# A Formal Approach to Coercion Resistance and Its Application to E-Voting


## Abstract


## 1. Introduction

## 2. Methods and Frameworks

#### 2.1. Applied Pi-Calculus

Plain processes:

Syntax | Description
---|---
$P, Q, R :=$ | plain processes
$0$ | null process
$P \mid Q$ | parallel composition
$!P$ | replication
$\nu n.P$ | name restriction
$\text{if } M = N \text{ then } P \text{ else } Q$ | conditional
$in(u,x).P$ | message input
$out(u,N).P$ | message output

Extended processes:

Syntax | Description
---|---
$A, B, C :=$ | extended processes
$P$ | plain process
$A \mid B$ | parallel composition
$\nu n.A$ | name restriction
$\nu x.A$ | variable restriction
$\left\{{}^{M}{/}_{x}\right\}$ | active substitution

**Definition 1** (Static equivalence, ${\approx}_{s}$). Two terms M and N are equal in the frame ϕ, written $\left(M{=}_{E}N\right)\varphi $, if and only if there exist $\tilde{n}$ and a substitution σ such that $\varphi \equiv \nu \tilde{n}.\sigma $, $M\sigma {=}_{E}N\sigma $, and $\tilde{n}\cap (fn\left(M\right)\cup fn\left(N\right))=\varnothing $.

**Definition 2** (Labeled bisimilarity, ${\approx}_{l}$). Labeled bisimilarity is the largest symmetric relation $\mathcal{R}$ on closed extended processes such that A $\mathcal{R}$ B implies

- $A{\approx}_{s}B$;
- if $A\to {A}^{\prime}$, then $B{\to}^{*}{B}^{\prime}$ and A′ $\mathcal{R}$ B′ for some B′;
- if $A\stackrel{\alpha}{\to}{A}^{\prime}$ and $fv\left(\alpha \right)\subseteq dom\left(A\right)$ and $bn\left(\alpha \right)\cap fn\left(B\right)=\varnothing $, then $B{\to}^{*}\stackrel{\alpha}{\to}{\to}^{*}{B}^{\prime}$ and A′ $\mathcal{R}$ B′ for some B′.

#### 2.2. ATL*

**Definition 3.**

**Definition 4.** The model $\mathcal{G}$ consists of the following components:

- $Agt$ is a non-empty and finite set of agents. Subsets $A\subseteq Agt$ of agents are called coalitions.
- $PV$ is a countable set of atomic propositions or atoms.
- S is a non-empty set of states and ${s}_{0}\in S$ is the initial state of $\mathcal{G}$.
- $Act$ is a finite non-empty set of actions. A tuple $\overrightarrow{a}={\left({a}_{i}\right)}_{i\in Agt}\in Ac{t}^{Agt}$ is called a joint action.
- For every agent $i\in Agt$, ${\sim}_{i}$ is an equivalence relation on S, called the indistinguishability relation for i.
- $d:Agt\times S\to ({2}^{Act}\backslash \{\varnothing \})$ is the protocol function, satisfying the property that for all states $s,{s}^{\prime}\in S$ and any agent $i$, $s{\sim}_{i}{s}^{\prime}$ implies $d(i,s)=d(i,{s}^{\prime})$. That is, the same (non-empty) set of actions is available to agent i in indistinguishable states.
- $\to \subseteq S\times Ac{t}^{Agt}\times S$ is the transition relation such that for every state $s\in S$ and joint action $\overrightarrow{a}\in Ac{t}^{Agt}$, $(s,\overrightarrow{a},{s}^{\prime})\in \to $ for some state ${s}^{\prime}\in S$ if ${a}_{i}\in d(i,s)$ for every agent $i\in Agt$. We normally write $s\stackrel{\overrightarrow{a}}{\to}r$ for $(s,\overrightarrow{a},r)\in \to $.
- $\pi :S\to {2}^{PV}$ is the state-labeling function.

**Definition 5.** For state formulas:

- $\mathcal{G},s\vDash p$ iff $p\in \pi \left(s\right)$
- $\mathcal{G},s\vDash \neg \phi $ iff $\mathcal{G},s\nvDash \phi $
- $\mathcal{G},s\vDash {\phi}_{1}\wedge {\phi}_{2}$ iff $\mathcal{G},s\vDash {\phi}_{1}$ and $\mathcal{G},s\vDash {\phi}_{2}$
- $\mathcal{G},s\vDash \langle \langle A\rangle \rangle \phi $ iff there exists ${s}_{A}\in {\mathsf{\Sigma}}_{A}^{Ir}$ such that, for each path $\lambda \in out(s,{s}_{A})$, we have $\mathcal{G},\lambda \vDash \phi $

For path formulas:

- $\mathcal{G},\lambda \vDash \phi $ iff $\mathcal{G},\lambda \left[0\right]\vDash \phi $
- $\mathcal{G},\lambda \vDash \neg \gamma $ iff $\mathcal{G},\lambda \nvDash \gamma $
- $\mathcal{G},\lambda \vDash {\gamma}_{1}\wedge {\gamma}_{2}$ iff $\mathcal{G},\lambda \vDash {\gamma}_{1}$ and $\mathcal{G},\lambda \vDash {\gamma}_{2}$
- $\mathcal{G},\lambda \vDash X\gamma $ iff $\mathcal{G},\lambda [1,+\infty ]\vDash \gamma $
- $\mathcal{G},\lambda \vDash {\gamma}_{1}U{\gamma}_{2}$ iff there exists $i\ge 0$ such that $\mathcal{G},\lambda [i,+\infty ]\vDash {\gamma}_{2}$ and $\mathcal{G},\lambda [j,+\infty ]\vDash {\gamma}_{1}$ for all $0\le j\le i$

## 3. Results

#### 3.1. Game-Based Definitions

#### 3.1.1. Simulation-Based Model

- Registering: $\mathsf{register}(S{K}_{R},i,{k}_{1})\to (s{k}_{i},p{k}_{i})$; the inputs are the registrar’s secret key, a voter’s ID, and a security parameter. It returns a pair of keys.
- Voting: $\mathsf{vote}(sk,P{K}_{T},{n}_{C},\beta ,{k}_{2})\to ballot$; the inputs are the voter’s secret key, the public key of the talliers, the number of candidates, the choice of the voter, and a security parameter. It returns the ballot.
- Tallying: $\mathsf{tally}(S{K}_{T},\mathcal{BB},{n}_{C},{\left\{p{k}_{i}\right\}}_{i=1}^{{n}_{V}},{k}_{3})\to (X,P)$; the inputs are the talliers’ secret key, the whole bulletin board, the number of candidates, all public voting keys, and a security parameter. The outputs are the voting tally along with a non-interactive proof that the tally was correctly computed.
- Verifying: $\mathsf{verify}(P{K}_{T},\mathcal{BB},{n}_{C},X,P)\to \{0,1\}$; the inputs are the talliers’ public key, the bulletin board, the number of candidates, and the results of the previous function. It returns whether the tally was correct or not.

- Setup phase: only a minority of registrars and talliers can be corrupted by the attacker. Moreover, their secret keys are generated by a trustworthy third party.
- Prior to registration: the attacker may coerce a voter before the registration phase, either to obtain a transcript of this phase or to influence the voter’s interaction with the registrar.
- Registration phase: one of the following three assumptions is required to prevent simulation attacks by the attacker: either no transcripts of a voter’s interaction with the registrar can be made, or the coercer cannot corrupt any registrar, or the voter is aware of the identity of any corrupt registrar.
- Voting, tallying, and verification phases: the attacker can coerce any number of voters in a static, active way. The assumption on corrupted talliers still holds. Moreover, private anonymous channels are required for the casting of ballots; without them, coercion resistance cannot be achieved.

**Experiment** ${\mathsf{Exp}}_{ES,\mathcal{A},H}^{c\text{-}resist}({k}_{1},{k}_{2},{k}_{3},{n}_{V},{n}_{A},{n}_{C})$:

1. $V\leftarrow \mathcal{A}(\text{voter names},\ \text{“control voters”})$;
2. ${\{(s{k}_{i},p{k}_{i})\leftarrow \mathsf{register}(S{K}_{\mathcal{R}},i,{k}_{2})\}}_{i=1}^{{n}_{V}}$;
3. $(j,\beta )\leftarrow \mathcal{A}({\left\{s{k}_{i}\right\}}_{i\in V},\ \text{“set target voter and vote”})$;
4. if $\left|V\right|\ne {n}_{A}$ or $j\notin \{1,2,\dots ,{n}_{V}\}\backslash V$ or $\beta \notin \{1,2,\dots ,{n}_{C}\}\cup \varnothing $ then output ’0’;
5. $b{\in}_{U}\{0,1\}$;
6. if $b=0$ then $\tilde{sk}\leftarrow \mathsf{fakekey}(P{K}_{T},s{k}_{j},p{k}_{j})$; $\mathcal{BB}\Leftarrow \mathsf{vote}(s{k}_{j},P{K}_{T},{n}_{C},\beta ,{k}_{2})$; else $\tilde{sk}\leftarrow s{k}_{j}$;
7. $\mathcal{BB}\Leftarrow \mathsf{vote}({\left\{s{k}_{i}\right\}}_{i\ne j,i\notin V},P{K}_{T},{n}_{C},{D}_{{n}_{u},{n}_{C}},{k}_{2})$;
8. $\mathcal{BB}\Leftarrow \mathcal{A}(\tilde{sk},\mathcal{BB},\ \text{“cast ballots”})$;
9. $(X,P)\leftarrow \mathsf{tally}(S{K}_{T},\mathcal{BB},{n}_{C},{\left\{p{k}_{i}\right\}}_{i=1}^{{n}_{V}},{k}_{3})$;
10. ${b}^{\prime}\leftarrow \mathcal{A}(X,P,\ \text{“guess } b\text{”})$;
11. if ${b}^{\prime}=b$ then output ’1’ else output ’0’.

**Experiment** ${\mathsf{Exp}}_{ES,\mathcal{A},H}^{c\text{-}resist\text{-}ideal}({k}_{1},{k}_{2},{k}_{3},{n}_{V},{n}_{A},{n}_{C})$:

1. $V\leftarrow {\mathcal{A}}^{\prime}(\text{voter names},\ \text{“control voters”})$;
2. ${\{(s{k}_{i},p{k}_{i})\leftarrow \mathsf{register}(S{K}_{\mathcal{R}},i,{k}_{2})\}}_{i=1}^{{n}_{V}}$;
3. $(j,\beta )\leftarrow {\mathcal{A}}^{\prime}({\left\{s{k}_{i}\right\}}_{i\in V},\ \text{“set target voter and vote”})$;
4. if $\left|V\right|\ne {n}_{A}$ or $j\notin \{1,2,\dots ,{n}_{V}\}\backslash V$ or $\beta \notin \{1,2,\dots ,{n}_{C}\}\cup \varnothing $ then output ’0’;
5. $b{\in}_{U}\{0,1\}$;
6. if $b=0$ then $\mathcal{BB}\Leftarrow \mathsf{vote}(s{k}_{j},P{K}_{T},{n}_{C},\beta ,{k}_{2})$;
7. $\tilde{sk}\leftarrow s{k}_{j}$;
8. $\mathcal{BB}\Leftarrow \mathsf{vote}({\left\{s{k}_{i}\right\}}_{i\ne j,i\notin V},P{K}_{T},{n}_{C},{D}_{{n}_{u},{n}_{C}},{k}_{2})$;
9. $\mathcal{BB}\Leftarrow {\mathcal{A}}^{\prime}(\tilde{sk},\mathcal{BB},\ \text{“cast ballots”})$;
10. $(X,P)\leftarrow \mathsf{ideal}\text{-}\mathsf{tally}(S{K}_{T},\mathcal{BB},{n}_{C},{\left\{p{k}_{i}\right\}}_{i=1}^{{n}_{V}},{k}_{3})$;
11. ${b}^{\prime}\leftarrow {\mathcal{A}}^{\prime}(X,P,\ \text{“guess } b\text{”})$;
12. if ${b}^{\prime}=b$ then output ’1’ else output ’0’.
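The following is an added example (not code from the paper or from any of the cited schemes): a toy instantiation of the ${\mathsf{Exp}}^{c\text{-}resist}$ experiment above, with the adversary playing a forced-abstention strategy. All names here (`pk_of`, `experiment`, `advantage`, the 64-bit token credentials, the SHA-256 public tags, the "last ballot per credential" tally rule, and the honest distribution $D$ that abstains with probability `abstain_prob`) are assumptions of the example. What it shows is the control flow of the experiment (control voters, target voter, the $b$ branch with $\mathsf{fakekey}$, the adversary casting with $\tilde{sk}$, the tally, the guess) and why the honest vote distribution must contain abstentions: when nobody else abstains, the size of the tally reveals $b$ with certainty.

```python
"""Toy Exp^{c-resist} of Section 3.1.1 (constructed example, not the paper's code).
Credentials are random 64-bit tokens; pk_i is a SHA-256 tag of sk_i; a ballot is
(credential, choice); tally() keeps one ballot per registered credential (the last
cast) and drops ballots under unregistered credentials such as fakekey() output."""
import hashlib
import random


def pk_of(sk):
    """Public tag of a credential (assumed scheme detail)."""
    return hashlib.sha256(sk.to_bytes(8, "big")).hexdigest()


def register(rng, registered):
    """register(SK_R, i, k1) -> (sk_i, pk_i); SK_R plays no role in the toy scheme."""
    sk = rng.getrandbits(64)
    registered.add(sk)
    return sk, pk_of(sk)


def fakekey(rng, registered):
    """fakekey(PK_T, sk_j, pk_j): a fresh credential that tally() will not accept."""
    sk = rng.getrandbits(64)
    while sk in registered:
        sk = rng.getrandbits(64)
    return sk


def vote(sk, choice):
    """vote(sk, PK_T, n_C, beta, k2) -> ballot; the toy ballot is just the pair."""
    return (sk, choice)


def tally(bb, pks, n_C):
    """tally(SK_T, BB, n_C, {pk_i}, k3) -> X: per-candidate counts."""
    valid = set(pks)
    last = {}
    for sk, choice in bb:
        if pk_of(sk) in valid:      # unregistered (fake) credentials are dropped
            last[sk] = choice       # re-votes: the last ballot under a credential counts
    X = [0] * n_C
    for choice in last.values():
        X[choice] += 1
    return X


def experiment(rng, n_V, n_A, n_C, abstain_prob, b=None):
    """One run of Exp^{c-resist}; returns 1 iff the adversary's guess b' equals b."""
    registered = set()
    keys = [register(rng, registered) for _ in range(n_V)]   # {(sk_i, pk_i)}_{i=1..n_V}
    V = set(range(n_A))                                       # control voters, |V| = n_A
    j, beta = n_A, None                                       # target j not in V; beta = abstain
    if b is None:
        b = rng.randrange(2)                                  # b chosen uniformly
    bb = []
    if b == 0:                                # voter resists: hands over a fake key,
        sk_given = fakekey(rng, registered)   # casts beta herself (nothing, for abstention)
        if beta is not None:
            bb.append(vote(keys[j][0], beta))
    else:                                     # voter obeys: the real key is handed over
        sk_given = keys[j][0]
    for i in range(n_V):                      # honest voters follow D: abstain or vote uniformly
        if i != j and i not in V and rng.random() >= abstain_prob:
            bb.append(vote(keys[i][0], rng.randrange(n_C)))
    bb.append(vote(sk_given, 0))              # "cast ballots": one ballot under the key held
    X = tally(bb, [pk for _, pk in keys], n_C)
    expected = (n_V - n_A - 1) * (1 - abstain_prob)   # mean honest turnout, known from D
    b_guess = 1 if sum(X) > expected + 0.5 else 0      # one extra counted ballot => real key
    return 1 if b_guess == b else 0


def advantage(trials, n_V, n_A, n_C, abstain_prob, seed=0):
    """|2 Pr[Exp outputs 1] - 1| estimated over `trials` runs; 0 means pure guessing."""
    rng = random.Random(seed)
    wins = sum(experiment(rng, n_V, n_A, n_C, abstain_prob) for _ in range(trials))
    return abs(2 * wins / trials - 1)


if __name__ == "__main__":
    print("no honest abstention          :", advantage(200, 10, 2, 3, 0.0))   # 1.0
    print("50% abstention, 40 honest     :", advantage(200, 43, 2, 3, 0.5))
```

With `abstain_prob = 0` the advantage is exactly 1: the honest turnout is fixed, so the one ballot the adversary casts either appears in the count (real key) or vanishes (fake key). With honest abstentions the count becomes noisy and the advantage shrinks toward the $\delta$ that a game-based definition would have to tolerate, which is the reason the assumptions listed above require anonymous channels and a non-trivial honest distribution rather than perfect indistinguishability of keys alone.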

#### 3.1.2. $\delta $-Coercion Resistance

**Definition 6** ($\delta$-coercion resistance).

- $Pr\left[(c\,||\,\tilde{v}\,||\,{e}_{S}{)}^{\left(l\right)}\mapsto \gamma \right]$ is overwhelming as a function of the security parameter.
- $Pr\left[(c\,||\,\mathsf{dum}\,||\,{e}_{S}{)}^{\left(l\right)}\mapsto 1\right]-Pr\left[(c\,||\,\tilde{v}\,||\,{e}_{S}{)}^{\left(l\right)}\mapsto 1\right]$ is δ-bounded as a function of the security parameter.

#### 3.2. Applied Pi-Calculus

#### 3.2.1. Swap Coercion Resistance

**Definition 7.**

**Definition 8.**

- $C{\left[{V}^{\prime}\right]}^{\backslash out(chc,\cdot)}\ {\approx}_{l}\ {V}_{A}\{{}^{a}{/}_{v}\}$;
- $S\left[C\left[{V}_{A}{\{{}^{?}{/}_{v}\}}^{{c}_{1},{c}_{2}}\right]\ \middle|\ {V}_{B}\{{}^{a}{/}_{v}\}\right]\ {\approx}_{l}\ S\left[{V}^{\prime}\ \middle|\ {V}_{B}\{{}^{c}{/}_{v}\}\right]$.

#### 3.2.2. Multi-Voter Coercion

**Definition 9.**

**Definition 10.**

**Definition 11.**

#### 3.3. Logic

#### 3.3.1. ATL*-Based Definitions

- For Delaune, Kremer, and Ryan, two interpretations of the informal definition are proposed: either the coercer cannot know the value of the coerced voter’s vote, or he must not be able to find any correlation between the voter and her vote. This leads to two versions of the definition: $$\underset{v\in V\backslash \left\{c\right\}}{\bigwedge}\ \underset{i\in Bal}{\bigwedge}\neg \langle \langle c,v\rangle \rangle F(voted_{v,i}\wedge {K}_{c}\,voted_{v,i})$$ $$\underset{v\in V\backslash \left\{c\right\}}{\bigwedge}\ \underset{i\in Bal}{\bigwedge}\neg \langle \langle c,v\rangle \rangle F(voted_{v,i}\wedge \underset{j\in Bal\backslash \{i\}}{\bigvee}{K}_{c}\neg voted_{v,j})$$ Even with the voter and the coercer cooperating, the coercer cannot establish a link between the voter and her vote.
- Juels, Catalano, and Jakobsson’s definition is translated into three formulas, for basic coercion resistance, randomization attacks, and forced abstention attacks, respectively: $$\underset{v\in V\backslash \left\{c\right\}}{\bigwedge}\ \underset{i,j\in Bal}{\bigwedge}\langle \langle v\rangle \rangle F(voted_{v,i}\wedge {B}_{c}\,voted_{v,j})$$ The voter can successfully deceive the coercer into thinking she followed his instructions. $$\underset{v\in V\backslash \left\{c\right\}}{\bigwedge}\neg \langle \langle c,v\rangle \rangle F\,{K}_{c}\,crossed_{v,1}$$ where $crossed_{v,n}$ expresses that voter v has crossed the ${n}^{th}$ slot on a ballot. $$\underset{v\in V\backslash \left\{c\right\}}{\bigwedge}\neg \langle \langle c,v\rangle \rangle G(\underset{i\in Bal}{\bigwedge}\neg voted_{v,i}\wedge {K}_{c}\underset{i\in Bal}{\bigwedge}\neg voted_{v,i})$$
- For Küsters, Truderung, and Vogt’s definition, the translation of the case where the coercer instructs the voter to vote for a certain candidate is as follows: $$\underset{v\in V\backslash \left\{c\right\}}{\bigwedge}\ \underset{i,j\in Bal,\,i\ne j}{\bigwedge}\langle \langle v\rangle \rangle F(voted_{v,i}\wedge G\neg {K}_{c}\neg voted_{v,j})$$ The voter has a strategy to reach her goal without the coercer finding out that she disobeyed his instructions.
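The following is an added example, not code from the paper or from any of the cited works. It implements the $\langle\langle A\rangle\rangle F\gamma$ fragment of the ATL* semantics of Definition 5 over the imperfect-information structure of Definition 4, with strategies drawn from ${\Sigma}_{A}^{Ir}$ (memoryless and uniform: an agent must choose the same action in ${\sim}_{i}$-indistinguishable states, which is well defined because $d$ agrees on such states), and then evaluates the first Delaune–Kremer–Ryan formula above, $\langle\langle c,v\rangle\rangle F(voted_{v,1}\wedge K_c\,voted_{v,1})$, on a constructed two-candidate election. Assumptions of the example: ${K}_{c}$ is read as "true in every state the coercer cannot distinguish from the current one", $F\gamma$ is treated as $\mathit{true}\,U\,\gamma$, and the class `ICGS`, the helper names, the state names `init`/`v1`/`v2`, the atoms `voted_v_1`/`voted_v_2` and the `receipt` switch are all invented here.

```python
"""Checker for G, s |= <<A>> F goal (Definition 5) over a Definition 4 structure with
memoryless uniform strategies (Sigma^Ir_A).  Constructed example, not the paper's code."""
from itertools import product


class ICGS:
    """Tuple (Agt, PV, S, s0, Act, ~_i, d, ->, pi) of Definition 4."""

    def __init__(self, agents, states, s0, protocol, trans, labels, indist):
        self.agents = tuple(agents)   # Agt; joint actions are tuples in this order
        self.states = tuple(states)   # S
        self.s0 = s0                  # initial state
        self.protocol = protocol      # d(i, s): non-empty set of actions
        self.trans = trans            # (s, joint action) -> s'
        self.labels = labels          # pi(s): set of atoms true at s
        self.indist = indist          # i -> list of ~_i classes; unlisted states are singletons

    def cls(self, agent, s):
        """Equivalence class of s under ~_agent."""
        for c in self.indist.get(agent, ()):
            if s in c:
                return c
        return frozenset([s])

    def knows(self, agent, pred):
        """K_agent pred (assumed reading): pred holds at every state indistinguishable from s."""
        return lambda s: all(pred(t) for t in self.cls(agent, s))

    def uniform_strategies(self, coalition):
        """Enumerate Sigma^Ir_A: one action per ~_i class, taken from d(i, s)."""
        tables = []
        for i in coalition:
            classes = sorted({self.cls(i, s) for s in self.states}, key=sorted)
            options = [sorted(self.protocol(i, min(c))) for c in classes]
            tables.append([dict(zip(classes, pick)) for pick in product(*options)])
        for combo in product(*tables):
            strat = {}
            for i, table in zip(coalition, combo):
                for c, a in table.items():
                    for s in c:
                        strat[(i, s)] = a
            yield strat

    def successors(self, s, coalition, strat):
        """Next states when A follows strat and every other agent plays any action in d(i, s)."""
        opts = [[strat[(i, s)]] if i in coalition else sorted(self.protocol(i, s))
                for i in self.agents]
        return {self.trans[(s, joint)] for joint in product(*opts)}

    def all_paths_eventually(self, s, coalition, strat, goal):
        """F goal on every path in out(s, s_A): a cycle through goal-free states is a
        counterexample (an infinite path that never reaches goal)."""
        done, on_path = set(), set()

        def dfs(q):
            if goal(q):
                return True
            if q in on_path:
                return False
            if q in done:
                return True
            on_path.add(q)
            ok = all(dfs(r) for r in self.successors(q, coalition, strat))
            on_path.discard(q)
            if ok:
                done.add(q)
            return ok
        return dfs(s)

    def can_enforce_F(self, coalition, goal, s=None):
        """G, s |= <<A>> F goal: some s_A in Sigma^Ir_A makes every path in out(s, s_A) reach goal."""
        s = self.s0 if s is None else s
        return any(self.all_paths_eventually(s, coalition, st, goal)
                   for st in self.uniform_strategies(coalition))


def toy_election(receipt):
    """Voter v picks candidate 1 or 2 at the start; coercer c only idles.
    With receipt=False the coercer cannot tell the two outcomes apart (v1 ~_c v2)."""
    def d(i, s):
        return {"vote1", "vote2"} if (i, s) == ("v", "init") else {"idle"}
    trans = {("init", ("idle", "vote1")): "v1", ("init", ("idle", "vote2")): "v2",
             ("v1", ("idle", "idle")): "v1", ("v2", ("idle", "idle")): "v2"}
    labels = {"init": set(), "v1": {"voted_v_1"}, "v2": {"voted_v_2"}}
    indist = {"c": [] if receipt else [frozenset({"v1", "v2"})]}
    return ICGS(("c", "v"), ("init", "v1", "v2"), "init", d, trans, labels, indist)


def coercer_learns_vote(receipt):
    """<<c,v>> F (voted_{v,1} and K_c voted_{v,1}) at s0: True means the coalition
    can make the coercer certain of the vote, i.e. the DKR property fails."""
    g = toy_election(receipt)
    voted1 = lambda s: "voted_v_1" in g.labels[s]
    goal = lambda s: voted1(s) and g.knows("c", voted1)(s)
    return g.can_enforce_F(("c", "v"), goal)


if __name__ == "__main__":
    print("with receipt :", coercer_learns_vote(True))    # True
    print("receipt-free :", coercer_learns_vote(False))   # False
```

The two runs differ only in ${\sim}_{c}$: once the coercer cannot distinguish `v1` from `v2`, ${K}_{c}\,voted_{v,1}$ holds nowhere, so no strategy of the coalition reaches the goal and the negated DKR formula is satisfied. The uniformity requirement on strategies is what ties the coercer's ability to his indistinguishability relation; a checker that enumerated arbitrary memoryless strategies would overstate what the coalition can enforce.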

#### 3.3.2. A Probabilistic Definition

## 4. Discussion

## 5. Conclusions

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## References

- Juels, A.; Catalano, D.; Jakobsson, M. Coercion-resistant electronic elections. In Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, Alexandria, VA, USA, 7 November 2005; pp. 61–70.
- Abadi, M.; Fournet, C. Mobile values, new names, and secure communication. In Proceedings of the 28th ACM Symposium on Principles of Programming Languages (POPL’01), London, UK, 17–19 January 2001; pp. 104–115.
- Alur, R.; Henzinger, T.A.; Kupferman, O. Alternating-time temporal logic. J. ACM **2002**, 49, 672–713.
- Unruh, D.; Müller-Quade, J. Universally Composable Incoercibility. Available online: https://eprint.iacr.org/2009/520.pdf (accessed on 1 December 2021).
- Küsters, R.; Truderung, T.; Vogt, A. A game-based definition of coercion resistance and its applications. J. Comput. Secur. **2012**, 20, 709–764.
- Küsters, R.; Truderung, T.; Vogt, A. Proving Coercion-Resistance of Scantegrity II. In Information and Communications Security. ICICS 2010. Lecture Notes in Computer Science; Soriano, M., Qing, S., López, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2010; Volume 6476.
- Delaune, S.; Kremer, S.; Ryan, M. Verifying privacy-type properties of electronic voting protocols. J. Comput. Secur. **2009**, 17, 435–487.
- Cortier, V.; Wiedling, C. A Formal Analysis of the Norwegian E-voting Protocol. In Principles of Security and Trust. POST 2012. Lecture Notes in Computer Science; Degano, P., Guttman, J.D., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7215.
- Backes, M.; Hritcu, C.; Maffei, M. Automated Verification of Remote Electronic Voting Protocols in the Applied Pi-Calculus. In Proceedings of the 2008 21st IEEE Computer Security Foundations Symposium, Pittsburgh, PA, USA, 23–25 June 2008; pp. 195–209.
- Dreier, J.; Lafourcade, P.; Lakhnech, Y. Defining Privacy for Weighted Votes, Single and Multi-voter Coercion. In Computer Security—ESORICS 2012. ESORICS 2012. Lecture Notes in Computer Science; Foresti, S., Yung, M., Martinelli, F., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7459.
- Tabatabaei, M.; Jamroga, W.; Ryan, P.Y. Expressing receipt-freeness and coercion-resistance in logics of strategic ability: Preliminary attempt. In Proceedings of the 1st International Workshop on AI for Privacy and Security, PrAISe@ECAI 2016, The Hague, The Netherlands, 29–30 August 2016; pp. 1:1–1:8.
- Belardinelli, F.; Condurache, R.; Dima, C.; Jamroga, W.; Knapik, M. Bisimulations for verifying strategic abilities with an application to the ThreeBallot voting protocol. Inf. Comput. **2021**, 276, 104552.
- Schnoor, H. Deciding Epistemic and Strategic Properties of Cryptographic Protocols. In Computer Security—ESORICS 2012. ESORICS 2012. Lecture Notes in Computer Science; Foresti, S., Yung, M., Martinelli, F., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7459.

Framework | Forced Randomization | Forced Abstention | Partially Automatable | Probabilistic
---|---|---|---|---
JCJ | ● | ● | |
KTV | ● | ● | ● |
DKR | ● | | |
Backes | ◓ ^{1} | ● | |
DLL | ● | | |
Belardinelli | ● | | |
Schnoor | ● | ● | |

^{1} Requires at least one other abstaining voter.


© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Riou, S.; Kulyk, O.; Marcos del Blanco, D.Y.
A Formal Approach to Coercion Resistance and Its Application to E-Voting. *Mathematics* **2022**, *10*, 781.
https://doi.org/10.3390/math10050781
