Abstract
The importance of voter auditing in order to ensure election integrity has been extensively studied in the e-voting literature. On the other hand, the necessity of auditing to protect voter privacy in an e-voting system has been mostly overlooked. In this work, we investigate election privacy issues that appear in the state-of-the-art implementations of e-voting systems that apply threshold public key encryption (TPKE) in the client like Helios and use a bulletin board (BB). More specifically, we show that without PKI support or -more generally- authenticated BB “append” operations, such systems are vulnerable to attacks where the malicious election server can act as a man-in-the-middle between the election trustees and the voters, hence it can learn how the voters have voted. We suggest compulsory trustee auditing as countermeasure for this type of man-in-the-middle attacks. Furthermore, we propose a list of guidelines to avoid some common, subtle, yet important problems that may appear during the implementation of any TPKE-based e-voting system.
A. Kiayias—Research supported by ERC project CODAMODA and project FINER of the Greek Secretariat of Research and Technology.
T. Zacharias—Research supported by project FINER of the Greek Secretariat of Research and Technology.
B. Zhang—Work completed while at the National and Kapodistrian University of Athens. Research supported by project FINER of the Greek Secretariat of Research and Technology.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The additive homomorphic property of an encryption scheme suggests that multiplying the encryptions of two messages \(m_1\) and \(m_2\) under some public key, results in an encryption of \(m_1+m_2\) under the same public key.
- 2.
- 3.
One may think of the EA being part of the BB; we separate the two entities in our work in order to enable the BB to be completely passive; having a passive BB is important in practice since a robust implementation for the BB will distribute the responsibility of maintaining the election transcript to a set of servers which will be required to execute an agreement protocol for each append operation that should be readable by honest parties.
- 4.
Note that each trustee does not know the other trustees’ actual partial public keys.
References
Adida, B.: Helios: web-based open-audit voting. In: USENIX Security Symposium (2008)
Aumann, Y., Lindell, Y.: Security against covert adversaries: efficient protocols for realistic adversaries. J. Cryptology 23(2), 281–343 (2010)
Benaloh, J.: Simple verifiable elections. In: Wallach, D.S., Rivest, R.L. (eds.) EVT. USENIX Association (2006)
Benaloh, J., Byrne, M.D., Eakin, B., Kortum, P.T., McBurnett, N., Pereira, O., Stark, P.B., Wallach, D.S., Fisher, G., Montoya, J., Parker, M., Winn, M.: STAR-vote: a secure, transparent, auditable, and reliable voting system. In: EVT/WOTE 2013, August 2013
Benaloh, J.C., Tuinstra, D.: Receipt-free secret-ballot elections (extended abstract). In: STOC (1994)
Benaloh, J.C., Yung, M.: Distributing the power of a government to enhance the privacy of voters (extended abstract). In: PODC (1986)
Bernhard, D., Cortier, V., Galindo, D., Pereira, O., Warinschi, B.: A comprehensive analysis of game-based ballot privacy definitions. Cryptology ePrint Archive, Report 2015/255 (2015). http://eprint.iacr.org/
Bernhard, D., Cortier, V., Pereira, O., Smyth, B., Warinschi, B.: Adapting helios for provable ballot privacy. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 335–354. Springer, Heidelberg (2011)
Bernhard, D., Pereira, O., Warinschi, B.: How not to prove yourself: pitfalls of the fiat-shamir heuristic and applications to helios. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 626–643. Springer, Heidelberg (2012)
Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24(2), 84–88 (1981)
Chaum, D.: Surevote: technical overview. In: Proceedings of the Workshop on Trustworthy Elections, WOTE, August 2001
Chaum, D., Essex, A., Carback, R., Clark, J., Popoveniuc, S., Sherman, A., Vora, P.: Scantegrity: end-to-end voter-verifiable optical-scan voting. IEEE Secur. Priv. 6(3), 40–46 (2008)
Chaum, D., Ryan, P.Y.A., Schneider, S.: A practical voter-verifiable election scheme. In: di Vimercati, S.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 118–139. Springer, Heidelberg (2005)
Chevallier-Mames, B., Fouque, P.-A., Pointcheval, D., Stern, J., Traoré, J.: On some incompatible properties of voting schemes. In: Chaum, D., Jakobsson, M., Rivest, R.L., Ryan, P.Y.A., Benaloh, J., Kutylowski, M., Adida, B. (eds.) Towards Trustworthy Elections. LNCS, vol. 6000, pp. 191–199. Springer, Heidelberg (2010)
Clarkson, M.R., Chong, S., Myers, A.C.: Civitas: toward a secure voting system. In: 2008 IEEE Symposium on Security and Privacy (S&P 2008), pp. 354–368, May 2008
