Receipt-freeness and coercion-resistance: formal definitions and - - PowerPoint PPT Presentation

Receipt-freeness and coercion-resistance: formal definitions and fault attacks

Stéphanie Delaune / Steve Kremer / Mark D. Ryan

Some desired properties of e-voting systems

– Eligibility: only eligible voters can vote, and only once. – Fairness: no voter can be influenced by votes already made. – Indiv. verif.: a voter can verify that her vote was counted. – Universal verifiability: a voter can verify that the published

result is the tally of the votes cast.

– Privacy: no-one can find out how a voter voted. – Receipt-freeness: Voter doesn’t get receipt for her vote. – Coercion-resistance: Voter cannot be blackmailed / bought. – Robustness: Voters cannot disrupt the election.

Faulty behaviour tolerated.

– Vote-and-go: Voters participate in one session.

Verification

• Computing systems are usually

programmed at the low level

– involving, e.g., detail of messages

sent between components, and participants

– detail of specific encryption arrangements

• But properties are expressed at a higher level of

abstraction

– they depend not on individual details, but on the system

as a whole

• Model checking:

φ = M

*

M M ≈

Verification of FOO’92

• [KR’05] formalises the

voting protocol of Fujioka/Okamoto/Ohta 1992

• Using the

Applied Pi Calculus

• We verified eligibility,

fairness, and privacy.

• (What does that mean?)

A 3-phase protocol using commitments and blind signatures A language for describing concurrent and communicating processes, and their properties

Kinds of properties

• Reachability properties:

– The system can/cannot get into a certain state – e.g., a message will/won’t appear on

a public channel

• Observational equivalence properties:

– two versions of the system cannot be distinguished by an

• bserver who can see messages on public channels and

perform arbitrary tests on the processes.

φ = M

*

M M ≈

• Privacy

– no-one can find out how Alice voted.

• Receipt-freeness

– Alice doesn’t get a receipt (or any other by-product

• f the voting process); thus Alice cannot prove

afterwards to a coercer how she voted

– Receipt-freeness is like privacy, but even with

Alice’s cooperation

• Coercion-resistance

– Alice cannot prove how she voted, even if

interaction with the coercer is allowed during the voting process

– Even stronger than receipt-freeness.

Some properties in strength-order

Formalising privacy

• ?? No-one can find out how Alice voted

– Actually too strong: e.g., if the vote was unanimous, then

everyone knows how Alice voted

– Even if not unanimous, a coalition consisting of all voters

except Alice can tell how Alice voted.

• If Alice and Bob were to swap votes, no-one would be

able to tell

• A situation in which Alice votes vote vA and Bob votes vB is

indistinguishable by the attacker to one in which Alice votes vB and Bob votes vA.

  ) ( ) ( ) ( ) (

A B B A

v B v A v B v A ≈

Formalising receipt-freeness

• Like privacy, but Alice cooperates by publishing her

private key and any secrets (e.g. nonces)

• Before the election: e.g. her private key
• After the election: secrets she has learned during the

election process

• The coercer needs to be convinced that Alice is telling the truth
• He needs to be able to verify the secrets
• Suppose A(vC) is the process that votes vC and copies the voting

interaction (messages received and sent) to the coercer. The protocol is receipt-free if exists A’ such that

  ) ( ' ) ( ) (

C A C

v B A v B v A

≈

Coercion-resistance

• In this case, Alice interacts with the coercer (e.g. by

mobile phone) during the election.

• The coercer can participate in Alice’s vote:
• She can tell him messages she receives during the process

(although he might not believe her)

• He can instruct her on what messages to send back (although

she might not obey).

• He might have independent means of verifying her

reports and her actions

The voting booth

c

Voting booth Voting system Published data

a

Coercer

Interaction between the voter and the coercer

• Let P be a process and c1, c2 be channels. The process

Pc1,c2 is a process like P but which copies all messages it receives on c1 to c2, and accepts inputs on c2 for messages it sends on c1. Specifically,

• Every in(c1,y) in P is replaced by in(c1,y); out(c2,y).
• Every out(c1,m) in P is replaced by in(c2,x); out(c1,x)

where x is a variable not occurring in P.

• Every new n in P is replaced by new n; out(c2,n).
• If A is Alice’s voting process, then Aa,c is the

process in which Alice cooperates fully with the coercer.

Formalising coercion-resistance

Rough idea:

• Better: there exists a process A’ such that

– If A’ votes then it votes vA – For all coercers C, there exists a vote v, such that

• Consider the cases
• Coercer’s vote is vA
• Coercer’s vote is vC
• Coercer sends garbage

( )

( )

  ) ( ' , ) ( ,

,

v B A b a C v B A b a C

A c a

υ υ ≈

( ) ( )

( ) ( )

  ) ( ' , ) ( ,

,

v B A b a C c v B A b a C c

A c a

υ υ υ υ ≈

Fault attack

( )

( )

  ) ( ' ) (

,

v B A C chc v B A C chc

A chc cha

υ υ ≈

• The coercer could try to distinguish the two sides by

sending incoherent messages to Alice.

• On the left-hand side, C|A will block, so only B’s vote

for vA will be observed.

• On the right-hand side, A’ will still vote vA, so v and vA

will be observed.

• If successful, this is an attack on coercion resistance.
• Might not be successful if A’ can detect the

incoherence of the messages from C.

Simplified [LBDKYY’03]

• Uses re-encryption and designated verifier proofs.
• Re-encryption
• Randomised encryption: {m}K contains “random coins”
• Re-encryption: change the random coin
• E.g., in El Gamal, the ciphertext (x,y) is changed to

(xgr,yhr).

• Designated verifier proofs
• S can prove to A that, say, c is the encryption of m,

but A cannot use this proof to convince someone else.

• Technically this is achieved by giving

A the ability to simulate transcripts of the proof

Simplified [LBDKYY’03]

Alice Administrator Collector

{ }

( ) Alice v Sign

c Coll,

1

reencrypt

{ }

( ) Admin v Sign

c Coll,

2

{ }

( ) Admin v Sign

c Coll,

2

{ } { }

( )

2 1 ,

DVP

c Coll c Coll

v v =

Simplified [LBDKYY’03]

• Fails coercion resistance, because coercer can
• prepare a message meant to look like

but actually garbage;

• test whether Alice votes or not.
• Fixable by encoding s.t. every

message can be interpreted as a valid encryption of a valid vote.

{ }

( ) Alice v Sign

c Coll,

1

Conclusions

• A strong notion of coercion resistance is formalised
• Coercer interacts with voter during election process
• Can give her messages to use, including ones

designed specifically to test her loyalty

• No experience yet in proving protocols satisfy CR
• Need to compare with computational notion of [JCJ05]

[JCJ05] A. Juels, D.Catalano, M. Jakobsson. Coercion Resistant Electronic Elections. WPES, Nov 2005.

Pics