Consideraciones sobre el voto electrónico

El voto electrónico es un tema que se ha instalado tanto en las agendas de gobierno (nacional, provincial y municipal) como en la opinión pública. Este trabajo discutimos algunas posibles definiciones de voto electrónico; analizamos algunas debilidades, tanto prácticas, según revelan algunas experiencias en el mundo, como teóricas; y postulamos una serie de requerimientos que a nuestro criterio debería cumplir cualquier sistema de este tipo.Sociedad Argentina de Informática e Investigación Operativa (SADIO

Consideraciones sobre el voto electrónico

El voto electrónico es un tema que se ha instalado tanto en las agendas de gobierno (nacional, provincial y municipal) como en la opinión pública. Este trabajo discutimos algunas posibles definiciones de voto electrónico; analizamos algunas debilidades, tanto prácticas, según revelan algunas experiencias en el mundo, como teóricas; y postulamos una serie de requerimientos que a nuestro criterio debería cumplir cualquier sistema de este tipo.Sociedad Argentina de Informática e Investigación Operativa (SADIO

Consideraciones sobre el voto electrónico

El voto electrónico es un tema que se ha instalado tanto en las agendas de gobierno (nacional, provincial y municipal) como en la opinión pública. Este trabajo discutimos algunas posibles definiciones de voto electrónico; analizamos algunas debilidades, tanto prácticas, según revelan algunas experiencias en el mundo, como teóricas; y postulamos una serie de requerimientos que a nuestro criterio debería cumplir cualquier sistema de este tipo.Sociedad Argentina de Informática e Investigación Operativa (SADIO

More Practical and Secure History-Independent Hash Tables

Direct-recording electronic (DRE) voting systems have been used in several countries including United States, India, and the Netherlands to name a few. In the majority of those cases, researchers discovered several security flaws in the implementation and architecture of the voting system. A common property of the machines inspected was that the votes were stored sequentially according to the time they were cast, which allows an attacker to break the anonymity of the voters using some side-channel information. Subsequent research (Molnar et al. Oakland’06, Bethencourt et al. NDSS’07, Moran et al. ICALP’07) pointed out the connection between vote storage and history-independence, a privacy property that guarantees that the system does not reveal the sequence of operations that led to the current state. There are two flavors of history-independence. In a weakly history-independent data structure, every possible sequence of operations consistent with the current set of items is equally likely to have occurred. In a strongly history-independent data structure, items must be stored in a canonical way, i.e., for any set of items, there is only one possible memory representation. Strong history- independence implies weak history-independence but considerably constrains the design choices of the data structures. In this work, we present and analyze an efficient hash table data structure that simultaneously achieves the following properties: • It is based on the classic linear probing collision-handling scheme. • It is weakly history-independent. • It is secure against collision-timing attacks. That is, we consider adversaries that can measure the time for an update operation, but cannot observe data values, and we show that those adversaries cannot learn information about the items in the table. • All operations are significantly faster in practice (in particular, almost 2x faster for high load factors) than those of the commonly used strongly history-independent linear probing method proposed by Blelloch and Golovin (FOCS’07), which is not secure against collision-timing attacks. The first property is desirable for ease of implementation. The second property is desirable for the sake of maximizing privacy in scenarios where the memory of the hash table is exposed, such as post-election audit of DRE voting machines or direct memory access (DMA) attacks. The third property is desirable for maximizing privacy against adversaries who do not have access to memory but nevertheless are capable of accurately measuring the execution times of data structure operations. To our knowledge, our hash table construction is the first data structure that combines history-independence and protection against a form of timing attacks

How not to VoteAgain: Pitfalls of Scalable Coercion-Resistant E-Voting

Secure electronic voting is a relatively trivial exercise if a single authority can be completely trusted. In contrast, the construction of efficient and usable schemes which provide strong security without strong trust assumptions is still an open problem, particularly in the remote setting. Coercion-resistance is one of, if not the hardest property to add to a verifiable e-voting system. Numerous secure e-voting systems have been designed to provide coercion-resistance. One of these systems is VoteAgain (Usenix Security 2020) whose security we revisit in this work. We discovered several pitfalls that break the security properties of VoteAgain in threat scenarios for which it was claimed secure. The most critical consequence of our findings is that there exists a voting authority in VoteAgain which needs to be trusted for all security properties. This means that VoteAgain is as (in)secure as a trivial voting system with a single and completely trusted voting authority. We argue that this problem is intrinsic to VoteAgain\u27s design and could thus only be resolved, if possible, by fundamental modifications. We hope that our work will ensure that VoteAgain is not employed for real elections in its current form. Further, we highlight subtle security pitfalls to avoid on the path towards more efficient, usable, and reasonably secure coercion-resistant e-voting. To this end, we conclude the paper by describing the open problems which need to be solved to make VoteAgain\u27s approach secure

