Ballot secrecy: Security definition, sufficient conditions, and analysis of Helios

We propose a definition of ballot secrecy as an indistinguishability game in the computational model of cryptography. Our definition improves upon earlier definitions to ensure ballot secrecy is preserved in the presence of an adversary that controls ballot collection. We also propose a definition of ballot independence as an adaptation of an indistinguishability game for asymmetric encryption. We prove relations between our definitions. In particular, we prove ballot independence is sufficient for ballot secrecy in voting systems with zero-knowledge tallying proofs. Moreover, we prove that building systems from non-malleable asymmetric encryption schemes suffices for ballot secrecy, thereby eliminating the expense of ballot-secrecy proofs for a class of encryption-based voting systems. We demonstrate applicability of our results by analysing the Helios voting system and its mixnet variant. Our analysis reveals that Helios does not satisfy ballot secrecy in the presence of an adversary that controls ballot collection. The vulnerability cannot be detected by earlier definitions of ballot secrecy, because they do not consider such adversaries. We adopt non-malleable ballots as a fix and prove that the fixed system satisfies ballot secrecy.

[1]  Ben Smyth,et al.  Non-malleable encryption with proofs of plaintext knowledge and applications to voting , 2019, IACR Cryptol. ePrint Arch..

[2]  Ben Smyth,et al.  A critique of game-based definitions of receipt-freeness for voting , 2019, IACR Cryptol. ePrint Arch..

[3]  Maxime Meyer,et al.  Exploiting re-voting in the Helios election system , 2019, Inf. Process. Lett..

[4]  Ben Smyth Surveying definitions of coercion resistance , 2019, IACR Cryptol. ePrint Arch..

[5]  Ben Smyth Athena: A verifiable, coercion-resistant voting system with linear complexity , 2019, IACR Cryptol. ePrint Arch..

[6]  Shahram Khazaei,et al.  A rigorous security analysis of a decentralized electronic voting protocol in the universal composability framework , 2018, J. Inf. Secur. Appl..

[7]  Ben Smyth,et al.  Secret, verifiable auctions from elections , 2018, Theor. Comput. Sci..

[8]  Ben Smyth,et al.  Authentication with weaker trust assumptions for voting systems , 2018, IACR Cryptol. ePrint Arch..

[9]  Ben Smyth Verifiability of Helios Mixnet , 2018, IACR Cryptol. ePrint Arch..

[10]  Ben Smyth,et al.  A foundation for secret, verifiable elections , 2018, IACR Cryptol. ePrint Arch..

[11]  Cas J. F. Cremers,et al.  Improving Automated Symbolic Analysis for E-voting Protocols: A Method Based on Sufficient Conditions for Ballot Secrecy , 2017, ArXiv.

[12]  Philip B. Stark,et al.  Public Evidence from Secret Ballots , 2017, E-VOTE-ID.

[13]  Véronique Cortier,et al.  Machine-Checked Proofs of Privacy for Electronic Voting Protocols , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[14]  Ben Smyth,et al.  A short introduction to secrecy and verifiability for elections , 2017, ArXiv.

[15]  Ben Smyth First-past-the-post suffices for ranked voting , 2017 .

[16]  B. Smyth,et al.  An attack against the Helios election system that exploits re-voting , 2016, 1612.04099.

[17]  Aleksander Essex,et al.  The cloudier side of cryptographic end-to-end verifiable voting: a security analysis of Helios , 2016, ACSAC.

[18]  Georg Fuchsbauer,et al.  BeleniosRF: A Non-interactive Receipt-Free Electronic Voting Scheme , 2016, CCS.

[19]  Ben Smyth,et al.  Automated Reasoning for Equivalences in the Applied Pi Calculus with Barriers , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[20]  Ben Smyth,et al.  NM-CPA Secure Encryption with Proofs of Plaintext Knowledge , 2015, IWSEC.

[21]  Ben Smyth,et al.  Election Verifiability: Cryptographic Definitions and an Analysis of Helios and JCJ , 2015 .

