An Epistemic Approach to Coercion-Resistance for Electronic Voting Protocols

Coercion resistance is an important and one of the most intricate security requirements of electronic voting protocols. Several definitions of coercion resistance have been proposed in the literature, including definitions based on symbolic models. However, existing definitions in such models are rather restricted in their scope and quite complex. In this paper, we therefore propose a new definition of coercion resistance in a symbolic setting, based on an epistemic approach. Our definition is relatively simple and intuitive. It allows for a fine-grained formulation of coercion resistance and can be stated independently of a specific, symbolic protocol and adversary model. As a proof of concept, we apply our definition to three voting protocols. In particular, we carry out the first rigorous analysis of the recently proposed Civitas system. We precisely identify those conditions under which this system guarantees coercion resistance or fails to be coercion resistant. We also analyze protocols proposed by Lee et al. and Okamoto.

💡 Research Summary

The paper tackles one of the most demanding security properties for electronic voting systems—coercion‑resistance—by introducing a new, epistemic‑based definition that is both simpler and more general than existing symbolic formulations. Traditional definitions often intertwine the notion of coercion‑resistance with a specific cryptographic construction or adversary model, leading to cumbersome specifications that are difficult to apply across different protocols. To overcome this, the authors adopt an epistemic perspective: they model what a coercer can know about a voter’s choice rather than focusing solely on the inability to directly observe the vote.

The core idea is expressed through the concept of “possible worlds.” For any execution trace observable by the coercer, the definition requires the existence of two worlds that are indistinguishable to the coercer—one where the voter cast vote A and another where the voter cast vote B. If such worlds exist for every observable trace, the coercer cannot deduce which candidate the voter actually selected, and the protocol is said to be coercion‑resistant. This formulation abstracts away from concrete cryptographic primitives, allowing the definition to be applied to any symbolic protocol, regardless of the underlying encryption scheme, zero‑knowledge proof system, or mix‑net architecture.

The paper proceeds in three main steps: (1) formalizing the epistemic framework using standard modal logic operators (K for knowledge) and defining the set of all possible worlds consistent with a given trace; (2) proving that the definition is sound with respect to the intuitive notion of coercion‑resistance and that it can be instantiated for a range of adversary capabilities, including a fully network‑controlling adversary, a “simultaneous coercer” who can interact with the voter during the voting phase, and a “multi‑coercer” scenario where several independent coercers collude. The authors also discuss how the definition can be verified using simulation‑based proofs or automated tools such as ProVerif, by constructing the required indistinguishable worlds and checking the knowledge operator.

To demonstrate practicality, the authors apply the definition to three well‑known voting protocols:

1. Civitas – a modern system that combines mix‑nets, credential‑based authentication, and non‑interactive zero‑knowledge proofs. The analysis reveals that Civitas achieves coercion‑resistance only when two conditions hold: (i) the voter’s credential (the “receipt”) is never reused after the vote is cast, and (ii) the voter can separate the authentication phase from the actual ballot submission. If either condition is violated—e.g., a voter reuses a credential or the system leaks a link between the credential and the ballot—the coercer can construct a world where the observed messages uniquely identify the voter’s choice, breaking coercion‑resistance.

2. Lee et al.’s protocol – a code‑based voting scheme that relies on a random oracle to hide the mapping between a voter’s secret code and the final encrypted ballot. The epistemic analysis shows that coercion‑resistance hinges on the entropy of the oracle’s responses. When the oracle’s output is sufficiently unpredictable, the coercer cannot distinguish between two possible votes, satisfying the definition. Conversely, if the oracle’s randomness is low or can be predicted, the coercer can infer the voter’s choice, violating the property.

3. Okamoto’s protocol – a classic construction using standard public‑key encryption and digital signatures. The paper demonstrates that the protocol is not coercion‑resistant unless the voter’s signing key is never disclosed to the coercer and the signature is effectively “disposed of” after voting. If the coercer obtains the signing key (or a valid signature that can be linked to the ballot), they can directly verify which candidate the voter selected, thereby invalidating the epistemic condition.

Across all three case studies, the authors identify subtle design elements—credential reuse prevention, random‑oracle unpredictability, and post‑vote key disposal—that are often overlooked in informal security arguments but become explicit requirements under the epistemic definition.

The discussion section highlights the strengths of the new definition: its protocol‑agnostic nature, its ability to capture a wide spectrum of coercer capabilities, and its intuitive “world‑splitting” metaphor that makes security requirements more accessible to designers. The authors also acknowledge limitations, notably the potential difficulty of constructing the required possible worlds for complex protocols without automated assistance, and the need for tool support to scale the approach to real‑world election systems.

Finally, the paper outlines future research directions: (i) integrating the epistemic definition into automated verification frameworks to enable rapid, compositional analysis of new voting schemes; (ii) extending the model to handle multi‑coercer environments and dynamic adversaries that can adapt their strategies during the election; and (iii) incorporating human factors such as user errors in credential handling, which can affect the epistemic conditions in practice.

In summary, the work provides a fresh, logically grounded definition of coercion‑resistance that simplifies reasoning, broadens applicability, and uncovers precise security conditions in existing protocols. By applying the definition to Civitas, Lee et al., and Okamoto, the authors not only validate its usefulness but also contribute concrete insights that can guide the design of next‑generation, coercion‑resistant electronic voting systems.