Receipt-freeness and coercion-resistance: formal definitions and fault attacks. Stéphanie Delaune / Steve Kremer / Mark D. Ryan.

  1. Receipt-freeness and coercion-resistance: formal definitions and fault attacks
  Stéphanie Delaune / Steve Kremer / Mark D. Ryan

  2. Some desired properties of e-voting systems
  • Eligibility: only eligible voters can vote, and only once.
  • Fairness: no voter can be influenced by votes already made.
  • Individual verifiability: a voter can verify that her vote was counted.
  • Universal verifiability: a voter can verify that the published result is the tally of the votes cast.
  • Privacy: no-one can find out how a voter voted.
  • Receipt-freeness: the voter doesn't get a receipt for her vote.
  • Coercion-resistance: the voter cannot be blackmailed / bought.
  • Robustness: voters cannot disrupt the election; faulty behaviour is tolerated.
  • Vote-and-go: voters participate in one session.

  3. Verification
  • Computing systems are usually programmed at the low level
    • involving, e.g., details of the messages sent between components and participants
    • details of the specific encryption arrangements
  • But properties are expressed at a higher level of abstraction
    • they depend not on individual details, but on the system as a whole
  • Model checking:

  4. Verification of FOO'92
  • [KR'05] formalises the voting protocol of Fujioka/Okamoto/Ohta 1992 (a 3-phase protocol using commitments and blind signatures)
  • using the Applied Pi Calculus (a language for describing concurrent and communicating processes, and their properties)
  • We verified eligibility, fairness, and privacy.
  • (What does that mean?)

  5. Kinds of properties
  • Reachability properties:
    • the system can/cannot get into a certain state
    • e.g., a message will/won't appear on a public channel
  • Observational equivalence properties:
    • two versions of the system cannot be distinguished by an observer who can see messages on public channels and perform arbitrary tests on the processes.

  6. Some properties in strength order
  • Privacy
    • no-one can find out how Alice voted.
  • Receipt-freeness
    • Alice doesn't get a receipt (or any other by-product of the voting process); thus Alice cannot prove afterwards to a coercer how she voted.
    • Receipt-freeness is like privacy, but must hold even with Alice's cooperation.
  • Coercion-resistance
    • Alice cannot prove how she voted, even if interaction with the coercer is allowed during the voting process.
    • Even stronger than receipt-freeness.

  7. Formalising privacy
  • First attempt: no-one can find out how Alice voted.
  • Actually too strong: e.g., if the vote was unanimous, then everyone knows how Alice voted.
    • Even if not unanimous, a coalition consisting of all voters except Alice can tell how Alice voted.
  • Better: if Alice and Bob were to swap votes, no-one would be able to tell.
    • A situation in which Alice votes vA and Bob votes vB is indistinguishable, to the attacker, from one in which Alice votes vB and Bob votes vA.

  8. Formalising receipt-freeness
  • Like privacy, but Alice cooperates by publishing her private key and any secrets (e.g. nonces)
    • before the election: e.g. her private key
    • after the election: secrets she has learned during the election process
  • The coercer needs to be convinced that Alice is telling the truth
    • he needs to be able to verify the secrets
  • Suppose A(vC) is the process that votes vC and copies the voting interaction (messages received and sent) to the coercer. The protocol is receipt-free if there exists A' such that

  9. Coercion-resistance
  • In this case, Alice interacts with the coercer (e.g. by mobile phone) during the election.
  • The coercer can participate in Alice's vote:
    • she can tell him messages she receives during the process (although he might not believe her)
    • he can instruct her on what messages to send back (although she might not obey)
    • he might have independent means of verifying her reports and her actions

  10. The voting booth
  (Diagram: Alice in the voting booth talks to the voting system over channel a and to the coercer over channel c; the voting system produces the published data.)

  11. Interaction between the voter and the coercer
  • Let P be a process and c1, c2 be channels. The process P^{c1,c2} is a process like P but which copies all messages it receives on c1 to c2, and accepts inputs on c2 for the messages it sends on c1. Specifically:
    • every in(c1, y) in P is replaced by in(c1, y); out(c2, y)
    • every out(c1, m) in P is replaced by in(c2, x); out(c1, x), where x is a variable not occurring in P
    • every new n in P is replaced by new n; out(c2, n)
  • If A is Alice's voting process, then A^{a,c} is the process in which Alice cooperates fully with the coercer.
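The transformation on this slide is purely syntactic, so it can be written down as a function over a process syntax tree. The Python below is an added example written for this page, not code from the authors or from their Applied Pi Calculus tooling: it models only the sequential fragment needed here (in, out, new and 0), keeps terms as plain strings, and the voter process ALICE on channel a (commit to the vote under a fresh nonce, receive a signature, reveal the opening) is a constructed illustration, not the FOO'92 or [LBDKYY'03] protocol.

```python
import re
from dataclasses import dataclass
from typing import Optional, Union


# Sequential fragment of the process syntax (added example, not the authors'
# tooling): terms are kept as plain strings since only the process structure
# matters for the P^{c1,c2} transformation.
@dataclass(frozen=True)
class Nil:
    """The inactive process 0."""


@dataclass(frozen=True)
class In:
    chan: str
    var: str
    cont: "Proc"


@dataclass(frozen=True)
class Out:
    chan: str
    term: str
    cont: "Proc"


@dataclass(frozen=True)
class New:
    name: str
    cont: "Proc"


Proc = Union[Nil, In, Out, New]


def names_in(p: Proc) -> set:
    """Every identifier occurring in p: channels, binders and names in terms."""
    if isinstance(p, Nil):
        return set()
    if isinstance(p, In):
        return {p.chan, p.var} | names_in(p.cont)
    if isinstance(p, Out):
        in_term = set(re.findall(r"[A-Za-z_]\w*", p.term))
        return {p.chan} | in_term | names_in(p.cont)
    return {p.name} | names_in(p.cont)


def fresh(base: str, used: set) -> str:
    """First of base, base1, base2, ... that does not occur in `used`."""
    if base not in used:
        return base
    i = 1
    while f"{base}{i}" in used:
        i += 1
    return f"{base}{i}"


def coerced(p: Proc, c1: str, c2: str, used: Optional[set] = None) -> Proc:
    """Build P^{c1,c2}: P with every action on c1 reported on / driven from c2."""
    if used is None:
        used = names_in(p)   # the fresh x must not occur anywhere in P
    if isinstance(p, Nil):
        return p
    if isinstance(p, In):
        cont = coerced(p.cont, c1, c2, used)
        if p.chan == c1:
            # in(c1, y)  ->  in(c1, y); out(c2, y): report what was received
            return In(c1, p.var, Out(c2, p.var, cont))
        return In(p.chan, p.var, cont)
    if isinstance(p, Out):
        if p.chan == c1:
            # out(c1, m)  ->  in(c2, x); out(c1, x): the coercer dictates the message
            x = fresh("x", used)
            return In(c2, x, Out(c1, x, coerced(p.cont, c1, c2, used | {x})))
        return Out(p.chan, p.term, coerced(p.cont, c1, c2, used))
    # new n  ->  new n; out(c2, n): every fresh secret is handed over
    return New(p.name, Out(c2, p.name, coerced(p.cont, c1, c2, used)))


def show(p: Proc) -> str:
    """Render a process as 'new r; out(a, m); in(a, y); ...; 0'."""
    parts = []
    while not isinstance(p, Nil):
        if isinstance(p, In):
            parts.append(f"in({p.chan}, {p.var})")
        elif isinstance(p, Out):
            parts.append(f"out({p.chan}, {p.term})")
        else:
            parts.append(f"new {p.name}")
        p = p.cont
    parts.append("0")
    return "; ".join(parts)


# Constructed voter process on the booth channel a (an illustration, not the
# slides' protocol): commit to vote v under a fresh nonce r, receive the
# administrator's signature s on the commitment, then reveal the opening.
ALICE = New("r",
        Out("a", "commit(v, r)",
        In("a", "s",
        Out("a", "(s, v, r)",
        Nil()))))

# A^{a,c}: Alice cooperating fully with a coercer on channel c.
ALICE_COERCED = coerced(ALICE, "a", "c")

if __name__ == "__main__":
    print("A       =", show(ALICE))
    print("A^{a,c} =", show(ALICE_COERCED))
```

Read the output against the three rules: the nonce r is leaked on c the moment it is created, each message Alice would send on a is first requested from the coercer (as x, then as the fresh x1), and each message she receives on a is echoed to c. The freshness check scans the whole of P, including free names inside terms, because a clash between the coercer's variable and a name already in the process would silently change its meaning.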

  12. Formalising coercion-resistance
  Rough idea:
  • Better: there exists a process A' such that
    • if A' votes then it votes vA
    • for all coercers C, there exists a vote v, such that
  • Consider the cases:
    • the coercer's vote is vA
    • the coercer's vote is vC
    • the coercer sends garbage

  13. Fault attack
  • The coercer could try to distinguish the two sides by sending incoherent messages to Alice.
    • On the left-hand side, C | A will block, so only B's vote for vA will be observed.
    • On the right-hand side, A' will still vote vA, so v and vA will be observed.
  • If successful, this is an attack on coercion resistance.
  • It might not be successful if A' can detect the incoherence of the messages from C.

  14. Simplified [LBDKYY'03]
  • Uses re-encryption and designated verifier proofs.
  • Re-encryption
    • Randomised encryption: {m}K contains "random coins"
    • Re-encryption: change the random coins without decrypting
    • E.g., in El Gamal, the ciphertext (x, y) is changed to (x·g^r, y·h^r), where h is the public key and r is fresh.
  • Designated verifier proofs
    • S can prove to A that, say, c is the encryption of m, but A cannot use this proof to convince someone else.
    • Technically this is achieved by giving A the ability to simulate transcripts of the proof.
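Re-encryption is the one operation on this slide that is easy to see end to end, so here is an added example written for this page, not code from [LBDKYY'03] or from the authors. It uses a toy group (the order-233 subgroup of Z_467^*, generator 4, hopelessly small for real use) and encodes a vote v as g^v ("exponential" ElGamal); the encoding, the candidate count and the decoding check are assumptions of the example, not claims about the protocol. The decoding check also shows the ingredient the fault attack on slide 16 needs: under a sparse vote encoding, a pair that is a perfectly well-formed ciphertext can still decrypt to no valid vote, and is then recognisable as garbage.

```python
import secrets

# Toy parameters (constructed for this example; not a real-world group).
P = 467   # safe prime, P = 2*Q + 1
Q = 233   # prime order of the subgroup used for keys and ciphertexts
G = 4     # generator of the order-Q subgroup (4 is a quadratic residue mod P)


def keygen():
    """Secret key sk in [1, Q-1], public key h = g^sk."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def encrypt(pk, v, r=None):
    """Encrypt vote v as (x, y) = (g^r, g^v * h^r) with random coins r."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, r, P), (pow(G, v, P) * pow(pk, r, P)) % P


def reencrypt(pk, ct, s=None):
    """Change the coins without the secret key: (x, y) -> (x*g^s, y*h^s).

    The result is exactly an encryption of the same plaintext under coins
    r + s, so without s it cannot be linked to the input ciphertext.
    """
    if s is None:
        s = secrets.randbelow(Q - 1) + 1   # non-zero, so the ciphertext really changes
    x, y = ct
    return (x * pow(G, s, P)) % P, (y * pow(pk, s, P)) % P


def decrypt(sk, ct, n_candidates):
    """Return the vote v with g^v = y * x^(-sk), or None if no valid vote fits."""
    x, y = ct
    m = (y * pow(x, -sk, P)) % P   # pow with a negative exponent inverts mod P
    for v in range(n_candidates):
        if pow(G, v, P) == m:
            return v
    return None


def demo(n_candidates=3):
    """One vote, re-encrypted once, plus a well-formed pair that is not a vote."""
    sk, pk = keygen()
    ct = encrypt(pk, 1)
    ct2 = reencrypt(pk, ct)
    # Encrypts g^42: structurally a valid ciphertext, but with three
    # candidates it is garbage, and the tallier (or a coercer who can
    # observe the tally) can tell.
    garbage = encrypt(pk, 42)
    return {
        "ciphertexts_differ": ct != ct2,
        "vote": decrypt(sk, ct, n_candidates),
        "vote_after_reencryption": decrypt(sk, ct2, n_candidates),
        "garbage_is_valid_vote": decrypt(sk, garbage, n_candidates) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Because only a handful of exponents are accepted as votes, a planted garbage pair is unmistakable once decrypted, and anyone who can see whether it reached the tally learns whether Alice submitted what she was told to. The fix slide 16 mentions, an encoding under which every message is a valid encryption of a valid vote, removes exactly this test.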

  15. Simplified [LBDKYY'03]
  (Message-sequence diagram between Alice, the Administrator and the Collector.)

  16. Simplified [LBDKYY'03]
  • Fails coercion resistance, because the coercer can
    • prepare a message that looks like a well-formed protocol message but is actually garbage;
    • test whether Alice votes or not.
  • Fixable by an encoding such that every message can be interpreted as a valid encryption of a valid vote.

  17. Conclusions
  • A strong notion of coercion resistance is formalised
    • the coercer interacts with the voter during the election process
    • he can give her messages to use, including ones designed specifically to test her loyalty
  • No experience yet in proving that protocols satisfy CR
  • Need to compare with the computational notion of [JCJ05]

  [JCJ05] A. Juels, D. Catalano, M. Jakobsson. Coercion-Resistant Electronic Elections. WPES, Nov 2005.
