Paper 2016/431

Security Proofs for Participation Privacy, Receipt-Freeness, Ballot Privacy, and Verifiability Against Malicious Bulletin Board for the Helios Voting Scheme

David Bernhard, Oksana Kulyk, and Melanie Volkamer

Abstract

The Helios voting scheme is well studied including formal proofs for verifiability and ballot privacy. However, depending on its version, the scheme provides either participation privacy (hiding who participated in the election) or verifiability against malicious bulletin board (preventing election manipulation by ballot stuffing), but not both at the same time. It also does not provide receipt-freeness, thus enabling vote buying by letting the voters contstruct receipts proving how they voted. Recently, an extension to Helios, further referred to as KTV-Helios, has been proposed that claims to provide these additional security properties. However, the authors of KTV-Helios did not prove their claims. Our first contribution is to provide formal definition for participation privacy and receipt-freeness, that can be applied to KTV-Helios. These definitions were used to also prove the corresponding claims of KTV-Helios. Our second contribution is to use the existing definitions of ballot privacy and verifiability against malicious bulletin board as applied to Helios in order to prove that both security properties also hold for KTV-Helios.