Results 1 - 10
of
26
Adapting Helios for provable ballot privacy
- In ESORICS’11: 16th European Symposium on Research in Computer Security, volume 6879 of LNCS
, 2011
"... Abstract. Recent results show that the current implementation of Helios, a practical e-voting protocol, does not ensure independence of the cast votes, and demonstrate the impact of this lack of independence on vote privacy. Some simple fixes seem to be available and security of the revised scheme h ..."
Abstract
-
Cited by 16 (8 self)
- Add to MetaCart
(Show Context)
Abstract. Recent results show that the current implementation of Helios, a practical e-voting protocol, does not ensure independence of the cast votes, and demonstrate the impact of this lack of independence on vote privacy. Some simple fixes seem to be available and security of the revised scheme has been studied with respect to symbolic models. In this paper we study the security of Helios using computational models. Our first contribution is a model for the property known as ballot privacy that generalizes and extends several existing ones. Using this model, we investigate an abstract voting scheme (of which the revised Helios is an instantiation) built from an arbitrary encryption scheme with certain functional properties. We prove, generically, that whenever this encryption scheme falls in the class of voting-friendly schemes that we define, the resulting voting scheme provably satisfies ballot privacy. We explain how our general result yields cryptographic security guarantees for the revised version of Helios (albeit from non-standard assumptions). Furthermore, we show (by giving two distinct constructions) that it is possible to construct voting-friendly encryption, and therefore voting schemes, using only standard cryptographic tools. We detail an instantiation based on ElGamal encryption and Fiat-Shamir non-interactive zero-knowledge proofs that closely resembles Helios and which provably satisfies ballot privacy. 1
Defining privacy for weighted votes, single and multi-voter coercion
- IN: ESORICS 2012. LNCS
, 2012
"... Most existing formal privacy definitions for voting protocols are based on observational equivalence between two situations where two voters swap their votes. These definitions are unsuitable for cases where votes are weighted. In such a case swapping two votes can result in a different outcome and ..."
Abstract
-
Cited by 8 (4 self)
- Add to MetaCart
(Show Context)
Most existing formal privacy definitions for voting protocols are based on observational equivalence between two situations where two voters swap their votes. These definitions are unsuitable for cases where votes are weighted. In such a case swapping two votes can result in a different outcome and both situations become trivially distinguishable. We present a definition for privacy in voting protocols in the applied π-calculus that addresses this problem. Using our model, we are also able to define multi-voter coercion, i.e. situations where several voters are attacked at the same time. Then we prove that under certain realistic assumptions a protocol secure against coercion of a single voter is also secure against coercion of multiple voters. This applies for Receipt-Freeness as well as Coercion-Resistance.
Towards practical and secure coercion-resistant electronic elections
, 2010
"... Coercion-resistance is the most effective property to fight coercive attacks in Internet elections. This notion was introduced by Juels, Catalano, and Jakobsson (JCJ) at WPES 2005 together with a voting protocol that satisfies such a stringent security requirement. Un-fortunately, their scheme has ..."
Abstract
-
Cited by 8 (0 self)
- Add to MetaCart
(Show Context)
Coercion-resistance is the most effective property to fight coercive attacks in Internet elections. This notion was introduced by Juels, Catalano, and Jakobsson (JCJ) at WPES 2005 together with a voting protocol that satisfies such a stringent security requirement. Un-fortunately, their scheme has a quadratic complexity (the overhead for tallying authorities is quadratic in the number of votes) and would there-fore not be suitable for large scale elections. Based on the work of JCJ, Schweisgut proposed a more efficient scheme. In this paper, we first show that Schweisgut’s scheme is insecure. In particular, we describe an at-tack that allows a coercer to check whether a voter followed or not his instructions. We then present a new coercion-resistant election scheme with a linear complexity that overcomes the drawbacks of these previous proposals. Our solution relies on special anonymous credentials and is proven secure, in the random oracle model, under the q-Strong Diffie-Hellman and Strong Decisional Diffie-Hellman Inversion assumptions.
