Conference PaperPDF Available

Verifiable Internet Voting Solving Secure Platform Problem

Authors:
Miroslaw Kutylowski at NASK National Research Institute
Miroslaw Kutylowski
Filip Zagorski at Wroclaw University of Science and Technology
Filip Zagorski
Download full-text PDFDownload full-text PDF
Read full-text
Download citation

Abstract

We present a voter verifiable Internet voting scheme which provides anonymity and eliminates the danger of vote selling even if the computer used by the voter cannot be fully trusted. The ballots cast remain anonymous - even the machine does not know the choice of the voter. It makes no sense to buy votes - the voter can cheat the buyer even if his machine cooperates with the buyer. Nevertheless, the voter can verity that his vote has been counted.
5405adb90cf2bba34c1d74
f8.pdf
Content uploaded by Filip Zagorski
Author content
All content in this area was uploaded by Filip Zagorski on Sep 02, 2014
Content may be subject to copyright.
5405adb40cf2c48563b17d
62.pdf
Content uploaded by Filip Zagorski
Author content
All content in this area was uploaded by Filip Zagorski on Sep 02, 2014
Content may be subject to copyright.
?
?
Vi
σi· · ·
N=pq
g G Z
N
GmodN
ZN
e
ϕ(N)d e ·d= 1 mod (p1, q 1) d
e
ˆg=gd
λ
1jλ yj
j xjyj=gxj
ˆyi=yd
im k1
(α, β, γ , δ) := (m·(y1·...·yλ)k1, gk1, md
·y1·...·ˆyλ)k1,ˆgk1).
i
(αi, βi, γi, δi) = (m·(yi·...·yλ)ki, g ki, md·yi·...·ˆyλ)ki,ˆgki).
ri
(αi+1, βi+1 , γi+1, δi+1 ) :=
(αixi
i
·(yi+1 ·...·yλ)ri, βi·gri, γixi
i
·yi+1 ·...·ˆyλ)ri, δi·ˆgri).
ki+1 =ki+ri
(m·(yi+1 ·...·yλ)ki+1 , g ki+1, md·(ˆyi+1 ·...·ˆyλ)ki+1 ,ˆgki+1 ).
k α =m·ykγ=md·ˆykγ=αdδ=βd
α=γeβ=δe
(α, β)
y1·. . . ·yλ
ue(m)m e(m)
m ue(m)
l
ue(m)l= (ml·(y1·...·yλ)k·l, g k·l, md·l·y1·...·ˆyλ)k·l,ˆgk·l).
ue(ml)ml
k·l
(α, β, γ , δ)
k1
m1m2
(m1·αk, m2·βk, gk), k α, β
αhβh
ghh k
m1m2
β
α
y1, . . . , yλ
m
(m·(y1·...·yλ)k, g k)
k
k
5
6
= 1 2
4·1
3m
(1
4W)m
W
N
N
i i
s
s
i cic0
i
ci, c0
iG
cic0
ig
i
N
s1s2
s=s1+s2s
s1s2
s, s1, s2
s1s2
z
z B.2
N
i cic0
i
i did0
i
di, d0
icic0
i
ci, c0
i
r
K r
K
r
K
AA X X
A A
1
2X
X
γ χ
(m·(y1· ·yλ)k, gk)
(m·(y1·...·yλ)k, M1·γk, M2·χk, g k)
M1M2
A A
X X
K
A A
A
A
1
2
1
2
2k
k
2k
c0, c1, . . . , cN1, c0
0, c0
1, . . . , c0
N1
cNcN+1, . . . , c2N, c0
N, c0
N+1, . . . , c0
2N
cN+mc0
N+m
m
c0= = c0
0
s1, s2π(j) =
j+smod N s =s1+s2
(id, id0) (rid, rid0)
id0=BGS (id)rid0=B GS (rid)
j
A A X X
N TATXt∈ {A, X}fu,t,j =t
Tt(j)=1 fu,t,j =t fl,t,j ∈ {t, t}
fu,t,j
x∈ {u, l}u, l i
px,i = [ueγ(fx,A,i)ueχ(fx,X,i )uey(cπ(i))uey(c0
π(i))uey(id)uey(id0)]
γ χ y =y1·. . . ·yk
apx,i
[ueγ(fx,A,i)ueχ(fx,X,i )uey(cπ(K+i))uey(c0
π(K+i))uey(rid)uey(rid0)]
t j
v= [pt,j ]av =
[apt,j ;pt,j ]
n2
n
A, A
s1s2s
s
s1, s2TAid
i
z
Alice(z)
Alice(z)
t
w
j w
cjπ(w) = j
v= [pt,w]
av = [apt,w;pt,w ]
v av
r
Alice(r)
K:= R(Alice(r)) R
v EncK(av)
v v
ueγ(ft,A,i)
TA
ueχ(ft,X,i)
v av
v av
1iλ i
i1
i
λ
λ
r
2
N
N
id, id0, ci, c0
i)
A/A, X/X
4K100N
10N
K= 20 200
... The first of these proposals include protocols by Chaum [6] and Neff [19], which were implemented soon after (Chaum's as Citizen-Verified Voting [16] and Neff's by VoteHere). Several more proposals with prototypes followed: Prêtà Voter [10], Punchscan [21,15], the proposal of Kutylowski and Zagórski [18] as Voting Ducks, and Simple Verifiable Voting [4] as Helios [2] and Vote-Box [24]. ...
