A recent paper brought to my attention that exponentiation mix-based voting systems can be susceptible to Pfitzmann-like attacks. This vulnerability allows an attacker to track a specific pseudonym by exponentiating it with a random factor during registration. After each braiding, the attacker can exponentiate all pseudonyms with the same random factor, identifying a match. This method enables the attacker to consistently track how a particular person votes.
Initially, it may seem that this attack vector is mitigated by requiring a signed membership certificate before inclusion in the braidchain ledger. However, an adversary can insert an arbitrary pseudonym into the membership certificate during registration when the base generator is already braided. Consequently, a corrupt registration process could still enable vote tracking.
To address this issue, we can add a proof of knowledge for the pseudonym exponent in the membership certificate. This would prevent an adversary from using another person's pseudonym obtained from a public bulletin board.
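One way to realize this check, as an added example that is not taken from the paper or the project's code: a Schnorr proof of knowledge (made non-interactive with Fiat-Shamir) of the exponent x behind the pseudonym y = h^x, where h is the braided generator, verified before the certificate is accepted. The group (RFC 2409 Oakley Group 1, demo-sized), the function names and the context string are assumptions.

```python
import hashlib
import secrets

# RFC 2409 Oakley Group 1 safe prime (768-bit, demonstration only); Q is the subgroup order.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 4  # a quadratic residue, so it generates the order-Q subgroup

def challenge(h, y, t, context):
    # Fiat-Shamir challenge bound to the braided generator, the pseudonym and the certificate
    data = b"|".join(str(v).encode() for v in (P, h, y, t)) + b"|" + context
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(h, x, context):
    # Prover knows x; returns the pseudonym y = h^x and the proof (t, z)
    y = pow(h, x, P)
    k = secrets.randbelow(Q - 1) + 1
    t = pow(h, k, P)
    c = challenge(h, y, t, context)
    return y, (t, (k + c * x) % Q)

def verify(h, y, proof, context):
    t, z = proof
    # The pseudonym must be a non-identity element of the order-Q subgroup
    if not (1 < y < P and pow(y, Q, P) == 1):
        return False
    if not (0 < t < P and 0 <= z < Q):
        return False
    c = challenge(h, y, t, context)
    return pow(h, z, P) == (t * pow(y, c, P)) % P

def demo():
    # All values below are constructed for the example
    h = pow(G, secrets.randbelow(Q - 1) + 1, P)   # braided generator
    ctx = b"member-cert:constructed-example"      # hypothetical certificate context
    x_v = secrets.randbelow(Q - 1) + 1
    y_v, proof_v = prove(h, x_v, ctx)             # honest registration
    r = secrets.randbelow(Q - 2) + 2
    y_tag = pow(y_v, r, P)                        # published pseudonym raised to a random factor
    _, proof_r = prove(h, r, ctx)                 # registrant knows r, not the exponent of y_tag
    return (verify(h, y_v, proof_v, ctx),         # accepted
            verify(h, y_tag, proof_v, ctx),       # replayed proof: rejected
            verify(h, y_tag, proof_r, ctx))       # proof for the wrong exponent: rejected

if __name__ == "__main__":
    print(demo())
```

Binding the challenge to the current generator h ties the proof to one braid state, so a proof issued against an earlier generator does not verify against a later one.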