Privacy and verifiability in voting systems: Methods, developments and trends

Abstract

One of the most challenging aspects of computer-supported voting is combining the apparently conflicting requirements of privacy and verifiability. On the one hand, privacy requires that a vote cannot be traced back from the result to a voter, while on the other hand, verifiability states that a voter can trace the effect of her vote on the result. This can be addressed using various privacy-enabling cryptographic primitives which also offer verifiability. As more and more refined voting systems were proposed, understanding of first privacy and later verifiability in voting increased, and notions of privacy as well as notions of verifiability in voting became increasingly refined. This has culminated in a variety of verifiable systems that use cryptographic primitives to ensure specific kinds of privacy. However, the corresponding privacy and verifiability claims are not often verified independently. When they are investigated, claims have been invalidated sufficiently often to warrant a cautious approach to them. The multitude of notions, primitives and proposed solutions that claim to achieve both privacy and verifiability forms an interesting but complex landscape. The purpose of this paper is to survey this landscape by providing an overview of the methods, developments and current trends regarding privacy and verifiability in voting systems.
