2 be channels. The process Pc1,c2 is a process like P but which copies all messages it receives on c1 to c2, and accepts inputs on c2 for messages it sends on c1. Specifically,
● Every in(c1,y) in P is replaced by in(c1,y); out(c2,y).● Every out(c1,m) in P is replaced by in(c2,x); out(c1,x)
where x is a variable not occurring in P.● Every new n in P is replaced by new n; out(c2,n).
● If A is Alice’s voting process, then Aa,c is theprocess in which Alice cooperates fully with the coercer.
![Page 12: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/12.jpg)
Formalising coercion-resistanceRough idea:
● Better: there exists a process A’ such that– If A’ votes then it votes vA– For all coercers C, there exists a vote v, such that
● Consider the cases● Coercer’s vote is vA
● Coercer’s vote is vC
● Coercer sends garbage
)(',)(, , vBAbaCvBAbaC Aca
)(',)(, , vBAbaCcvBAbaCc Aca
![Page 13: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/13.jpg)
Fault attack )(')(, vBACchcvBACchc A
chccha
● The coercer could try to distinguish the two sides by sending incoherent messages to Alice.
● On the left-hand side, C|A will block, so only B’s vote for vA will be observed.
● On the right-hand side, A’ will still vote vA, so v and vA will be observed.
● If successful, this is an attack on coercion resistance.● Might not be successful if A’ can detect the
incoherence of the messages from C.
![Page 14: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/14.jpg)
Simplified [LBDKYY’03]● Uses re-encryption and designated verifier proofs.● Re-encryption
● Randomised encryption: {m}K contains “random coins”● Re-encryption: change the random coin
● E.g., in El Gamal, the ciphertext (x,y) is changed to (xgr,yhr).
● Designated verifier proofs● S can prove to A that, say, c is the encryption of m,
but A cannot use this proof to convince someone else.● Technically this is achieved by giving
A the ability to simulate transcripts of the proof
![Page 15: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/15.jpg)
Simplified [LBDKYY’03]
Alice Administrator Collector
AlicevSign cColl ,1
reencrypt
AdminvSign cColl ,2
AdminvSign cColl ,2
21 ,DVP cColl
cColl vv
![Page 16: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/16.jpg)
Simplified [LBDKYY’03]● Fails coercion resistance, because coercer can
● prepare a message meant to look like but actually garbage;
● test whether Alice votes or not.
● Fixable by encoding s.t. every message can be interpreted as a valid encryption of a valid vote.
AlicevSign cColl ,1
![Page 17: Some desired properties of e-voting systems](https://reader035.fdocuments.net/reader035/viewer/2022062501/56815e02550346895dcc4a2e/html5/thumbnails/17.jpg)
Conclusions● A strong notion of coercion resistance is formalised
● Coercer interacts with voter during election process● Can give her messages to use, including ones
designed specifically to test her loyalty● No experience yet in proving protocols satisfy CR● Need to compare with computational notion of [JCJ05]
[JCJ05] A. Juels, D.Catalano, M. Jakobsson. Coercion Resistant Electronic Elections. WPES, Nov 2005.