E-Voting and Identity

The Norwegian government will run a trial of internet remote voting during the 2011 local government elections. A new cryptographic voting protocol will be used, where so-called return codes allow voters to verify that their ballots will be counted as cast.

This paper discusses a slightly simplified version of the cryptographic protocol. The description and analysis of the simplified protocol contains most of the ideas and concepts used to build and analyse the full protocol. In particular, the simplified protocol uses the full protocol’s novel method for generating the return codes.

The security of the protocol relies on a novel hardness assumption similar to Decision Diffie-Hellman. While DDH is a claim that a random subgroup of a non-cyclic group is indistinguishable from the whole group, our assumption is related to the indistinguishability of certain special subgroups. We discuss this question in some detail.

The short history of e-voting has shown that projects are doomed to fail in the absence of trust among the electorate. The first binding Norwegian Internet elections are scheduled for fall 2011. Notably, transparency is taken as a guideline in the project. This article discusses transparency and other measures the Norwegians apply that are suited to establish profound trust, i.e. trust that grounds on the system’s technical features, rather than mere assertions. We show whether at all, how and to which degree these measures are implemented and point out room for enhancements. We also address general challenges of projects which try to reach a high level of transparency for others as lessons learned.

In remote electronic elections the voting client software is usually in charge of encoding the voting options chosen by the voter. Cast as intended verification methods can be used to audit this process, so that voters do not need to trust the voting client software. In this paper we present the revision of our initial proposal for the eValg2011 project for an Internet voting protocol providing cast as intended verification functionalities, and evaluate its security.

Current approaches to electronic implementations of voting protocols involve translating legal text to source code of an imperative programming language. Because the gap between legal text and source code is very large, it is difficult to trust that the program meets its legal specification. In response, we promote linear logic as a high-level language for both specifying and implementing voting protocols. Our linear logical specifications of the single-winner first-past-the-post (SW-FPTP) and single transferable vote (STV) protocols demonstrate that this approach leads to concise implementations that closely correspond to their legal specification, thereby increasing trust.

Some years ago, Juels et al. introduced the first coercion-resistant Internet voting protocol. Its basic concept is still the most viable approach to address voter coercion and vote selling in Internet voting. However, one of the main open issues is its unrealistic computational requirements of the quadratic-time tallying procedure. In this paper, we examine the cause of this issue, namely the authorization of votes, and summarize the most recent proposals to perform this step in linear time. We explain the key underlying concepts of these proposals and introduce a new protocol based on anonymity sets. The size of these anonymity sets serves as an adjustable security parameter, which determines the degree of coercion-resistance. The main advantage of the new protocol is to move computational complexity introduced in recent works from the voter side to the tallying authority side.

This paper briefly describes security challenges for critical web applications such as the Helios Voting system. After analyzing the Helios demonstration website we discovered several small flaws that can have a large security critical impact. An attacker is able to extract sensitive information, manipulate voting results, and modify the displayed information of Helios without any deep technical knowledge or laboratory-like prerequisites. Displaying and processing trusted information in an untrustworthy user agent can lead to the issue that most protection mechanisms are useless. In our approach of attacking Helios voting systems we do not rely on an already infected or trojanized machine of the user, instead we use simple and commonly known web browser features to leverage information disclosure and state modification attacks. We propose that online voting applications should at least follow the latest vulnerability mitigation guidelines. In addition, there should be thorough and frequent coverage with automated as well as manual penetrations tests in privacy sensitive applications. E-Voting software driven by web browsers is likely to become an attractive target for attackers. Successful exploitation can have impact ranging from large scale personal information leakage, financial damage, calamitously intended information and state modification as well as severe real life impact in many regards.

This paper presents MarkPledge3 (MP3), the most efficient specification of the MarkPledge (MP) technique. The MP technique allows the voter to verify that her vote is correctly encrypted with a soundness of 1 − 2^− α , with 20 ≤ α ≤ 30, just by performing a match of a small string (4-5 characters). Due to its simplicity, verifying the election public data (vote encryptions and tally) in MP3 is 2.6 times faster than with MP2 and the vote encryption creation on devices with low computational power, e.g. smart cards, is approximately 6 times better than the best of the previous MP specifications (MP1 and MP2).

