Ceremonies for End-to-End Verifiable Elections

State-of-the-art e-voting systems rely on voters to perform certain actions to ensure that the election authorities are not manipulating the election result. This so-called “end-to-end (E2E) verifiability” is the hallmark of current e-voting protocols; nevertheless, thorough analysis of current systems is still far from being complete. In this work, we initiate the study of e-voting protocols as ceremonies. A ceremony, as introduced by Ellison [23], is an extension of the notion of a protocol that includes human participants as separate nodes of the system that should be taken into account when performing the security analysis. that centers on the two properties of end-to-end verifiability and voter privacy and allows the consideration of arbitrary behavioural distributions for the human participants. We then analyse the Helios system as an e-voting ceremony. Security in the e-voting ceremony model requires the specification of a class of human behaviours with respect to which the security properties can be preserved. We show how end-to-end verifiability and voter privacy are sensitive to human behaviour in the protocol by characterizing the set of behaviours under which the security can be preserved and also showing explicit scenarios where it fails. We then provide experimental evaluation with human subjects from two different sources where people used Helios: the elections of the International Association for Cryptologic Research (IACR) and a poll of senior year computer science students. We report on the auditing behaviour of the participants as we measured it and we discuss the effects on the level of certainty that can be given by each of the two electorates. The outcome of our analysis is a negative one: the auditing behaviour of people (including cryptographers) is not sufficient to ensure the correctness of the tally with good probability in either case studied. The same holds true even for simulated data that capture the case of relatively well trained participants while, finally, the security of the ceremony can be shown but under the assumption of essentially ideally behaving human subjects. We note that while our results are stated for Helios, they automatically transfer to various other e-voting systems that, as Helios, rely on client-side encryption to encode the voter’s choice

Public Evidence from Secret Ballots

Elections seem simple---aren't they just counting? But they have a unique, challenging combination of security and privacy requirements. The stakes are high; the context is adversarial; the electorate needs to be convinced that the results are correct; and the secrecy of the ballot must be ensured. And they have practical constraints: time is of the essence, and voting systems need to be affordable and maintainable, and usable by voters, election officials, and pollworkers. It is thus not surprising that voting is a rich research area spanning theory, applied cryptography, practical systems analysis, usable security, and statistics. Election integrity involves two key concepts: convincing evidence that outcomes are correct and privacy, which amounts to convincing assurance that there is no evidence about how any given person voted. These are obviously in tension. We examine how current systems walk this tightrope.Comment: To appear in E-Vote-Id '1

Comparing "challenge-based" and "code-based" internet voting verification implementations

Internet-enabled voting introduces an element of invisibility and unfamiliarity into the voting process, which makes it very different from traditional voting. Voters might be concerned about their vote being recorded correctly and included in the final tally. To mitigate mistrust, many Internet-enabled voting systems build verifiability into their systems. This allows voters to verify that their votes have been cast as intended, stored as cast and tallied as stored at the conclusion of the voting period. Verification implementations have not been universally successful, mostly due to voter difficulties using them. Here, we evaluate two cast as intended verification approaches in a lab study: (1) "Challenge-Based" and (2) "Code-Based". We assessed cast-as-intended vote verification efficacy, and identified usability issues related to verifying and/or vote casting. We also explored acceptance issues post-verification, to see whether our participants were willing to engage with Internet voting in a real election. Our study revealed the superiority of the code-based approach, in terms of ability to verify effectively. In terms of real-life Internet voting acceptance, convenience encourages acceptance, while security concerns and complexity might lead to rejection

Applying Block Chain Technologies to Digital Voting Algorithms

Voting is a fundamental aspect to democracy. Many countries have advanced voting systems in place, but many of these systems have issues behind them such as not being anonymous or verifiable. Additionally, most voting systems currently have a central authority in charge of counting votes, which can be prone to corruption. We propose a voting system which mitigates many of these issues. Our voting system attempts to provide decentralization, pseudoanonymity, and verifiability. For our system, we have identified the requirements, implemented the backbone of the system, recognized some of its shortcomings, and proposed areas of future work on this voting system

End-to-end verifiable voting for developing countries -- what's hard in Lausanne is harder still in Lahore

