Voting on the internet

We address some of the challenges in achieving internet voting for real world elections. One challenge is that home-based computers are likely to be infected by malware, threatening both the integrity and privacy of the vote. Another concern is the possibility that a voter may be coerced to vote in a particular way, for example by a family member or organised crime ring. Moreover, any voting system intended to be used on a large scale should not require complex operations by voters whose purpose is hard to understand. We introduce a series of novel proposals for internet voting, presented across three parts. First we examine how the problem of malware-infected computers in internet voting could be solved. We propose to use a dedicated hardware token (which is not required to be trustworthy) that helps remove the need to trust the voting computer and the server. Second we examine how the outcome verification methods provided by internet voting can be made more intuitive. We show how using trial votes help voters achieve more intuitive verifiability. Third we examine how the tension between verifiability and incoercibility can be reconciled while maintaining the usability of the voting systems. We propose a new property which we call “coercion-evidence” that helps improve usability, reduce trust assumptions, while maintaining the security of the system

Applications of graph theory to wireless networks and opinion analysis

La teoría de grafos es una rama importante dentro de la matemática discreta. Su uso ha aumentado recientemente dada la conveniencia de los grafos para estructurar datos, para analizarlos y para generarlos a través de modelos. El objetivo de esta tesis es aplicar teoría de grafos a la optimización de redes inalámbricas y al análisis de opinión. El primer conjunto de contribuciones de esta tesis versa sobre la aplicación de teoría de grafos a redes inalámbricas. El rendimiento de estas redes depende de la correcta distribución de canales de frecuencia en un espacio compartido. Para optimizar estas redes se proponen diferentes técnicas, desde la aplicación de heurísticas como simulated annealing a la negociación automática. Cualquiera de estas técnicas requiere un modelo teórico de la red inalámbrica en cuestión. Nuestro modelo de redes Wi-Fi utiliza grafos geométricos para este propósito. Los vértices representan los dispositivos de la red, sean clientes o puntos de acceso, mientras que las aristas representan las señales entre dichos dispositivos. Estos grafos son de tipo geométrico, por lo que los vértices tienen posición en el espacio, y las aristas tienen longitud. Con esta estructura y la aplicación de un modelo de propagación y de uso, podemos simular redes inalámbricas y contribuir a su optimización. Usando dicho modelo basado en grafos, hemos estudiado el efecto de la interferencia cocanal en redes Wi-Fi 4 y mostramos una mejora de rendimiento asociada a la técnica de channel bonding cuando se usa en regiones donde hay por lo menos 13 canales disponibles. Por otra parte, en esta tesis doctoral hemos aplicado teoría de grafos al análisis de opinión dentro de la línea de investigación de SensoGraph, un método con el que se realiza un análisis de opinión sobre un conjunto de elementos usando grafos de proximidad, lo que permite manejar grandes conjuntos de datos. Además, hemos desarrollado un método de análisis de opinión que emplea la asignación manual de aristas y distancias en un grafo para estudiar la similaridad entre las muestras dos a dos. Adicionalmente, se han explorado otros temas sin relación con los grafos, pero que entran dentro de la aplicación de las matemáticas a un problema de la ingeniería telemática. Se ha desarrollado un sistema de votación electrónica basado en mixnets, secreto compartido de Shamir y cuerpos finitos. Dicha propuesta ofrece un sistema de verificación numérico novedoso a la vez que mantiene las propiedades esenciales de los sistemas de votación

Ballot secrecy: Security definition, sufficient conditions, and analysis of Helios

We propose a definition of ballot secrecy as an indistinguishability game in the computational model of cryptography. Our definition improves upon earlier definitions to ensure ballot secrecy is preserved in the presence of an adversary that controls ballot collection. We also propose a definition of ballot independence as an adaptation of an indistinguishability game for asymmetric encryption. We prove relations between our definitions. In particular, we prove ballot independence is sufficient for ballot secrecy in voting systems with zero-knowledge tallying proofs. Moreover, we prove that building systems from non-malleable asymmetric encryption schemes suffices for ballot secrecy, thereby eliminating the expense of ballot-secrecy proofs for a class of encryption-based voting systems. We demonstrate applicability of our results by analysing the Helios voting system and its mixnet variant. Our analysis reveals that Helios does not satisfy ballot secrecy in the presence of an adversary that controls ballot collection. The vulnerability cannot be detected by earlier definitions of ballot secrecy, because they do not consider such adversaries. We adopt non-malleable ballots as a fix and prove that the fixed system satisfies ballot secrecy

