analysis of the security of proposed internet...
TRANSCRIPT
1
Analysis of the Analysis of the Analysis of the Analysis of the Security of Security of Security of Security of Proposed Proposed Proposed Proposed Internet Voting Internet Voting Internet Voting Internet Voting SystemsSystemsSystemsSystems
Victor S. AndreiVictor S. AndreiVictor S. AndreiVictor S. Andrei George Mason University
Srinidhi SreepadSrinidhi SreepadSrinidhi SreepadSrinidhi Sreepad George Mason University
The introduction of Internet voting in the United States and other countries may potentially
improve participation in elections by the young, the disabled, rural voters, citizens living and
working overseas, and the military [1]. However, the development of Internet voting technologies has
been marked by controversy in the United States, including the successful penetration of the 2010
Washington, D.C. Internet voting pilot by researchers at the University of Michigan [7], as well as
the failures of Operation BRAVO and Project SERVE in the United States in 2004 [1]. Subsequently,
the security of Internet voting systems has drawn scrutiny from the public at large and is even the
subject of an ongoing massively open online course offered by Coursera [6].
The safety and soundness of elections is fundamental to the maintenance of democratic self-
governance in nations such as the United States. With the growing movement towards the leveraging
of the Internet and computer technologies to conduct elections, the issue at hand is whether Internet
voting technologies can support “safe and sound” elections.
Relevant WorkRelevant WorkRelevant WorkRelevant Work
We have identified a number of relevant sources, such as [1], which provides a history of voting
systems in the United States, leading up to the introduction of Internet voting. [4] and [5] give an
overview of Internet voting in other countries, including an analysis of the results of Swiss Internet
voting pilots over the past ten years. The massively open online course on the history of election
security in the United States is at [6], while [2] contains the cryptographic background needed to
evaluate different Internet voting schemes with respect to the requirements for what constitutes a
“secure” election. [2] also suggests a taxonomy for categorizing voting schemes.
Additionally, Grimm [8] and Neumann [9] define a set of requirements for electronic voting
systems, including Internet voting systems. [10] and [11] illustrate a method for evaluating such
systems. Lastly, we identified proposed Internet voting technologies that we plan to investigate,
including VoteBox [12], Helios [13], Sensus [14], and others [15-23].
Plan of InvestigationPlan of InvestigationPlan of InvestigationPlan of Investigation
We intend to examine a number of proposed Internet voting technologies with regard to their
abilities to ensure that a given election is “safe and sound.” In our investigation, we will define a set
of baseline requirements that must be met in order to conclude that a given election is “safe and
sound.” Such a standard would include the following requirements:
2
� Only eligible voters may vote in a given election (voter eligibility and authentication);
� Each eligible voter may vote only once in a given election and may not vote on behalf of any
other eligible voter (one man-one vote);
� Only individual voters should know the contents of their ballots (ballot secrecy);
� Individual voters should be able to verify the accuracy of their ballots (ballot verifiability)1;
� Individual voters should not be able to prove to a third party the contents of their ballots
(resistance against election buying, chain voting, and other attacks);
� Each ballot should not be subject to tampering and should match the intent of the voter who
cast the ballot (ballot integrity);
� All eligible voters should have the opportunity to vote (voter enfranchisement);
� The system should provide tools for auditing the results of a given election as well as the
operations of the system’s software and hardware (audit capability);
� The system should provide a paper-based backup (paper-based backup);
� The system should be easy to use by individual voters, including individual voters with
disabilities (usability); and
� The system should be available during the course of a given election (availability).
Additionally, Internet voting systems should be resistant to malware, including Trojan horses,
viruses, and worms, and third-party hacking attempts that may change the outcome of the election.
We plan to develop a means of classifying different Internet voting systems based on the degree
to which each system satisfies our standard. Thus, we will be able to conclude that the proposed
Internet voting system that best meets our standard is the one most likely to ensure a “safe and
sound” electoral outcome. Lastly, we plan to examine the role of Internet voting technologies in the
overall election processes of nations such as the United States.
