Selene: Voting with Transparent Verifiability and Coercion-Mitigation

Peter Y. A. Ryan, Peter Rønne, and Vincenzo Iovino. Selene: Voting with Transparent Verifiability and Coercion-Mitigation. In Proceedings of the 1st Workshop on Advances in Secure Electronic Voting Voting (Voting'16), pp. 176–192, Lecture Notes in Computer Science 9604, Springer, Barbados, Feb 2016.
doi:10.1007/978-3-662-53357-4_12

Download

[PDF] [HTML] 

Abstract

End-to-end verifiable voting schemes typically involves voters handling an encrypted ballot in order to con rm that their vote is accurately included in the tally. While this may be technically valid, from a public acceptance standpoint is may be problematic: many voters may not really understand the purpose of the encrypted ballot and the various checks that they can perform. In this paper we take a different approach and revisit an old idea: to provide each voter with a private tracking number. Votes are posted on a bulletin board in the clear along with their associated tracking number. This is appealing in that it provides voters with a very simple, intuitive way to verify their vote, in the clear. However, there are obvious drawbacks: we must ensure that no two voters are assigned the same tracker and we need to keep the trackers private.
In this paper, we propose a scheme that addresses both of these problems: we ensure that voters get unique trackers and we close o the coercer's window of opportunity by ensuring that the voters only learn their tracking numbers after votes have been posted. The resulting scheme provides receipt-freeness, and indeed a good level of coercion-resistance while also providing a more immediately understandable form of verifiability. The cryptography is under the bonnet as far as the voter is concerned. The basic scheme still has a problem in some contexts: if the coercer is himself a voter there is a chance that the coerced voter might light on the coercer's tracker, or the coercer simply claims that it is his. We argue that in many contexts this may be an acceptable threat when weighed against the more transparent verification provided by the scheme. Nonetheless, we describe some elaborations of the basic scheme to mitigate such threats.

BibTeX

@InProceedings{RRI-voting16,
  abstract =	 { End-to-end verifiable voting schemes typically
                  involves voters handling an encrypted ballot in
                  order to con rm that their vote is accurately
                  included in the tally. While this may be technically
                  valid, from a public acceptance standpoint is may be
                  problematic: many voters may not really understand
                  the purpose of the encrypted ballot and the various
                  checks that they can perform. In this paper we take
                  a different approach and revisit an old idea: to
                  provide each voter with a private tracking
                  number. Votes are posted on a bulletin board in the
                  clear along with their associated tracking
                  number. This is appealing in that it provides voters
                  with a very simple, intuitive way to verify their
                  vote, in the clear. However, there are obvious
                  drawbacks: we must ensure that no two voters are
                  assigned the same tracker and we need to keep the
                  trackers private.\par In this paper, we propose a
                  scheme that addresses both of these problems: we
                  ensure that voters get unique trackers and we close
                  o the coercer's window of opportunity by ensuring
                  that the voters only learn their tracking numbers
                  after votes have been posted. The resulting scheme
                  provides receipt-freeness, and indeed a good level
                  of coercion-resistance while also providing a more
                  immediately understandable form of
                  verifiability. The cryptography is under the bonnet
                  as far as the voter is concerned. The basic scheme
                  still has a problem in some contexts: if the coercer
                  is himself a voter there is a chance that the
                  coerced voter might light on the coercer's tracker,
                  or the coercer simply claims that it is his. We
                  argue that in many contexts this may be an
                  acceptable threat when weighed against the more
                  transparent verification provided by the
                  scheme. Nonetheless, we describe some elaborations
                  of the basic scheme to mitigate such threats.},
  author =	 {Ryan, Peter Y. A. and R{\o}nne, Peter and Iovino,
                  Vincenzo},
  title =	 {Selene: Voting with Transparent Verifiability and
                  Coercion-Mitigation},
  booktitle =	 {Proceedings of the 1st Workshop on Advances in
                  Secure Electronic Voting Voting (Voting'16)},
  year =	 2016,
  editor =	 {Jeremy Clark and Sarah Meiklejohn and Peter
                  Y. A. Ryan and Dan S. Wallach and Michael Brenner
                  and Kurt Rohloff},
  doi =		 {10.1007/978-3-662-53357-4_12},
  volume =	 9604,
  series =	 {Lecture Notes in Computer Science},
  pages =	 {176--192},
  month =	 {Feb},
  address =	 {Barbados},
  publisher =	 {Springer},
  url =		 {https://hal.inria.fr/hal-01242690},
}