Adapting Helios for provable ballot secrecy

Adapting Helios for provable ballot secrecy. David Bernhard, Véronique Cortier, Olivier Pereira, Ben Smyth, and Bogdan Warinschi. In Proceedings of the 16th European Symposium on Research in Computer Security (ESORICS'11), Lecture Notes in Computer Science 6879, 2011.

Abstract

Recent results show that the current implementation of Helios, a practical e-voting protocol, does not ensure independence of the cast votes, and demonstrate the impact of this lack of independence on vote privacy. Some simple fixes seem to be available and security of the revised scheme has been studied with respect to symbolic models.
In this paper we study the security of Helios using computational models. Our first contribution is a model for the property known as ballot privacy that generalizes and extends several existing ones.
Using this model, we investigate an abstract voting scheme (of which the revised Helios is an instantiation) built from an arbitrary encryption scheme with certain functional properties. We prove, generically, that whenever this encryption scheme falls in the class of voting-friendly schemes that we define, the resulting voting scheme provably satisfies ballot privacy.
We explain how our general result yields cryptographic security guarantees for the revised version of Helios (albeit from non-standard assumptions).
Furthermore, we show (by giving two distinct constructions) that it is possible to construct voting-friendly encryption, and therefore voting schemes, using only standard cryptographic tools. We detail an instantiation based on ElGamal encryption and Fiat-Shamir non-interactive zero-knowledge proofs that closely resembles Helios and which provably satisfies ballot privacy.

BibTeX

@InProceedings{Helios-Esorics2011,
  author = {David Bernhard and V\'eronique Cortier and Olivier Pereira and Ben Smyth and Bogdan Warinschi},
  title = {Adapting Helios for provable ballot secrecy},
  booktitle = {Proceedings of the 16th European Symposium on Research in Computer Security (ESORICS'11)},
  year = {2011},
  editor = {Springer},
  volume = {6879},
  series = {Lecture Notes in Computer Science},
  abstract = {
Recent results show that the current implementation of Helios, a
practical e-voting protocol, does not ensure independence of the cast
votes, and demonstrate the impact of this lack of independence on vote
privacy. Some simple fixes seem to be available and security of the
revised scheme has been studied with respect to symbolic models.
\par
In this paper we study the security of Helios using computational
models.  Our first contribution is a model for the property known as
ballot privacy that generalizes and extends several existing ones. 
\par
Using this model, we investigate an abstract voting scheme (of which
the revised Helios is an instantiation) built from an arbitrary
encryption scheme with certain functional properties.  We prove,
generically, that whenever this encryption scheme falls in the class
of voting-friendly schemes that we define, the resulting voting
scheme provably satisfies ballot privacy. 
\par
We explain how our general result yields cryptographic security
guarantees for the revised version of Helios (albeit from non-standard
assumptions).
\par
Furthermore, we show (by giving two distinct constructions) that it is
possible to construct voting-friendly encryption, and therefore
voting schemes, using only standard cryptographic tools.  
We detail an instantiation based on ElGamal encryption and Fiat-Shamir
non-interactive zero-knowledge proofs that closely resembles Helios
and which provably satisfies ballot privacy. },
  doi = {10.1007/978-3-642-23822-2_19},
}