Attacking and fixing Helios: An analysis of ballot secrecy

Attacking and fixing Helios: An analysis of ballot secrecy. Véronique Cortier and Ben Smyth. Journal of Computer Security, 21(1):89–148, IOS Press, 2013.

Download

[PDF] [HTML] 

Abstract

Helios 2.0 is an open-source web-based end-to-end verifiable electronic voting system, suitable for use in low-coercion environments. In this article, we analyse ballot secrecy in Helios and discover a vulnerability which allows an adversary to compromise the privacy of voters. The vulnerability exploits the absence of ballot independence in Helios and works by replaying a voter's ballot or a variant of it, the replayed ballot magnifies the voter's contribution to the election outcome and this magnification can be used to violated privacy. We demonstrate the practicality of the attack by violating a voter's privacy in a mock election using the software implementation of Helios. Moreover, the feasibility of an attack is considered in the context of French legislative elections and, based upon our findings, we believe it constitutes a real threat to ballot secrecy. We present a fix and show that our solution satisfies a formal definition of ballot secrecy using the applied pi calculus. Furthermore, we present similar vulnerabilities in other electronic voting protocols -- namely, the schemes by Lee et al., Sako & Kilian, and Schoenmakers -- which do not assure ballot independence. Finally, we argue that independence and privacy properties are unrelated, and non-malleability is stronger than independence.

BibTeX

@article{JCS2012-Ben,
  author =        {Cortier, V{\'e}ronique and Smyth, Ben},
  journal =       {Journal of Computer Security},
  publisher =     {{IOS} Press},
  title =         {Attacking and fixing {H}elios: An analysis of ballot secrecy},
  year =          {2013},
 doi = {10.3233/JCS-2012-0458},
volume = {21},
number = {1},
pages = {89-148},
  abstract =      {Helios 2.0 is an open-source web-based end-to-end verifiable 
electronic voting system, suitable for use in low-coercion environments. 
In this article, we analyse ballot secrecy in Helios and discover a 
vulnerability which allows an adversary to compromise the privacy of voters.
The vulnerability exploits the absence of ballot independence in Helios 
and works by replaying a voter's ballot or a variant of it, the replayed ballot
magnifies the voter's contribution to the election outcome and this magnification can be used to violated privacy.
We demonstrate the practicality of the attack by 
violating a voter's privacy
 in a mock 
election using 
the software implementation of Helios. 
Moreover, the feasibility of an attack is considered in the context of French 
legislative elections and, based upon our findings,
we believe it constitutes a 
real threat to ballot secrecy. 
We present a fix and show that our solution satisfies
a formal definition of ballot secrecy using the applied pi calculus.
Furthermore, we present similar vulnerabilities in other electronic 
voting protocols -- namely, the schemes by Lee \emph{et al.}, Sako \& Kilian, and Schoenmakers -- 
which do not assure ballot independence.
Finally, we argue that 
independence and privacy properties are unrelated, and non-malleability is stronger than independence.
},
}