Automated Anonymity Verification of the ThreeBallot Voting System
Abstract
In recent years, a large number of secure voting protocols have been proposed in the literature. Often these protocols contain flaws, but because they are complex protocols, rigorous formal analysis has proven hard to come by. Rivest’s ThreeBallot voting system is important because it aims to provide security (voter anonymity and voter verifiability) without requiring cryptography. In this paper, we construct a CSP model of ThreeBallot, and use it to produce the first automated formal analysis of its anonymity property. Along the way, we discover that one of the crucial assumptions under which ThreeBallot (and many other voting systems) operates—the Short Ballot Assumption—is highly ambiguous in the literature. We give various plausible precise interpretations, and discover that in each case, the interpretation either is unrealistically strong, or else fails to ensure anonymity. Therefore, we give a version of the Short Ballot Assumption for ThreeBallot that is realistic but still provides a guarantee of anonymity.
Similar resources
Automated Verification for Functional and Relational Properties of Voting Rules
In this paper, we formalise classes of axiomatic properties for voting rules, discuss their characteristics, and show how symmetry properties can be exploited in the verification of other properties. Following that, we describe how automated verification methods such as software bounded model checking and deductive verification can be used to verify implementations of voting rules. We present a...
A Case Study in System-Based Analysis: The ThreeBallot Voting System and Prêt à Voter
Threat analysis of voting systems is a field of increasing interest. While it is important to verify the system itself, it has been found that certain vulnerabilities only become apparent when taking a “system-based” view, i.e. considering interactions between the various components of a scheme. In this paper we apply a model for system-based analysis to carry out a systematic threat analysis of...
Double voter perceptible blind signature based electronic voting protocol
Mu et al. have proposed an electronic voting protocol and claimed that it protects anonymity of voters, detects double voting and authenticates eligible voters. It has been shown that it does not protect voter's privacy and prevent double voting. After that, several schemes have been presented to fulfill these properties. However, many of them suffer from the same weaknesses. In this p...
A Verifiable Voting Protocol Based on Farnel
Farnel is a voting system proposed in 2001 in which each voter signs a ballot. It uses two ballot boxes to avoid the association between a voter and a vote. In this paper we first point out a flaw in the ThreeBallot system proposed by Rivest that seems to have gone unnoticed so far: it reveals statistical information about who is winning the election. Then, trying to resolve this and other flaw...
Identification and Mitigation of a Vulnerability in the ThreeBallot Voting Scheme
Recently, the ThreeBallot voting scheme has been proposed as a means of providing a voter with a non-transferable receipt for their vote without resorting to more traditional means of cryptography. The ThreeBallot scheme is attractive because voters are not required to either understand complex cryptography present in other voting schemes, or more usually, trust a software or hardware artifact ...