A Scalable Coercion-resistant Blockchain Decision-making Scheme

Typically, a decentralized collaborative blockchain decision-making mechanism is realized by remote voting. To date, a number of blockchain voting schemes have been proposed; however, to the best of our knowledge, none of these schemes achieve coercion-resistance. In particular, for most blockchain voting schemes, the randomness used by the voting client can be viewed as a witness/proof of the actual vote, which enables improper behaviors such as coercion and vote-buying. Unfortunately, the existing coercion-resistant voting schemes cannot be directly adopted in the blockchain context. In this work, we design the first scalable coercion-resistant blockchain decision-making scheme that supports private differential voting power and 1-layer liquid democracy as introduced by Zhang et al. (NDSS\u2719). Its overall complexity is $O(n)$, where $n$ is the number of voters. Moreover, the ballot size is reduced from Zhang et al.\u27s $\Theta(m)$ to $\Theta(1)$, where $m$ is the number of experts and/or candidates. Its incoercibility is formally proven under the UC incoercibility framework by Alwen et al. (Crypto\u2715). We implement a prototype of the scheme and the evaluation result shows that our scheme\u27s tally execution time is more than 6x faster than VoteAgain (USENIX\u2720) in an election with over 10,000 voters and over 50\% extra ballot rate

Matters of Coercion-Resistance in Cryptographic Voting Schemes

This work addresses coercion-resistance in cryptographic voting schemes. It focuses on three particularly challenging cases: write-in candidates, internet elections and delegated voting. Furthermore, this work presents a taxonomy for analyzing and comparing a huge variety of voting schemes, and presents practical experiences with the voting scheme Bingo Voting

A framework for comparing the security of voting schemes

We present a new framework to evaluate the security of voting schemes. We utilize the framework to compare a wide range of voting schemes, including practical schemes in realworld use and academic schemes with interesting theoretical properties. In the end we present our results in a neat comparison table. We strive to be unambiguous: we specify our threat model, assumptions and scope, we give definitions to the terms that we use, we explain every conclusion that we draw, and we make an effort to describe complex ideas in as simple terms as possible. We attempt to consolidate all important security properties from literature into a coherent framework. These properties are intended to curtail vote-buying and coercion, promote verifiability and dispute resolution, and prevent denial-of-service attacks. Our framework may be considered novel in that trust assumptions are an output of the framework, not an input. This means that our framework answers questions such as ”how many authorities have to collude in order to violate ballot secrecy in the Finnish paper voting scheme?

Seventh International Joint Conference on Electronic Voting

This volume contains papers presented at E-Vote-ID 2022, the Seventh International JointConference on Electronic Voting, held during October 4–7, 2022. This was the first in-personconference following the COVID-19 pandemic, and, as such, it was a very special event forthe community since we returned to the traditional venue in Bregenz, Austria. The E-Vote-IDconference resulted from merging EVOTE and Vote-ID, and 18 years have now elapsed sincethe first EVOTE conference in Austria.Since that conference in 2004, over 1500 experts have attended the venue, including scholars,practitioners, authorities, electoral managers, vendors, and PhD students. E-Vote-ID collectsthe most relevant debates on the development of electronic voting, from aspects relating tosecurity and usability through to practical experiences and applications of voting systems, alsoincluding legal, social, or political aspects, amongst others, turning out to be an importantglobal referent on these issues

Formal Verification of Verifiability in E-Voting Protocols

Election verifiability is one of the main security properties of e-voting protocols, referring to the ability of independent entities, such as voters or election observers, to validate the outcome of the voting process. It can be ensured by means of formal verification that applies mathematical logic to verify the considered protocols under well-defined assumptions, specifications, and corruption scenarios. Automated tools allow an efficient and accurate way to perform formal verification, enabling comprehensive analysis of all execution scenarios and eliminating the human errors in the manual verification. The existing formal verification frameworks that are suitable for automation are not general enough to cover a broad class of e-voting protocols. They do not cover revoting and cannot be tuned to weaker or stronger levels of security that may be achievable in practice. We therefore propose a general formal framework that allows automated verification of verifiability in e-voting protocols. Our framework is easily applicable to many protocols and corruption scenarios. It also allows refined specifications of election procedures, for example accounting for revote policies. We apply our framework to the analysis of several real-world case studies, where we capture both known and new attacks, and provide new security guarantees. First, we consider Helios, a prominent web-based e-voting protocol, which aims to provide end-to-end verifiability. It is however vulnerable to ballot stuffing when the voting server is corrupt. Second, we consider Belenios, which builds upon Helios and aims to achieve stronger verifiability, preventing ballot stuffing by splitting the trust between a registrar and the server. Both of these systems have been used in many real-world elections. Our third case study is Selene, which aims to simplify the individual verification procedure for voters, providing them with trackers for verifying their votes in the clear at the end of election. Finally, we consider the Estonian e-voting protocol, that has been deployed for national elections since 2005. The protocol has continuously evolved to offer better verifiability guarantees but has no formal analysis. We apply our framework to realistic models of all these protocols, deriving the first automated formal analysis in each case. As a result, we find several new attacks, improve the corresponding protocols to address their weakness, and prove that verifiability holds for the new versions