Model Checking the SELENE E-Voting Protocol in Multi-agent Logics

Selene is a recently proposed voting protocol that provides reasonable protection against coercion. In this paper, we take a first step towards a formalization of selected features of the protocol by means of formulae and models of multi-agent logics. We start from a very abstract view of the protocol as the public composition of two secret maps: a bijection from tracking numbers to voters, and a mapping from voters to their choices. Then we refine this view using multi-agent models of strategic interaction, which define the space of strategies available to the voters, the election authority, and a potential coercer. We express selected properties of the protocol in the strategic logic \(\mathbf{ATL_{\mathrm{ir}}}\) (alternating-time temporal logic for agents with imperfect information and imperfect recall) and conduct preliminary verification by model checking. While \(\mathbf{ATL_{\mathrm{ir}}}\) allows requirements such as coercion-resistance to be specified intuitively, model checking \(\mathbf{ATL_{\mathrm{ir}}}\) is notoriously hard. We show that some of this complexity can be avoided by using a recent approach to approximate model checking based on fixpoint approximations.
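The abstract view sketched above, worked through as an added example (this is illustrative code written for this page, not the authors' model or a Selene implementation). The election, the voter names, the tracker identifiers and the choices are all constructed; the public bulletin board is the composition of the secret tracker-to-voter bijection with the secret voter-to-choice map, and the coercer is modelled as an observer who sees only that board plus, optionally, some tracker-to-voter links he has learned (the known-link parameter is an assumption added for illustration).

```python
import itertools

# Constructed toy election (not from the paper).
VOTERS = ("alice", "bob", "carol")
CHOICES = ("A", "B")


def publish(tracker_to_voter, voter_to_choice):
    """The public bulletin board: tracker -> choice.

    This is the composition of the two secret maps. Only this composed
    view is published; neither input map is.
    """
    assert sorted(tracker_to_voter.values()) == sorted(voter_to_choice), \
        "tracker_to_voter must be a bijection onto the voter set"
    return {t: voter_to_choice[v] for t, v in tracker_to_voter.items()}


def consistent_bijections(board, voters, known_links=None):
    """Every tracker -> voter bijection an observer cannot rule out.

    `known_links` (assumed for illustration) is a dict of tracker -> voter
    pairs the observer has learned, e.g. because a coerced voter revealed
    a tracker. Without it the observer knows only the board.
    """
    known_links = known_links or {}
    trackers = list(board)
    for perm in itertools.permutations(voters):
        candidate = dict(zip(trackers, perm))
        if all(candidate[t] == v for t, v in known_links.items()):
            yield candidate


def possible_choices(board, voters, known_links=None):
    """For each voter, the set of choices the observer cannot exclude."""
    result = {v: set() for v in voters}
    for candidate in consistent_bijections(board, voters, known_links):
        for t, v in candidate.items():
            result[v].add(board[t])
    return result


def coercer_learns_nothing(board, voters, known_links=None):
    """True iff, for every voter, every choice on the board is still possible.

    This is the crude indistinguishability property the abstract view
    supports: a board-only observer cannot tell any voter's choice.
    """
    seen = set(board.values())
    return all(s == seen for s in possible_choices(board, voters, known_links).values())


if __name__ == "__main__":
    secret_bijection = {"t1": "alice", "t2": "bob", "t3": "carol"}
    secret_votes = {"alice": "A", "bob": "B", "carol": "A"}
    board = publish(secret_bijection, secret_votes)
    print("board:", board)
    print("board-only observer:", possible_choices(board, VOTERS))
    print("observer who learned t2 -> bob:",
          possible_choices(board, VOTERS, {"t2": "bob"}))
```

Running the script shows the two sides of the abstraction: with only the board, every voter could have cast either choice, so the composed view leaks nothing about individuals; once a single tracker-to-voter link is known, not only is that voter's choice pinned down, but in this small board the remaining trackers all carry the same choice, so the other voters' choices are exposed too. That is exactly the kind of knowledge-dependent reasoning the strategic models in the paper are meant to capture.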
