Receipt-freeness and coercion-resistance:
formal definitions and fault attacks
Stéphanie Delaune / Steve Kremer / Mark D. Ryan
Some desired properties of e-voting systems
–
Eligibility: only eligible voters can vote, and only once.
–
Fairness: no voter can be influenced by votes already made.
–
Indiv. verif.: a voter can verify that her vote was counted.
–
Universal verifiability: a voter can verify that the published
result is the tally of the votes cast.
–
Privacy: no-one can find out how a voter voted.
–
Receipt-freeness: Voter doesn’t get receipt for her vote.
–
Coercion-resistance: Voter cannot be blackmailed / bought.
–
Robustness: Voters cannot disrupt the election.
Faulty behaviour tolerated.
–
Vote-and-go: Voters participate in one session.
Verification
●
●
Computing systems are usually
programmed at the low level
–
involving, e.g., detail of messages
sent between components, and participants
–
detail of specific encryption arrangements
But properties are expressed at a higher level of
abstraction
–
●
they depend not on individual details, but on the system
as a whole
Model checking:
M 
M M
*
Verification of FOO’92
●
●
●
●
[KR’05] formalises the
voting protocol of
Fujioka/Okamoto/Ohta 1992
Using the
Applied Pi Calculus
We verified eligibility,
fairness, and privacy.
(What does that mean?)
A 3-phase protocol
using commitments
and blind signatures
A language for describing
concurrent and communicating
processes, and their properties
Kinds of properties
●
●
Reachability properties:
–
The system can/cannot get into a certain state
–
e.g., a message will/won’t appear on
a public channel
M 
Observational equivalence properties:
–
two versions of the system cannot be distinguished by an
observer who can see messages on public channels and
perform arbitrary tests on the processes.
M M
*
Some properties in strength-order
●
Privacy
–
●
●
no-one can find out how Alice voted.
Receipt-freeness
–
Alice doesn’t get a receipt (or any other by-product
of the voting process); thus Alice cannot prove
afterwards to a coercer how she voted
–
Receipt-freeness is like privacy, but even with
Alice’s cooperation
Coercion-resistance
–
Alice cannot prove how she voted, even if
interaction with the coercer is allowed during the
voting process
–
Even stronger than receipt-freeness.
Formalising privacy
●
●
?? No-one can find out how Alice voted
–
Actually too strong: e.g., if the vote was unanimous, then
everyone knows how Alice voted
–
Even if not unanimous, a coalition consisting of all voters
except Alice can tell how Alice voted.
If Alice and Bob were to swap votes, no-one would be
able to tell
●
A situation in which Alice votes vote vA and Bob votes vB is
indistinguishable by the attacker to one in which Alice votes vB
and Bob votes vA.
A(vA ) B(vB )   A(vB ) B(vA ) 
Formalising receipt-freeness
●
Like privacy, but Alice cooperates by publishing her
private key and any secrets (e.g. nonces)
●
●
●
After the election: secrets she has learned during the
election process
The coercer needs to be convinced that Alice is telling the truth
●
●
Before the election: e.g. her private key
He needs to be able to verify the secrets
Suppose A(vC) is the process that votes vC and copies the voting
interaction (messages received and sent) to the coercer.
The protocol is receipt-free if exists A’ such that
A(vC ) B(vA )  
A' B(vC ) 
Coercion-resistance
●
●
In this case, Alice interacts with the coercer (e.g. by
mobile phone) during the election.
The coercer can participate in Alice’s vote:
●
●
●
She can tell him messages she receives during the process
(although he might not believe her)
He can instruct her on what messages to send back (although
she might not obey).
He might have independent means of verifying her
reports and her actions
The voting booth
Voting booth
Voting system
a
c
Published data
Coercer
Interaction between the voter and the coercer
●
Let P be a process and c1, c2 be channels. The process
Pc1,c2 is a process like P but which copies all messages
it receives on c1 to c2, and accepts inputs on c2 for
messages it sends on c1. Specifically,
●
●
●
●
Every in(c1,y) in P is replaced by in(c1,y); out(c2,y).
Every out(c1,m) in P is replaced by in(c2,x); out(c1,x)
where x is a variable not occurring in P.
Every new n in P is replaced by new n; out(c2,n).
If A is Alice’s voting process, then Aa,c is the
process in which Alice cooperates fully with the
coercer.
Formalising coercion-resistance
Rough idea:

C  a, b A
a ,c

B(vA )   C  a, b A' B(v) 
Better: there exists a process A’ such that
●
If A’ votes then it votes vA
For all coercers C, there exists a vote v, such that
–
–
 c C  a, b A
a ,c
●

B(vA ) 
Consider the cases
●
Coercer’s vote is vA
●
Coercer’s vote is vC
●
Coercer sends garbage
  c C  a, b A' B(v) 
 chc C A
cha,chc
●

B(vA ) 
  chc C A' B(v) 
The coercer could try to distinguish the two sides by
sending incoherent messages to Alice.
●
●
●
Fault attack
On the left-hand side, C|A will block, so only B’s vote
for vA will be observed.
On the right-hand side, A’ will still vote vA, so v and vA
will be observed.
If successful, this is an attack on coercion resistance.
●
Might not be successful if A’ can detect the
incoherence of the messages from C.
Simplified [LBDKYY’03]
●
Uses re-encryption and designated verifier proofs.
●
Re-encryption
●
Randomised encryption: {m}K contains “random coins”
●
Re-encryption: change the random coin
●
●
E.g., in El Gamal, the ciphertext (x,y) is changed to
(xgr,yhr).
Designated verifier proofs
●
●
S can prove to A that, say, c is the encryption of m,
but A cannot use this proof to convince someone else.
Technically this is achieved by giving
A the ability to simulate transcripts of
the proof
Simplified [LBDKYY’03]
Alice
Administrator

1
Sign vColl
, Alice
c

reencrypt

DVP v
2
Sign vColl
, Admin
c
c1
Coll


2
,  vColl
c

2
Sign vColl
, Admin
c

Collector
Simplified [LBDKYY’03]
●
Fails coercion resistance, because coercer can
●
●
●
prepare a message meant to look like
but actually garbage;
test whether Alice votes or not.
Fixable by encoding s.t. every
message can be interpreted as a
valid encryption of a valid vote.

1
Sign vColl
, Alice
c

Conclusions
●
A strong notion of coercion resistance is formalised
●
●
Coercer interacts with voter during election process
Can give her messages to use, including ones
designed specifically to test her loyalty
●
No experience yet in proving protocols satisfy CR
●
Need to compare with computational notion of [JCJ05]
[JCJ05] A. Juels, D.Catalano, M. Jakobsson. Coercion Resistant
Electronic Elections. WPES, Nov 2005.