Receipt-freeness: formal definition and fault attacks (Extended Abstract)
Abstract
Intuitively, an election protocol is receipt-free if a voter A cannot prove to a potential coercer C that she voted in a particular way. We assume that A wishes to cooperate with C; receipt-freeness guarantees that such cooperation will not be worthwhile, because it will be impossible for C to obtain proof about how A voted. Receipt-freeness is a similar property to privacy, which asserts that an intruder cannot gain information about how A voted. Receipt-freeness is like privacy with the additional assumption that A cooperates with the intruder C, for example by sharing her secret key and other secret information generated during the protocol. Thus, receipt-freeness implies privacy. Receipt-freeness is also related to the property of individual verifiability, which guarantees that a voter A can obtain proof that her vote was counted in the final tally of the election. In order to satisfy both receipt-freeness and individual verifiability, it is necessary that the verification constitute proof for A, but that it is insufficient proof for the coercer C. Therefore, some bounds on the communication between A and C are necessary. If C has verifiable access to all of the secrets held by A, then intuitively the verification that A receives will constitute proof for C as well. Such communication bounds between A and C may in practice be provided by the voting booth which A enters in order to cast her vote. In this private booth, C cannot see what A actually does. A wishes to cooperate with C, and may have shared secrets with C before entering the booth. We may even assume that A and C can communicate while A is inside the booth (for example, by mobile phone), so that A can inform C about the messages she receives from the election administrator and take instructions from C about what messages to send back. But C may not be able to verify the veracity of all the messages that A claims to receive from the administrator (for example, the values of nonces). 
Similarly, C may not be able to verify that A sends the agreed messages back to the administrator. C’s ability to verify these things will depend on the details of the protocol: what information is revealed at what time, which channels are secret and which public, etc. We will assume that C has the capabilities (such as control of public channels) of a Dolev-Yao attacker. In this paper we propose a formalisation of receipt-freeness in terms of observational equivalence in the applied pi calculus. The formalisation of receipt-freeness is non-trivial and gives interesting insights. Among others, our formalisation highlights a new kind of fault attack. The idea of a fault attack is to let the coercer test the loyalty of a coerced voter. The coercer gives the voter messages that she should use during the protocol. The coercer can send a garbage message to the voter. If the voter is unable to decide whether the message is garbage or not (for instance when a ciphertext is sent), the attacker may distinguish a voter who follows the coercer’s instructions from a voter who is trying to cheat the coercer, as the protocol would block on the incorrect message. In practice, a coercer can use this technique to check whether a coerced voter is behaving as expected. We illustrate the attack on a simple protocol inspired by a voting protocol proposed by Lee et al. [5], which we refer to as the Lee et al. 03 protocol. Independently, Juels et al. [3] proposed formal definitions for a strong version of receipt-freeness, which they call coercion resistance. Their definition and ours seem to have similarities, and both consider stronger attack models than the usual informal definitions. However, their definitions are given in a computational setting, rather than the symbolic model considered here. We do not yet know how these definitions compare.
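The fault attack described above, modelled as a toy distinguishing game. This is an added example, not code from the paper or from the Lee et al. 03 protocol: the administrator, the "ciphertext" tag and the two voter strategies are assumed for illustration. It also goes one step beyond the abstract by showing that the attack fails when the voter can recognise garbage, which is why the definition must capture what the voter can and cannot check.

```python
"""Toy model of a fault attack on receipt-freeness (constructed example).

The coercer C hands voter A a message to forward to the administrator.
The administrator accepts only well-formed messages and aborts otherwise;
the abort is visible on a public channel, so a Dolev-Yao coercer sees it.
"""
import secrets

# Assumed toy "ciphertext" format: the administrator checks this tag, but a
# voter who cannot decrypt sees only opaque bytes, so garbage looks the same.
ADMIN_TAG = b"ok:"


def admin_accepts(msg: bytes) -> bool:
    """Administrator's well-formedness check (assumed)."""
    return msg.startswith(ADMIN_TAG)


def make_valid_ballot(vote: str) -> bytes:
    return ADMIN_TAG + vote.encode()


def make_garbage() -> bytes:
    # Leading zero byte guarantees the tag check fails.
    return b"\x00" + secrets.token_bytes(15)


def voter_run(coercer_msg: bytes, loyal: bool, can_inspect: bool) -> str:
    """Publicly observable outcome of one run.

    loyal: A forwards C's message as instructed.
    can_inspect: A can tell a garbage message from a valid one.
    """
    if loyal:
        sent = coercer_msg
    elif can_inspect and not admin_accepts(coercer_msg):
        # A cheating voter who can see the message is garbage mimics the
        # loyal voter: she also lets the protocol block.
        sent = coercer_msg
    else:
        # Cheating voter substitutes her own valid ballot.
        sent = make_valid_ballot("own-choice")
    return "accepted" if admin_accepts(sent) else "aborted"


def coercer_distinguishes(can_inspect: bool) -> bool:
    """Fault attack: send garbage and compare the observable outcomes."""
    garbage = make_garbage()
    loyal = voter_run(garbage, loyal=True, can_inspect=can_inspect)
    cheat = voter_run(garbage, loyal=False, can_inspect=can_inspect)
    return loyal != cheat
```

With an opaque message the two voter behaviours are observably different, so the processes are not equivalent; when the voter can inspect the message the coercer learns nothing.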
Related references
BeleniosRF: A Strongly Receipt-Free Electronic Voting Scheme
We propose a new voting scheme, BeleniosRF, that offers both strong receipt-freeness and end-to-end verifiability. It is strongly receipt-free in the sense that even dishonest voters cannot prove how they voted. We give a game-based definition capturing this property, inspired by and improving the original receipt-freeness definition by Benaloh and Tuinstra. Built upon the Helios protocol, Bele...
A Formal Framework for Modelling Coercion Resistance and Receipt Freeness
Coercion resistance and receipt freeness are critical properties for any voting system. However, many different definitions of these properties have been proposed, some formal and some informal; and there has been little attempt to tie these definitions together or identify relations between them. We give here a general framework for specifying different coercion resistance and receipt freeness...
A Formal Logic Framework for Receipt-freeness in Internet Voting Protocol
Practical Internet voting protocols should have: privacy, completeness, soundness, unreusability, fairness, eligibility, invariableness, universal verifiability, receipt-freeness, and coercion-resistance. Receipt-freeness is a key property. Receipt-freeness means that the voter can't produce a receipt to prove that he voted for a particular ballot. Its purpose is to protect against vote buying. Form...
Receipt-Freeness as a Special Case of Anonymity in Epistemic Logic?
Formal methods have provided us with tools to check both anonymity of protocols and – more specifically – receipt-freeness of voting protocols. One of the frameworks used for proving anonymity is epistemic logic. However, to the best of our knowledge, epistemic logic has never been used to prove receipt-freeness of voting protocols. Still, the concept of indistinguishability used in formalizing...
Security Proofs for Participation Privacy, Receipt-Freeness, Ballot Privacy, and Verifiability Against Malicious Bulletin Board for the Helios Voting Scheme
The Helios voting scheme is well studied including formal proofs for verifiability and ballot privacy. However, depending on its version, the scheme provides either participation privacy (hiding who participated in the election) or verifiability against malicious bulletin board (preventing election manipulation by ballot stuffing), but not both at the same time. It also does not provide receipt...
Publication date: 2005