Individual Verifiability for E-Voting, From Formal Verification To Machine Learning

The cornerstone of secure electronic voting protocols lies in the principle of individual verifiability. This thesis delves into the intricate task of harmonizing this principle with two other crucial aspects: ballot privacy and coercion-resistance. In the realm of electronic voting, individual verifiability serves as a critical safeguard. It empowers each voter with the ability to confirm that their vote has been accurately recorded and counted in the final tally. This thesis explores the intricate balance between this pivotal aspect of electronic voting and the equally important facets of ballot privacy and coercion-resistance. Ballot privacy, or the assurance that a voter's choice remains confidential, is a fundamental right in democratic processes. It ensures that voters can express their political preferences without fear of retribution or discrimination. On the other hand, coercion-resistance refers to the system's resilience against attempts to influence or manipulate a voter's choice. Furthermore, this thesis also ventures into an empirical analysis of the effectiveness of individual voter checks in ensuring a correct election outcome. It considers a scenario where an adversary possesses additional knowledge about the individual voters and can strategically decide which voters to target. The study aims to estimate the degree to which these checks can still guarantee the accuracy of the election results under such circumstances. In essence, this thesis embarks on a comprehensive exploration of the dynamics between individual verifiability, ballot privacy, and coercion-resistance in secure electronic voting protocols. It also seeks to quantify the effectiveness of individual voter checks in maintaining the integrity of election outcomes, particularly when faced with a knowledgeable and capable adversary. The first contribution of this thesis is revisiting the seminal coercion-resistant e-voting protocol by Juels, Catalano, and Jakobsson (JCJ), examining its usability and practicality. It discusses the credential handling system proposed by Neumann et al., which uses a smart card to unlock or fake credentials via a PIN code. The thesis identifies several security concerns with the JCJ protocol, including an attack on coercion-resistance due to information leakage from the removal of duplicate ballots. It also addresses the issues of PIN errors and the single point of failure associated with the smart card. To mitigate these vulnerabilities, we propose hardware-flexible protocols that allow credentials to be stored by ordinary means while still being PIN-based and providing PIN error resilience. One of these protocols features a linear tally complexity, ensuring efficiency and scalability for large-scale electronic voting systems. The second contribution of this thesis pertains to the exploration and validation of the ballot privacy definition proposed by Cortier et. al., particularly in the context of an adversarial presence. Our exploration involves both the Selene and the MiniVoting abstract scheme. We apply Cortier's definition of ballot privacy to this scheme, investigating how it holds up under this framework. To ensure the validity of our findings, we employ the use of tools for machine-checked proof. This method provides a rigorous and reliable means of verifying our results, ensuring that our conclusions are both accurate and trustworthy. The final contribution of this thesis is a detailed examination and analysis of the Estonian election results. This analysis is conducted in several phases, each contributing to a comprehensive understanding of the election process. The first phase involves a comprehensive marginal analysis of the Estonian election results. We compute upper bounds for several margins, providing a detailed statistical overview of the election outcome. This analysis allows us to identify key trends and patterns in the voting data, laying the groundwork for the subsequent phase of our research. We then train multiple binary classifiers to predict whether a voter is likely to verify their vote. This predictive modeling enables an adversary to gain insights into voter behavior and the factors that may influence their decision to verify their vote. With the insights gained from the previous phases, an adversarial classification algorithm for verifying voters is trained. The likelihood of such an adversary is calculated using various machine learning models, providing a more robust assessment of potential threats to the election process

Distinguishing Cartesian Products of Countable Graphs

The distinguishing number D(G) of a graph G is the minimum number of colors needed to color the vertices of G such that the coloring is preserved only by the trivial automorphism. In this paper we improve results about the distinguishing number of Cartesian products of finite and infinite graphs by removing restrictions to prime or relatively prime factors

