On remote electronic voting with both coercion resistance and cast-as-intended verifiability

In this work, we study two essential but apparently contradictory properties of electronic voting systems: coercion resistance (CR) and cast-as-intended verifiability (CAI). Informally, the CR property ensures that a voter cannot prove to anybody else the vote content, which prevents vote selling an...

ver descrição completa

Detalhes bibliográficos
Autores: Finogina, Tamara, Herranz Sotoca, Javier|||0000-0001-5141-7234
Tipo de documento: artigo
Data de publicação:2023
País:España
Recursos:Universitat Politècnica de Catalunya (UPC)
Repositório:UPCommons. Portal del coneixement obert de la UPC
Idioma:inglês
OAI Identifier:oai:upcommons.upc.edu:2117/393548
Acesso em linha:https://hdl.handle.net/2117/393548
https://dx.doi.org/10.1016/j.jisa.2023.103554
Access Level:Acceso aberto
Palavra-chave:Electronic voting
Coercion resistance
Cast as intended verifiability
Zero-knowledge systems
Classificació AMS::94 Information And Communication, Circuits
Àrees temàtiques de la UPC::Matemàtiques i estadística
Descrição
Resumo:In this work, we study two essential but apparently contradictory properties of electronic voting systems: coercion resistance (CR) and cast-as-intended verifiability (CAI). Informally, the CR property ensures that a voter cannot prove to anybody else the vote content, which prevents vote selling and voting under duress. The CAI property ensures that a malicious voting device cannot cheat the voter and send to the ballot box an encryption of a voting option different from the one chosen by the voter. In this work, we formalize security definitions capturing both coercion resistance and cast-as-intended verification in settings without secure delivery channels between the election authority and voters. After that, we consider some previously proposed solutions aimed at providing these two properties. For some of them (that we call unsatisfactory solutions) we show why they fail to achieve some of the two properties. We then concentrate on one of the two generic solutions that we call satisfactory: we prove that it satisfies the two proposed definitions and we detail how it can be instantiated in both classical cryptographic (e.g., ElGamal ciphertexts) and quantum-resistant (e.g., using lattice-based cryptosystems) settings.