
Page 1: Receipt-freeness and coercion-resistance: formal definitions and fault attacks

Stéphanie Delaune / Steve Kremer / Mark D. Ryan

Page 2: Some desired properties of e-voting systems

– Eligibility: only eligible voters can vote, and only once.
– Fairness: no voter can be influenced by votes already made.
– Individual verifiability: a voter can verify that her vote was counted.
– Universal verifiability: a voter can verify that the published result is the tally of the votes cast.
– Privacy: no-one can find out how a voter voted.
– Receipt-freeness: the voter doesn't get a receipt for her vote.
– Coercion-resistance: the voter cannot be blackmailed / bought.
– Robustness: voters cannot disrupt the election; faulty behaviour is tolerated.
– Vote-and-go: voters participate in one session.

Page 3: Verification

● Computing systems are usually programmed at the low level
– involving, e.g., detail of messages sent between components and participants
– detail of specific encryption arrangements
● But properties are expressed at a higher level of abstraction
– they depend not on individual details, but on the system as a whole
● Model checking (diagram of the model M and the property checked against it)

Page 4: Verification of FOO'92

● [KR'05] formalises the voting protocol of Fujioka/Okamoto/Ohta 1992, a 3-phase protocol using commitments and blind signatures
● Using the Applied Pi Calculus, a language for describing concurrent and communicating processes, and their properties
● We verified eligibility, fairness, and privacy.
● (What does that mean?)

Page 5: Kinds of properties

● Reachability properties:
– The system can/cannot get into a certain state
– e.g., a message will/won't appear on a public channel
● Observational equivalence properties:
– two versions of the system cannot be distinguished by an observer who can see messages on public channels and perform arbitrary tests on the processes.

Page 6: Some properties in strength-order

● Privacy
– no-one can find out how Alice voted.
● Receipt-freeness
– Alice doesn't get a receipt (or any other by-product of the voting process); thus Alice cannot prove afterwards to a coercer how she voted
– Receipt-freeness is like privacy, but even with Alice's cooperation
● Coercion-resistance
– Alice cannot prove how she voted, even if interaction with the coercer is allowed during the voting process
– Even stronger than receipt-freeness.

Page 7: Formalising privacy

● ?? No-one can find out how Alice voted
– Actually too strong: e.g., if the vote was unanimous, then everyone knows how Alice voted
– Even if not unanimous, a coalition consisting of all voters except Alice can tell how Alice voted.
● If Alice and Bob were to swap votes, no-one would be able to tell
● A situation in which Alice votes $v_A$ and Bob votes $v_B$ is indistinguishable to the attacker from one in which Alice votes $v_B$ and Bob votes $v_A$:

$A(v_A) \mid B(v_B) \approx A(v_B) \mid B(v_A)$

Page 8: Formalising receipt-freeness

● Like privacy, but Alice cooperates by publishing her private key and any secrets (e.g. nonces)
● Before the election: e.g. her private key
● After the election: secrets she has learned during the election process
● The coercer needs to be convinced that Alice is telling the truth
● He needs to be able to verify the secrets
● Suppose $A(v_C)$ is the process that votes $v_C$ and copies the voting interaction (messages received and sent) to the coercer. The protocol is receipt-free if there exists a process $A'$ (one that appears to cooperate but in fact votes $v_A$, so that the two tallies agree) such that

$A(v_C) \mid B(v_A) \approx A' \mid B(v_C)$

Page 9: Coercion-resistance

● In this case, Alice interacts with the coercer (e.g. by mobile phone) during the election.
● The coercer can participate in Alice's vote:
● She can tell him messages she receives during the process (although he might not believe her)
● He can instruct her on what messages to send back (although she might not obey).
● He might have independent means of verifying her reports and her actions

Page 10: The voting booth

(Diagram: Alice in the voting booth talks to the voting system over channel a and to the coercer over channel c; the voting system produces the published data.)

Page 11: Interaction between the voter and the coercer

● Let $P$ be a process and $c_1, c_2$ be channels. The process $P^{c_1,c_2}$ is a process like $P$ but which copies all messages it receives on $c_1$ to $c_2$, and accepts inputs on $c_2$ for messages it sends on $c_1$. Specifically,
● Every $\mathrm{in}(c_1,y)$ in $P$ is replaced by $\mathrm{in}(c_1,y);\ \mathrm{out}(c_2,y)$.
● Every $\mathrm{out}(c_1,m)$ in $P$ is replaced by $\mathrm{in}(c_2,x);\ \mathrm{out}(c_1,x)$ where $x$ is a variable not occurring in $P$.
● Every $\mathrm{new}\ n$ in $P$ is replaced by $\mathrm{new}\ n;\ \mathrm{out}(c_2,n)$.
● If $A$ is Alice's voting process, then $A^{a,c}$ is the process in which Alice cooperates fully with the coercer.
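The three rewrite rules above are mechanical, so they can be implemented directly. The following Python is an added example, not code from the slides or from [KR'05]: it applies the rules to a toy sequential process syntax and then executes the transformed process against a coercer who dictates every message. The process syntax, the executor and the stand-in voter process ALICE (a nonce, an encrypted vote, a reply, a final ballot) are constructed for illustration and are not FOO'92 or [LBDKYY'03].

```python
"""Added example, not from the slides: the P^{c1,c2} transformation on a toy
process syntax. A sequential process is a list of steps:
    ("new", n)        fresh nonce n
    ("in", ch, x)     receive on channel ch, bind variable x
    ("out", ch, t)    send term t on ch; t is a name/variable (str) or a
                      tuple (function_symbol, arg, ...)
ALICE below is a constructed placeholder voter, not a real protocol."""
from itertools import count


def names(proc):
    """Every name and variable occurring in proc, so fresh variables avoid them."""
    found = set()

    def walk(t):
        if isinstance(t, str):
            found.add(t)
        else:
            for arg in t[1:]:
                walk(arg)

    for step in proc:
        if step[0] == "new":
            found.add(step[1])
        elif step[0] == "in":
            found.add(step[2])
        elif step[0] == "out":
            walk(step[2])
    return found


def forward(proc, c1, c2):
    """P^{c1,c2} as defined on the slide:
    in(c1,y)  -> in(c1,y); out(c2,y)   received messages are copied to c2
    out(c1,m) -> in(c2,x); out(c1,x)   what goes out on c1 is dictated on c2
    new n     -> new n; out(c2,n)      nonces are leaked on c2
    Steps on other channels are left unchanged."""
    used = names(proc)
    fresh = (f"x{i}" for i in count(1) if f"x{i}" not in used)
    result = []
    for step in proc:
        if step[0] == "in" and step[1] == c1:
            result += [step, ("out", c2, step[2])]
        elif step[0] == "out" and step[1] == c1:
            x = next(fresh)
            result += [("in", c2, x), ("out", c1, x)]
        elif step[0] == "new":
            result += [step, ("out", c2, step[1])]
        else:
            result.append(step)
    return result


def run(proc, supplied):
    """Execute a sequential process against an environment.
    supplied maps channel -> messages the environment delivers, in order.
    Returns {"outputs": {channel: [terms sent]}, "blocked": step or None};
    the process blocks at the first input with no message waiting."""
    env = {}
    queues = {ch: list(msgs) for ch, msgs in supplied.items()}
    outputs = {}

    def subst(t):
        if isinstance(t, str):
            return env.get(t, t)
        return (t[0],) + tuple(subst(arg) for arg in t[1:])

    for step in proc:
        if step[0] == "in":
            queue = queues.get(step[1], [])
            if not queue:
                return {"outputs": outputs, "blocked": step}
            env[step[2]] = queue.pop(0)
        elif step[0] == "out":
            outputs.setdefault(step[1], []).append(subst(step[2]))
        # ("new", n): n stays a free name; the leak step added by forward()
        # is what makes it visible to the coercer
    return {"outputs": outputs, "blocked": None}


# Constructed voter: nonce, encrypted vote on the voting channel a, a reply
# from the voting system (e.g. a signature), then the final ballot.
ALICE = [
    ("new", "r"),
    ("out", "a", ("enc", "v", "r")),
    ("in", "a", "sig"),
    ("out", "a", ("ballot", "sig")),
]
ALICE_COERCED = forward(ALICE, "a", "c")   # A^{a,c}: full cooperation

if __name__ == "__main__":
    for step in ALICE_COERCED:
        print(step)
    # Coercer dictates both outgoing messages on c; the system answers on a.
    print(run(ALICE_COERCED, {"c": [("enc", "vC", "r0"), ("ballot", "sigC")],
                              "a": ["sigA"]}))
```

Running A^{a,c} with the coercer's queue empty shows the other half of the definition: after leaking the nonce r on c the process blocks at in(c,x1), because the coerced voter cannot send anything on a until the coercer tells her what.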

Page 12: Formalising coercion-resistance

Rough idea:

$C \mid A^{a,c} \mid B(v_A) \approx C \mid A' \mid B(v)$

● Better: there exists a process $A'$ such that
– If $A'$ votes then it votes $v_A$
– For all coercers $C$, there exists a vote $v$, such that

$\nu c.\,(C \mid A^{a,c} \mid B(v_A)) \approx \nu c.\,(C \mid A' \mid B(v))$

● Consider the cases
● Coercer's vote is $v_A$
● Coercer's vote is $v_C$
● Coercer sends garbage

Page 13: Fault attack

$\nu c.\,(C \mid A^{a,c} \mid B(v_A)) \approx \nu c.\,(C \mid A' \mid B(v))$

● The coercer could try to distinguish the two sides by sending incoherent messages to Alice.
● On the left-hand side, $C \mid A^{a,c}$ will block, so only B's vote for $v_A$ will be observed.
● On the right-hand side, $A'$ will still vote $v_A$, so $v$ and $v_A$ will be observed.
● If successful, this is an attack on coercion-resistance.
● Might not be successful if $A'$ can detect the incoherence of the messages from $C$.

Page 14: Simplified [LBDKYY'03]

● Uses re-encryption and designated verifier proofs.
● Re-encryption
● Randomised encryption: $\{m\}_K$ contains "random coins"
● Re-encryption: change the random coin
● E.g., in El Gamal, the ciphertext $(x, y)$ is changed to $(x g^r, y h^r)$.
● Designated verifier proofs
● S can prove to A that, say, $c$ is the encryption of $m$, but A cannot use this proof to convince someone else.
● Technically this is achieved by giving A the ability to simulate transcripts of the proof

Page 15: Simplified [LBDKYY'03]

(Message sequence diagram between Alice, the Administrator and the Collector:)

● Alice → Administrator: $\mathit{Sign}_{Alice}(\{v_c\}_{Coll,1})$ (the vote encrypted under the Collector's key with random coin 1, signed by Alice)
● Administrator: re-encrypt
● Administrator → Alice: $\mathit{Sign}_{Admin}(\{v_c\}_{Coll,2})$ together with $\mathit{DVP}(\{v_c\}_{Coll,1}, \{v_c\}_{Coll,2})$, a designated verifier proof for Alice that the second ciphertext is a re-encryption of the first
● Alice → Collector: $\mathit{Sign}_{Admin}(\{v_c\}_{Coll,2})$
● Collector: decrypts and obtains $v_c$

Page 16: Simplified [LBDKYY'03]

● Fails coercion-resistance, because the coercer can
● prepare a message meant to look like $\mathit{Sign}_{Alice}(\{v_c\}_{Coll,1})$ but which is actually garbage;
● test whether Alice votes or not.
● Fixable by encoding such that every message can be interpreted as a valid encryption of a valid vote.
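The re-encryption step of Page 14 and the garbage-message test of this page, as an added Python example (not the slides' or [LBDKYY'03]'s own code). The toy group parameters, the vote encoding, the administrator's well-formedness check that the coercer turns into an oracle, and the square-root wire encoding that makes every message a valid ciphertext are all constructed for illustration; signatures and the designated verifier proof are left out, and only the "valid encryption" half of the fix is modelled, not the "valid vote" half.

```python
"""Added example (not from the slides or [LBDKYY'03]): toy El Gamal
re-encryption, the administrator's well-formedness check that lets a coercer
test whether Alice forwarded his message, and an encoding under which every
message is a valid ciphertext so the check leaks nothing.

Constructed toy parameters: p = 1019 = 2*509 + 1; the group is the order-509
subgroup of squares mod p, generated by g = 4. Far too small for real use."""

P = 1019
Q = 509                      # subgroup order
G = 4                        # generator of the subgroup of squares mod P
COLLECTOR_SK = 123           # assumed collector key pair
COLLECTOR_PK = pow(G, COLLECTOR_SK, P)
VOTES = {"yes": G, "no": pow(G, 2, P)}   # votes encoded as group elements
GARBAGE = (2, 7)             # coercer's fake ballot: 2 is not a square mod P


def in_group(x):
    """True iff x lies in the order-Q subgroup, i.e. is a well-formed component."""
    return 0 < x < P and pow(x, Q, P) == 1


def encrypt(m, r, h=COLLECTOR_PK):
    """El Gamal {m}_h with random coin r: (g^r, m*h^r)."""
    return (pow(G, r, P), m * pow(h, r, P) % P)


def reencrypt(ct, r, h=COLLECTOR_PK):
    """Change the coin without the secret key: (x, y) -> (x*g^r, y*h^r)."""
    x, y = ct
    return (x * pow(G, r, P) % P, y * pow(h, r, P) % P)


def decrypt(ct, sk=COLLECTOR_SK):
    x, y = ct
    return y * pow(x, -sk, P) % P


def administrator(ballot, r):
    """Original protocol: re-encrypt a well-formed ballot, refuse anything else.
    Returning None is the observable the coercer exploits."""
    if not (in_group(ballot[0]) and in_group(ballot[1])):
        return None
    return reencrypt(ballot, r)


def coercer_test(alice_strategy, message, admin, r_admin=3):
    """Fault attack: hand Alice `message` and watch whether the administrator
    answers. alice_strategy(message) returns what Alice really puts on the wire."""
    return admin(alice_strategy(message), r_admin) is not None


def obedient(message):
    """Coerced Alice (A^{a,c}): forwards the coercer's message unchanged."""
    return message


def counter_strategy(message):
    """A': ignores the coercer's message and votes v_A with her own coin."""
    return encrypt(VOTES["yes"], 77)


# ---- the fix: every message can be read as a valid ciphertext --------------
def sqrt_mod(c):
    """Square root of a square mod P; valid because P = 3 (mod 4)."""
    return pow(c, (P + 1) // 4, P)


def to_wire(ct):
    """Alice sends square roots of her ciphertext components."""
    return (sqrt_mod(ct[0]), sqrt_mod(ct[1]))


def from_wire(msg):
    """Squaring maps ANY pair in [1, P-1] into the subgroup, so no message is
    refused and the administrator's answer tells the coercer nothing."""
    return (pow(msg[0], 2, P), pow(msg[1], 2, P))


def administrator_fixed(msg, r):
    x, y = msg
    if not (0 < x < P and 0 < y < P):      # only the range is checked now
        return None
    return reencrypt(from_wire(msg), r)


def counter_strategy_fixed(message):
    return to_wire(encrypt(VOTES["yes"], 77))


if __name__ == "__main__":
    print("original:", coercer_test(obedient, GARBAGE, administrator),
          coercer_test(counter_strategy, GARBAGE, administrator))
    print("fixed   :", coercer_test(obedient, GARBAGE, administrator_fixed),
          coercer_test(counter_strategy_fixed, GARBAGE, administrator_fixed))
```

In the original protocol the two strategies give different answers (refused versus re-encrypted), which is exactly the distinguishing test of the slide; with the wire encoding both strategies get a re-encryption back, so this particular observable is closed. What the Collector later does with a ballot whose plaintext is not a vote is the remaining "valid vote" half of the fix.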

Page 17: Conclusions

● A strong notion of coercion-resistance is formalised
● Coercer interacts with voter during election process
● Can give her messages to use, including ones designed specifically to test her loyalty
● No experience yet in proving protocols satisfy CR
● Need to compare with computational notion of [JCJ05]

[JCJ05] A. Juels, D. Catalano, M. Jakobsson. Coercion-Resistant Electronic Elections. WPES, Nov 2005.