Cohen, J.D., Fischer, M.J.: A robust and verifiable cryptographically secure election scheme (extended abstract). In: FOCS (1985)
Cortier, V., Smyth, B.: Attacking and fixing Helios: An analysis of ballot secrecy. ePrint Archive, 2010:625 (2010)
Cramer, R., Gennaro, R., Schoenmakers, B.: A secure and optimally efficient multi-authority election scheme. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 103–118. Springer, Heidelberg (1997)
Delaune, S., Kremer, S., Ryan, M.: Verifying privacy-type properties of electronic voting protocols. J. Comput. Secur. 17(4), 435–487 (2009)
Estehghari, S., Desmedt, Y.: Exploiting the client vulnerabilities in internet e-voting systems: hacking helios 2.0 as an example. In: EVT/WOTE (2010)
Gjøsteen, K.: Analysis of an internet voting protocol. IACR Cryptology ePrint Archive, 2010:380 (2010)
Gjøsteen, K.: The Norwegian internet voting protocol. IACR Cryptology ePrint Archive, 2013:473 (2013)
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems (extended abstract). In: STOC (1985)
Groth, J.: Evaluating security of voting schemes in the universal composability framework. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 46–60. Springer, Heidelberg (2004)
Heiderich, M., Frosch, T., Niemietz, M., Schwenk, J.: The bug that made me president a browser- and web-security case study on helios voting. In: Kiayias, A., Lipmaa, H. (eds.) VoteID 2011. LNCS, vol. 7187, pp. 89–103. Springer, Heidelberg (2012)
Helios. Helios github repository. https://github.com/benadida/helios-server. Accessed 31 July 2014
Helios. Helios privacy claims. https://vote.heliosvoting.org/privacy. Accessed 31 July 2014
Jefferson, D.R., Rubin, A.D., Simons, B., Wagner, D.: Analyzing internet voting security. Commun. ACM 47(10), 59–64 (2004)
Juels, A., Catalano, D., Jakobsson, M.: Coercion-resistant electronic elections. IACR Cryptology ePrint Archive 2002:165 (2002)
Kiayias, A., Korman, M., Walluck, D.: An internet voting system supporting user privacy. In: ACSAC (2006)
Kiayias, A., Zacharias, T., Zhang, B.: End-to-end verifiable elections in the standard model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 468–498. Springer, Heidelberg (2015)
Kremer, S., Ryan, M., Smyth, B.: Election verifiability in electronic voting protocols. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 389–404. Springer, Heidelberg (2010)
Küsters, R., Truderung, T., Vogt, A.: Verifiability, privacy, and coercion-resistance: new insights from a case study. In: IEEE Symposium on Security and Privacy, pp. 538–553. IEEE Computer Society (2011)
Küsters, R., Truderung, T., Vogt, A.: Clash attacks on the verifiability of e-voting systems. In: IEEE Symposium on Security and Privacy, pp. 395–409. IEEE Computer Society (2012)
Kutylowski, M., Zagórski, F.: Scratch, click & vote: E2E voting over the internet. In: Chaum, D., Jakobsson, M., Rivest, R.L., Ryan, P.Y.A., Benaloh, J., Kutylowski, M., Adida, B. (eds.) Towards Trustworthy Elections. LNCS, vol. 6000, pp. 343–356. Springer, Heidelberg (2010)
Moran, T., Naor, M.: Receipt-free universally-verifiable voting with everlasting privacy. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 373–392. Springer, Heidelberg (2006)
Pedersen, T.P.: A threshold cryptosystem without a trusted party. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 522–526. Springer, Heidelberg (1991)
Smyth, B., Frink, S., Clarkson, M.R.: Computational election verifiability: Definitions and an analysis of Helios and JCJ. Technical report
Springall, D., Finkenauer, T., Durumeric, Z., Kitcat, J., Hursti, H., MacAlpine, M., Alex Halderman, J.: Security analysis of the Estonian internet voting system. In: SIGSAC (2014)
Tsoukalas, G., Papadimitriou, K., Louridas, P., Tsanakas, P.: From helios to zeus. In: EVT/WOTE. USENIX Association (2013)
Zagórski, F., Carback, R.T., Chaum, D., Clark, J., Essex, A., Vora, P.L.: Remotegrity: design and use of an end-to-end verifiable remote voting system. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 441–457. Springer, Heidelberg (2013)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Kiayias, A., Zacharias, T., Zhang, B. (2015). On the Necessity of Auditing for Election Privacy in e-Voting Systems. In: Katsikas, S., Sideridis, A. (eds) E-Democracy – Citizen Rights in the World of the New Computing Paradigms. e-Democracy 2015. Communications in Computer and Information Science, vol 570. Springer, Cham. https://doi.org/10.1007/978-3-319-27164-4_1
Download citation
DOI: https://doi.org/10.1007/978-3-319-27164-4_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27163-7
Online ISBN: 978-3-319-27164-4
eBook Packages: Computer ScienceComputer Science (R0)