Voting: You Can't Have Privacy without Individual Verifiability

Electronic voting typically aims at two main security goals: vote privacy and verifiability. These two goals are often seen as antagonistic and some national agencies even impose a hierarchy between them: first privacy, and then verifiability as an additional feature. Verifiability typically includes individual verifiability (a voter can check that her ballot is counted); universal verifiability (anyone can check that the result corresponds to the published ballots); and eligibility verifiability (only legitimate voters may vote). We show that actually, privacy implies individual verifiability. In other words, systems without individual verifiability cannot achieve privacy (under the same trust assumptions). To demonstrate the generality of our result, we show this implication in two different settings, namely cryptographic and symbolic models, for standard notions of privacy and individual verifiability. Our findings also highlight limitations in existing privacy definitions in cryptographic settings.
