
Secure Electronic Voting

Dr. Costas Lambrinoudakis


Lecturer, Dept. of Information and Communication Systems Engineering, University of the Aegean, Greece, and Technical Director, e-Vote Project (European Commission, IST Program)

What is electronic voting?


An electronic voting (e-voting) system is a voting system in which the election data is recorded, stored and processed primarily as digital information.
Network Voting System Standards, VoteHere, Inc., April 2002
Taxonomy of voting systems (from the slide's diagram):

Voting
- Paper voting
  - Paper ballots
  - Punch cards
  - ...
- E-voting
  - Polling place voting
    - Precinct voting
    - Kiosk voting
  - Internet voting

COMPSEC-2003 / Friday 31-10-2003

C. Lambrinoudakis Secure Electronic Voting

Do we need electronic voting systems?*


- Electronic voting has been considered an efficient and cost-effective alternative to, or complement of, the conventional voting procedure.
- E-voting systems could lead to increased voter turnout, thus supporting the democratic process.
- They could give elections new potential (by providing ballots in multiple languages, accommodating lengthy ballots, etc.), thus enhancing the democratic process.
- They could open a new market, supporting commerce and employment.
* D. Gritzalis (Ed.), Secure Electronic Voting, Kluwer Academic Publishers, USA, January 2003.

Opportunities for electronic voting


- Most countries believe that Internet voting will occur within the next decade.
- Internet voting options satisfy voters' desire for convenience.
- Internet voting can satisfy the requirements of people with special needs.
- Several countries are willing to try Internet voting for a small-scale election (local or regional).
- The technology is available.

Barriers to electronic voting


- Lack of common voting system standards across nations.
- Time and difficulty of changing national election laws.
- Time and cost of certifying a voting system.
- Security and reliability of electronic voting.
- Equal access to Internet voting for all socioeconomic groups.
- The Digital Divide problem (both for election organisers and voters).
- Political risk associated with trying a new voting system.
- Need for security and election experts.

Generic voting principles


- Only eligible persons can vote.
- No person can vote more than once.
- The vote is secret.
- Each (correctly cast) vote gets counted.
- The voters trust that their vote is counted.
Internet Policy Institute, Report of the National Workshop on Internet Voting, March 2001


Identifying e-Voting Requirements


But do we really know what functionality is expected from an e-voting system?
- To which election process does it apply (General Elections, Internal Elections, Polls, ...)?
- Does it comply with the existing legal framework?
- Is it secure?
- Are the actors (users) of the system and their roles clearly defined?

Identifying e-Voting Requirements


Two approaches for ... what we need. An e-voting system may be specified either:
- as a set of guidelines to be adopted for ensuring conformance to the legislation (State Authority point of view), or
- in terms of the problems associated with the provision of an adequate level of security (anonymity, authentication, tractability, etc.) (System Engineer point of view).

Identifying e-Voting Requirements


None of these approaches is complete!
- Legal Requirements: abstract formulations (laws, principles, etc.)
- Functional Requirements: usability properties
- Non-Functional Requirements: security and system properties (flexibility, efficiency, etc.)

Identifying e-Voting Requirements


A third approach, proposed by the e-VOTE project*: requirements elicitation based on a Generic Voting Model, taking into account the:
- European Union legislation.
- Organisational details of the conventional voting processes.
- Opportunities offered and the constraints imposed by state-of-the-art technologies.

The aim of the developers is to express:
- The legal requirements.
- The security (non-functional) requirements.
- The functional requirements.
as a User Requirements Specification document that sets specific Design Criteria.

* Consortium: Q&R (GR), Univ. of the Aegean (GR), Cryptomathic (DK), Univ. of Regensburg (D), Municipality of Amaroussion (GR), Self Governing Region of Kosice (SK)

Design Criteria
(Non-functional: Security and other System Properties)

For an electronic voting system to comply with the constitutional and legal requirements, it must exhibit specific security properties, aiming at protecting the:

- Democracy: Only eligible voters are allowed to vote and each eligible voter can only cast a single vote.
- Accuracy: The announced tally exactly matches the actual outcome of the election, implying that no one can change anyone else's vote, all valid votes are included in the final tally and no invalid vote is included in the final tally.
- Privacy: No one should be able to determine how any other individual voted.
- Integrity: Votes should not be able to be modified without detection.
- Verifiability: Mechanisms for auditing the election in order to ensure that it has been properly conducted (Universal or Individual).
- Robustness: No reasonably sized coalition of voters or authorities may disrupt the election. Protection against external threats and attacks, e.g. denial of service attacks.
- Non-coercibility: Voters should not be able to convince any other participant of what they have voted. There is no receipt proving the content of their vote.
- Fairness: Ensures that no one can learn the outcome of the election before the announcement of the tally.
- Verifiable Participation: Ensures that it is possible to find out whether a particular voter has participated in the election by casting a ballot or not.
- Transparency: Participants should be able to possess a general understanding of the entire process.
- Flexibility: Equipment should allow for a variety of ballot question formats, in various languages and adaptable to many types of election processes.
- Convenience: Voters should be able to cast votes with minimal equipment and skills.
- Reliability: The system must be resistant to randomly generated malfunctions.
- Voter Mobility: There should be no restrictions on the location from which a voter can cast a vote.
- Efficiency: Overall system performance (the complexity of the scheme becomes a crucial system parameter). The time needed by a voter to cast a ballot poses an upper bound on the number of voters that are allowed to participate in a specific election (scalability).

Design Criteria
(Functional Requirements)

Support all essential services for organizing and conducting an opinion-expressing process:
- Poll
- Decision-making (e.g. Referenda)
- Internal election
- General election

Depending on the specific process, the services may include voter registration, vote casting, voter authentication, calculation of the vote tally, verification of the election result, etc.

Requirements for different types of election processes


The General Election requirements are practically a superset of those regarding the other election processes:
- Polls
- Decision-making procedures (e.g. Referenda)
- Internal elections
- General elections

The e-VOTE System


Provides all the necessary services for organising and conducting a voting process:
- Election Set-up: supports election organisers in registering all eligible voters, issuing authentication means, generating ballots, managing and specifying voting districts, etc.
- Election in Progress: offers an easy and user-friendly environment for the interaction of the voter with the system through a conventional WWW browser.
- Election Concluded: automatic generation of the vote tally.

- Modular and highly flexible multi-tier architecture that supports a wide range of voting processes (use of election templates).
- Its operation is independent of the geographical coverage of the voting process and thus of the number of voting districts and voters.

The e-VOTE System


- The voting protocol (Damgaard-Jurik) is based on a homomorphic encryption scheme known as the Generalised Paillier encryption scheme.
- Instead of hiding the identity of the voters, using anonymous voting methods, the protocol hides the contents of the ballot itself.
- The ballot is submitted in a traceable manner, attached to the voter identity, so that the verifiability property is easily satisfied.
- The vote tally can be calculated without decrypting any of the ballots, because the scheme is additively homomorphic: E(T1) · E(T2) = E(T1 + T2)

The e-VOTE System


- The clear text vote (M^j) is encrypted, and a zero-knowledge proof that the cipher-text vote is of the form M^j for j in [0, ..., L-1] is produced.
- The encrypted vote is the pair of the cipher text and the zero-knowledge proof.
- The encryption of the vote is done with a public key. The decryption of the result is done with a private key that has been secret-shared among the tally servers.
- The shares are constructed w.r.t. a threshold value t, so that no information about the private key leaks as long as at most t servers are corrupt; t+1 servers are needed for decrypting the result.
- There are no competing protocols using homomorphic encryption; ordinary ElGamal is too slow for large numbers of voters and candidates.
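The additive homomorphism E(T1) · E(T2) = E(T1 + T2) and the M^j vote encoding from the two slides above, as an added example that is not the e-VOTE project's code: plain Paillier (the Damgaard-Jurik scheme with s = 1) at toy key size, tallying encrypted ballots without decrypting any individual ballot. The threshold-shared private key and the zero-knowledge proof the slides describe are not implemented here; a single private key and honestly formed ballots are assumed.

```python
# Added example: plain Paillier (Damgaard-Jurik with s = 1); toy key sizes only.
import math
import secrets

def L(u: int, n: int) -> int:
    """Paillier's L function: (u - 1) / n for u = 1 (mod n)."""
    return (u - 1) // n

def keygen(p: int, q: int):
    """Key pair from two primes (toy sizes here; real keys use 2048-bit moduli)."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)              # Carmichael's lambda(n)
    g = n + 1                                 # standard generator choice
    mu = pow(L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)

def encrypt(pub, m: int) -> int:
    """E(m) = g^m * r^n mod n^2 with a fresh random r, so E is randomised."""
    n, g = pub
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)

def decrypt(pub, priv, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    return (L(pow(c, lam, n * n), n) * mu) % n

def encode_vote(candidate: int, base: int) -> int:
    """A vote for candidate j is the plaintext base^j (the slides' M^j)."""
    return base ** candidate

def tally(pub, priv, ballots, num_candidates: int, base: int):
    """Multiply all ciphertexts, decrypt once, split the sum into per-candidate counts."""
    n, _ = pub
    if len(ballots) >= base:   # base must exceed the voter count or counters overflow
        raise ValueError("too many voters for the chosen base")
    product = 1
    for c in ballots:
        product = (product * c) % (n * n)     # E(a) * E(b) = E(a + b); no ballot decrypted
    total = decrypt(pub, priv, product)       # = sum of base^j over all ballots
    counts = []
    for _ in range(num_candidates):
        counts.append(total % base)           # digit j of the sum = votes for candidate j
        total //= base
    return counts
```

The base M bounds the number of voters per election, which is the scalability limit the Efficiency criterion refers to.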

The e-VOTE System


[Architecture diagram: Voter (Web browser) and Administrative client connect to the Web server; Registration client interacts with the CA via PKCS#10/PKCS#7; encrypted ballots are posted to the Message board; the Tally servers each contribute Decryption shares.]

Is a Secure Voting Protocol Enough ??


A lot of research effort has been spent on designing and building voting protocols that can support the voting process while fulfilling the security requirements (design criteria). However, not much attention has been paid to the administrative part of an electronic voting system, which supports the actors of the system in setting up the election. Possible security gaps in the administrative workflow of the system may deteriorate the overall security level of the system.

Workflow

[Workflow diagram; not recoverable from the extracted text.]

Identified System Actors


Actors and their description:
- Election Organizers: People responsible for organizing the election process and ensuring that it is properly conducted.
- Election Personnel: People actually performing the system use-cases, under the supervision of Election Organizers.
- Judicial Officers: People responsible for monitoring the election process and ensuring that it is carried out in a legal way.
- Party Representatives: People appointed by parties to monitor the election process.
- Independent Third Parties: People neutral from participating parties, responsible for monitoring the election process and for providing reasonable assurance with regard to its integrity.
- Voters: People eligible to participate in the voting process.

Actors participation in e-voting: Authorization and Validation


- Use cases can only be performed by authorized actors ("roles").
- An additional validation phase is employed before committing the outcome of a use case.
- The validation phase is implemented through a separate use case, namely "Validate Action".

Actors participation in e-voting


Use cases and participating roles (Election Organizer, Party Representative, Election Personnel, Voter, Judicial Officer, Independent Third Party). Each table cell marks a role as activating the use case (A) or validating the action (V); the row/column positions of the cells did not survive extraction, so only the use cases and the extracted entries are listed.

Use cases: Authenticate Actor, Validate Action, Modify System State, Manage Election Districts, Provide Election System Parameters.
Extracted entries: N/A; A A A; A A; A A V; A A V.

Actors participation in e-voting (continued)

Use cases: Manage Voters, Provide Authentication Means, Manage Parties, Manage Candidates, Preview Ballots, Cast Vote, Tally Votes, Verify Result Integrity.
Extracted entries: V V V V A A; A A A A A A; A A; V V; V V.

(Secure) Electronic voting: (instead of) Conclusions


The description of actor roles, together with a clear indication of what each actor is allowed to do with the system, formulates an operational framework that complements the technological security features of the system.

(Secure) electronic voting is:
- A rapidly emerging issue...
- Of a socio-technical nature...
- The subject of contradicting views...
- Further experimentation is needed (in the meantime, as a complement only!)

The debate is still going on...


"The shining lure of these hype-tech voting schemes is only a technological fool's gold that will create new problems far more intractable than those they claim to solve." P. Neumann (SRI) (2002)

"An Internet voting system would be the first secure networked application ever created in the history of computers." B. Schneier (Counterpane) (2002)

"At least a decade of further research and development on the security of home computers is required before Internet voting from home should be contemplated." Ron Rivest (MIT) (2001)

Something like a motto...

Electronic voting: Between pessimism (bureaucracy) and optimism (technology) we choose realism (democracy)!
