15 research outputs found

    Guess my vote : a study of opacity and information flow in voting systems

    With an overall theme of information flow, this thesis has two main strands. In the first part of the thesis, I review existing information flow properties, highlighting a recent definition known as opacity [25]. Intuitively, a predicate φ is opaque if for every run in which φ is true, there exists an indistinguishable run in which it is false, where a run can be regarded as a sequence of events. Hence, the observer is never able to establish the truth of φ. The predicate φ can be defined according to requirements of the system, giving opacity a great deal of flexibility and versatility. Opacity is then studied in relation to several well-known definitions for information flow. As will be shown, several of these properties can be cast as variations of opacity, while others have a relationship by implication with the opacity property [139]. This demonstrates the flexibility of opacity, at the same time establishing its distinct character. In the second part of the thesis, I investigate information flow in voting systems. Prêt à Voter [36] is the main exemplar, and is compared to other schemes in the case study. I first analyse information flow in Prêt à Voter and the FOO scheme [59], concentrating on the core protocols. The aim is to investigate the security requirements of each scheme, and the extent to which they can be captured using opacity. I then discuss a systems-based analysis of Prêt à Voter [163], which adapts and extends an earlier analysis of the Chaum [35] and Neff [131], [132], [133] schemes in [92]. Although this analysis has identified several potential vulnerabilities, it cannot be regarded as systematic, and a more rigorous approach may be necessary. It is possible that a combination of the information flow and systems-based analyses might be the answer. The analysis of coercion-resistance, which is performed on Prêt à Voter and the FOO scheme, may exemplify this more systematic approach.
    Receipt-freeness usually means that the voter is unable to construct a proof of her vote. Coercion-resistance is a stronger property in that it accounts for the possibility of interaction between the coercer and the voter during protocol execution. It appears that the opacity property is ideally suited to expressing the requirements for coercion-resistance in each scheme. A formal definition of receipt-freeness cast as a variation of opacity is proposed [138], together with suggestions on how it might be reinforced to capture coercion-resistance. In total, the thesis demonstrates the remarkable flexibility of opacity, both in expressing differing security requirements and as a tool for security analysis. This work lays the groundwork for future enhancement of the opacity framework. EThOS - Electronic Theses Online Service; DSTL : EPSRC; GB; United Kingdo

    Investigation of hospital discharge cases and SARS-CoV-2 introduction into Lothian care homes

    Background: The first epidemic wave of severe acute respiratory syndrome coronavirus-2 (SARS-CoV-2) in Scotland resulted in high case numbers and mortality in care homes. In Lothian, over one-third of care homes reported an outbreak, while there was limited testing of hospital patients discharged to care homes. Aim: To investigate patients discharged from hospitals as a source of SARS-CoV-2 introduction into care homes during the first epidemic wave. Methods: A clinical review was performed for all patients discharged from hospitals to care homes from 1st March 2020 to 31st May 2020. Episodes were ruled out based on coronavirus disease 2019 (COVID-19) test history, clinical assessment at discharge, whole-genome sequencing (WGS) data and an infectious period of 14 days. Clinical samples were processed for WGS, and consensus genomes generated were used for analysis using Cluster Investigation and Virus Epidemiological Tool software. Patient timelines were obtained using electronic hospital records. Findings: In total, 787 patients discharged from hospitals to care homes were identified. Of these, 776 (99%) were ruled out for subsequent introduction of SARS-CoV-2 into care homes. However, for 10 episodes, the results were inconclusive as there was low genomic diversity in consensus genomes or no sequencing data were available. Only one discharge episode had a genomic, time and location link to positive cases during hospital admission, leading to 10 positive cases in their care home. Conclusion: The majority of patients discharged from hospitals were ruled out for introduction of SARS-CoV-2 into care homes, highlighting the importance of screening all new admissions when faced with a novel emerging virus and no available vaccine.

    SARS-CoV-2 Omicron is an immune escape variant with an altered cell entry pathway

    Vaccines based on the spike protein of SARS-CoV-2 are a cornerstone of the public health response to COVID-19. The emergence of hypermutated, increasingly transmissible variants of concern (VOCs) threatens this strategy. Omicron (B.1.1.529), the fifth VOC to be described, harbours multiple amino acid mutations in spike, half of which lie within the receptor-binding domain. Here we demonstrate substantial evasion of neutralization by Omicron BA.1 and BA.2 variants in vitro using sera from individuals vaccinated with ChAdOx1, BNT162b2 and mRNA-1273. These data were mirrored by a substantial reduction in real-world vaccine effectiveness that was partially restored by booster vaccination. The Omicron variants BA.1 and BA.2 did not induce cell syncytia in vitro and favoured a TMPRSS2-independent endosomal entry pathway, these phenotypes mapping to distinct regions of the spike protein. Impaired cell fusion was determined by the receptor-binding domain, while endosomal entry mapped to the S2 domain. Such marked changes in antigenicity and replicative biology may underlie the rapid global spread and altered pathogenicity of the Omicron variant.