[22]  Véronique Cortier,et al.  SoK: A Comprehensive Analysis of Game-Based Ballot Privacy Definitions , 2015, 2015 IEEE Symposium on Security and Privacy.

[23]  Aggelos Kiayias,et al.  End-to-End Verifiable Elections in the Standard Model , 2015, EUROCRYPT.

[24]  Ben Smyth Secrecy and independence for election schemes , 2015, IACR Cryptol. ePrint Arch..

[25]  J. Alex Halderman,et al.  Security Analysis of the Estonian Internet Voting System , 2014, CCS.

[26]  Ben Smyth Ballot secrecy with malicious bulletin boards , 2014, IACR Cryptol. ePrint Arch..

[27]  Véronique Cortier,et al.  Election Verifiability for Helios under Weaker Trust Assumptions , 2014, ESORICS.

[28]  Cacm Staff,et al.  ACM's 2014 general election: please take this opportunity to vote , 2014 .

[29]  Ben Smyth,et al.  Hawk and Aucitas: e-Auction Schemes from the Helios and Civitas e-Voting Schemes , 2014, Financial Cryptography.

[30]  David Bernhard,et al.  Zero-knowledge proofs in theory and practice , 2014 .

[31]  Ben Smyth,et al.  Ballot secrecy and ballot independence: definitions and relations , 2014 .

[32]  Véronique Cortier,et al.  Distributed ElGamal à la Pedersen: Application to Helios , 2013, WPES.

[33]  Ben Smyth,et al.  Ballot Secrecy and Ballot Independence Coincide , 2013, ESORICS.

[34]  Bogdan Warinschi,et al.  Cryptographic Voting - A Gentle Introduction , 2013, FOSAD.

[35]  Alfredo Pironti,et al.  Truncating TLS Connections to Violate Beliefs in Web Applications , 2013, WOOT.

[36]  Bruno Blanchet,et al.  Verification of security protocols with lists: From length one to unbounded length , 2012, J. Comput. Secur..

[37]  Panayiotis Tsanakas,et al.  From Helios to Zeus , 2013, EVT/WOTE.

[38]  Véronique Cortier,et al.  A generic construction for voting correctness at minimum cost - Application to Helios , 2013, IACR Cryptol. ePrint Arch..

[39]  Yvo Desmedt,et al.  Applying Divertibility to Blind Ballot Copying in the Helios Internet Voting System , 2012, ESORICS.

[40]  Steve A. Schneider,et al.  A Formal Framework for Modelling Coercion Resistance and Receipt Freeness , 2012, FM.

[41]  Douglas W. Jones,et al.  Broken Ballots: Will Your Vote Count? , 2012 .

[42]  Ralf Küsters,et al.  Clash Attacks on the Verifiability of E-Voting Systems , 2012, 2012 IEEE Symposium on Security and Privacy.

[43]  Judith G. Kelley,et al.  Monitoring Democracy , 2012 .

[44]  Mark Ryan,et al.  Reduction of Equational Theories for Verification of Trace Equivalence: Re-encryption, Associativity and Commutativity , 2012, POST.

[45]  Eric Wustrow,et al.  Attacking the Washington, D.C. Internet Voting System , 2012, Financial Cryptography.

[46]  Douglas Wikstr How to Implement a Stand-alone Verifier for the Verificatum Mix-Net , 2012 .

[47]  Bogdan Warinschi,et al.  On Necessary and Sufficient Conditions for Private Ballot Submission , 2012, IACR Cryptol. ePrint Arch..

[48]  Feng Hao,et al.  A Fair and Robust Voting System by Broadcast , 2012, Electronic Voting.

[49]  Ben Smyth Replay attacks that violate ballot secrecy in Helios , 2012, IACR Cryptol. ePrint Arch..

[50]  Kristian Gjøsteen,et al.  The Norwegian Internet Voting Protocol , 2011, VoteID.

[51]  Ben Smyth,et al.  Adapting Helios for Provable Ballot Privacy , 2011, ESORICS.

[52]  Olivier Pereira,et al.  Running Mixnet-Based Elections with Helios , 2011, EVT/WOTE.