QuestionsQuestionsQuestionsQuestions to Answerto Answerto Answerto Answer
We will answer several questions as part of our investigation, including the following:
1. What Internet voting systems have been proposed in the past ten years?
2. What are the defining characteristics of an Internet voting system that ensures
a “safe and sound” electoral outcome?
3. How can Internet voting systems be effectively classified?
4. How can the security of each particular proposed Internet voting system be improved
to better ensure that an election held with such a system is “safe and sound”?
5. What advantages, if any, could be obtained from combining Internet voting systems
with existing voting systems (e.g., Direct Recording Electronic and optical mark-sense)?
How do Internet voting systems fit in to the overall election process?
1 [24] and [25] examine verifiability. As part of this project, we intend to think about how an Internet voting
system could potentially provide ballot verifiability to individual voters.
3
Verification ProceduresVerification ProceduresVerification ProceduresVerification Procedures
Aside from implementing and testing the different Internet voting systems in actual, live
elections, or through a pilot election, there are no effective ways to compare the “real world” ability
of the proposed Internet voting systems against existing voting systems such as Direct Recording
Electronic or optical mark-sense ballots. We could, however, design and implement a model Internet
voting system that fully meets our requirements and builds upon existing proposals. We could test
this implementation in a pilot election in our class, time permitting.
TimelineTimelineTimelineTimeline
We intend to conduct our research based on the following timeline, which is approximate and
subject to change based on the progress of our project.
Week Activities Deliverables
Oct. 8-14 • Determine requirements for what constitutes
a “safe and sound” election. [Question 2]
• Review the proposed Internet voting systems.
Discard any systems that are too simple to
analyze. Add new systems that we discover.
[Question 1]
Oct. 15-21 • Finish activities from previous week. [Question 1] Progress Report 1Progress Report 1Progress Report 1Progress Report 1
Oct. 22-28 • Develop a system for classifying proposed
Internet voting schemes. [Question 3]
Oct. 29-Nov. 4 • Classify the Internet voting systems
that we have identified. [Question 3]
Progress Report 2Progress Report 2Progress Report 2Progress Report 2
Nov. 5-11 • Develop improvements to each Internet voting
system that we have identified. [Question 4]
Nov. 12-18 • Finish activities from previous week. [Question 4] Progress Report 3Progress Report 3Progress Report 3Progress Report 3
Nov. 19-25 • Analyze where Internet voting fits in
to the overall election process. [Question 5]
Nov. 26-Dec. 2 • Finish activities from previous week. [Question 5] Progress Report 4Progress Report 4Progress Report 4Progress Report 4
Areas for Potential ChangeAreas for Potential ChangeAreas for Potential ChangeAreas for Potential Change
During the course of our investigation, we may identify additional proposals for Internet voting
systems and discard existing proposals that we deem are too simple or otherwise not appropriate for
this project. We may discover that no existing proposal fully meets our standard for what constitutes
a model Internet voting system that ensures that an election is “safe and sound.” Furthermore, we
may discover that no existing proposal fully meets a given requirement within our standard. We may
seek to develop our own model system that satisfies our requirements.
4
Tentative Tentative Tentative Tentative Table of Contents for Final ReportTable of Contents for Final ReportTable of Contents for Final ReportTable of Contents for Final Report
1. Introduction
2. What makes an election “safe and sound”?
3. Analysis of proposed Internet voting systems
a. Sensus
b. VoteBox
c. Helios
d. Other systems
4. Results; discussion
5. Improvements to proposed Internet voting systems
6. Our “model” Internet voting system
7. The role of Internet voting within the election process
ReferencesReferencesReferencesReferences
[1] D.W. Jones and B. Simons. Broken Ballots: Will Your Vote Count?
[1] Stanford, Calif.: Center for the Study of Language and Information, 2012.
[2] B. Schoenmakers. “Voting Schemes,” in Algorithms and Theory of Computation Handbook,
[2] M.J. Atallah and M. Blanton, Eds., 2nd ed. Boca Raton, Fla.: CRC Press, 2010.
[3] Towards Trustworthy Elections: New Directions in Electronic Voting.
