A Formal Approach to Coercion Resistance and Its Application to E-Voting
Abstract
1. Introduction
2. Methods and Frameworks
2.1. Applied Pi-Calculus
- P,Q,R:= plain processes
- 0 null process
- P|Q parallel composition
- !P replication
- .P name restriction
- ifthen P else Q conditional
- in.P message input
- out.P message output
- A,B,C:= extended processes
- P plain process
- A|B parallel composition
- .A name restriction
- .A variable restriction
- active substitution
- ;
- if , then and A′ B′ for some B′;
- if and and , then and A′ B′ for some B′.
2.2. ATL*
- is a non-empty and finite set of agents. Subsets of agents are called coalitions.
- is a countable set of atomic propositions or atoms.
- S is a non-empty set of states and is the initial state of .
- is a finite non-empty set of actions. A tuple is called a joint action.
- For every agent , is an equivalence relation on S, which is called the indistinguishability relation for i.
- is the protocol function, satisfying the property that for all states and any agent implies . That is, the same (non-empty) set of actions is available to agent i in indistinguishable states.
- is the transition relation such that for every state and joint action , for some state if for every agent . We normally write for .
- is the state-labeling function.
- iff
- iff
- iff and
- iff there exists such that,
- for each path we have
- iff
- iff
- iff and
- iff
- iff there exists such that and
- for all
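As an added illustration of the model introduced in Section 2.2 (this is example code, not code from the paper), the following Python encodes a small concurrent game structure with imperfect information and checks the two structural requirements stated above: the protocol function must give an agent the same non-empty action set in indistinguishable states, and every joint action the protocol permits must have a successor. The toy model is constructed here: one voter, one coercer, and two post-voting states that the coercer cannot tell apart. The uniform-strategy check (an agent's strategy must pick the same action in states it cannot distinguish) is the standard notion for ATL under imperfect information and is an addition, not something the page spells out.

```python
from dataclasses import dataclass
from itertools import product


@dataclass
class CGS:
    """Concurrent game structure with imperfect information (example encoding).

    agents:      ordered list of agent names (joint actions follow this order)
    atoms:       set of atomic propositions
    states:      set of state names; initial is one of them
    actions:     finite set of all actions
    indist:      agent -> list of equivalence classes (sets of states)
    protocol:    (agent, state) -> non-empty set of available actions
    transitions: (state, joint_action) -> successor state
    labels:      state -> set of atoms true in that state
    """
    agents: list
    atoms: set
    states: set
    initial: str
    actions: set
    indist: dict
    protocol: dict
    transitions: dict
    labels: dict


def equivalence_class(model, agent, state):
    """States the agent cannot distinguish from `state` (reflexive by default)."""
    for cls in model.indist.get(agent, []):
        if state in cls:
            return set(cls)
    return {state}


def protocol_is_uniform(model):
    """Check the protocol-function property: same non-empty action set in indistinguishable states."""
    for agent in model.agents:
        for state in model.states:
            available = model.protocol.get((agent, state), set())
            if not available or not available <= model.actions:
                return False
            for other in equivalence_class(model, agent, state):
                if model.protocol.get((agent, other)) != available:
                    return False
    return True


def joint_actions(model, state):
    """All joint actions permitted by the protocol in `state`, in agent order."""
    choices = [sorted(model.protocol[(agent, state)]) for agent in model.agents]
    return list(product(*choices))


def transitions_total(model):
    """Every permitted joint action in every state must have a successor."""
    return all((s, j) in model.transitions
               for s in model.states for j in joint_actions(model, s))


def step(model, state, joint):
    """Apply a joint action, refusing actions the protocol does not allow."""
    for agent, action in zip(model.agents, joint):
        if action not in model.protocol[(agent, state)]:
            raise ValueError(f"{agent} may not play {action!r} in {state}")
    return model.transitions[(state, joint)]


def strategy_is_uniform(model, agent, strategy):
    """A memoryless strategy (state -> action) is uniform if it is protocol-respecting
    and chooses the same action in states the agent cannot distinguish."""
    for state in model.states:
        action = strategy[state]
        if action not in model.protocol[(agent, state)]:
            return False
        if any(strategy[other] != action for other in equivalence_class(model, agent, state)):
            return False
    return True


def run(model, strategies, steps):
    """Play one strategy per agent from the initial state; return the visited states."""
    path = [model.initial]
    for _ in range(steps):
        state = path[-1]
        joint = tuple(strategies[agent][state] for agent in model.agents)
        path.append(step(model, state, joint))
    return path


def make_example_model():
    """Constructed toy: the voter picks a or b; afterwards the coercer sees only 'voted'."""
    return CGS(
        agents=["voter", "coercer"],
        atoms={"voted", "choiceA", "choiceB"},
        states={"s0", "s1", "s2"},
        initial="s0",
        actions={"a", "b", "wait", "observe"},
        indist={"voter": [{"s0"}, {"s1"}, {"s2"}],
                "coercer": [{"s0"}, {"s1", "s2"}]},   # s1 and s2 look alike to the coercer
        protocol={("voter", "s0"): {"a", "b"}, ("voter", "s1"): {"wait"}, ("voter", "s2"): {"wait"},
                  ("coercer", "s0"): {"observe"}, ("coercer", "s1"): {"observe"},
                  ("coercer", "s2"): {"observe"}},
        transitions={("s0", ("a", "observe")): "s1", ("s0", ("b", "observe")): "s2",
                     ("s1", ("wait", "observe")): "s1", ("s2", ("wait", "observe")): "s2"},
        labels={"s0": set(), "s1": {"voted", "choiceA"}, "s2": {"voted", "choiceB"}},
    )


if __name__ == "__main__":
    m = make_example_model()
    print("protocol uniform:", protocol_is_uniform(m), "transitions total:", transitions_total(m))
    print("path:", run(m, {"voter": {"s0": "a", "s1": "wait", "s2": "wait"},
                           "coercer": {s: "observe" for s in m.states}}, 2))
```

The indistinguishability classes are what make the coercer's side of the structure interesting: any strategy the coercer could use has to act identically in s1 and s2, which is exactly the constraint the ATL*-based definitions later exploit when they ask whether the coercer can tell a compliant voter from a deceiving one.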
3. Results
3.1. Game-Based Definitions
3.1.1. Simulation-Based Model
- Registering: , the inputs are the registrar’s secret key, a voter’s ID, and a security parameter. It returns a pair of keys.
- Voting: , the inputs are: the voter’s secret key, the public key of the talliers, the number of candidates, the choice of a voter and a security parameter. It returns the ballot.
- Tallying: , the inputs are the talliers’ secret key, the whole bulletin board, the number of candidates, all public voting keys, and a security parameter. The outputs are the voting tally along with a non-interactive proof that the tally was correctly computed.
- Verifying: , the inputs are the talliers’ public key, the bulletin board, the number of candidates, and the results of the previous function. It returns whether the tally was correct or not.
- Setup phase: only a minority of registrars and talliers can be corrupted by the attacker. Moreover, their secret keys are generated by a trustworthy third party.
- Prior to registration: the attacker may coerce a voter before the registration phase either to obtain a transcript of this phase or to influence the voter’s interaction with the registrar.
- Registration phase: one of the following three assumptions is required to prevent simulation attacks from the attacker: either no transcripts of a voter’s interaction with the registrar can be made, or the coercer cannot corrupt any registrar, or the voter is aware of the identity of any corrupt registrar.
- Voting, tallying, and verification phases: The attacker can coerce any number of voters in a static, active way. The assumption on corrupted talliers still holds. Moreover, private anonymous channels are required for the cast of ballots. Without them, it is impossible to achieve coercion resistance.
- Experiment
- (voter names, “control voters”);
- ;
- ,“set target voter and vote”);
- if or or
- then
- output ’0’;
- ;
- if then
- ;
- );
- else
- ;
- ;
- ,“cast ballots”);
- “guess b”);
- if then
- output ’1’;
- else
- output ’0’;
- Experiment
- (voter names, “control voters”);
- ;
- ,“set target voter and vote”);
- if or or
- then
- output ’0’;
- ;
- if then
- );
- ;
- ;
- ,“cast ballots”);
- “guess b”);
- if then
- output ’1’;
- else
- output ’0’;
3.1.2. δ-Coercion Resistance
- is overwhelming as a function of the security parameter.
- is δ-bounded as a function of the security parameter.
3.2. Applied Pi-Calculus
3.2.1. Swap Coercion Resistance
- ;
- .
3.2.2. Multi-Voter Coercion
3.3. Logic
3.3.1. ATL*-Based Definitions
- For Delaune, Kremer, and Ryan, two interpretations of the informal definition are proposed: either the coercer cannot know the value of the coerced voter’s vote, or he must not be able to find any correlation between the voter and her vote. This leads to two versions of the definition. Despite the voter and the coercer’s cooperation, no link can be created between the voter and her vote by the coercer.
- Juels, Catalano, and Jakobsson’s definition is translated into three formulas: for basic coercion resistance, randomization attacks, and forced abstention attacks, respectively. The voter can successfully deceive the coercer into thinking she followed his instructions, where expresses that voter v has crossed the slot on a ballot.
- For Küsters, Truderung, and Vogt’s definition, the translation of the case where the coercer instructs the voter to vote for a certain candidate is as follows: the voter has a strategy to reach her goal without the coercer finding out that she disobeyed his instructions.
3.3.2. A Probabilistic Definition
4. Discussion
5. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Juels, A.; Catalano, D.; Jakobsson, M. Coercion-resistant electronic elections. In Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, Alexandria, VA, USA, 7 November 2005; pp. 61–70.
- Abadi, M.; Fournet, C. Mobile values, new names, and secure communication. In Proceedings of the 28th ACM Symposium on Principles of Programming Languages (POPL’01), London, UK, 17–19 January 2001; pp. 104–115.
- Alur, R.; Henzinger, T.A.; Kupferman, O. Alternating-time temporal logic. J. ACM 2002, 49, 672–713.
- Unruh, D.; Müller-Quade, J. Universally Composable Incoercibility. Available online: https://eprint.iacr.org/2009/520.pdf (accessed on 1 December 2021).
- Küsters, R.; Truderung, T.; Vogt, A. A game-based definition of coercion resistance and its applications. J. Comput. Secur. 2012, 20, 709–764.
- Küsters, R.; Truderung, T.; Vogt, A. Proving Coercion-Resistance of Scantegrity II. In Information and Communications Security. ICICS 2010. Lecture Notes in Computer Science; Soriano, M., Qing, S., López, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2010; Volume 6476.
- Delaune, S.; Kremer, S.; Ryan, M. Verifying privacy-type properties of electronic voting protocols. J. Comput. Secur. 2009, 17, 435–487.
- Cortier, V.; Wiedling, C. A Formal Analysis of the Norwegian E-voting Protocol. In Principles of Security and Trust. POST 2012. Lecture Notes in Computer Science; Degano, P., Guttman, J.D., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7215.
- Backes, M.; Hritcu, C.; Maffei, M. Automated Verification of Remote Electronic Voting Protocols in the Applied Pi-Calculus. In Proceedings of the 2008 21st IEEE Computer Security Foundations Symposium, Pittsburgh, PA, USA, 23–25 June 2008; pp. 195–209.
- Dreier, J.; Lafourcade, P.; Lakhnech, Y. Defining Privacy for Weighted Votes, Single and Multi-voter Coercion. In Computer Security—ESORICS 2012. ESORICS 2012. Lecture Notes in Computer Science; Foresti, S., Yung, M., Martinelli, F., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7459.
- Tabatabaei, M.; Jamroga, W.; Ryan, P.Y. Expressing receipt-freeness and coercion-resistance in logics of strategic ability: Preliminary attempt. In Proceedings of the 1st International Workshop on AI for Privacy and Security, PrAISe@ECAI 2016, The Hague, The Netherlands, 29–30 August 2016; pp. 1:1–1:8.
- Belardinelli, F.; Condurache, R.; Dima, C.; Jamroga, W.; Knapik, M. Bisimulations for verifying strategic abilities with an application to the ThreeBallot voting protocol. Inf. Comput. 2021, 276, 104552.
- Schnoor, H. Deciding Epistemic and Strategic Properties of Cryptographic Protocols. In Computer Security—ESORICS 2012. ESORICS 2012. Lecture Notes in Computer Science; Foresti, S., Yung, M., Martinelli, F., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7459.
Framework | Forced Randomization | Forced Abstention | Partially Automatable | Probabilistic |
---|---|---|---|---|
JCJ | ● | ● | | |
KTV | ● | ● | | ● |
DKR | | | ● | |
Backes | | ◓ 1 | ● | |
DLL | | | ● | |
Belardinelli | | | ● | |
Schnoor | | | ● | ● |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Riou, S.; Kulyk, O.; Marcos del Blanco, D.Y. A Formal Approach to Coercion Resistance and Its Application to E-Voting. Mathematics 2022, 10, 781. https://doi.org/10.3390/math10050781