In recent years end-to-end verifiable voting (E2EVV) has emerged as a promising new paradigm to conduct evidence-based elections. However, E2EVV systems thus far have primarily been designed for the developed world and the fundamental assumptions underlying the design of these systems do not readily translate to the developing world, and may even act as potential barriers to adoption of these systems. This is unfortunate because developing countries account for 80\% of the global population, and given their economic and socio-political dilemmas and their track record of contentious elections, these countries arguably stand to benefit most from this exciting new paradigm. In this paper, we highlight various limitations and challenges in adapting E2EVV systems to these environments, broadly classed across social, political, technical, operational, and human dimensions. We articulate corresponding research questions and identify significant literature gaps in these categories. We also suggest relevant strategies to aid researchers, practitioners, and policymakers in visualizing and exploring solutions that align with the context and unique ground realities in these environments. Our goal is to outline a broader research agenda for the community to successfully adapt E2EVV voting systems to developing countries

End-to-end verifiable voting for developing countries - what’s hard in Lausanne is harder still in Lahore

In recent years end-to-end verifiable voting (E2EVV) has emerged as a promising new paradigm to conduct evidence-based elections. However, E2EVV systems thus far have primarily been designed for the developed world and the fundamental assumptions underlying the design of these systems do not readily translate to the developing world, and may even act as potential barriers to adoption of these systems. This is unfortunate because developing countries account for 80\% of the global population, and given their economic and socio-political dilemmas and their track record of contentious elections, these countries arguably stand to benefit most from this exciting new paradigm. In this paper, we highlight various limitations and challenges in adapting E2EVV systems to these environments, broadly classed across social, political, technical, operational, and human dimensions. We articulate corresponding research questions and identify significant literature gaps in these categories. We also suggest relevant strategies to aid researchers, practitioners, and policymakers in visualizing and exploring solutions that align with the context and unique ground realities in these environments. Our goal is to outline a broader research agenda for the community to successfully adapt E2EVV voting systems to developing countries

Election Security Is Harder Than You Think

Recent years have seen the rise of nation-state interference in elections across the globe, making the ever-present need for more secure elections all the more dire. While certain common-sense approaches have been a typical response in the past, e.g. ``don't connect voting machines to the Internet'' and ``use a voting system with a paper trail'', known-good solutions to improving election security have languished in relative obscurity for decades. These techniques are only now finally being implemented at scale, and that implementation has brought the intricacies of sophisticated approaches to election security into full relief. This dissertation argues that while approaches to improve election security like paper ballots and post-election audits seem straightforward, in reality there are significant practical barriers to sufficient implementation. Overcoming these barriers is a necessary condition for an election to be secure, and while doing so is possible, it requires significant refinement of existing techniques. In order to better understand how election security technology can be improved, I first develop what it means for an election to be secure. I then delve into experimental results regarding voter-verified paper, discussing the challenges presented by paper ballots as well as some strategies to improve the security they can deliver. I examine the post-election audit ecosystem and propose a manifest improvement to audit workload analysis through parallelization. Finally, I show that even when all of these conditions are met (as in a vote-by-mail scenario), there are still wrinkles that must be addressed for an election to be truly secure.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/163272/1/matber_1.pd

Natural Strategic Abilities in Voting Protocols

Security properties are often focused on the technological side of the system. One implicitly assumes that the users will behave in the right way to preserve the property at hand. In real life, this cannot be taken for granted. In particular, security mechanisms that are difficult and costly to use are often ignored by the users, and do not really defend the system against possible attacks. Here, we propose a graded notion of security based on the complexity of the user's strategic behavior. More precisely, we suggest that the level to which a security property $\varphi$ is satisfied can be defined in terms of (a) the complexity of the strategy that the voter needs to execute to make $\varphi$ true, and (b) the resources that the user must employ on the way. The simpler and cheaper to obtain $\varphi$, the higher the degree of security. We demonstrate how the idea works in a case study based on an electronic voting scenario. To this end, we model the vVote implementation of the \Pret voting protocol for coercion-resistant and voter-verifiable elections. Then, we identify "natural" strategies for the voter to obtain receipt-freeness, and measure the voter's effort that they require. We also look at how hard it is for the coercer to compromise the election through a randomization attack