Security Proofs for Participation Privacy, Receipt-Freeness and Ballot Privacy for the Helios Voting Scheme

The Helios voting scheme is well studied including formal proofs for verifiability and ballot privacy. However, depending on its version, the scheme provides either participation privacy (hiding who participated in the election) or verifiability against malicious bulletin board (preventing election manipulation by ballot stuffing), but not both at the same time. It also does not provide receipt-freeness, thus enabling vote buying by letting the voters construct receipts proving how they voted. Recently, an extension to Helios, further referred to as KTV-Helios, has been proposed that claims to provide these additional security properties. However, the authors of KTV-Helios did not prove their claims. Our contribution is to provide formal definitions for participation privacy and receipt-freeness that we applied to KTV-Helios. In order to evaluate the fulfillment of participation privacy and receipt-freeness, we furthermore applied the existing definition of ballot privacy, which was also used for evaluating the security of Helios, in order to show that ballot privacy also holds for KTV-Helios.