Voting: You Can't Have Privacy without Individual Verifiability

Voting: You Can't Have Privacy without Individual Verifiability. Véronique Cortier and Joseph Lallemand. In 25th ACM Conference on Computer and Communications Security (CCS'18), pp. 53–66, ACM, 2018.

Download

[PDF] [HTML] 

Abstract

Electronic voting typically aims at two main security goals: vote privacy and verifiability. These two goals are often seen as antagonistic and some national agencies even impose a hierarchy between them: first privacy, and then verifiability as an additional feature. Verifiability typically includes individual verifiability (a voter can check that her ballot is counted); universal verifiability (anyone can check that the result corresponds to the published ballots); and eligibility verifiability (only legitimate voters may vote).
We show that actually, privacy implies individual verifiability. In other words, systems without individual verifiability cannot achieve privacy (under the same trust assumptions). To demonstrate the generality of our result, we show this implication in two different settings, namely cryptographic and symbolic models, for standard notions of privacy and individual verifiability. Our findings also highlight limitations in existing privacy definitions in cryptographic settings.

BibTeX

@InProceedings{PrivVerif-CCS18,
  author = 	 {V\'eronique Cortier and Joseph Lallemand},
  title = 	 {Voting: You Can't Have Privacy without Individual Verifiability},
  booktitle = {25th ACM Conference on Computer and Communications Security (CCS'18)},
  year = 	 {2018},
  abstract = {Electronic voting typically aims at two main security goals: vote
privacy and verifiability. These two goals are often seen as
antagonistic and some national agencies even impose a hierarchy between
them: first privacy, and then verifiability as an additional feature.
Verifiability typically includes individual verifiability
  (a voter can check that her ballot is counted); universal
  verifiability (anyone can check that the result corresponds to the
  published ballots); and eligibility verifiability (only legitimate
  voters may vote).
\par
We show that actually, privacy implies individual verifiability. In other words,
systems without individual verifiability cannot achieve privacy (under the same
trust assumptions). To demonstrate the generality of our result, we
show this implication in two different settings, namely cryptographic
and symbolic models, for standard notions of privacy and
individual verifiability.
Our findings also highlight limitations in existing privacy
definitions in cryptographic settings.
},
  pages = 	 {53--66},
  OPTaddress = 	 {},
    publisher = {ACM},
  doi = {10.1145/3243734.3243762},
}