... To provide higher confidence in the results, the backend creates multiple sets of left and right mixes; in Takoma Park, we created 40 sets for each election, 20 of which were audited. Given 2 contests per ballot and 40 sets of left and right mixes, there are a total of 160 commitments per ballot in the audit trail, in addition to a commitment per contestant per ballot for each confirmation number (15)(16)(17)(18), depending on the Ward). ...
... We confirmed with election officials the contents of each box and the officials verified, with our assistance, that the USB memory sticks did not contain any ballot data by looking at the configuration file and making sure the ballot data file was blank. 18 To protect against virus infection on the sticks we set them to read-only for this procedure. ...
Scantegrity II Municipal Election at Takoma Park: The First E2E Binding Governmental Election with Ballot Privacy
Conference Paper
Full-text available
  • Sep 2010
On November 3, 2009, voters in Takoma Park, Maryland, cast ballots for mayor and city council members using the ScantegrityII voting system—the first time any end-to-end (e2e) voting system with ballot privacy has been used in any binding governmental election. This case-study describes how we carried out this complex engineering feat involving improved design and implementation of a novel cryptographic voting system, streamlined procedures, agreements with the City, and assessments of the experiences of voters and poll workers. The election with 1722 voters from six wards involved paper ballots with invisible-ink confirmation codes, instant-runoff voting with write-ins, early and absentee (mail-in) voting, dual-language ballots, provisional ballots, privacy sleeves, any which-way scanning with parallel conventional desk-top scanners, end-to-end verifiability based on optional web-based voter verification of votes cast, a full hand recount, thresholded authorities, three independent outside auditors, full transparency, fully disclosed software, and exit surveys for voters and pollworkers. Despite some glitches, the use of Scantegrity II was a success, demonstrating that e2e cryptographic voting systems can be effectively used and well accepted by the general public.
View
... The usual solution for changed votes / fake votes is the employment of code voting such as proposed by Kutylowski and Zagorski [KZ07]. Code Voting is a process where every voter receives unique coding tables out of band and uses them to communicate with the election servers without having to trust the device they are using. ...
Attacks against Network Voting Systems
Thesis
Full-text available
  • Jul 2015
The scientific community concentrates on formal or cryptographic safety regarding network voting systems. While this is necessary and valuable work there are also real-world threats to those systems that are not covered by this research. The results are several security issues with released voting systems discovered either during their pilot trials or first runs. Electronic network voting systems are potentially very vulnerable to mass manipulation of votes and / or voters. Therefore the goal is to develop systems that are against said mass manipulation while not imposing overly complicated cryptography on the voter. We concentrate on historic attacks and universal goals for network voting systems to learn a lesson and develop according guidelines that can be universally used to design and implement network voting systems. The guidelines are furthermore evaluated and applied to existing voting systems.
