
Security Aspects of Electronic Voting Systems

Hristina Mihajloska, Vesna Dimitrova and Ljupcho Antovski

Ss Cyril and Methodius University, Faculty of Natural Sciences and Informatics, Institute of Informatics, Skopje, Macedonia

{[email protected], [email protected], [email protected]}

Abstract. An electronic voting (e-voting) system is a voting system in which the election data is recorded, stored and processed primarily as digital information. There are two types of e-voting: on-line, e.g. via the Internet, and off-line, using a voting machine or an electronic polling booth. Security is the main challenge of e-voting, which is why designing a secure e-voting system is so important. In many proposals, the security of the system relies mainly on the black-box voting machine. But data security, voter privacy and vote accuracy are also main aspects that have to be taken into consideration when building a secure e-voting system. This is why, in this paper, we discuss the security aspects of e-voting systems. The focus is on data security, meaning that a cast ballot cannot be altered. The electoral register used in the system does not contain names, only numeric identifiers. Also, the electronic ballot box is sorted in a random way before being decrypted, which protects the privacy of the voters. Otherwise it might be possible to reconstruct the order of arrival of the electronic ballots and break vote anonymity by comparing this order with the date and time of each vote.

Keywords: E-voting system, security, privacy, cryptography.

1 Introduction

Today we live in the era of modern communications and the Internet, where almost everything is accessible electronically. The rapid growth in the number of computer technology users, i.e., Internet users, brings an increasing need for electronic services and for their security. So, using the new technology in the voting process to improve our elections is natural. This new technology refers to electronic voting systems, where the election data is recorded, stored and processed primarily as digital information [2]. In the past, information security was used mostly in military and government institutions, but now the need for this type of security is growing in everyday usage. In computing, e-services and information security it is necessary to ensure that data, communications or documents (electronic or physical) are sufficiently secure and privacy-enabled. Advances in cryptographic techniques allow pretty good privacy in e-voting systems. Security is an adjective, not a noun, in the e-voting process; this is why designing a secure e-voting system is so important. Usually, mechanisms that ensure the security and privacy of an election can be time-consuming, expensive for election administrators, and inconvenient for voters. It is important to mention that the system has to be secure but simple to use, i.e., user-friendly, and the voter must be sure that his/her vote will be counted [7]. There are different levels of e-voting security. Therefore serious measures must be taken to keep it out of the public domain. Also, security must be applied to hide votes from publicity. However, there is no complete security, because everything that can be secured can be unsecured. There is no measurement of an acceptable security level, because the level depends on the type of information. An acceptable security level is always a compromise between usability and the strength of the security method [8]. It is very important to notice that if a system is not carefully designed, it will be easy to manipulate the final ballots.

In this paper we focus on information security, which means that a cast ballot cannot be altered, the electoral register used in the system does not contain names but only numeric identifiers, and the electronic ballot box is sorted in a random way before being decrypted, which protects the privacy of the voters. In the beginning we give a brief introduction to cryptographic primitives (secret key and public key cryptography, hash functions and digital signatures). Next we give a description of the types of e-voting systems. In the last part of this paper, an analysis of the security protocol of an e-voting system is given. Finally we present our conclusions about the security and privacy of this system.

2 Cryptographic primitives

The most important and most used means of supplying security in an e-voting system are cryptographic primitives. Cryptography is the science of information security. It is also said that cryptography is the science of writing in secret code and is an ancient art [10]. The first documented use of cryptography in writing dates back to circa 1900 B.C., when an Egyptian scribe used non-standard hieroglyphs in an inscription. Some experts argue that cryptography appeared spontaneously sometime after writing was invented, with applications ranging from diplomatic missives to war-time battle plans. It is no surprise, then, that new forms of cryptography came soon after the widespread development of computer communications. In data and telecommunications, cryptography is necessary when communicating over any untrusted medium, which includes just about any network, particularly the Internet. Cryptography includes techniques such as microdots, merging words with images, and other ways to hide information in storage or transit. Until modern times, cryptography referred almost exclusively to encryption, which is the process of converting ordinary information (plaintext) into unintelligible ciphertext. Decryption is the reverse, in other words, returning the unintelligible ciphertext back to plaintext. A cipher is a pair of algorithms which perform the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and, in each instance, by a key. This is a secret parameter (known only to the communicants) for a specific message exchange context. Keys are important, as ciphers without variable keys are trivially breakable and therefore less than useful for most purposes. Historically, ciphers were often used directly for encryption or decryption without additional procedures such as authentication or integrity checks. Within the context of any application-to-application communication, there are some specific security requirements, including [1]:

Privacy/confidentiality: Ensuring that no one can read the message except the intended receiver.

Authentication: The process of proving one's identity. (The primary forms of host-to-host authentication on the Internet today are name-based or address-based, both of which are notoriously weak.)

Integrity: Assuring the receiver that the received message has not been altered in any way from the original.

Non-repudiation: A mechanism to prove that the sender really sent this message.

Cryptography, then, not only protects data from theft or alteration, but can also be used for user authentication. There are, in general, three types of cryptographic primitives typically used to accomplish these goals: secret key cryptography, public key cryptography and hash functions, each of which is described below. In all cases, the initial unencrypted data is referred to as plaintext. It is encrypted into ciphertext, which will in turn (usually) be decrypted into usable plaintext. In all cases the benefit of encryption is that the ciphertext does not have to be kept secret; it could be broadcast over a satellite or published in a newspaper, since only someone with the correct key can read the message. Encryption has transformed the problem of keeping many messages secret into the problem of keeping a single key secret. A key is relatively small and is usually used for long periods of time.

2.1 Secret key cryptography

Secret key cryptography is an encryption scheme consisting of a set of encryption transformations $\{E_e : e \in K\}$ and a set of decryption transformations $\{D_d : d \in K\}$, where $K$ is the key space. The encryption scheme is said to be symmetric-key if for each associated encryption/decryption key pair $(e, d)$ it holds that $e = d$ (Fig. 1).

Fig. 1. Two-party communication using secret key cryptography with a secure channel for key exchange [1]

2.2 Public key cryptography

Let $\{E_e : e \in K\}$ be a set of encryption transformations, and let $\{D_d : d \in K\}$ be the set of corresponding decryption transformations, where $K$ is the key space. Consider any pair of associated encryption/decryption transformations $(E_e, D_d)$ and suppose that each pair has the property that, knowing $E_e$, it is computationally infeasible, given a random ciphertext $c$, to find the message $m$ such that $E_e(m) = c$. This property implies that, given the public key $e$, it is infeasible to determine the corresponding secret key $d$ (Fig. 2).

Fig. 2. Two-party communication using public key cryptography with an unsecured channel for key exchange [1]

Secret key and public key systems are often used together. The secret key method provides the fastest decryption, and the public key method provides a convenient way to transmit the secret key. This is called a "digital envelope." Another useful property of the public/private key method is the process known as digital signing. A digital signature is used to verify the origin of a message, i.e., its sender, and to resolve authentication issues between sender and receiver. If the sender encrypts a message with his private key, the recipient of the message can decrypt it with the sender's public key.

2.3 Hash Functions

Hash functions, also called message digests and one-way encryptions, are algorithms that, in some sense, use no key. Instead, a fixed-length hash value is computed from the plaintext in a way that makes it impossible to recover either the contents or the length of the plaintext. Hash algorithms are typically used to provide a digital fingerprint of a file's content, often to ensure that the file has not been altered by an intruder or virus. Hash functions are also commonly employed by many operating systems to encrypt passwords, and they provide a measure of the integrity of a file [10]. The most common cryptographic use of hash functions is with digital signatures, but they are also used for data integrity and in protocols involving a priori commitments. With digital signatures, a long message is usually hashed and only the hash value is signed. The party receiving the message then hashes the received message and verifies that the received signature is correct for this hash value.

3 Electronic voting systems

An electronic voting system is a voting system in which the election data is recorded, stored and processed primarily as digital information [11]. E-voting is short for electronic voting and refers to any voting process where electronic means are used for casting votes and counting results. E-voting is also an election system that allows a voter to record his or her secure and secret ballot electronically. A number of electronic voting systems are used worldwide, from optical scanners which read manually marked ballots to entirely electronic touch-screen voting systems. Specialized voting systems such as DRE (direct recording electronic) voting systems, punch cards, national IDs, the Internet, computer networks and telephony systems are also used in voting processes.

3.1 Types of e-voting systems

A computer system whose main element is a software component that maps the voting procedure electronically is called an e-voting system [13]. Today there are quite a lot of e-voting systems. All of them can be separated into two groups: paper-based e-voting systems and DRE e-voting systems. A paper-based e-voting system belongs to the group of electronic voting systems because a touch screen is used in the voting process and counting is done electronically using an optical-scan voting system. After the voter has finished casting his votes, the unit prints out a hard copy of the ballot, which the voter has to pass to the election officer in charge so that it can be counted in a centralized location. The ballots are then counted by optical-scan voting systems. This system has the advantage of a paper trail, as every person's votes are recorded on a piece of paper. This tangibility reassures voters that their choices are being counted. However, holes that are not properly aligned in a punch card or stray marks on an optical-scan card may lead to a vote not being counted by the machine. Moreover, physical ballots can still be lost during or after transit to the counting stations.

DRE stands for "Direct Recording Electronic" voting system. As the name suggests, the voter directly enters the votes, which are recorded electronically. A DRE machine is a special case of such a system, as it implements all steps of the voting process, from verifying the identity of the voter and casting the ballot to counting the votes and producing a tabulation of the voting data. Almost all touch-screen voting machines are DREs, although there are other DREs that have knobs or switches instead of touch screens. Voters view ballots on a screen and make choices using an input device such as a set of buttons or a touch screen. Many DRE devices also have the capacity to print a paper record of the ballot cast, so that the voter can cast it in a traditional ballot box. This can help in verifying the count. Votes in a DRE are stored on a memory card, compact disc or other memory device. Election officials transport these memory devices to a centralized location for tabulation, just as they would with paper-based ballots [3]. A DRE system can also have many advantages over paper-based systems: no limitations on a ballot's appearance, ballots in any language, and full accessibility for persons with disabilities. Since votes are recorded on a memory device, tabulation takes less time. There are no paper ballots to scan, so there is less risk of mechanical error, although human error is still a factor and there is always a concern about software bugs. In an ideal system, tabulation is instantaneous with no need for recounts.

3.2 E-voting process

When the voter enters the voting place, he must have some kind of valid identity verification. When a poll worker confirms that the voter is registered, i.e., the voter is found in the electoral lists, he/she gives a smart card to the voter. A "smart card" is a card the size and shape of a credit card which contains a computer chip, some memory and basic data such as the voter's voting language and political party. The voter then takes the smart card to a voting machine and inserts it into the machine to be allowed to vote. The machine then presents the ballot on the screen and waits for the voter's choice. After the voter uses the touch screen to vote, the record of the vote is directly recorded electronically to multiple internal flash memory cards, and the voter's smart card is reset to ensure that it can only be used to vote once. The smart card pops out of the machine with a loud click and the voter returns it to a poll worker. When the polls close, a poll worker or election official inserts a different type of smart card, i.e., an administrator card, into each voting machine and puts the machine into a post-election mode where it will no longer record votes. At this point, the machine writes the votes from its internal memory to flash memory on a "PCMCIA card". A printed tape of all votes cast or of vote totals for the voting machine can also be printed out at this time, depending on local procedures and regulations.

The PCMCIA cards are taken out of each machine and taken either to a central tabulation facility or to remote tabulation facilities. At the tabulation facility the votes are read out of the PCMCIA cards and into a central computer database, where precincts are combined to produce an aggregate vote. For remote facilities, the votes are transmitted to the central tabulation facility via a closed "Intranet", the Internet or a modem. The PCMCIA cards and any printouts from the voting machines can then become part of the official record of the election.

4 Security of the e-voting systems

The main goal of secure e-voting is to ensure the privacy of the voters and the accuracy of the votes. A secure e-voting system shall fulfill (at least) the following requirements [4]:

Eligibility: only votes of legitimate voters shall be taken into account;

Unreusability: each voter shall only be able to cast one vote;

Anonymity: all votes shall be secret;

Accuracy: a cast ballot cannot be altered. Moreover, it must not be possible to delete ballots or to add ballots once the election has been closed;

Fairness: partial tabulation before the end of the election must be impossible;

Vote and go: once a voter has cast his vote, there is no further action he needs to take;

Public verifiability: anyone should be able to readily check the validity of the whole voting process.

Anonymity and secrecy of the vote are guaranteed by three measures:

1. The electronic ballot box, which contains the encrypted votes, is not linked to the electoral register.

2. The electronic ballot box is sorted in a random order before being decrypted, which offers protection against the misuse of log files. Otherwise it might be possible to reconstruct the order of arrival of the electronic ballots and break vote anonymity by comparing this order with the date and time of each vote.

3. The electoral register used in the system does not contain names but only numeric identifiers. Accessing this register would not reveal the voters' identities.

One of the differences between electronic voting and e-banking lies in the fact that, in the former, it is impossible to give the voter a proof of his transaction. In e-banking, as in any other e-business transaction, the user can see the result of his action by receiving the goods he ordered or by seeing the position of his accounts. In the voting procedure, giving a formal proof of the ballot content is contrary to the principle of anonymity and secrecy of the vote. It is, however, possible to give a receipt for the registered vote. Our opinion is that the only formal proof which can enable a voter to be sure that the vote will be counted is to obtain a printed ballot after he/she casts the vote on the e-voting machine. In all other cases voting will be insecure and the rules of voter privacy and vote secrecy will be broken.

We analyze one of the most popular pieces of cryptographic e-voting security software, Pnyx.core, developed by Scytl. It is a software module that implements a cryptographic protocol especially developed to solve the problems of privacy and security in e-voting systems. A voter prepares a ballot, encrypts and signs the ballot, and finally sends the resulting pair of ciphertext and signature to a voting server. The ballot is encrypted using the public key of the mixing service and signed using the voter's signing key. At the end of the election, the mixing service verifies the signatures of all of the votes, decrypts all of the ballots using the canvassing board's private key, and then stores the decrypted ballots in a random order. The resulting list of decrypted ballots is signed using the canvassing board's private key. Because there is no public key infrastructure covering all voters, each election requires the generation of signature keys for each voter. Therefore, a key generation step, which occurs on the Mixing Service before the election begins, generates random new keys (and certificates) for all of the voters. The secret portion of each signature key is then encrypted with a randomly chosen password. Finally, this password is encrypted under the encryption key of the poll workers. This process results in three files: (a) one file consisting of secret signature keys encrypted under a password, (b) one file consisting of the corresponding passwords encrypted under the poll worker keys, and (c) a file consisting of the public parts of the signature keys. Part (a) is transferred manually to the Voting server, (b) is transferred manually to the Credential Provisioning Service, and (c) is made public (in particular, transferred to the mixing server).

When the voter arrives at the polling place and has been confirmed as a voter, the poll worker downloads the encrypted password for that voter from the Credential Provisioning Service, decrypts it and stores it on a smart card. The poll worker then accompanies the voter to the voting laptop, inserts the smart card, and leaves. The voting client then downloads the voter's signing key from the Voting server and uses the password on the smart card to decrypt the secret part of the signature key. In order to distribute trust across many parties, the mixing service's decryption key is split into several parts and distributed to different canvassing board officials. During the tally process, these officials need to enter their own parts of the key into the mixing server to decrypt the ballots [6].

After analyzing this security protocol we conclude that it implements all of the requirements needed for a secure e-voting system. In a technical sense, Scytl's idea of building this kind of system with the cited cryptographic primitives is interesting and technically sophisticated. We feel that there is still room for improvement [9]. The focus is on the randomness of the generated numbers. It is very important that the randomly generated signature keys are implemented well, because otherwise the probability of a collision is much greater. Also, it is important that the keys are generated in a truly random way. If it is possible for a group of voters to be given the same key, it is theoretically possible for some valid votes to be discarded by the centralized tabulating entity. It is good practice to use separate cryptographic key pairs for the processes of encryption and signing.

The randomness used to shuffle votes in the mixing service should be cryptographically strong, rather than relying on the standard library's built-in random number generator.
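The mixing-service flow described in the Pnyx.core analysis above (ballot encrypted under the mixing service's key, signed with the voter's key; signatures verified, ballots decrypted and stored in random order) together with the randomness point just made, as an added Go example that is not part of the paper or of Scytl's software. The voter identifiers, votes and keys are constructed, RSA-OAEP and Ed25519 stand in for ciphers the paper does not name, and the splitting of the decryption key among canvassing board officials is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// CastBallot: vote encrypted under the mixing service's key, the voter's signature over that ciphertext, a numeric voter id (no name).
type CastBallot struct {
	VoterID    uint32
	Ciphertext []byte
	Signature  []byte
}

// castBallot is the voting client's step: encrypt for the mixing service, then sign the ciphertext with the voter's own key.
func castBallot(mixPub *rsa.PublicKey, id uint32, sk ed25519.PrivateKey, vote string) CastBallot {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, mixPub, []byte(vote), nil)
	if err != nil {
		panic(err) // only for a vote longer than the OAEP limit or a broken key
	}
	return CastBallot{VoterID: id, Ciphertext: ct, Signature: ed25519.Sign(sk, ct)}
}

// cryptoShuffle is a Fisher-Yates shuffle driven by crypto/rand rather than a seeded math/rand
// generator, so the output order cannot be replayed and lined up with arrival times in server logs.
func cryptoShuffle(items []string) {
	for i := len(items) - 1; i > 0; i-- {
		j, err := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		if err != nil {
			panic(err) // OS entropy source failed; never fall back to a weak generator
		}
		items[i], items[j.Int64()] = items[j.Int64()], items[i]
	}
}

// mixAndDecrypt is the mixing service's tally step: enforce eligibility (id in the register) and
// unreusability (one ballot per id), verify each signature, decrypt, then shuffle before release.
func mixAndDecrypt(mixPriv *rsa.PrivateKey, register map[uint32]ed25519.PublicKey, box []CastBallot) ([]string, int) {
	seen, rejected, votes := map[uint32]bool{}, 0, []string{}
	for _, b := range box {
		pub, eligible := register[b.VoterID]
		if !eligible || seen[b.VoterID] || !ed25519.Verify(pub, b.Ciphertext, b.Signature) {
			rejected++
			continue
		}
		pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, mixPriv, b.Ciphertext, nil)
		if err != nil { // validly signed but undecryptable: reject the ballot, keep the tally
			rejected++
			continue
		}
		seen[b.VoterID] = true
		votes = append(votes, string(pt))
	}
	cryptoShuffle(votes)
	return votes, rejected
}

// runElection: a constructed election with three registered voters, a reused identifier (1001) and an unregistered one (9999).
func runElection() ([]string, int) {
	mixPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	register, keys := map[uint32]ed25519.PublicKey{}, map[uint32]ed25519.PrivateKey{}
	for _, id := range []uint32{1001, 1002, 1003} {
		register[id], keys[id], _ = ed25519.GenerateKey(rand.Reader)
	}
	_, outsider, _ := ed25519.GenerateKey(rand.Reader) // signing key of someone not in the register
	box := []CastBallot{
		castBallot(&mixPriv.PublicKey, 1001, keys[1001], "A"),
		castBallot(&mixPriv.PublicKey, 1002, keys[1002], "B"),
		castBallot(&mixPriv.PublicKey, 1003, keys[1003], "A"),
		castBallot(&mixPriv.PublicKey, 1001, keys[1001], "B"), // must be rejected: second ballot from 1001
		castBallot(&mixPriv.PublicKey, 9999, outsider, "B"),   // must be rejected: 9999 is not eligible
	}
	return mixAndDecrypt(mixPriv, register, box)
}

func main() {
	fmt.Println(runElection()) // e.g. [B A A] 2; the order of the votes differs on every run
}
```

The returned list is the decrypted ballot box after shuffling, so its order carries no information about who voted when, while the rejection count keeps the discarded ballots visible to the election log.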

5 Conclusion

Electronic voting systems have many advantages over the traditional way of voting. Some of these advantages are lower cost, faster tabulation of results, improved accessibility, greater accuracy, and a lower risk of human and mechanical errors. It is very difficult to design an ideal e-voting system which provides security and privacy at a high level with no compromise. What we will aim for is to design a system which is easy to use and provides security and privacy of votes at an acceptable level.

References

1. Menezes, A. J., van Oorschot, P. C., Vanstone, S. A.: Handbook of Applied Cryptography. CRC Press, October (1996)

2. Antovski, Lj., Ribarski, P.: Mobile Voting: Overview of the Road from Paper to Mobile. In: Proc. of the mLife 2009 Conference, ISBN 0-9763341-3-5, Barcelona (2009)

3. Bonsor, K., Strickland, J.: How e-voting works. In: http://www.howstuffworks.com

4. Canard, S., Sibert, H.: How to fit cryptographic e-voting into smart cards. In: Fundamenta Informaticae XXI, pp. 1001--1012. IOS Press (2001)

5. Chaum, D.: Secret-Ballot Receipts: True Voter-Verifiable Elections. In: IEEE Security and Privacy, vol. 2, no. 1, pp. 38--47, January (2004)

6. Clarkson, M., Hay, B., Inge, M., Shelat, A., Wagner, D., Yasinsac, A.: Software Review and Security Analysis of Scytl Remote Voting Software. September (2008)

7. Cranor, L., Cytron, R.: Design and Implementation of a Practical Security-Conscious Electronic Polling System. Technical Report WUCS-96-02, Washington University (1996)

8. Dimitrova, V.: Security aspects for mobile communications. In: M. Gushev (ed.) Wireless and Mobile Technologies, Institute of Informatics, Faculty of Natural Science and Mathematics, pp. 69--80, Skopje (2003)

9. Dimitrova, V., Markovski, J.: On Quasigroup Pseudo Random Sequence Generators. In: Proc. of the 1st Balkan Conference in Informatics, pp. 393--401, Thessaloniki, Greece (2003)

10. Kessler, G. C.: An Overview of Cryptography. In: 1999 Edition of Handbook on Local Area Networks. Auerbach, September (1998)

11. Gritzalis, D.: Secure Electronic Voting: New Trends, New Threats. In: 7th Computer Security Incidents Response Teams Workshop, Syros, Greece, September (2002)

12. Information Security Laboratory, http://islab.oregonstate.edu

13. Ondrisek, B.: E-Voting System Security Optimization. In: Proceedings of the 42nd Hawaii International Conference on System Sciences (2009)