BeleniosVS: Secrecy and Verifiability against a Corrupted Voting Device

Véronique Cortier, Alicia Filipiak, and Joseph Lallemand. BeleniosVS: Secrecy and Verifiability against a Corrupted Voting Device. In 32nd IEEE Computer Security Foundations Symposium (CSF'19), pp. 367–381, IEEE Computer Society Press, Hoboken, June 2019.

Download

[PDF] https://members.loria.fr/VCortier/files/Papers/csf19-report.pdf

Abstract

Electronic voting systems aim at two conflicting properties, namely privacy and verifiability, while trying to minimise the trust assumptions on the various voting components. Most existing voting systems assume trust either in the voting device or in the voting server. We propose a novel remote voting scheme, BeleniosVS, that achieves both privacy and verifiability against a dishonest voting server as well as a dishonest voting device. In particular, a voter does not leak her vote to her voting device, and she can check that her ballot on the bulletin board corresponds to her intended vote. More specifically, we assume two election authorities: the voting server and a registrar that acts only during the setup. BeleniosVS then guarantees both privacy and verifiability against a dishonest voting device, provided that the two election authorities are not both corrupted. Additionally, our scheme guarantees receipt-freeness against an external adversary. We provide a formal proof of privacy, receipt-freeness, and verifiability using the tool ProVerif, covering a hundred threat scenarios. Proving verifiability required developing a set of sufficient conditions that ProVerif can handle. This contribution is of independent interest.

BibTeX

@InProceedings{beleniosVS-CSF19,
  author =	 {V\'eronique Cortier and Alicia Filipiak and Joseph
                  Lallemand},
  title =	 {BeleniosVS: Secrecy and Verifiability against a
                  Corrupted Voting Device},
  booktitle =	 {32nd IEEE Computer Security Foundations Symposium
                  (CSF'19)},
  abstract =	 {Electronic voting systems aim at two conflicting
                  properties, namely privacy and verifiability, while
                  trying to minimise the trust assumptions on the
                  various voting components. Most existing voting
                  systems assume trust either in the voting device or
                  in the voting server. We propose a novel remote
                  voting scheme, BeleniosVS, that achieves both privacy
                  and verifiability against a dishonest voting server
                  as well as a dishonest voting device. In particular,
                  a voter does not leak her vote to her voting device,
                  and she can check that her ballot on the bulletin
                  board corresponds to her intended vote. More
                  specifically, we assume two election authorities:
                  the voting server and a registrar that acts only
                  during the setup. BeleniosVS then guarantees both
                  privacy and verifiability against a dishonest voting
                  device, provided that the two election authorities
                  are not both corrupted. Additionally, our scheme
                  guarantees receipt-freeness against an external
                  adversary. We provide a formal proof of privacy,
                  receipt-freeness, and verifiability using the tool
                  ProVerif, covering a hundred threat scenarios.
                  Proving verifiability required developing a set of
                  sufficient conditions that ProVerif can handle. This
                  contribution is of independent interest.},
  year =	 2019,
  pages =	 {367--381},
  month =	 {June},
  address =	 {Hoboken},
  publisher =	 {{IEEE} Computer Society Press},
  acronym =	 {{CSF}'19},
  nmonth =	 6,
                  ={https://members.loria.fr/VCortier/files/Papers/csf19-report.pdf},
}