Presentation is loading. Please wait.

Presentation is loading. Please wait.

Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan."— Presentation transcript:

1 Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan

2 Some desired properties of e-voting systems – Eligibility: only eligible voters can vote, and only once. – Fairness: no voter can be influenced by votes already made. – Indiv. verif.: a voter can verify that her vote was counted. – Universal verifiability: a voter can verify that the published result is the tally of the votes cast. – Privacy: no-one can find out how a voter voted. – Receipt-freeness: Voter doesn’t get receipt for her vote. – Coercion-resistance: Voter cannot be blackmailed / bought. – Robustness: Voters cannot disrupt the election. Faulty behaviour tolerated. – Vote-and-go: Voters participate in one session.

3 Verification ● Computing systems are usually programmed at the low level – involving, e.g., detail of messages sent between components, and participants – detail of specific encryption arrangements ● But properties are expressed at a higher level of abstraction – they depend not on individual details, but on the system as a whole ● Model checking:

4 Verification of FOO’92 ● [KR’05] formalises the voting protocol of Fujioka/Okamoto/Ohta 1992 ● Using the Applied Pi Calculus ● We verified eligibility, fairness, and privacy. ● (What does that mean?) A 3-phase protocol using commitments and blind signatures A language for describing concurrent and communicating processes, and their properties

5 Kinds of properties ● Reachability properties: – The system can/cannot get into a certain state – e.g., a message will/won’t appear on a public channel ● Observational equivalence properties: – two versions of the system cannot be distinguished by an observer who can see messages on public channels and perform arbitrary tests on the processes.

6 ● Privacy – no-one can find out how Alice voted. ● Receipt-freeness – Alice doesn’t get a receipt (or any other by-product of the voting process); thus Alice cannot prove afterwards to a coercer how she voted – Receipt-freeness is like privacy, but even with Alice’s cooperation ● Coercion-resistance – Alice cannot prove how she voted, even if interaction with the coercer is allowed during the voting process – Even stronger than receipt-freeness. Some properties in strength-order

7 Formalising privacy ● ?? No-one can find out how Alice voted – Actually too strong: e.g., if the vote was unanimous, then everyone knows how Alice voted – Even if not unanimous, a coalition consisting of all voters except Alice can tell how Alice voted. ● If Alice and Bob were to swap votes, no-one would be able to tell ● A situation in which Alice votes vote v A and Bob votes v B is indistinguishable by the attacker to one in which Alice votes v B and Bob votes v A.

8 Formalising receipt-freeness ● Like privacy, but Alice cooperates by publishing her private key and any secrets (e.g. nonces) ● Before the election: e.g. her private key ● After the election: secrets she has learned during the election process ● The coercer needs to be convinced that Alice is telling the truth ● He needs to be able to verify the secrets ● Suppose A(v C ) is the process that votes v C and copies the voting interaction (messages received and sent) to the coercer. The protocol is receipt-free if exists A’ such that

9 Coercion-resistance ● In this case, Alice interacts with the coercer (e.g. by mobile phone) during the election. ● The coercer can participate in Alice’s vote: ● She can tell him messages she receives during the process (although he might not believe her) ● He can instruct her on what messages to send back (although she might not obey). ● He might have independent means of verifying her reports and her actions

10 The voting booth c Voting booth Voting system Published data a Coercer

11 Interaction between the voter and the coercer ● Let P be a process and c 1, c 2 be channels. The process P c1,c2 is a process like P but which copies all messages it receives on c 1 to c 2, and accepts inputs on c 2 for messages it sends on c 1. Specifically, ● Every in(c 1,y) in P is replaced by in(c 1,y); out(c 2,y). ● Every out(c 1,m) in P is replaced by in(c 2,x); out(c 1,x) where x is a variable not occurring in P. ● Every new n in P is replaced by new n; out(c 2,n). ● If A is Alice’s voting process, then A a,c is the process in which Alice cooperates fully with the coercer.

12 Formalising coercion-resistance Rough idea: ● Better: there exists a process A’ such that – If A’ votes then it votes v A – For all coercers C, there exists a vote v, such that ● Consider the cases ● Coercer’s vote is v A ● Coercer’s vote is v C ● Coercer sends garbage

13 Fault attack ● The coercer could try to distinguish the two sides by sending incoherent messages to Alice. ● On the left-hand side, C|A will block, so only B’s vote for v A will be observed. ● On the right-hand side, A’ will still vote v A, so v and v A will be observed. ● If successful, this is an attack on coercion resistance. ● Might not be successful if A’ can detect the incoherence of the messages from C.

14 Simplified [LBDKYY’03] ● Uses re-encryption and designated verifier proofs. ● Re-encryption ● Randomised encryption: {m} K contains “random coins” ● Re-encryption: change the random coin ● E.g., in El Gamal, the ciphertext (x,y) is changed to (xg r,yh r ). ● Designated verifier proofs ● S can prove to A that, say, c is the encryption of m, but A cannot use this proof to convince someone else. ● Technically this is achieved by giving A the ability to simulate transcripts of the proof

15 Simplified [LBDKYY’03] AliceAdministratorCollector

16 Simplified [LBDKYY’03] ● Fails coercion resistance, because coercer can ● prepare a message meant to look like but actually garbage; ● test whether Alice votes or not. ● Fixable by encoding s.t. every message can be interpreted as a valid encryption of a valid vote.

17 Conclusions ● A strong notion of coercion resistance is formalised ● Coercer interacts with voter during election process ● Can give her messages to use, including ones designed specifically to test her loyalty ● No experience yet in proving protocols satisfy CR ● Need to compare with computational notion of [JCJ05] [JCJ05] A. Juels, D.Catalano, M. Jakobsson. Coercion Resistant Electronic Elections. WPES, Nov 2005.

Download ppt "Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan."

Similar presentations

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
A Pairing-Based Blind Signature

A Pairing-Based Blind Signature
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.

Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.
Security Definitions in Computational Cryptography

Security Definitions in Computational Cryptography
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
Electronic voting: theory and practice Mark D. Ryan ● Electronic voting promises – convenient way of recording and tallying votes – security against fraud.

Electronic voting: theory and practice Mark D. Ryan ● Electronic voting promises – convenient way of recording and tallying votes – security against fraud.
Vanessa Teague Department of Computer Science and Software Engineering University of Melbourne Australia.

Vanessa Teague Department of Computer Science and Software Engineering University of Melbourne Australia.
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
Reusable Anonymous Return Channels

Reusable Anonymous Return Channels
Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

Similar presentations

Ads by Google