Election verifiability aims to ensure that the outcome produced by electronic voting systems correctly reflects the intentions of eligible voters, even in the presence of an adversary that may corrupt various parts of the voting infrastructure. Protecting such systems from manipulation is challenging because of their distributed nature involving voters, election authorities, voting servers and voting platforms. An adversary corrupting any of these can make changes that, individually, would go unnoticed, yet in the end will affect the outcome of the election. It is, therefore, important to rigorously evaluate whether the measures prescribed by election verifiability achieve their goals. We propose a formal framework that allows such an evaluation in a systematic and automated way. We demonstrate its application to the verification of various scenarios in Helios and Belenios, two prominent internet voting systems, for which we capture features and corruption models previously outside the scope of formal verification. Relying on the Tamarin protocol prover for automation, we derive new security proofs and attacks on deployed versions of these protocols, illustrating trade-offs between usability and security.

Index Terms: electronic voting, verifiability, verification.

the scope of the definition. The formal notion of corruption (i.e. leaked voter credentials) may, in practice, cover several different scenarios (e.g. credentials leaked by a storage device); appropriate procedures may allow effective verifiability even for such inadvertently corrupted voters, or for voters subject to dynamic corruption, e.g. after voting. Indeed, we show that this stronger property is achievable, for example, in Helios and Belenios.

Previous work. The first symbolic model for election verifiability was proposed by Kremer et al. [13], but the scenarios to which it applies assume that all voters are honest and verify their votes.
Moreover, although the protocol models in [13] are symbolic (being specified in an abstract process algebra), the formulas used for specifying the security properties cannot be expressed in ProVerif/Tamarin: they are global properties referring to an unbounded number of events in a trace. The challenge for symbolic verifiability is to obtain, relying only on universal quantification over events in a trace, a sound model for end-to-end verifiability within the standard class of trace formulas accepted by ProVerif/Tamarin. A type-based symbolic model, also covering privacy properties and applied to Helios, is proposed by Cortier et al. in [14]; it does not cover revoting, and its associated notion of end-to-end verifiability is weaker than the one later proposed for Belenios in [21]: it only states that the multiset of verified votes of honest voters should be part of the final outcome. In general, we need a complete characterisation of the outcome, also limiting the multiset of adversarial votes, even for systems like Helios, which may be considered to provide weaker verifiability than Belenios. A first reason is that Helio...
Belenios is an online voting system that provides a strong notion of election verifiability, where no single party has to be trusted, and security holds as soon as either the voting registrar or the voting server is honest. It was formally proved to be secure, making the assumption that no further ballots are cast on the bulletin board after voters verified their ballots. In practice, however, revoting is allowed and voters can verify their ballots anytime. This gap between formal proofs and use in practice leaves open space for attacks, as has been shown recently. In this paper we make two simple additions to Belenios and we formally prove that the new version satisfies the expected verifiability properties. Our proofs are automatically performed with the Tamarin prover, under the assumption that voters are allowed to vote at most four times.
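As an added example (not code from either paper, and not a Tamarin model), the following Python checker expresses the end-to-end verifiability predicate the text describes over a constructed ballot log with revoting: only each voter's last ballot counts, every verified honest vote must appear in the outcome, and whatever remains must be explained by unverified honest voters' last ballots plus at most one adversarial vote per corrupted voter. Voter names, candidate labels and the revote bound of four (the proof assumption quoted above) are assumptions of this example.

```python
from collections import Counter

def last_ballots(cast_log):
    """Revoting rule: only the last ballot cast by each voter is counted.
    cast_log is a list of (voter, vote) pairs in casting order."""
    last = {}
    for voter, vote in cast_log:
        last[voter] = vote
    return last

def within_revote_bound(cast_log, bound=4):
    """True iff no voter cast more than `bound` ballots (the bound under
    which the automated proofs quoted above are stated)."""
    return max(Counter(v for v, _ in cast_log).values(), default=0) <= bound

def e2e_verifiable(outcome, verified, unverified, n_corrupted):
    """Outcome = verified ⊎ U ⊎ A for some U ⊆ unverified (as multisets)
    and |A| <= n_corrupted.  The minimal A is what the outcome cannot be
    explained by honest last ballots, so a greedy multiset subtraction
    decides the predicate exactly."""
    out, ver = Counter(outcome), Counter(verified)
    if ver - out:                       # a verified honest vote is missing
        return False
    rest = out - ver                    # votes still to be explained
    adversarial = rest - Counter(unverified)
    return sum(adversarial.values()) <= n_corrupted

def check_election(cast_log, honest_verifiers, corrupted, outcome):
    """Classify each voter's last ballot and evaluate the predicate."""
    last = last_ballots(cast_log)
    verified = [v for voter, v in last.items() if voter in honest_verifiers]
    unverified = [v for voter, v in last.items()
                  if voter not in honest_verifiers and voter not in corrupted]
    return e2e_verifiable(outcome, verified, unverified, len(corrupted))

# Constructed scenario: alice revotes (A then C) and verifies her final ballot,
# bob and carol never verify, dave's credential is assumed leaked.
CAST_LOG = [("alice", "A"), ("bob", "B"), ("alice", "C"), ("carol", "A")]
HONEST_VERIFIERS = {"alice"}
CORRUPTED = {"dave"}

if __name__ == "__main__":
    print(check_election(CAST_LOG, HONEST_VERIFIERS, CORRUPTED, ["C", "B", "A"]))
    # alice's verified ballot C dropped in favour of an extra A: must fail
    print(check_election(CAST_LOG, HONEST_VERIFIERS, CORRUPTED, ["A", "B", "A"]))
```

The last two outcome lists show the difference between a tally explained by honest last ballots and one that silently replaced a verified ballot, which the predicate rejects even though the total number of votes is unchanged.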