Revisiting Practical and Usable Coercion-Resistant Remote E-Voting

In this paper we revisit the seminal coercion-resistant e-voting protocol by Juels, Catalano and Jakobsson (JCJ) and in particular the attempts to make it usable and practical. In JCJ the user needs to handle cryptographic credentials and be able to fake these in case of coercion. In a series of three papers Neumann et al. analysed the usability of JCJ, and constructed and implemented a practical credential handling system using a smart card which unlock the true credential via a PIN code, respectively fake the credential via faking the PIN. We present several attacks and problems with the security of this protocol, especially an attack on coercion-resistance due to information leakage from the removal of duplicate ballots. Another problem, already stressed but not solved by Neumann et al, is that PIN typos happen frequently and would invalidate the cast vote without the voter being able to detect this. We construct different protocols which repair these problems. Further, the smart card is a trusted component which can invalidate cast votes without detection and can be removed by a coercer to force abstention, i.e. presenting a single point of failure. Hence we choose to make the protocols hardware-flexible i.e. also allowing the credentials to be store by ordinary means, but still being PIN based and providing PIN error resilience. Finally, one of the protocols has a linear tally complexity to ensure an efficient scheme also with many voters

"Just for the sake of transparency": Exploring Voter Mental Models Of Verifiability

Verifiable voting schemes allow voters to verify their individual votes and the election outcome. The voting protocol Selene offers verification of plaintext votes while preserving privacy. Misconceptions of verification mechanisms might result in voters mistrust of the system or abstaining from using it. In this paper, we interviewed 24 participants and invited them to illustrate their mental models of Selene. The drawings demonstrated different levels of sophistication and four mental models: 1) technology understanding, 2) meaning of the verification phase, 3) security concerns, and 4) unnecessary steps. We highlight the misconceptions expressed regarding Internet voting technologies and the system design. Based on our findings, we conclude with recommendations for future implementations of Selene as well as for the design of Internet voting systems in general

Asthma disease as cause of admission to hospitals due to exposure to ambient oxidants in Mashhad, Iran

Nowadays, asthma is one of the most common chronic respiratory diseases, worldwide. Many reports have emphasized the correlation between the short-term exposure to the ambient air pollutants and acute respiratory diseases, especially among children with asthmatic symptoms. The aim of this study was to evaluate the relationship between the exposure to three atmospheric antioxidants (NO2, SO2, and O3) and hospital admission due to asthmatic disease (HAAD) in the city of Mashhad, Iran. The concentrations of atmospheric antioxidants were obtained from the real-time monitoring stations located in the city. The collected data were employed for developing predictive models in the AirQ software. In order to investigate the association between short-term exposure to air pollutants and HAAD, the study participants were categorized into two age groups: less than 15 and from 15 to 64Â years old. The results indicated that in people less than 15Â years increase in NO2 (attributable proportion (AP)Â =Â 3.775%, 95% CI 0.897--6.883%), SO2 (APÂ =Â 3.649%, 95% CI 1.295--5.937%), and O3 (APÂ =Â 0.554%,95% CI 0.00--3.321) results in increase in HAAD. While for those aged between 15 and 64Â years, the AP was 4.192% (95% CI 0.450--7.662%) for NO2; 0.0% (95% CI 0.00--1.687%) for SO2; and 0.236% (95% CI 0.00--1.216%) for O3. The number of asthmatic cases who were less than 15Â years admitted to the hospitals during the study period was higher than that of those within the age groups between 15 and 64Â years as a consequence of exposure to NO2 (101 vs. 75), SO2 (98 vs. 0), and O3 (15 vs. 3), respectively. To the best of our knowledge, the AirQ model has not been applied before to estimate the effect of atmospheric antioxidant exposure on hospital admission because of asthma disease. Eventually, this model is proposed to be applicable for other cities around the world

Machine-Checked Proofs of Privacy Against Malicious Boards for Selene & Co

International audiencePrivacy is a notoriously difficult property to achieve in complicated systems and especially in electronic voting schemes. Moreover, electronic voting schemes is a class of systems that require very high assurance. The literature contains a number of ballot privacy definitions along with security proofs for common systems. Some machine-checked security proofs have also appeared. We define a new ballot privacy notion that captures a larger class of voting schemes. This notion improves on the state of the art by taking into account that verification in many schemes will happen or must happen after the tally has been published, not before as in previous definitions. As a case study we give a machine-checked proof of privacy for Selene, which is a remote electronic voting scheme which offers an attractive mix of security properties and usability. Prior to our work, the computational privacy of Selene has never been formally verified. Finally, we also prove that MiniVoting and Belenios satisfies our definition