Anonymity and Verifiability in Voting: Understanding (Un)Linkability

  • Lucie Langer
  • Hugo Jonker
  • Wolter Pieters
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6476)


Anonymity and verifiability are crucial security requirements for voting. Still, they seem to be contradictory, and confusion exists about their precise meanings and compatibility. In this paper, we resolve the confusion by showing that both can be expressed in terms of (un)linkability: while anonymity requires unlinkability of voter and vote, verifiability requires linkability of voters and election result. We first provide a conceptual model which captures anonymity as well as verifiability. Second, we express the semantics of (un)linkability in terms of (in)distinguishability. Third, we provide an adversary model that describes which capabilities the attacker has for establishing links. These components form a comprehensive model for describing and analyzing voting system security. In a case study we use our model to analyze the security of the voting scheme Prêt à Voter. Our work contributes to a deeper understanding of anonymity and verifiability and their correlation in voting.


anonymity verifiability unlinkability e-voting adversary model 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Adida, B., Neff, C.A.: Ballot Casting Assurance. In: Proc. 2006 USENIX/ACCURATE Electronic Voting Technology Workshop. USENIX Association, Berkeley (2006)Google Scholar
  2. 2.
    Benaloh, J., Tuinstra, D.: Receipt-free secret-ballot elections (extended abstract). In: Proc. 26th ACM Symp. on Theory of Computing, pp. 544–553. ACM, New York (1994)Google Scholar
  3. 3.
    Benaloh, J.: Ballot Casting Assurance via Voter-Initiated Poll Station Auditing. In: Proceedings of the USENIX/ACCURATE Electronic Voting Technology Workshop, EVT 2007, p. 14. USENIX Association, Berkeley (2007)Google Scholar
  4. 4.
    Burmester, M., Magkos, E.: Towards Secure and Practical e-Elections in the New Era. In: Advances in Information Security, vol. 7. Kluwer Academic Publishers, Dordrecht (2003)Google Scholar
  5. 5.
    Chaum, D.: Secret-Ballot Receipts: True Voter-Verifiable Elections. IEEE Security and Privacy 2(1), 38–47 (2004)CrossRefGoogle Scholar
  6. 6.
    Chaum, D., Ryan, P.Y.A., Schneider, S.A.: A Practical Voter-Verifiable Election Scheme. In: di Vimercati, S.d.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 118–139. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  7. 7.
    Chevallier-Mames, B., Fouque, P.A., Pointcheval, D., Stern, J., Traoré, J.: On Some Incompatible Properties of Voting Schemes. In: Workshop on Trustworthy Elections, WOTE 2006 (2006)Google Scholar
  8. 8.
    Delaune, S., Kremer, S., Ryan, M.: Coercion-Resistance and Receipt-Freeness in Electronic Voting. In: CSFW, pp. 28–42. IEEE Computer Society, Los Alamitos (2006)Google Scholar
  9. 9.
    Dolev, D., Yao, A.C.C.: On the Security of Public Key Protocols. IEEE Transactions on Information Theory 29(2), 198–207 (1983)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Fujioka, A., Okamoto, T., Ohta, K.: A Practical Secret Voting Scheme for Large Scale Elections. In: Zheng, Y., Seberry, J. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 244–251. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  11. 11.
    Garcia, F., Hasuo, I., Pieters, W., Rossum, P.v.: Provable anonymity. In: Proc. 3rd Workshop on Formal Methods in Security Engineering, pp. 63–72. ACM, New York (2005)Google Scholar
  12. 12.
    Gomulkiewicz, M., Klonowski, M., Kutylowski, M.: Rapid mixing and security of Chaum’s visual electronic voting. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 132–145. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Hirt, M., Sako, K.: Efficient receipt-free voting based on homomorphic encryption. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 539–556. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  14. 14.
    Jakobsson, M., Juels, A., Rivest, R.L.: Making Mix Nets Robust For Electronic Voting By Randomized Partial Checking. In: Proceedings of the 11th USENIX Security Symposium, pp. 339–353. USENIX Association, Berkeley (2002)Google Scholar
  15. 15.
    Juels, A., Catalano, D., Jakobsson, M.: Coercion-resistant electronic elections. In: Proc. ACM Workshop on Privacy in the Electronic Society, pp. 61–70. ACM, New York (2005)Google Scholar
  16. 16.
    Karlof, C., Sastry, N., Wagner, D.: Cryptographic Voting Protocols: A Systems Perspective. In: Proc. 14th USENIX Security Symposium, pp. 33–50 (2005)Google Scholar
  17. 17.
    Küsters, R., Truderung, T.: An Epistemic Approach to Coercion-Resistance for Electronic Voting Protocols. In: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy (S&P), pp. 251–266. IEEE Computer Society, Los Alamitos (2009)CrossRefGoogle Scholar
  18. 18.
    Rivest, R.L., Smith, W.D.: Three voting protocols: ThreeBallot, VAV, and Twin. In: Proc. Electronic Voting Technology Workshop. USENIX (2007)Google Scholar
  19. 19.
    Ryan, P.Y.A.: A variant of the chaum voter-verifiable scheme. In: Proc. 2005 Workshop on Issues in the Theory of Security, pp. 81–88 (2005)Google Scholar
  20. 20.
    Smyth, B., Ryan, M.D., Kremer, S., Kourjieh, M.: Election verifiability in electronic voting protocols. In: Proceedings of the 4th Benelux Workshop on Information and System Security (WISSEC 2009). Louvain-la-Neuve, Belgium (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Lucie Langer
    • 1
  • Hugo Jonker
    • 2
  • Wolter Pieters
    • 3
  1. 1.Cryptography and Computer Algebra GroupTechnische Universität DarmstadtGermany
  2. 2.Faculty of Science, Technology and CommunicationUniversity of LuxembourgLuxembourg
  3. 3.Centre for Telematics and Information TechnologyUniversity of TwenteNetherlands

Personalised recommendations