Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

On the Necessity of Pre-agreed Secrets for Thwarting Last-minute Coercion: Vulnerabilities and Lessons From the Loki E-voting Protocol

Jingxin Qiao, Myrto Arapinis, Thomas Zacharias

Abstract

Coercion-resistance (CR) is a crucial security property in e-voting systems. It ensures that an attacker cannot compel a voter to vote in a specific way by using threats or rewards. The Loki e-voting protocol, proposed by Giustolisi \emph{et al.} at IEEE S\&P (2024), introduces a novel design that mitigates last-minute coercion through a re-voting mechanism. It also aims to address the usability issues of the seminal JCJ e-voting protocol, specifically: i) the requirement that voters can store and hide pre-agreed credentials, and ii) the ability of voters to convincingly lie while being coerced. In this work, we identify two vulnerabilities in Loki. The first is a brute-force attack that compromises the integrity of the evasion strategy. Specifically, this attack allows an adversary to cast a ballot on behalf of their victim in a way that the evasion strategy cannot defend against, rendering it ineffective. The second vulnerability is a forced abstention attack, which allows an adversary to detect when their victim has complied with their instruction not to vote. We generalise the integrity attack to reveal a fundamental dilemma: without pre-agreed secret credentials, it is not possible to prevent last-minute coercion. Finally, we show how reverting to pre-agreed secret credentials fixes the aforementioned vulnerabilities and discuss the trade-off between tallying efficiency and stronger trust assumptions.

On the Necessity of Pre-agreed Secrets for Thwarting Last-minute Coercion: Vulnerabilities and Lessons From the Loki E-voting Protocol

Abstract

Coercion-resistance (CR) is a crucial security property in e-voting systems. It ensures that an attacker cannot compel a voter to vote in a specific way by using threats or rewards. The Loki e-voting protocol, proposed by Giustolisi \emph{et al.} at IEEE S\&P (2024), introduces a novel design that mitigates last-minute coercion through a re-voting mechanism. It also aims to address the usability issues of the seminal JCJ e-voting protocol, specifically: i) the requirement that voters can store and hide pre-agreed credentials, and ii) the ability of voters to convincingly lie while being coerced. In this work, we identify two vulnerabilities in Loki. The first is a brute-force attack that compromises the integrity of the evasion strategy. Specifically, this attack allows an adversary to cast a ballot on behalf of their victim in a way that the evasion strategy cannot defend against, rendering it ineffective. The second vulnerability is a forced abstention attack, which allows an adversary to detect when their victim has complied with their instruction not to vote. We generalise the integrity attack to reveal a fundamental dilemma: without pre-agreed secret credentials, it is not possible to prevent last-minute coercion. Finally, we show how reverting to pre-agreed secret credentials fixes the aforementioned vulnerabilities and discuss the trade-off between tallying efficiency and stronger trust assumptions.

Paper Structure

This paper contains 66 sections, 9 theorems, 81 equations, 16 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Coercion-Resistant E-Voting Scheme Syntax
  4. Coercion-Resistance Definition
  5. Overview of Loki
  6. Attack on CR-Integrity
  7. Formalising CR-integrity
  8. Effective evasion
  9. The CR-Integrity game
  10. Brute-Force Attack on Loki's CR-Integrity
  11. $\mathcal{D}_R^v$-agnostic brute-force adversaries
  12. $\mathcal{D}_R^v$-aware brute-force adversaries
  13. Loki for Real-World Elections: the Case of Estonia
  14. Impact Discussion
  15. Attack on CR-Privacy
  16. ...and 51 more sections

Key Result

Theorem 1

Let $\mathbf{param} = (\mathbb{I}, \mathbb{O}, \mathcal{D}_O, \mathcal{D}_R^v, \mathcal{D}_T^{v}, t_{end})$ be any voting parameters and $\mathcal{D}_R^{vs}, \mathcal{D}_T^{vs}$ be any distributions. Let $\kappa(\cdot) = \Theta(\log(\cdot))$, then there exists a non-negligible function $\alpha(\cdot $\blacktriangleleft$$\blacktriangleleft$

Figures (16)

  • Figure 1: Loki framework. Circles denote ballots under coercion. Diamonds are genuine ballots. Squares are noise ballots from VS. The malicious option is $o_2$ and genuine one is $o_1$.
  • Figure 2: CR-Integrity game for protocol $\Gamma^{\mathcal{D}_R^{vs},\mathcal{D}_T^{vs}}$ and adversary.
  • Figure 3: Attack algorithm of $\mathcal{A}_{brute}^{c,\kappa,\mathcal{D}}$. Attacker $\mathcal{A}_{brute}^{c,\kappa,\mathcal{D}}(1^\lambda)$ runs in $\lambda^c$ steps , and launches its attack at time $\kappa(\lambda)$. The Hamming weight of a string is the number of symbols that are different from the zero-symbol of the alphabet used.
  • Figure 4: The success rate gap between ideal and real voter re-voting distributions $\mathcal{D}_{uni}$ and $\mathcal{D}^{LE1}_R$ respectively.
  • Figure 5: CR-Privacy game for protocol $\Gamma^{\mathcal{D}_R^{vs},\mathcal{D}_T^{vs}}$ and adversary.
  • ...and 11 more figures

Theorems & Definitions (20)

  • Definition 1
  • Definition 2: Informal
  • Remark 1
  • Definition 3: CR-Integrity
  • Theorem 1
  • Remark 2
  • Theorem 2
  • Definition 4: CR-Privacy
  • Theorem 3: $\delta_{min}$-optimal kusters2012game
  • Theorem 4
  • ...and 10 more