View
... These improvements, however, still require complex forms of credential management, thus lacking in usability from the voter's perspective. A number of other schemes has been suggested that provide some level of coercion resistance [27,32], which, however, also require complex actions from the voter. The Caveat Coercitor scheme [18] aims at detecting whether coercion took place during the election, but not at preventing it. ...
Extending Helios Towards Private Eligibility Verifiability
Conference Paper
Full-text available
  • Sep 2015
We show how to extend the Helios voting system to provide eligibility verifiability without revealing who voted which we call private eligibility verifiability. The main idea is that real votes are hidden in a crowd of null votes that are cast by others but are indistinguishable from those of the eligible voter. This extended Helios scheme also improves Helios towards receipt-freeness.
View
... This approach consists in having a secondary communication channel to the election server that would allow the confirmation of the correct vote delivery. Kuty lowski and Zagórski [40] proposed a voting protocol where a voter uses a secondary channel first to " decrypt " the ballot and choose the candidate, and then to verify with a probability of 1 2 that the vote was correctly submitted to the election server. The main disadvantage of this protocol is the complexity of the verification tasks given to the voter that must deal directly with the encrypted ballots. ...
Improving Remote Voting Security with CodeVoting
Conference Paper
Full-text available
  • Jan 2010
One of the major problems that prevents the spread of elections with the possibility of remote voting over electronic networks, also called Internet Voting, is the use of unreliable client platforms, such as the voter’s computer and the Internet infrastructure connecting it to the election server. A computer connected to the Internet is exposed to viruses, worms, Trojans, spyware, malware and other threats that can compromise the election’s integrity. For instance, it is possible to write a virus that changes the voter’s vote to a predetermined vote on election’s day. Another possible attack is the creation of a fake election web site where the voter uses a malicious vote program on the web site that manipulates the voter’s vote (phishing/pharming attack). Such attacks may not disturb the election protocol, therefore can remain undetected in the eyes of the election auditors. We propose the use of CodeVoting to overcome insecurity of the client platform. CodeVoting consists in creating a secure communication channel to communicate the voter’s vote between the voter and a trusted component attached to the voter’s computer. Consequently, no one controlling the voter’s computer can change the his/her’s vote. The trusted component can then process the vote according to a cryptographic voting protocol to enable cryptographic verification at the server’s side.
View
Human Factors in Coercion Resistant Internet Voting -- A Review of Existing Solutions and Open Challenges
Conference Paper
Full-text available
  • Oct 2020
While Internet voting has a potential of improving the democratic processes, it introduces new challenges to the security of the election, such as the possibility of voter coercion due to voting in uncontrolled environments. Cryptographic research has resulted in a number of proposals for protecting against such coercion with the help of counter-strategies that can be used by the voter to convince the coercer that they obeyed their instructions while secretly voting for another voting option. So far, these proposals have been theoretical, and their usability in terms of ability of the voter to apply the counter-strategies in practice has not been thoroughly investigated. We conducted a literature review to identify the available counter-strategies and assumptions on voters' capabilities. We evaluated the identified assumptions and conclude a number of usability issues. We provide recommendations on further research directions and practical considerations in designing coercion resistant voting systems are provided.
View
Cobra: Toward Concurrent Ballot Authorization for Internet Voting
Article
We propose and study the notion of concurrent ballot authorization for coercion-resistant, end-to-end verifi-able (E2E) internet voting. A central part of providing coercion resistance is the ability for an election authority to filter out fake ballots from legitimate ones in a way that is both private and universally verifiable. This ballot authorization process, however, can potentially come at a heavy computational cost. In previous proposals, the bulk of this computation cannot be performed until the last ballot has been cast. By contrast, concurrent ballot authorization allows ballots to be authorized as they are submitted, allowing the tally to be declared immediately after polls close. An efficient tally is especially impor-tant in the coercion-resistant internet voting setting, as it is particularly vulnerable to denial of service attacks caused by floods of fake ballots. We present a proof-of-concept voting system, Cobra, the first coercion-resistant system to offer concurrent ballot authorization. Although Cobra offers the fastest tallying relative to the related work, it has a registration process that we consider to be too slow to be viable; one that is quadratic in the number of eligible voters. We present Cobra as a first-step toward what we hope will become a standard feature of coercion-resistant internet voting schemes: concurrent ballot authorization.
