Formal Verification of Verifiability in E-Voting Protocols

Election verifiability is one of the main security properties of e-voting protocols, referring to the ability of independent entities, such as voters or election observers, to validate the outcome of the voting process. It can be ensured by means of formal verification that applies mathematical logic to verify the considered protocols under well-defined assumptions, specifications, and corruption scenarios. Automated tools allow an efficient and accurate way to perform formal verification, enabling comprehensive analysis of all execution scenarios and eliminating the human errors in the manual verification. The existing formal verification frameworks that are suitable for automation are not general enough to cover a broad class of e-voting protocols. They do not cover revoting and cannot be tuned to weaker or stronger levels of security that may be achievable in practice. We therefore propose a general formal framework that allows automated verification of verifiability in e-voting protocols. Our framework is easily applicable to many protocols and corruption scenarios. It also allows refined specifications of election procedures, for example accounting for revote policies.

We apply our framework to the analysis of several real-world case studies, where we capture both known and new attacks, and provide new security guarantees. First, we consider Helios, a prominent web-based e-voting protocol, which aims to provide end-to-end verifiability. It is however vulnerable to ballot stuffing when the voting server is corrupt. Second, we consider Belenios, which builds upon Helios and aims to achieve stronger verifiability, preventing ballot stuffing by splitting the trust between a registrar and the server. Both of these systems have been used in many real-world elections. Our third case study is Selene, which aims to simplify the individual verification procedure for voters, providing them with trackers for verifying their votes in the clear at the end of election. Finally, we consider the Estonian e-voting protocol, that has been deployed for national elections since 2005. The protocol has continuously evolved to offer better verifiability guarantees but has no formal analysis. We apply our framework to realistic models of all these protocols, deriving the first automated formal analysis in each case. As a result, we find several new attacks, improve the corresponding protocols to address their weakness, and prove that verifiability holds for the new versions.