Auditing for privacy in threshold PKE e-voting

Purpose This paper aims to investigate the importance of auditing for election privacy via issues that appear in the state-of-the-art implementations of e-voting systems that apply threshold public key encryption (TPKE) in the client such as Helios and use a bulletin board (BB). Design/methodology/approach Argumentation builds upon a formal description of a typical TPKE-based e-voting system where the election authority (EA) is the central node in a star network topology. The paper points out the weaknesses of the said topology with respect to privacy and analyzes how these weaknesses affect the security of several instances of TPKE-based e-voting systems. Overall, it studies the importance of auditing from a privacy aspect. Findings The paper shows that without public key infrastructure (PKI) support or – more generally – authenticated BB “append” operations, TPKE-based e-voting systems are vulnerable to attacks where the malicious EA can act as a man-in-the-middle between the election trustees and the voters; hence, it can learn how the voters have voted. As a countermeasure for such attacks, this work suggests compulsory trustee auditing. Furthermore, it analyzes how lack of cryptographic proof verification affects the level of privacy that can be provably guaranteed in a typical TPKE e-voting system. Originality/value As opposed to the extensively studied importance of auditing to ensure election integrity, the necessity of auditing to protect privacy in an e-voting system has been mostly overlooked. This paper reveals design weaknesses present in noticeable TPKE-based e-voting systems that can lead to a total breach of voters’ privacy and shows how auditing can be applied for providing strong provable privacy guarantees.

[1]  Ben Smyth,et al.  Computational Election Verifiability: Definitions and an Analysis of Helios and JCJ , 2015, IACR Cryptol. ePrint Arch..

[2]  Panayiotis Tsanakas,et al.  From Helios to Zeus , 2013, EVT/WOTE.

[3]  Aggelos Kiayias,et al.  On the Necessity of Auditing for Election Privacy in e-Voting Systems , 2015, e-Democracy.

[4]  Aggelos Kiayias,et al.  End-to-End Verifiable Elections in the Standard Model , 2015, EUROCRYPT.

[5]  Mark Ryan,et al.  Election Verifiability in Electronic Voting Protocols , 2010, ESORICS.

[6]  David Chaum,et al.  A Practical Voter-Verifiable Election Scheme , 2005, ESORICS.

[7]  Michael J. Fischer,et al.  A robust and verifiable cryptographically secure election scheme , 1985, 26th Annual Symposium on Foundations of Computer Science (sfcs 1985).

[8]  Bogdan Warinschi,et al.  How Not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios , 2012, ASIACRYPT.

[9]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[10]  Silvio Micali,et al.  The Knowledge Complexity of Interactive Proof Systems , 1989, SIAM J. Comput..

[11]  Philip B. Stark,et al.  STAR-Vote: A Secure, Transparent, Auditable, and Reliable Voting System , 2012, EVT/WOTE.

[12]  Jörg Schwenk,et al.  The Bug That Made Me President a Browser- and Web-Security Case Study on Helios Voting , 2011, VoteID.

[13]  Michael R. Clarkson,et al.  Civitas: Toward a Secure Voting System , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[14]  J. Alex Halderman,et al.  Security Analysis of the Estonian Internet Voting System , 2014, CCS.

[15]  Ronald Cramer,et al.  A secure and optimally efficient multi-authority election scheme , 1997, Eur. Trans. Telecommun..

[16]  Moti Yung,et al.  Distributing the power of a government to enhance the privacy of voters , 1986, PODC '86.

[17]  Miroslaw Kutylowski,et al.  Scratch, Click & Vote: E2E Voting over the Internet , 2010, Towards Trustworthy Elections.

[18]  Yvo Desmedt,et al.  Exploiting the Client Vulnerabilities in Internet E-voting Systems: Hacking Helios 2.0 as an Example , 2010, EVT/WOTE.

[19]  Aggelos Kiayias,et al.  An Internet Voting System Supporting User Privacy , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[20]  Yehuda Lindell,et al.  Security Against Covert Adversaries: Efficient Protocols for Realistic Adversaries , 2007, Journal of Cryptology.

[21]  Ben Smyth,et al.  Attacking and Fixing Helios: An Analysis of Ballot Secrecy , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[22]  David A. Wagner,et al.  Analyzing internet voting security , 2004, CACM.

[23]  Ben Adida,et al.  Helios: Web-based Open-Audit Voting , 2008, USENIX Security Symposium.

[24]  Kristian Gjøsteen The Norwegian Internet Voting Protocol , 2011, VoteID.

[25]  Torben P. Pedersen A Threshold Cryptosystem without a Trusted Party (Extended Abstract) , 1991, EUROCRYPT.

[26]  Ben Smyth,et al.  Adapting Helios for Provable Ballot Privacy , 2011, ESORICS.

[27]  Jeremy Clark,et al.  Scantegrity: End-to-End Voter-Verifiable Optical- Scan Voting , 2008, IEEE Security & Privacy.

[28]  Markus Jakobsson,et al.  Coercion-resistant electronic elections , 2005, WPES '05.

[29]  Jeremy Clark,et al.  Remotegrity: Design and Use of an End-to-End Verifiable Remote Voting System , 2013, ACNS.

[30]  Ralf Küsters,et al.  Clash Attacks on the Verifiability of E-Voting Systems , 2012, 2012 IEEE Symposium on Security and Privacy.

[31]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[32]  Aggelos Kiayias,et al.  DEMOS-2: Scalable E2E Verifiable Elections without Random Oracles , 2015, CCS.

[33]  David Chaum,et al.  Untraceable electronic mail, return addresses, and digital pseudonyms , 1981, CACM.

[34]  Kristian Gjøsteen Analysis of an internet voting protocol , 2010, IACR Cryptol. ePrint Arch..