View
The Norwegian Internet Voting Protocol
Conference Paper
  • Sep 2011
The Norwegian government will run a trial of internet remote voting during the 2011 local government elections. A new cryptographic voting protocol will be used, where so-called return codes allow voters to verify that their ballots will be counted as cast. This paper discusses a slightly simplified version of the cryptographic protocol. The description and analysis of the simplified protocol contains most of the ideas and concepts used to build and analyse the full protocol. In particular, the simplified protocol uses the full protocol’s novel method for generating the return codes. The security of the protocol relies on a novel hardness assumption similar to Decision Diffie-Hellman. While DDH is a claim that a random subgroup of a non-cyclic group is indistinguishable from the whole group, our assumption is related to the indistinguishability of certain special subgroups. We discuss this question in some detail.
View
Scantegrity III: automatic trustworthy receipts, highlighting over/under votes, and full voter verifiability
Conference Paper
Full-text available
  • Aug 2011
Building on lessons learned from the November 2009 Scantegrity II election in Takoma Park, MD, we propose improvements to the Scantegrity II voting system that (1) automatically print trustworthy receipts for easier on-line verification, (2) highlight ballot features including over/under votes to comply with the Help America Vote Act, and (3) achieve full voter verifiability by eliminating print audits. We call the improved voting system Scantegrity III, which features a new ballot style and a special casting station that highlights ballots and prints receipts. Scantegrity III addresses the major limitations of Scantegrity II and delivers the feature most requested by voters and election officials at the Takoma Park election: printing receipts automatically. We present, analyze, and compare three designs for a Scantegrity receipt printer: a simple image duplicator available to voters in an optional separate station before casting; a mark sense translator, connected to the official ballot scanner, which reads encrypted codenumbers printed on the ballot; and the Scantegrity III casting station, which is an embellished mark sense translator. At the Scantegrity III station, voters cast ballots that include both Scantegrity II codes in invisible ink and Scantegrity I codes in conventional ink; this combination of codes enables print audits to be eliminated. We also design a Trusted Platform Module (TPM) enhancement to bolster privacy, to store keys and verification codes, and to ensure that the correct software is booted. Election integrity does not depend on the correct operation of the TPM. Receipt printers reduce the amount of special voter instruction required, improve accessibility, enable each voter to detect if any additional mark is added to her ballot after casting, and make vote verification easier.
View
Lagrangian E-Voting: Verifiability on Demand and Strong Privacy
Conference Paper
Full-text available
  • Jun 2010
We propose a new approach to verifiability of Internet e-voting procedures: correct counting of each single ballot can be checked, but verification is a zero-knowledge court procedure. After verification period is over, certain keys are destroyed and breaking vote privacy becomes substantially harder. Our main goal is to provide a framework for the political situation in which the voters are more concerned about disclosure of their preferences than about the correctness of the results. Our approach also responds to threats of coercion exercised by a physically present coercer. Our approach can be used on top of most previous schemes to improve their privacy features. It is limited to the cases when the voters hold electronic ID cards.
View
Secure Internet Voting Based on Paper Ballots
Conference Paper
  • Dec 2008
Internet voting will probably be one of the most significant achievements of the future information society. It will have an enormous impact on the election process making it fast, reliable and inexpensive. Nonetheless, so far the problem of providing security of remote voting is considered to be very difficult, as one has to take into account susceptibility of the voter’s PC to various cyber-attacks. As a result, most of the research effort is put into developing protocols and machines for poll-site electronic voting. Although these solutions yield promising results, most of them cannot be directly applied to Internet voting because of the secure platform problem. However, the cryptographic components they utilize may be very useful in the context of remote voting, too. This paper presents a scheme based on combination of mixnets and homomorphic encryption borrowed from robust poll-site voting, along with techniques recommended for remote voting – code sheets and test ballots. The protocol tries to minimize the trust put in voter’s PC by employing paper ballots distributed before elections. The voter uses the ballot to submit an encrypted vote, which is illegible for the potentially corrupt PC. The creation of paper ballots, as well as the decryption of votes, is performed by a group of cooperating trusted servers. As a result, the scheme is characterized by strong asymmetry – all computations are carried out on the server side. Hence, it does not require any additional hardware on the voter’s side. Furthermore, the scheme offers distributed trust, receipt-freeness and verifiability.