[53]  Ben Smyth,et al.  Formal verification of cryptographic protocols with automated reasoning , 2011 .

[54]  Ben Smyth,et al.  Attacking and Fixing Helios: An Analysis of Ballot Secrecy , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[55]  Graham Steel,et al.  Formal Analysis of Protocols Based on TPM State Registers , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[56]  Ben Smyth,et al.  A note on replay attacks that violate privacy in electronic voting schemes , 2011 .

[57]  Ben Smyth,et al.  ProVerif 1.85: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial , 2011 .

[58]  Ralf Küsters,et al.  Accountability: definition and relationship to verifiability , 2010, CCS '10.

[59]  Eric Wustrow,et al.  Security analysis of India's electronic voting machines , 2010, CCS '10.

[60]  Ralf Küsters,et al.  A Game-Based Definition of Coercion-Resistance and Its Applications , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[61]  Feng Hao,et al.  Anonymous voting by two-round public discussion , 2010, IET Inf. Secur..

[62]  Gerald V. Post,et al.  Using re-voting to reduce the threat of coercion in elections , 2010, Electron. Gov. an Int. J..

[63]  Jörn Müller-Quade,et al.  Universally Composable Incoercibility , 2009, IACR Cryptol. ePrint Arch..

[64]  Mark Ryan,et al.  Verifying privacy-type properties of electronic voting protocols , 2009, J. Comput. Secur..

[65]  Jean-Jacques Quisquater,et al.  Electing a University President Using Open-Audit Voting: Analysis of Real-World Use of Helios , 2009, EVT/WOTE.

[66]  Ryan W. Gardner,et al.  Coercion Resistant End-to-end Voting , 2009, Financial Cryptography.

[67]  Douglas Wikström,et al.  Simplified Submission of Inputs to Protocols , 2008, SCN.

[68]  Ben Adida,et al.  Helios: Web-based Open-Audit Voting , 2008, USENIX Security Symposium.

[69]  Mark Ryan,et al.  Automatic Verification of Privacy Properties in the Applied pi Calculus , 2008, IFIPTM.

[70]  Isobel White,et al.  Electoral Pilot Schemes , 2008 .

[71]  C. Kaplan WHY ELECTIONS FAIL , 2008, The Review of Politics.

[72]  Jill Lepore “Rock, Paper, Scissors: How we used to vote” , 2008 .

[73]  Bogdan Warinschi,et al.  Advances in Cryptology - Asiacrypt 2008 , 2008 .

[74]  Rop Gonggrijp,et al.  Studying the Nedap/Groenendaal ES3B Voting Computer: A Computer Security Perspective , 2007, EVT.

[75]  Yehuda Lindell,et al.  Introduction to Modern Cryptography , 2004 .

[76]  Jens Groth,et al.  Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures , 2006, ASIACRYPT.

[77]  Moni Naor,et al.  Receipt-Free Universally-Verifiable Voting with Everlasting Privacy , 2006, CRYPTO.

[78]  C. Andrew Neff,et al.  Ballot Casting Assurance , 2006, EVT.

[79]  Mark Ryan,et al.  Coercion-resistance and receipt-freeness in electronic voting , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[80]  Peter Brent,et al.  The Australian ballot: Not the secret ballot , 2006 .

[81]  Markus Jakobsson,et al.  Coercion-resistant electronic elections , 2005, WPES '05.

[82]  Edward V. Schneier Beyond Free and Fair: Monitoring Elections and Building Democracy , 2005, The Journal of Politics.

[83]  Yvo Desmedt,et al.  Electronic Voting: Starting Over? , 2005, ISC.

[84]  David Chaum,et al.  A Practical Voter-Verifiable Election Scheme , 2005, ESORICS.

[85]  Nicole Schweikardt,et al.  Arithmetic, first-order logic, and counting quantifiers , 2002, TOCL.

[86]  Dan S. Wallach,et al.  Analysis of an electronic voting system , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[87]  Jens Groth,et al.  Efficient Maximal Privacy in Boardroom Voting and Anonymous Broadcast , 2004, Financial Cryptography.

