A Formal Analysis of the Norwegian E-voting Protocol
Véronique Cortier and Cyrille Wiedling
LORIA - CNRS, Nancy, France
Abstract. Norway has used e-voting in its last political election in September 2011, with more than 25 000 voters using the e-voting option. The underlying protocol is a new protocol designed by the ERGO group, involving several actors (a bulletin box but also a receipt generator, a decryption service, and an auditor). Of course, trusting the correctness and security of e-voting protocols is crucial in that context. Formal def- initions of properties such as privacy, coercion-resistance or verifiability have been recently proposed, based on equivalence properties. In this paper, we propose a formal analysis of the protocol used in Norway, w.r.t. privacy, considering several corruption scenarios. Part of this study has conducted using the ProVerif tool, on a simplified model.
Keywords: e-voting, privacy, formal methods.
1 Introduction
Electronic voting protocols promise a convenient, efficient and reliable way for collecting and tallying the votes, avoiding for example usual human errors when counting. It is used or have been used for political elections in several countries like e.g. USA, Estonia, Switzerland and recently Norway, at least in trials. How- ever, the recent history has shown that these systems are highly vulnerable to attacks. For example, the Diebold machines as well as the electronic machines used in India have been attacked [13,24]. Consequently, the use of electronic vot- ing raises many ethical and political issues. For example, the German Federal Constitutional Court decided on 3 March 2009 that electronic voting used for the last 10 years was unconstitutional [1]. There is therefore a pressing need for a rigorous analysis of the security of e-voting protocols. A first step towards the security analysis of e-voting pro- tocols consists in precisely defining security w.r.t. e-voting. Formal definitions have been proposed for several key properties such as privacy, receipt-freeness, coercion resistance, or verifiability, most of them in terms of equivalence-based properties (see e.g. [12,17]). It is however difficult to formally analyse e-voting protocols for two main reasons. First there are very few tools that can check