View
UNIVERSAL RE-ENCRYPTION OF SIGNATURES AND CONTROLLING ANONYMOUS INFORMATION FLOW
Article
Full-text available
  • Jan 2006
Anonymous communication protocols, very essential for preserv- ing privacy of the parties communicating, may lead to severe prob- lems. A malicious server may use anonymous communication proto- cols for injecting unwelcome messages into the system so that their source can be hardly traced. So anonymity and privacy protection on one side and protection against such phenomena as spam are so far contradictory goals. We propose a mechanism that may be used to limit the men- tioned side efiects of privacy protection. During the protocol pro- posed each encrypted message admitted into the system is signed by a respective authority. Then, on its route through the network the encrypted message and the signature are re-encrypted universally. The purpose of universal re-encryption is to hide the routes of the messages from an observer monitoring the tra-c. Despite re-encryption, signature of the authority remains valid. Depending on a particular application, veriflcation of the signature is possible either ofi-line by anybody with the access to the ciphertext and the signature or requires contact with the authority that has issued the signature. Our work is an extension of recent works by Golle, Jakobsson, Juels and Syverson.
View
A Practical Voting Scheme with Receipts
Conference Paper
Full-text available
  • Aug 2005
David Chaum introduced Visual Voting scheme in which a voter obtains a paper receipt from a voting machine. This receipt can be used to verify that his vote was counted in the final tally, but cannot be used for vote selling. The Chaum’s system requires sophisticated printers and application of randomized partial checking (RPC) method. We propose a complete design of a voting system that preserves advantages of the Chaum’s scheme, but eliminates the use of special printers and RPC. Keywordselectronic voting-receipt voting-re–encryption-mixnet-anonymity
View
View
An Ecient Scheme for Proving a Shue
Article
  • Jan 2001
In this paper, we propose a novel and ecient protocol for proving the correctness of a shue, without leaking how the shue was performed. Using this protocol, we can prove the correctness of a shue of n data with roughly 18n exponentiations, where as the protocol of Sako-Kilian(SK95) required 642n and that of Abe(Ab99) required 22nlogn. The length of proof will be only 211n bits in our protocol, opposed to 218n bits and 214nlogn bits required by Sako-Kilian and Abe, respectively. The proposed protocol will be a building block of an ecient, universally veriable mix-net, whose application to voting system is prominent.
View
A Verifiable Secret Shue and its Application to EVoting
Article
  • Jan 2002
We present a mathematical construct which provides a cryptographic protocol to verifiably shue a sequence of k modular integers, and discuss its application to secure, universally verifiable, multi-authority election schemes. The output of the shue operation is another sequence of k modular integers, each of which is the same secret power of a correspond- ing input element, but the order of elements in the output is kept secret. Though it is a trivial matter for the "shuer" (who chooses the permuta- tion of the elements to be applied) to compute the output from the input, the construction is important because it provides a linear size proof of correctness for the output sequence (i.e. a proof that it is of the form claimed) that can be checked by an arbitrary verifiers. The complexity of the protocol improves on that of Furukawa-Sako(16) both measured by number of exponentiations and by overall size. The protocol is shown to be honest-verifier zeroknowledge in a special case, and is computational zeroknowledge in general. On the way to the final result, we also construct a generalization of the well known Chaum- Pedersen protocol for knowledge of discrete logarithm equality ((10), (7)). In fact, the generalization specializes exactly to the Chaum-Pedersen pro- tocol in the case k = 2. This result may be of interest on its own. An application to electronic voting is given that matches the features of the best current protocols with significant eciency improvements. An alternative application to electronic voting is also given that introduces an entirely new paradigm for achieving Universally Verifiable elections.