We present a new model for polling-booth voting: the voter enters the polling booth with a computational assistant which helps her verify that her vote is correctly recorded. The assistant interacts with the voting system while the voter votes on the machine in the polling booth. We present an independently-verifiable, coercion-resistant protocol based on this model. Unlike all other independently-verifiable protocols, this one is completely paperless and does not require the voter to perform any tasks outside the polling booth. We provide property definitions, rigorous claims and a description of a prototype.

Prêt à Voter is one of the most well-known and most extensively analysed electronic voting systems for polling stations. However, an analysis from a legal point of view has not yet been conducted. The purpose of this paper is to analyse the readiness of Prêt à Voter for legally binding federal elections in Germany. This case is of particular interest as Germany has with the Constitutional Court Decision from 2009 probably the most restrictive requirements on electronic voting in particular regarding the public nature of elections and verifiability respectively. While many aspects are analysed, some remain open for further legal and technical discussions. Thus, a final decision is not yet possible. Aspects analysed are the ballot paper layout, different processes from ballot printing through to the publishing of results, as well as verifiability, and the overall election management.

This paper presents an extension of the Prêt à Voter verifiable voting system to handle write-ins. This is achieved by introducing an additional ‘Write-In’ option and allowing the voter optionally to enter a write-in candidate of their choice. The voter obtains a receipt which includes their write-in, but that receipt does not indicate whether the write-in candidate was selected or not. The system provides flexibility with respect to the tallying of write-in votes. We also introduce null ballots in order to achieve receipt-freeness with respect to write-ins.

Individual verifiability is the ability of an electronic voting system to convince a voter that his vote has been correctly counted in the tally. Unfortunately, in most electronic voting systems the proofs for individual verifiability are non-intuitive and, moreover, need trusted devices to be checked. Based on the remote voting system JCJ/Civitas, we propose Trivitas, a protocol that achieves direct and end-to-end individual verifiability, while at the same time preserving coercion-resistance.

Our technical contributions rely on two main ideas, both related to the notion of credentials already present in JCJ/Civitas. Firstly, we propose the use of trial credentials, as a way to track and audit the handling of a ballot from one end of the election system to the other end, without increased complexity on the voter end. Secondly, due to indistinguishability of credentials from random values, we observe that the association between any credential and its corresponding vote can be made public at the end of the election process, without compromising coercion-resistance. The voter has more intuitive and direct evidence that her intended vote has not been changed and will be counted in the final tally.

Estonia has implemented internet voting as a method to participate in various types of elections since 2005. In Riigikogu (parliament) Elections of 2011, over 140,000 voters used the internet voting method. The share of votes cast over the internet among all votes was 24.3%. In light of this popularity it is questioned by various stakeholders whether internet voting can be implemented correctly and securely to support electoral principles such as uniformity. This paper gives an overview of the Estonian Internet Voting System and analyzes events that occurred during the Riigikogu Elections of 2011.

Research on mitigating vulnerabilities in electronic elections has focused mainly on developing cryptographic voting and counting schemes that satisfy strong mathematical requirements. However many practical problems with e-election systems in general cannot be solved by cryptology. In this paper we consider some of these practical problems by examining deficiencies that are common to the many e-election systems currently used in Australia, including but not limited to e-voting and e-counting systems. We identify poor practices in the commissioning, development, operation and scrutiny of these systems, and we then make recommendations for improving practice. We argue that best practice guidelines for e-election systems need to be explicitly articulated and should include four key elements: failure-critical engineering, risk assessment, a culture of audit and strong transparency.

The literature abounds with discussions on the relative security merits of various voting systems, and on whether a move towards electronic voting is, from a security perspective, something to be encouraged or discouraged. Little has been said, however, on whether there would be unintended side-effects of changing the voting technology, in terms of the votes cast. Security issues aside, should we expect the introduction of an electronic voting system to affect the results of the election?

This paper attempts to tease out some of the possible effects, by analysing ballot data from the 2008 Australian Capital Territory (ACT) Legislative Assembly Election.