[88]  Marcos A. Kiwi,et al.  Electronic jury voting protocols , 2002, Theor. Comput. Sci..

[89]  Epp Maaten,et al.  Towards Remote E-Voting: Estonian case , 2004, Electronic Voting in Europe.

[90]  Victor Shoup,et al.  Sequences of games: a tool for taming complexity in security proofs , 2004, IACR Cryptol. ePrint Arch..

[91]  C. Andrew Ne,et al.  Practical high certainty intent verification for encrypted votes , 2004 .

[92]  C. Andrew Neff,et al.  Verifiable e-Voting Indisputable electronic elections at polling places , 2003 .

[93]  Aggelos Kiayias,et al.  Self-tallying Elections and Perfect Ballot Secrecy , 2002, Public Key Cryptography.

[94]  Rosario Gennaro A Protocol to Achieve Independence in Constant Rounds , 2000, IEEE Trans. Parallel Distributed Syst..

[95]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[96]  Amit Sahai,et al.  Non-malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization , 1999, CRYPTO.

[97]  Berry Schoenmakers,et al.  A Simple Publicly Verifiable Secret Sharing Scheme and Its Application to Electronic , 1999, CRYPTO.

[98]  Yiannis Tsiounis,et al.  On the Security of ElGamal Based Encryption , 1998, Public Key Cryptography.

[99]  Mihir Bellare,et al.  A concrete security treatment of symmetric encryption , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[100]  Ronald Cramer,et al.  A Secure and Optimally Efficient Multi-Authority Election Scheme ( 1 ) , 2000 .

[101]  Patrick Horster,et al.  Some Remarks on a Receipt-Free and Universally Verifiable Mix-Type Voting Scheme , 1996, ASIACRYPT.

[102]  Matthew K. Franklin,et al.  Multi-Autority Secret-Ballot Elections with Linear Work , 1996, EUROCRYPT.

[103]  Rosario Gennaro Achieving independence efficiently and securely , 1995, PODC '95.

[104]  Kazue Sako,et al.  Receipt-Free Mix-Type Voting Scheme - A Practical Solution to the Implementation of a Voting Booth , 1995, EUROCRYPT.

[105]  Thomas Saalfeld,et al.  On Dogs and Whips: Recorded Votes , 1995 .

[106]  Josh Benaloh,et al.  Receipt-free secret-ballot elections (extended abstract) , 1994, STOC '94.

[107]  Birgit Pfitzmann,et al.  Breaking Efficient Anonymous Channel , 1994, EUROCRYPT.

[108]  Josh Benaloh,et al.  Receipt-Free Secret-Ballot Elections , 1994, STOC 1994.

[109]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[110]  David Chaum,et al.  Wallet Databases with Observers , 1992, CRYPTO.

[111]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[112]  Birgit Pfitzmann,et al.  How to Break the Direct RSA-Implementation of Mixes , 1990, EUROCRYPT.

[113]  Michael O. Rabin,et al.  Achieving independence in logarithmic number of rounds , 1987, PODC '87.

[114]  Josh Benaloh Verifiable secret-ballot elections , 1987 .

[115]  Moti Yung,et al.  Distributing the power of a government to enhance the privacy of voters , 1986, PODC '86.

[116]  David Chaum,et al.  Demonstrating Possession of a Discrete Logarithm Without Revealing It , 1986, CRYPTO.

[117]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[118]  Baruch Awerbuch,et al.  Verifiable secret sharing and achieving simultaneity in the presence of faults , 1985, 26th Annual Symposium on Foundations of Computer Science (sfcs 1985).

[119]  B. Grofman,et al.  Choosing an Electoral System: Issues and Alternatives , 1984 .

[120]  David Chaum,et al.  Untraceable electronic mail, return addresses, and digital pseudonyms , 1981, CACM.

[121]  M. Carmichael THE BALLOT , 1976, The Lancet.

[122]  F. Delano United Nations Universal Declaration of Human Rights , 1952, Nature.