View
View
Cryptographic voting protocols: A systems perspective
Article
  • Jan 2005
Cryptographic voting protocols offer the promise of veri-fiable voting without needing to trust the integrity of any software in the system. However, these cryptographic protocols are only one part of a larger system composed of voting machines, software implementations, and elec-tion procedures, and we must analyze their security by considering the system in its entirety. In this paper, we analyze the security properties of two different crypto-graphic protocols, one proposed by Andrew Neff and an-other by David Chaum. We discovered several potential weaknesses in these voting protocols which only became apparent when considered in the context of an entire vot-ing system. These weaknesses include: subliminal chan-nels in the encrypted ballots, problems resulting from human unreliability in cryptographic protocols, and de-nial of service. These attacks could compromise election integrity, erode voter privacy, and enable vote coercion. Whether our attacks succeed or not will depend on how these ambiguities are resolved in a full implementation of a voting system, but we expect that a well designed implementation and deployment may be able to mitigate or even eliminate the impact of these weaknesses. How-ever, these protocols must be analyzed in the context of a complete specification of the system and surrounding procedures before they are deployed in any large-scale public election.
View
Cryptography meets voting
Article
  • Oct 2005
We survey the contributions of the entire the-oretical computer science/cryptography community dur-ing 1975-2002 that impact the question of how to run ver-ifiable elections with secret ballots. The approach based on homomorphic encryptions is the most successful; one such scheme is sketched in detail and argued to be fea-sible to implement. It is explained precisely what these ideas accomplish but also what they do not accomplish, and a short history of election fraud throughout history is included.
View
The ThreeBallot Voting System
Article
  • Nov 2006
We present a new paper-based voting method with interesting security properties. The attempt here is to see if one can achieve the same security properties of recently proposed cryptographic voting protocols, but without using any cryptography, using only paper ballots. We partially succeed. (Initially, I thought the proposal accomplished this goal, but several readers discovered a vote-buying attack (see Section 4.4) that appears to be rather difficult to fix without making the resulting system much less usable in practice. Currently, this paper should thus be viewed more as an academic proposal than a practical proposal. Perhaps some variation on these ideas in this paper might still turn out to be of practical use. The “OneBallot with Exchanged Receipts” system sketched at the end of Section 5.3.1, looks particularly promising at the moment. . . ) The principles of ThreeBallot are simple and easy to understand. In this proposal, not only can each voter verify that her vote is recorded as she intended, but she gets a “receipt” that she can take home that can be used later to verify that her vote is actually included in the final tally. Her receipt, however, does not allow her to prove to anyone else how she voted. In this “ThreeBallot” voting system, each voter casts three paper ballots, with certain restrictions on how they may be filled out, so the tallying works. These paper ballots are of course “voter-verifiable.” All ballots cast are scanned and published on a web site, so anyone may correctly compute the election result. A voter receives a copy of one of her ballots as her “receipt”, which she may take home. Only the voter knows which ballot she copied for her receipt. The voter is unable to use her receipt to prove how she voted or to sell her vote, as the receipt doesn’t reveal how she voted. A voter can check that the web site contains a ballot matching her receipt. Deletion or modification of ballots is thus detectable; so the integrity of the election is verifiable.
View
Receipt-Free K-out-of-L Voting Based on ElGamal Encryption
Chapter
We present a K-out-of-L voting scheme, i.e., a voting scheme that allows every voter to vote for (up to) K candidates from a set of L candidates. The scheme is receipt-free, which means that even a malicious voter cannot prove to anybody how he voted. Furthermore, the scheme can be based on any semantically secure homomorphic encryption scheme, in particular also on the modified ElGamal encryption scheme which does not allow for efficient decryption of arbitrary large messages (but is more efficient than Paillier’s encryption scheme). We note that in contrast to the standard setting with receipts, in a receipt-free setting a K-out-of-L voting scheme cannot be derived directly from a yes/no voting scheme. Finally, we show that the voting protocol of Lee and Kim is not receipt-free, opposed to what is claimed in the paper.
View