    Prêt à Voter: a systems perspective

    Numerous cryptographic voting schemes have been proposed in recent years. Many of these have highly desirable formal security properties. However, as with all security systems, even a well-designed technical system can be undermined by implementation details or environmental factors, typically including human users, that violate (often implicit) assumptions of the design and evaluation. In ‘Cryptographic Voting Protocols: a System Perspective’ [11] Karlof et al. perform a systems-based analysis of the Chaum [5] and Neff [17], [18], [19] schemes. They identify a number of vulnerabilities and discuss possible mitigations and counter-measures. In this paper, we examine the extent to which these vulnerabilities carry over to the Prêt à Voter scheme [6]. In addition, we describe some further systems-based vulnerabilities not identified in [11]. We also discuss some further threats, such as chain voting attacks, which do not apply to the Chaum or Neff schemes but to which Prêt à Voter is vulnerable, unless appropriate countermeasures are deployed. It turns out that Prêt à Voter is remarkably robust to most of the vulnerabilities described in [11] and here.

    UNIVERSITY OF NEWCASTLE UPON TYNE

    Cryptographic voting schemes strive to provide high assurance of accuracy and secrecy with minimal trust assumptions, in particular, avoiding the need to trust software, hardware, suppliers, officials etc. Ideally we would like to make a voting process as transparent as possible and so base our assurance purely on the vigilance of the electorate at large, via suitable cryptographic algorithms and protocols. However, it is important to recognize that election systems are above all socio-technical systems: they must be usable by the electorate at large. As a result, it may be necessary to trade off technical perfection against simplicity and usability. We illustrate this tension via design decisions in the Prêt à Voter scheme. © 2006 University of Newcastle upon Tyne

    A Case Study in System-Based Analysis: The ThreeBallot Voting System and Prêt à Voter

    Threat analysis of voting systems is a field of increasing interest. While it is important to verify the system itself, it has been found that certain vulnerabilities only become apparent when taking a “system-based” view, i.e. considering interactions between the various components of a scheme. In this paper we apply a model for system-based analysis to carry out a systematic threat analysis of the ThreeBallot voting system and Prêt à Voter.

    Added entries UNIVERSITY OF NEWCASTLE UPON TYNE

    There has recently been keen interest in the threat analysis of voting systems. While it is important to verify the system itself, it has been found that certain vulnerabilities only become apparent when taking a “systems-based” view, i.e. considering interactions between the various components of a scheme [13, 24]. Threat analysis has so far been of three main forms: systems-based, protocol-level and taxonomy check-lists. We discuss these approaches before presenting a model for analysis of voting systems that essentially combines the first two methods, while avoiding the repetition that can occur with the latter. The model is described in detail, and demonstrated with an example from a case study of the Ryan-Randell “Scratch Card” voting system [20].

    Added entries UNIVERSITY OF NEWCASTLE UPON TYNE

    Threat analysis of voting systems is an increasing field of interest. While it is important to verify the system itself, it has been found that certain vulnerabilities only become apparent when taking a “system-based” view, i.e. considering interactions between the various components of a scheme. In this paper we apply a model for system-based analysis [22] to carry out a systematic threat analysis of the ThreeBallot voting system [18] and Prêt à Voter [8]. © 2007 University of Newcastle upon Tyne. Printed and published by the University of Newcastle upon Tyne

    Using Prêt à Voter in Victorian State Elections

    The Prêt à Voter cryptographic voting system was designed to be flexible and to offer voters a familiar and easy voting experience. In this paper we present a case study of our efforts to adapt Prêt à Voter to the idiosyncrasies of elections in the Australian state of Victoria. The general background and desired user experience have previously been described; here we concentrate on the cryptographic protocols for dealing with some unusual aspects of Victorian voting. We explain the problems, present solutions, then analyse their security properties and explain how they tie in to other design decisions. We hope this will be an interesting case study on the application of end-to-end verifiable voting protocols to real elections.

    A Supervised Verifiable Voting Protocol for the Victorian Electoral Commission

    This paper describes the design of a supervised verifiable voting protocol suitable for use for elections in the state of Victoria, Australia. We provide a brief overview of the style and nature of the elections held in Victoria and associated challenges. Our protocol, based on Prêt à Voter, presents a new ballot overprinting front-end design, which assists the voter in completing the potentially complex ballot. We also present and analyse a series of modifications to the back-end that will enable it to handle the large number of candidates, 35+, with ranking single transferable vote (STV), which some Victorian elections require. We conclude with a threat analysis of the scheme and a discussion on the impact of the modifications on the integrity and privacy assumptions of Prêt à Voter.