On remote electronic voting with both coercion resistance and cast-as-intended verifiability

In this work, we study two essential but apparently contradictory properties of electronic voting systems: coercion resistance (CR) and cast-as-intended verifiability (CAI). Informally, the CR property ensures that a voter cannot prove to anybody else the vote content, which prevents vote selling an...

Descripción completa

Detalles Bibliográficos
Autores: Finogina, Tamara, Herranz Sotoca, Javier|||0000-0001-5141-7234
Tipo de recurso: artículo
Fecha de publicación:2023
País:España
Institución:Universitat Politècnica de Catalunya (UPC)
Repositorio:UPCommons. Portal del coneixement obert de la UPC
Idioma:inglés
OAI Identifier:oai:upcommons.upc.edu:2117/393548
Acceso en línea:https://hdl.handle.net/2117/393548
https://dx.doi.org/10.1016/j.jisa.2023.103554
Access Level:acceso abierto
Palabra clave:Electronic voting
Coercion resistance
Cast as intended verifiability
Zero-knowledge systems
Classificació AMS::94 Information And Communication, Circuits
Àrees temàtiques de la UPC::Matemàtiques i estadística
Descripción
Sumario:In this work, we study two essential but apparently contradictory properties of electronic voting systems: coercion resistance (CR) and cast-as-intended verifiability (CAI). Informally, the CR property ensures that a voter cannot prove to anybody else the vote content, which prevents vote selling and voting under duress. The CAI property ensures that a malicious voting device cannot cheat the voter and send to the ballot box an encryption of a voting option different from the one chosen by the voter. In this work, we formalize security definitions capturing both coercion resistance and cast-as-intended verification in settings without secure delivery channels between the election authority and voters. After that, we consider some previously proposed solutions aimed at providing these two properties. For some of them (that we call unsatisfactory solutions) we show why they fail to achieve some of the two properties. We then concentrate on one of the two generic solutions that we call satisfactory: we prove that it satisfies the two proposed definitions and we detail how it can be instantiated in both classical cryptographic (e.g., ElGamal ciphertexts) and quantum-resistant (e.g., using lattice-based cryptosystems) settings.