Automated anonymity verification of the ThreeBallot and VAV voting systems

  • Theme Section Paper
Software & Systems Modeling

Abstract

In recent years, a large number of secure voting protocols have been proposed in the literature. Often these protocols contain flaws, but because they are complex protocols, rigorous formal analysis has proven hard to come by. Rivest’s ThreeBallot and Vote/Anti-Vote/Vote (VAV) voting systems are important because they aim to provide security (voter anonymity and voter verifiability) without requiring cryptography. In this paper, we construct CSP models of ThreeBallot and VAV, and use them to produce the first automated formal analysis of their anonymity properties. Along the way, we discover that one of the crucial assumptions under which ThreeBallot and VAV (and many other voting systems) operate—the short ballot assumption—is highly ambiguous in the literature. We give various plausible precise interpretations and discover that in each case, the interpretation either is unrealistically strong or else fails to ensure anonymity. We give a revised version of the short ballot assumption for ThreeBallot and VAV that is realistic but still provides a guarantee of anonymity.

Notes

  1. A previous version of this paper appeared in the Proceedings of the 10th International Conference on Integrated Formal Methods, Springer LNCS 7940. The final publication is available at http://link.springer.com/chapter/10.1007%2F978-3-642-38613-8_7.

  2. The CSP model of the ThreeBallot voting system, from which the experimental results given in this paper were produced, can be downloaded from the first author’s personal webpage http://muratmoran.wordpress.com/publications/ under the "CSP codes" title. It is also available on the departmental webpage http://epubs.surrey.ac.uk/id/eprint/804928.

Acknowledgments

Some of the work was conducted while the authors were at the University of Surrey and was carried out under the EPSRC-funded Trustworthy Voting Systems (TVS) project EP/G025797/1. The first author’s work is sponsored by the Ministry of Education, Republic of Turkey.

Corresponding author

Correspondence to Murat Moran.

Additional information

Communicated by Prof. Einar Broch Johnsen and Luigia Petr.

Cite this article

Moran, M., Heather, J. & Schneider, S. Automated anonymity verification of the ThreeBallot and VAV voting systems. Softw Syst Model 15, 1049–1062 (2016). https://doi.org/10.1007/s10270-014-0445-x