Proving Coercion-Resistance of Scantegrity II
- Proceedings of the 12th International Conference on Information and Communications Security (ICICS 2010), volume 6476 of Lecture Notes in Computer Science
, 2010
"... Abstract. By now, many voting protocols have been proposed that, among others, are designed to achieve coercion-resistance, i.e., resis-tance to vote buying and voter coercion. Scantegrity II is among the most prominent and successful such protocols in that it has been used in several elections. How ..."
Abstract
-
Cited by 7 (1 self)
- Add to MetaCart
(Show Context)
Abstract. By now, many voting protocols have been proposed that, among others, are designed to achieve coercion-resistance, i.e., resis-tance to vote buying and voter coercion. Scantegrity II is among the most prominent and successful such protocols in that it has been used in several elections. However, almost none of the modern voting proto-cols used in practice, including Scantegrity II, has undergone a rigorous cryptographic analysis. In this paper, we prove that Scantegrity II enjoys an optimal level of coercion-resistance, i.e., the same level of coercion-resistance as an ideal voting protocol (which merely reveals the outcome of the election), ex-cept for so-called forced abstention attacks. This result is obtained under the (necessary) assumption that the workstation used in the protocol is honest. Our analysis is based on a rigorous cryptographic definition of coercion-resistance we recently proposed. We argue that this definition is in fact the only existing cryptographic definition of coercion-resistance suitable for analyzing Scantegrity II. Our case study should encourage and facili-tate rigorous cryptographic analysis of coercion-resistance also for other voting protocols used in practice. 1
Analysis of a receiptfree auction protocol in the applied pi calculus
- In Proc. 7th Workshop on Formal Aspects in Security and Trust (FAST’10), volume 6561 of LNCS
, 2011
"... Abstract. We formally study two privacy-type properties in online auc-tion protocols, bidding-price-secrecy and receipt-freeness. These proper-ties are formalised as observational equivalences in the applied pi cal-culus. We analyse the receipt-free auction protocol by Abe and Suzuki. Bidding-price- ..."
Abstract
-
Cited by 6 (5 self)
- Add to MetaCart
Abstract. We formally study two privacy-type properties in online auc-tion protocols, bidding-price-secrecy and receipt-freeness. These proper-ties are formalised as observational equivalences in the applied pi cal-culus. We analyse the receipt-free auction protocol by Abe and Suzuki. Bidding-price-secrecy of the protocol is verified using ProVerif, whereas receipt-freeness of the protocol is proved manually. 1
Measuring vote privacy, revisited
- ACM Conference on Computer and Communications Security (CCS 2012
, 2012
"... We propose a new measure for privacy of votes. Our measure relies on computational conditional entropy, an extension of the traditional notion of entropy that incorporates both information-theoretic and computational aspects. As a result, we capture in a unified manner privacy breaches due to two or ..."
Abstract
-
Cited by 6 (4 self)
- Add to MetaCart
(Show Context)
We propose a new measure for privacy of votes. Our measure relies on computational conditional entropy, an extension of the traditional notion of entropy that incorporates both information-theoretic and computational aspects. As a result, we capture in a unified manner privacy breaches due to two orthogonal sources of insecurity: combinatorial aspects that have to do with the number of participants, the distribution of their votes and published elec-tion outcome as well as insecurity of the cryptography used in an implementation. Our privacy measure overcomes limitations of two previous ap-proaches to defining vote privacy and we illustrate its applicability through several case studies. We offer a generic way of applying our measure to a large class of cryptographic protocols that includes the protocols implemented in Helios. We also describe a practical application of our metric on Scantegrity audit data from a real elec-tion.
Formal analysis of privacy in an eHealth protocol
- In: Proc. 17th ESORICS. Volume 7459 of LNCS
, 2012
"... Abstract. Given the sensitive nature of health data, privacy of eHealth systems is of prime importance. An eHealth system must enforce that users remain private, even if they are bribed or coerced to reveal themselves or others. Consider e.g. a pharmaceutical company that bribes a pharmacist to reve ..."
