Cryptology ePrint Archive: Report 2015/942

Secrecy and independence for election schemes

Ben Smyth

Abstract: We study ballot secrecy and ballot independence for election schemes. First, we propose a definition of ballot secrecy as an indistinguishability game in the computational model of cryptography. Our definition builds upon and strengthens earlier definitions to ensure that ballot secrecy is preserved in the presence of an adversary that controls the bulletin board and communication channel. Secondly, we propose a definition of ballot independence as an adaptation of a non-malleability definition for asymmetric encryption. We also provide a simpler, equivalent definition as an indistinguishability game. Thirdly, we prove that ballot independence is necessary in election schemes satisfying ballot secrecy. Finally, we demonstrate the applicability of our results by analysing Helios. Our analysis identifies a new attack against Helios, which enables an adversary to determine if a voter did not vote for the adversary's chosen candidate. The attack requires the adversary to control the bulletin board or communication channel, thus, it could not have been detected by earlier definitions of ballot secrecy.

Category / Keywords: foundations / anonymity, election schemes, foundations, Helios, independence, non-malleability, privacy, public-key cryptography, secrecy, voting

Date: received 26 Sep 2015, last revised 4 Oct 2015

Contact author: research at bensmyth com

Available format(s): PDF | BibTeX Citation

Version: 20151004:165335 (All versions of this report)

Short URL: ia.cr/2015/942

Discussion forum: Show discussion | Start new discussion