Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan
Some desired properties of e-voting systems – Eligibility: only eligible voters can vote, and only once. – Fairness: no voter can be influenced by votes already made. – Indiv. verif.: a voter can verify that her vote was counted. – Universal verifiability: a voter can verify that the published result is the tally of the votes cast. – Privacy: no-one can find out how a voter voted. – Receipt-freeness: Voter doesn’t get receipt for her vote. – Coercion-resistance: Voter cannot be blackmailed / bought. – Robustness: Voters cannot disrupt the election. Faulty behaviour tolerated. – Vote-and-go: Voters participate in one session.
Verification ● Computing systems are usually programmed at the low level – involving, e.g., detail of messages sent between components, and participants – detail of specific encryption arrangements ● But properties are expressed at a higher level of abstraction – they depend not on individual details, but on the system as a whole ● Model checking: = φ M ≈ * M M
Verification of FOO’92 ● [KR’05] formalises the A 3-phase protocol using commitments voting protocol of and blind signatures Fujioka/Okamoto/Ohta 1992 ● Using the A language for describing Applied Pi Calculus concurrent and communicating processes, and their properties ● We verified eligibility , fairness , and privacy. ● (What does that mean?)
Kinds of properties ● Reachability properties: – The system can/cannot get into a certain state – e.g., a message will/won’t appear on = φ M a public channel ● Observational equivalence properties: – two versions of the system cannot be distinguished by an observer who can see messages on public channels and perform arbitrary tests on the processes. M ≈ * M
Some properties in strength-order ● Privacy – no-one can find out how Alice voted. ● Receipt-freeness – Alice doesn’t get a receipt (or any other by-product of the voting process); thus Alice cannot prove afterwards to a coercer how she voted – Receipt-freeness is like privacy , but even with Alice’s cooperation ● Coercion-resistance – Alice cannot prove how she voted, even if interaction with the coercer is allowed during the voting process – Even stronger than receipt-freeness .
Formalising privacy ● ?? No-one can find out how Alice voted – Actually too strong: e.g., if the vote was unanimous, then everyone knows how Alice voted – Even if not unanimous, a coalition consisting of all voters except Alice can tell how Alice voted. ● If Alice and Bob were to swap votes, no-one would be able to tell ● A situation in which Alice votes vote v A and Bob votes v B is indistinguishable by the attacker to one in which Alice votes v B and Bob votes v A . ≈ A ( v ) B ( v ) A ( v ) B ( v ) A B B A
Formalising receipt-freeness ● Like privacy, but Alice cooperates by publishing her private key and any secrets (e.g. nonces) ● Before the election: e.g. her private key ● After the election: secrets she has learned during the election process ● The coercer needs to be convinced that Alice is telling the truth ● He needs to be able to verify the secrets ● Suppose A(v C ) is the process that votes v C and copies the voting interaction (messages received and sent) to the coercer. The protocol is receipt-free if exists A’ such that ≈ A ( v ) B ( v ) A ' B ( v ) C A C
Coercion-resistance ● In this case, Alice interacts with the coercer (e.g. by mobile phone) during the election. ● The coercer can participate in Alice’s vote: ● She can tell him messages she receives during the process (although he might not believe her) ● He can instruct her on what messages to send back (although she might not obey). ● He might have independent means of verifying her reports and her actions
The voting booth Voting booth Voting system a c Published data Coercer
Interaction between the voter and the coercer ● Let P be a process and c 1 , c 2 be channels. The process P c1,c2 is a process like P but which copies all messages it receives on c 1 to c 2 , and accepts inputs on c 2 for messages it sends on c 1 . Specifically, ● Every in(c 1 ,y) in P is replaced by in(c 1 ,y); out(c 2 ,y). ● Every out(c 1 ,m) in P is replaced by in(c 2 ,x); out(c 1 ,x) where x is a variable not occurring in P. ● Every new n in P is replaced by new n; out(c 2 ,n). ● If A is Alice’s voting process, then A a,c is the process in which Alice cooperates fully with the coercer.
Formalising coercion-resistance Rough idea: ( ) ( ) υ ≈ υ a , c C a , b A B ( v ) C a , b A ' B ( v ) A ● Better: there exists a process A’ such that – If A’ votes then it votes v A – For all coercers C, there exists a vote v, such that ( ( ) ) ( ( ) ) υ υ ≈ υ υ a , c c C a , b A B ( v ) c C a , b A ' B ( v ) A Consider the cases ● ● Coercer’s vote is v A ● Coercer’s vote is v C ● Coercer sends garbage
Fault attack ( ) ( ) υ ≈ υ cha , chc chc C A B ( v ) chc C A ' B ( v ) A ● The coercer could try to distinguish the two sides by sending incoherent messages to Alice. ● On the left-hand side, C|A will block, so only B’s vote for v A will be observed. ● On the right-hand side, A’ will still vote v A , so v and v A will be observed. ● If successful, this is an attack on coercion resistance. ● Might not be successful if A’ can detect the incoherence of the messages from C.
Simplified [LBDKYY’03] ● Uses re-encryption and designated verifier proofs. ● Re-encryption ● Randomised encryption: {m} K contains “random coins” ● Re-encryption: change the random coin ● E.g., in El Gamal, the ciphertext (x,y) is changed to (xg r ,yh r ). ● Designated verifier proofs ● S can prove to A that, say, c is the encryption of m, but A cannot use this proof to convince someone else. ● Technically this is achieved by giving A the ability to simulate transcripts of the proof
Simplified [LBDKYY’03] Alice Administrator Collector ( ) { } c Sign v Coll , Alice 1 reencrypt ( ) { } c Sign v Coll , Admin 2 ( ) { } { } 1 , c c = DVP v v 2 Coll Coll ( ) { } c Sign v Coll , Admin 2
Simplified [LBDKYY’03] ● Fails coercion resistance, because coercer can ( ) { } ● prepare a message meant to look like c Sign v Coll , Alice 1 but actually garbage; ● test whether Alice votes or not. ● Fixable by encoding s.t. every message can be interpreted as a valid encryption of a valid vote.
Conclusions ● A strong notion of coercion resistance is formalised ● Coercer interacts with voter during election process ● Can give her messages to use, including ones designed specifically to test her loyalty ● No experience yet in proving protocols satisfy CR ● Need to compare with computational notion of [JCJ05] [JCJ05] A. Juels, D.Catalano, M. Jakobsson. Coercion Resistant Electronic Elections . WPES, Nov 2005.
Pics
Recommend
More recommend