Abstract
-
Cited by 5 (2 self)
- Add to MetaCart
Abstract. Given the sensitive nature of health data, privacy of eHealth systems is of prime importance. An eHealth system must enforce that users remain private, even if they are bribed or coerced to reveal themselves or others. Consider e.g. a pharmaceutical company that bribes a pharmacist to reveal information which breaks a doctor’s privacy. In this paper, we first identify and formalise several new but important privacy notions on enforcing doctor privacy. Then we analyse privacy of a complicated and practical eHealth protocol (DLVV08). Our analysis shows to what extent these new properties as well as properties such as anonymity and untraceability are satisfied by the protocol. Finally, we address the found am-biguities which result in privacy flaws, and propose suggestions for fixing them. 1
A formal analysis of the Norwegian e-voting protocol
, 2011
"... Abstract. Norway has used e-voting in its last political election in September 2011, with more than 25 000 voters using the e-voting option. The underlying protocol is a new protocol designed by the ERGO group, involving several actors (a bulletin box but also a receipt generator, a decryption servi ..."
Abstract
-
Cited by 5 (2 self)
- Add to MetaCart
(Show Context)
Abstract. Norway has used e-voting in its last political election in September 2011, with more than 25 000 voters using the e-voting option. The underlying protocol is a new protocol designed by the ERGO group, involving several actors (a bulletin box but also a receipt generator, a decryption service, and an auditor). Of course, trusting the correctness and security of e-voting protocols is crucial in that context. Formal def-initions of properties such as privacy, coercion-resistance or verifiability have been recently proposed, based on equivalence properties. In this paper, we propose a formal analysis of the protocol used in Nor-way, w.r.t. privacy, considering several corruption scenarios. Part of this study has conducted using the ProVerif tool, on a simplified model.
A comprehensive analysis of game-based ballot privacy definitions
- In 2015 IEEE Symposium on Security and Privacy, SP 2015
"... Abstract. We critically survey game-based security definitions for the privacy of voting schemes. In addition to known limitations, we unveil several previously unnoticed shortcomings. Surprisingly, the conclusion of our study is that none of the existing definitions is satisfactory: they either pro ..."
Abstract
-
Cited by 4 (1 self)
- Add to MetaCart
(Show Context)
Abstract. We critically survey game-based security definitions for the privacy of voting schemes. In addition to known limitations, we unveil several previously unnoticed shortcomings. Surprisingly, the conclusion of our study is that none of the existing definitions is satisfactory: they either provide only weak guarantees, or can be applied only to a limited class of schemes, or both. Based on our findings, we propose a new game-based definition of privacy which we call BPRIV. We also identify a new property which we call strong consistency, needed to express that tallying does not leak sensitive information. We validate our security notions by showing that BPRIV, strong consistency (and an additional simple property called strong correctness) for a voting scheme imply its security in a simulation-based sense. This result also yields a proof technique for proving entropy-based notions of privacy which offer the strongest security guarantees but are hard to prove directly: first prove your scheme BPRIV, strongly consistent (and correct),then study the entropy-based privacy of the result function of the election, which is a much easier task.
End-to-end verifiable elections in the standard model
- Advances in Cryptology - EUROCRYPT 2015, volume 9057 of Lecture Notes in Computer Science
, 2015
"... We present the cryptographic implementation of “DEMOS”, a new e-voting system that is end-to-end verifiable in the standard model, i.e., without any additional “setup ” assumption or access to a random oracle (RO). Previously known end-to-end verifiable e-voting systems required such additional assu ..."
Abstract
-
Cited by 4 (1 self)
- Add to MetaCart
(Show Context)
We present the cryptographic implementation of “DEMOS”, a new e-voting system that is end-to-end verifiable in the standard model, i.e., without any additional “setup ” assumption or access to a random oracle (RO). Previously known end-to-end verifiable e-voting systems required such additional assumptions (specifically, either the existence of a “randomness beacon ” or were only shown secure in the RO model). In order to analyze our scheme, we also provide a modeling of end-to-end verifiability as well as privacy and receipt-freeness that encompasses previous definitions in the form of two concise attack games. Our scheme satisfies end-to-end verifiability information theoretically in the standard model and privacy/receipt-freeness under a computational assumption (subexponential Decisional Diffie Hel-man). In our construction, we utilize a number of techniques used for the first time in the context of e-voting schemes that include utilizing randomness from bit-fixing sources, zero-knowledge proofs with imperfect verifier randomness and complexity leveraging. 1
