The Append-Only Web Bulletin Board

A large number of papers on verifiable electronic voting that have appeared in the literature in recent years have relied heavily on the availability of an append-only web bulletin board. Despite this widespread requirement, however, the notion of an append-only web bulletin board remains somewhat vague, and no method of constructing such a bulletin board has been proposed. This paper fills the gap. We identify the required properties of an append-only web bulletin board, and introduce the concept of certified publishing of messages to the board. We show how such a board can be constructed in order to satisfy the properties we have identified. Finally, we consider how to extend the scheme to make the web bulletin board robust and able to offer assurance to writers of the inclusion of their messages. Although the work presented here has been inspired and motivated by the requirements of electronic voting systems, the web bulletin board is sufficiently general to allow use in other contexts

A Peered Bulletin Board for Robust Use in Verifiable Voting Systems

The Web Bulletin Board (WBB) is a key component of verifiable election systems. It is used in the context of election verification to publish evidence of voting and tallying that voters and officials can check, and where challenges can be launched in the event of malfeasance. In practice, the election authority has responsibility for implementing the web bulletin board correctly and reliably, and will wish to ensure that it behaves correctly even in the presence of failures and attacks. To ensure robustness, an implementation will typically use a number of peers to be able to provide a correct service even when some peers go down or behave dishonestly. In this paper we propose a new protocol to implement such a Web Bulletin Board, motivated by the needs of the vVote verifiable voting system. Using a distributed algorithm increases the complexity of the protocol and requires careful reasoning in order to establish correctness. Here we use the Event-B modelling and refinement approach to establish correctness of the peered design against an idealised specification of the bulletin board behaviour. In particular we show that for n peers, a threshold of t > 2n/3 peers behaving correctly is sufficient to ensure correct behaviour of the bulletin board distributed design. The algorithm also behaves correctly even if honest or dishonest peers temporarily drop out of the protocol and then return. The verification approach also establishes that the protocols used within the bulletin board do not interfere with each other. This is the first time a peered web bulletin board suite of protocols has been formally verified.Comment: 49 page

Implementing broadcast channels with memory for electronic voting systems

To provide universal verifiability, cryptographic voting protocols often require a broadcast channel to spread the election data to the public. The basic requirements on such a broadcast channel are similar for most protocols, for example that the channel maintains a memory of all broadcast messages and that nothing can be deleted from the channel’s memory. In this paper, we provide a formal definition for such broadcast channels with memory and describe their properties. We also analyze the significance of a broadcast channel with memory in cryptographic voting protocols and propose that such a channel is provided in form of a service that we call bulletin board. Based on this service, we analyze some real-world problems that cryptographic voting protocols might have and provide possible solutions. For this we define a generic interface for the main board functionalities, which offers a flexible way of extending the basic properties of a bulletin board to comply with all sorts of additional requirements

Gaining assurance in a voter-verifiable voting system

The literature on e-voting systems has many examples of discussion of the correctness of the computer and communication algorithms of such systems, as well as discussions of their vulnerabilities. However, a gap in the literature concerns the practical need (before adoption of a specific e-voting system) for a complete case demonstrating that the system as a whole has sufficiently high probability of exhibiting the desired properties when in use in an actual election. This paper discusses the problem of producing such a case, with reference to a specific system: a version of the Prêt à Voter scheme for voter-verifiable e-voting. We show a possible organisation of a case in terms of four main requirements – accuracy, privacy, termination and ‘trustedness’– and show some of the detailed organisation that such a case should have, the diverse kinds of evidence that needs to be gathered and some of the interesting difficulties that arise