On the Necessity of Pre-agreed Secrets for Thwarting Last-minute Coercion: Vulnerabilities and Lessons From the Loki E-voting Protocol

Published 31 Mar 2026 in cs.CR | (2604.00188v1)

Abstract: Coercion-resistance (CR) is a crucial security property in e-voting systems. It ensures that an attacker cannot compel a voter to vote in a specific way by using threats or rewards. The Loki e-voting protocol, proposed by Giustolisi et al. at IEEE S&P (2024), introduces a novel design that mitigates last-minute coercion through a re-voting mechanism. It also aims to address the usability issues of the seminal JCJ e-voting protocol, specifically: i) the requirement that voters can store and hide pre-agreed credentials, and ii) the ability of voters to convincingly lie while being coerced. In this work, we identify two vulnerabilities in Loki. The first is a brute-force attack that compromises the integrity of the evasion strategy. Specifically, this attack allows an adversary to cast a ballot on behalf of their victim in a way that the evasion strategy cannot defend against, rendering it ineffective. The second vulnerability is a forced abstention attack, which allows an adversary to detect when their victim has complied with their instruction not to vote. We generalise the integrity attack to reveal a fundamental dilemma: without pre-agreed secret credentials, it is not possible to prevent last-minute coercion. Finally, we show how reverting to pre-agreed secret credentials fixes the aforementioned vulnerabilities and discuss the trade-off between tallying efficiency and stronger trust assumptions.

Summary

  • The paper proves that revoting protocols without pre-agreed secrets are vulnerable to brute-force and forced-abstention attacks, undermining coercion-resistance.
  • The analysis leverages real-world voter behavior data, showing that practical attacks can overwrite honest votes with over 80% success in typical scenarios.
  • The study introduces CR-Loki, demonstrating that integrating cryptographic credentials restores robust coercion-resistance despite potential usability tradeoffs.

Analysis of the Need for Pre-agreed Secrets in Revoting Protocols: Vulnerabilities in Loki and the Design of CR-Loki

Introduction

This paper, "On the Necessity of Pre-agreed Secrets for Thwarting Last-minute Coercion: Vulnerabilities and Lessons From the Loki E-voting Protocol" (2604.00188), presents a formal analysis of the coercion-resistance (CR) guarantees of the Loki e-voting protocol. The primary focus is on resilience to last-minute coercion—the scenario in which a coercer can interact with a voter up until the very end of the voting period. The paper applies the general coercion-resistance definition of Küsters et al., and demonstrates that Loki’s approach—eschewing pre-agreed secrets between voters and the voting system—succumbs to both brute-force attacks and forced-abstention attacks, negating its claimed protection from last-minute coercion. Building on these findings, the paper establishes a general impossibility result: revoting protocols without pre-agreed secrets cannot achieve robust coercion-resistance. It further proposes CR-Loki, an extension of Loki which introduces cryptographic credentials as pre-agreed secrets, and formally proves that this construction achieves coercion-resistance.

The Loki Protocol: Design and Security Model

Loki, proposed by Giustolisi et al. in 2024, is a revoting protocol designed to provide practical coercion-resistance for remote e-voting. Traditional protocols (e.g., JCJ, Civitas) require voters to manage fake credentials, which present usability challenges. Loki aims to enhance usability by using a (trusted-for-CR) Voting Server (VS) to manage all cast ballots and generate noise ballots that obscure the actions of honest and coerced voters. The protocol allows revoting and embeds a "signalling" mechanism: each ballot contains an encrypted list of indices representing ballots believed by the voter to have been freely cast. The VS, which maintains its own trusted records, can thus accept or disregard ballots based on this signaling.

Figure 1: The Loki framework highlights cast ballot record composition—circles for coerced ballots, diamonds for genuine ballots, squares for VS-generated noise. The adversarial/coercion option is $o_2$, the honest one $o_1$.

Loki is intended to allow voters to evade coercion even under over-the-shoulder threats (the adversary may observe or control voters' actions in real-time), removing the practical requirement for a "coercion-free window" at the end of the election.

Formalization of Coercion-Resistance and Loki's Security Goals

The paper leverages the formal definition of CR from Küsters-Truderung-Vogt: for every strategy the coercer can enforce, there must exist a counter-strategy that (1) assures the honest vote is counted with overwhelming probability (CR-Integrity), and (2) prevents the coercer from distinguishing, beyond some $\delta$-bounded advantage, whether the voter complied or successfully evaded (CR-Privacy).

The key innovation in Loki is its attempt to manage CR purely via public signaling in ballots without any pre-established secret per voter, thus reducing trust and usability burdens on voters. However, the analysis reveals that this relaxed security model creates exploitable attack surfaces.

Attack Analysis: Brute-force and Forced Abstention

Brute-force Attacks on CR-Integrity

The analysis defines a generic attack game for CR-Integrity, where the adversary attempts to overwrite or invalidate a coerced voter's genuine (intended) ballot. The attacker can leverage knowledge of the possible index lists (the "signaling" values) to construct a sequence of ballots which, with high probability, eventually matches the VS's record for that voter, causing the VS to accept a malicious ballot. Since the space of possible indices grows only polynomially in the number of votes, and the number of ballots per voter in real elections is small, exhaustive search is entirely practical.

Empirical evidence from the Estonian national elections (as summarized in the paper) demonstrates that 98% of voters cast only one ballot, and the vast majority of cast ballot records are of size at most two. A coercer can, by waiting until late in the election and rapidly submitting a small set of variants, completely overwrite a victim's honest ballot with probability exceeding 80%, even with minimal effort.

Strong empirical claim: In real-world settings such as the Estonian I-voting deployments, a brute-force coercion attack can succeed with probability over 80% if the attacker has only three slots for ballot injection near the election’s end.

The attack remains effective even if the Voting Server attempts to mimic the honest-voter revoting/noise distribution. The protocol allows state desynchronization, after which the voter can no longer recover their intended vote unless they can guess the attacker’s sequence—rendering recovery computationally infeasible.

Forced-abstention Attacks on CR-Privacy

The protocol is further vulnerable to forced-abstention attacks. A coercer may instruct the victim to abstain. By observing the public bulletin board, the adversary can reliably detect whether the victim complied (only a single, VS-generated ballot exists) or attempted to evade, as the distribution of record lengths (again, heavily biased toward length one in real deployments) makes this an effective distinguishing signal.

The result is that Loki’s coercion-resistance:

  • is invalid against attackers who exploit voting history patterns or real-world statistical data,
  • provides no fallback in scenarios where the voter never experiences a coercion-free period.

General Impossibility Result for Revoting Protocols without Pre-agreed Secrets

Abstracting from the specifics of Loki, the paper formalizes the general structure of revoting protocols with public signaling and demonstrates a completeness result: any such protocol that does not rely on long, random, pre-agreed secrets shared between voter and authority cannot ensure CR-Integrity under last-minute coercion. The argument applies to a broad class of protocols, including JCJ-style systems lacking pre-credentialed indirection, and demonstrates that the signaling mechanism is, in essence, always subject to the same kind of brute-force and overwrite attacks as observed for Loki.

Key technical claim:

Revoting protocols which aim to guarantee both a coercion-free window at any election time (i.e., are "moment-of-privacy" universal) and to avoid pre-agreed, voter-specific secrets, are fundamentally unachievable: at least one of receipt-freeness or CR-Integrity must be compromised.

CR-Loki: Restoring Security via Pre-agreed Credentials

To address these architectural vulnerabilities, the paper presents CR-Loki: a protocol which retains Loki’s general approach but returns to using cryptographic credentials as pre-agreed voter secrets, analogous to the JCJ family. Each ballot contains an encryption of the secret credential, and the VS uses the credential (not reconstructable or guessable by the adversary) as the untamperable signaling mechanism.

To mask abstention behavior and prevent forced-abstention attacks, the VS always ensures that, at each time tick, each voter's slot is filled by a noise ballot if the voter is inactive. Under IND-CCA/IND-RCCA secure encryption and UC NIZK, the protocol meets the formal definitions of coercion-resistance, privacy, and verifiability.

The performance characteristics of CR-Loki are superior to the patched JCJ* protocol, with linear vs. quasi-linear tallying complexity, albeit at the cost of requiring a trusted VS for secret generation and CR enforcement.
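The two attacks and the two CR-Loki countermeasures described above can be compared numerically. The following Python sketch is an added example, not code from the paper or from Loki: it bounds a k-guess adversary against a small signalling space versus a random credential, and measures how well record length separates "complied" from "evaded" before and after per-tick noise filling. All distributions are constructed for illustration (not the paper's data), and the one-ballot-per-tick padding model and the function names are assumptions.

```python
from fractions import Fraction as F

def top_k_guess(signal_dist, k):
    """Chance that k submissions include the value the VS expects:
    the combined mass of the k most likely signalling values."""
    return sum(sorted(signal_dist.values(), reverse=True)[:k])

def credential_guess(bits, k):
    """The same bound when the signal is a uniformly random pre-agreed credential."""
    return min(F(1), F(k, 2 ** bits))

def tv_distance(p, q):
    """Total variation distance: the best advantage of any test that sees
    only the record length when telling distribution p from q."""
    return sum(abs(p.get(x, 0) - q.get(x, 0)) for x in set(p) | set(q)) / 2

def pad_to_ticks(length_dist, ticks):
    """Assumed model of per-tick noise filling: the VS tops every record up
    to exactly one ballot per tick, so all lengths collapse to `ticks`."""
    out = {}
    for length, prob in length_dist.items():
        if length > ticks:
            raise ValueError("model assumes at most one ballot per tick")
        out[ticks] = out.get(ticks, 0) + prob
    return out

# Constructed distribution over five candidate signalling values (skewed,
# because most records are short); not taken from the paper.
SIGNAL = {"s1": F(1, 2), "s2": F(1, 4), "s3": F(1, 8), "s4": F(1, 16), "s5": F(1, 16)}

# Constructed record-length distributions: a compliant abstainer leaves only
# VS noise; an evading voter adds one ballot to the same noise.
COMPLIED = {1: F(9, 10), 2: F(2, 25), 3: F(1, 50)}
EVADED = {n + 1: p for n, p in COMPLIED.items()}

def summary(ticks=4, k=3, bits=128):
    return {
        "index_signal_guess": top_k_guess(SIGNAL, k),
        "credential_guess": credential_guess(bits, k),
        "length_advantage": tv_distance(COMPLIED, EVADED),
        "padded_advantage": tv_distance(pad_to_ticks(COMPLIED, ticks),
                                        pad_to_ticks(EVADED, ticks)),
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {float(value):.3g}")
```

In this constructed setting three guesses cover 7/8 of the signalling mass and record length alone gives a 9/10 distinguishing advantage, while a 128-bit credential and constant-length records reduce both to negligible or zero.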

Practical and Theoretical Implications

Practically, the results demonstrate that, despite usability disadvantages, the use of per-voter, pre-shared secrets is essential for any protocol that aims to resist adaptive, last-minute coercion in electronic voting without relying on timing assumptions or long coercion-free periods. Attempts to sidestep this hard requirement (as in Loki) will result in protocols that are broken in realistic models of voter and attacker behavior.

Theoretically, the generic impossibility theorem provides a unifying formal tool to evaluate purported advances in revoting protocols: if credentialless architectures or late-stage only mechanisms are offered without hard, private, unpredictable voter signals, their security claims are provably unsound. The security proofs for CR-Loki clarify that, given setup-phase trust, usability and computational efficiency are compatible with strong CR, but only with real-world trust tradeoffs.

Conclusion

This paper rigorously demonstrates that the design philosophy underpinning Loki—coercion-resistance without pre-agreed secrets—is fundamentally incompatible with robust defense against last-minute coercion in realistic election environments. Analysis of voting pattern distributions and brute-force feasibility, validated by real-world data, highlights how attackers can leverage protocol structure to defeat both ballot integrity and abstention privacy. The design and proof of CR-Loki reestablish the necessity for pre-shared cryptographic secrets in secure remote e-voting, and offer concrete guidance for practitioners seeking both efficiency and the strongest CR guarantees.