VoteBox Nano: A smaller, stronger FPGA-based voting machine

This thesis describes a minimal implementation of a cryptographically secure direct recording electronic (DRE) voting system, built with a low-cost Xilinx FPGA board. Our system, called VoteBox Nano, follows the same design principles as the VoteBox, a full-featured electronic voting system. The votes are encrypted using El-gamal homomorphic encryption and the correctness of the system can be challenged by real voters during an ongoing election. In order to fit within the limits of a minimal FPGA, VoteBox Nano eliminates VoteBox's sophisticated network replication mechanism and full-color bitmap graphics system. In return, VoteBox Nano runs without any operating or language runtime system and interacts with the voter using simple character graphics, radically shrinking the implementation complexity. VoteBox Nano also integrates a true random number generator (TRNG), providing improved security. In order to deter hardware tampering, we used FPGA's native JTAG interface coupled with TRNG. At boot-time, the proper FPGA configuration displays a random number on the built-in display. Any interaction with the JTAG interface will change this random number, allowing the poll workers to detect election-day tampering, simply by observing whether the number has changed

BBB-Voting: 1-out-of-k Blockchain-Based Boardroom Voting

Voting is a means to agree on a collective decision based on available choices (e.g., candidates), where participants (voters) agree to abide by their outcome. To improve some features of e-voting, decentralized solutions based on a blockchain can be employed, where the blockchain represents a public bulletin board that in contrast to a centralized bulletin board provides $100\%$ availability and censorship resistance. A blockchain ensures that all entities in the voting system have the same view of the actions made by others due to its immutable and append-only log. The existing blockchain-based boardroom voting solution called Open Voting Network (OVN) provides the privacy of votes and perfect ballot secrecy, but it supports only two candidates. We present BBB-Voting, an equivalent blockchain-based approach for decentralized voting than OVN, but in contrast to it, BBB-Voting supports 1-out-of-$k$ choices and provides a fault tolerance mechanism that enables recovery from stalling participants. We provide a cost-optimized implementation using Ethereum, which we compare with OVN and show that our work decreases the costs for voters by $13.5\%$ in terms of gas consumption. Next, we outline the extension of our implementation scaling to magnitudes higher number of participants than in a boardroom voting, while preserving the costs paid by the authority and participants -- we made proof-of-concept experiments with up to 1000 participants

SoK: Verifiability Notions for E-Voting Protocols

International audienceThere have been intensive research efforts in the last two decades or so to design and deploy electronic voting (e-voting) protocols and systems which allow voters and/or external auditors to check that the votes were counted correctly. This security property, which not least was motivated by numerous problems in even national elections, is called verifiability. It is meant to defend against voting devices and servers that have programming errors or are outright malicious. In order to properly evaluate and analyze e-voting protocols and systems w.r.t. verifiability, one fundamental challenge has been to formally capture the meaning of this security property. While the first formal definitions of verifiability were devised in the late 1980s already, new verifiability definitions are still being proposed. The definitions differ in various aspects, including the classes of protocols they capture and even their formulations of the very core of the meaning of verifiability. This is an unsatisfying state of affairs, leaving the research on the verifiability of e-voting protocols and systems in a fuzzy state.In this paper, we review all formal definitions of verifiability proposed in the literature and cast them in a framework proposed by Küsters, Truderung, and Vogt (the KTV framework), yielding a uniform treatment of verifiability. This enables us to provide a detailed comparison of the various definitions of verifiability from the literature. We thoroughly discuss advantages and disadvantages, and point to limitations and problems. Finally, from these discussions and based on the KTV framework, we distill a general definition of verifiability, which can be instantiated in various ways, and provide precise guidelines for its instantiation. The concepts for verifiability we develop should be widely applicable also beyond the framework used here. Altogether, our work offers a well-founded reference point for future research on the verifiability of e-voting systems