Abstract
In recent years, a large number of secure voting protocols have been proposed in the literature. Often these protocols contain flaws, but because they are complex protocols, rigorous formal analysis has proven hard to come by. Rivest’s ThreeBallot and Vote/Anti-Vote/Vote (VAV) voting systems are important because they aim to provide security (voter anonymity and voter verifiability) without requiring cryptography. In this paper, we construct CSP models of ThreeBallot and VAV, and use them to produce the first automated formal analysis of their anonymity properties. Along the way, we discover that one of the crucial assumptions under which ThreeBallot and VAV (and many other voting systems) operate—the short ballot assumption—is highly ambiguous in the literature. We give various plausible precise interpretations and discover that in each case, the interpretation either is unrealistically strong or else fails to ensure anonymity. We give a revised version of the short ballot assumption for ThreeBallot and VAV that is realistic but still provides a guarantee of anonymity.
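The abstract refers to ThreeBallot and the short ballot assumption without describing the mechanism. The following toy model is an added example, written for this page; it is not the authors' CSP model and not code from Rivest's paper. It encodes ThreeBallot's rules as they are usually stated (each candidate row is marked on one or two of a voter's three ballots, the supported candidate gets two marks, all three ballots are published, the voter keeps one as a receipt) and then runs the reconstruction check that the short ballot assumption is meant to rule out: given a receipt, how many pairs of posted ballots could complete it into a valid multi-ballot? The race sizes, voter counts and PRNG seed are constructed for the demonstration.

```python
# Toy model of Rivest's ThreeBallot (added example; not the paper's CSP model).
# A voter fills three ballots with identical candidate rows.  Every row must be
# marked on exactly one or two of the three ballots; the candidate the voter
# supports gets two marks, every other candidate one.  All three ballots go on a
# public bulletin board and the voter keeps a copy of one of them as a receipt.
# Because every voter adds exactly one "base" mark to every row, the tally for
# a row is (total marks in that row) - (number of voters).
#
# Race sizes, voter counts and the PRNG seed below are constructed for the demo.
import random
from itertools import combinations


def cast_multiballot(races, choices, rng):
    """Build the three ballots for one voter.

    races   -- list of candidate counts, one per race (e.g. [3, 2]);
    choices -- the voter's chosen candidate index in each race;
    rng     -- random.Random used to spread the marks over the three ballots.
    Returns a list of three equal-length 0/1 tuples, one entry per candidate row.
    """
    ballots = [[], [], []]
    for n_cands, choice in zip(races, choices):
        for cand in range(n_cands):
            marks = 2 if cand == choice else 1
            marked = set(rng.sample(range(3), marks))
            for b in range(3):
                ballots[b].append(1 if b in marked else 0)
    return [tuple(b) for b in ballots]


def is_valid_multiballot(ballots):
    """The checker's rule: every row carries one or two marks across the three ballots."""
    return len(ballots) == 3 and all(1 <= sum(col) <= 2 for col in zip(*ballots))


def tally(board, n_voters):
    """Per-row vote counts from the public board: marks in the row minus the voter count."""
    return [sum(col) - n_voters for col in zip(*board)]


def consistent_pairs(receipt, board):
    """Index pairs (i, j) of posted ballots that, together with `receipt`, form a
    valid multi-ballot.  The receipt's own copy must already be removed from
    `board`.  The voter's real two ballots are always among the results; the
    receipt reveals the full vote when they are the only pair."""
    return [(i, j) for i, j in combinations(range(len(board)), 2)
            if all(1 <= r + board[i][k] + board[j][k] <= 2
                   for k, r in enumerate(receipt))]


def reconstruction_candidates(receipt, board):
    """Number of ways a coercer holding `receipt` could complete it from the board."""
    rest = list(board)
    rest.remove(receipt)          # drop one copy of the receipt itself
    return len(consistent_pairs(receipt, rest))


def simulate(races, n_voters, seed):
    """Run an election; returns (choices per voter, shuffled board, receipts)."""
    rng = random.Random(seed)
    choices, board, receipts = [], [], []
    for _ in range(n_voters):
        ch = [rng.randrange(n) for n in races]
        mb = cast_multiballot(races, ch, rng)
        assert is_valid_multiballot(mb)
        choices.append(ch)
        receipts.append(rng.choice(mb))
        board.extend(mb)
    rng.shuffle(board)           # the board does not reveal which ballots belong together
    return choices, board, receipts


if __name__ == "__main__":
    # Same electorate size, once with a single two-candidate race and once with
    # twelve such races: the number of ballots that could complete voter 0's
    # receipt shrinks as the ballot gets longer.
    for label, races in (("short ballot", [2]), ("long ballot", [2] * 12)):
        choices, board, receipts = simulate(races, 20, seed=1)
        n = reconstruction_candidates(receipts[0], board)
        print(f"{label:12s} rows={sum(races):2d} tally={tally(board, 20)} "
              f"completions of voter 0's receipt: {n}")
```

The count printed for the long ballot is what the short ballot assumption is about: as rows are added, fewer posted pairs are compatible with a given receipt, and once only one remains the receipt identifies the voter's whole multi-ballot. The model says nothing about which precise form of the assumption suffices; that is the paper's contribution.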
Notes
A previous version of this paper appeared in the Proceedings of the 10th International Conference on Integrated Formal Methods, Springer LNCS 7940. The final publication is available at http://link.springer.com/chapter/10.1007%2F978-3-642-38613-8_7.
The CSP model of the ThreeBallot voting system, from which the experimental results given in this paper were produced, can be downloaded from the first author's personal webpage http://muratmoran.wordpress.com/publications/ under the CSP codes title. It is also available on the departmental webpage http://epubs.surrey.ac.uk/id/eprint/804928.
References
Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24, 84–90 (1981)
Fujioka, A., Okamoto, T., Ohta, K.: A practical secret voting scheme for large scale elections. In: AUSCRYPT, pp. 244–251 (1992)
Juels, A., Catalano, D., Jakobsson, M.: Coercion-resistant electronic elections. In: IACR Cryptology ePrint Archive, p. 165 (2002)
Chaum, D., Ryan, P.Y.A., Schneider, S.A.: A practical voter-verifiable election scheme. In: ESORICS, pp. 118–139 (2005)
Rivest, R.L.: The Threeballot Voting System (2006). http://theory.lcs.mit.edu/rivest/Rivest-TheThreeBallotVotingSystem.pdf
Rivest, R.L., Smith, W.D.: Three voting protocols: ThreeBallot, VAV, and Twin. In: Proceedings of USENIX/ACCURATE Electronic Voting Technology (EVT), Press (2007). www.usenix.org/legacy/event/evt07/tech/full_papers/rivest/rivest_html/index.html
Hoare, C.A.R.: Communicating sequential processes. Commun. ACM 21, 666–677 (1978)
Gardiner, P., Goldsmith, M., Hulance, J., Jackson, D., Roscoe, B., Scattergood, B., Armstrong, B.: FDR2 user manual
Backes, M., Hritcu, C., Maffei, M.: Automated verification of remote electronic voting protocols in the applied pi-calculus. In: CSF, pp. 195–209 (2008)
Smyth, B.: Formal verification of cryptographic protocols with automated reasoning. Ph.D. thesis, School of Computer Science, University of Birmingham (2011)
Ryan, P.Y.A., Schneider, S.A.: Prêt à Voter with re-encryption mixes. In: ESORICS, pp. 313–326 (2006)
Moran, M., Heather, J., Schneider, S.: Verifying anonymity in voting systems using CSP. Form. Asp. Comput. 26(1), 63–98 (2014)
Cichon, J., Kutylowski, M., Weglorz, B.: Short ballot assumption and threeballot voting protocol. In: SOFSEM, pp. 585–598 (2008)
de Marneffe, O., Pereira, O., Quisquater, J.J.: Simulation-based analysis of E2E voting systems. In: Proceedings of the 1st International Conference on E-voting and Identity. VOTE-ID’07. Springer, Berlin, Heidelberg, pp. 137–149 (2007)
Strauss, C.: The trouble with triples: A critical review of the triple ballot (3ballot) scheme. Part 1 (2006). https://www.cs.princeton.edu/~appel/voting/Strauss-TroubleWithTriples.pdf
Strauss, C.: A critical review of the triple ballot voting system, part 2: Cracking the triple ballot encryption (2006). https://www.cs.princeton.edu/~appel/voting/Strauss-ThreeBallotCritique2v1.5.pdf
Clark, J., Essex, A., Adams, C.: On the security of ballot receipts in E2E voting systems. In: IAVoSS Workshop on Trustworthy Elections (WOTE) (2007)
Appel, A.W.: How to Defeat Rivest’s ThreeBallot Voting System (2007)
Tjøstheim, T., Peacock, T., Ryan, P.Y.A.: A case study in system-based analysis: the ThreeBallot voting system and Prêt à Voter. In: VoComp (2007)
Henry, K., Stinson, D.R., Sui, J.: The effectiveness of receipt-based attacks on Threeballot. Trans. Inf. Forensic Secur. 4(4), 699–707 (2009)
Küsters, R., Truderung, T., Vogt, A.: Verifiability, privacy, and coercion-resistance: new insights from a case study. In: IEEE Symposium on Security and Privacy (SP), pp. 538–553 (2011)
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings of 42nd IEEE Symposium on Foundations of Computer Science, pp. 136–145 (2001)
Roscoe, A.W.: The Theory and Practice of Concurrency. Prentice Hall PTR, Upper Saddle River (1997)
Lazic, R.S.: A semantic study of data independence with applications to model checking. D.Phil. thesis, Oxford University Computing Laboratory (1999)
Roscoe, A.W.: Understanding Concurrent Systems, 1st edn. Springer, New York (2010)
Acknowledgments
Some of this work was conducted while the authors were at the University of Surrey, under the EPSRC-funded Trustworthy Voting Systems (TVS) project EP/G025797/1. The first author's work is sponsored by the Ministry of Education of the Republic of Turkey.
Communicated by Prof. Einar Broch Johnsen and Luigia Petr.
Moran, M., Heather, J. & Schneider, S. Automated anonymity verification of the ThreeBallot and VAV voting systems. Softw Syst Model 15, 1049–1062 (2016). https://doi.org/10.1007/s10270-014-0445-x