[3] D. Chaum, M. Jakobsson, R.L. Rivest, et al., Eds. Berlin: Springer, 2010.
[4] J. Gerlach and U. Gasser, “Three Case Studies from Switzerland: E-Voting,” Berkman Center
[4] for Internet and Society, Harvard University, Cambridge, Mass., Res. Pub. 2009-03.1, Mar. 2009.
[5] D. Cavadini, L. Cimasoni, A. Meier, et al., “Case Studies on E-Voting,” Info. Sys. Res. Group,
[5] Dept. Informatics, Univ. of Fribourg, Fribourg, Switzerland, eGov HS07 Student Project, Fall 2007.
[6] Coursera. “Securing Digital Democracy.”
[6] Available: https://www.coursera.org/course/digitaldemocracy.
[7] S. Wolchok, E. Wustrow, D. Isabel, et al., “Attacking the Washington, D.C. Internet Voting
[7] System,” in Proc. 16th Conf. Financial Cryptography and Data Security, Bonaire, Feb. 2012.
[8] R. Grimm, “Security Requirements for Internet Voting,” in Proc. 4th Workshop on Multimedia
[8] and Security: New Challenges (MM&Sec ’01), Ottawa, Ont., Oct. 2001, pp. 56-59.
[9] P.G. Neumann, “Security Criteria for Electronic Voting,” in Proc. 16th Natl. Computer Security
[9] Conference, 1993, Baltimore, Md., Sep. 1993, pp. 478-482.
[10] J. Puiggali and V. Morales-Rocha, “Remote Voting Schemes: A Comparative Analysis,”
[10] in E-voting and Identity: 2nd Intl. Conf., VOTE-ID 2007, Bochum, Germany, Oct. 4-5, 2007:
[10] Revised Selected Papers, A. Alkassar and M. Volkamer, Eds. Berlin: Springer, 2007, pp. 16-28.
[11] P.L. Vora, B. Adida, R. Buchloz, et al., “Evaluation of Voting Systems,” Comm. ACM
[11] vol. 47, no. 11, p. 144, Nov. 2004.
[12] D. Sandler, K. Derr, and D.S. Wallach, “VoteBox: a Tamper-Evident, Verifiable Electronic
[12] Voting System,” in Proc. 17th Conf. on Security Symp. (USENIX Security ’08), San Jose,
[12] Calif., Jul.-Aug. 2008, pp. 349-364.
5
[13] B. Adida, “Helios: Web-Based Open-Audit Voting,” in Proc. 17th Conf. on Security Symp.
[13] (USENIX Security ’08), San Jose, Calif., Jul.-Aug. 2008, pp. 335-348.
[14] L.F. Cranor and R.K.Cytron, “Sensus: A Security-Conscious Electronic Polling System for the
[14] Internet,” in Proc. Hawai’i Intl. Conf. System Sciences (HICSS ’97), Waliea, Hawai’i, Jan. 1997.
[15] C. Wang and H. Leung, “A Secure Voter-Resolved Approval Voting Protocol over Internet,”
[15] in Proc. 7th Intl. Conf. on Electronic Comm. (ICEC ’05), X’ian, China, Aug. 2005, pp. 646-652.
[16] K. Gjøsteen, “Analysis of an Internet Voting Protocol,” in Cryptology ePrint Archive,
[16] Report 2010/380. Available: http://eprint.iacr.org/2010/380.
[17] T.K. Ahmed and M. Aborizka, “Secure Biometric E-Voting Scheme,” in Intelligent Computing
[17] and Information Science: Intl. Conf., ICICIS 2011, Chongqing, China, Jan. 8-9, 2011, Proc.,
[17] R. Chen, Ed., Berlin: Springer, 2011, pp. 380-388.
[18] D. Gray and C. Sheedy, “E-Voting: A New Approach Using Double Blind Identity Based Encryption,”
[18] in Public Key Infrastructures, Services, and Applications: 7th European Workshop, EuroPKI 2010,
[18] Athens, Greece, Sep. 23-24, 2010: Revised Selected Papers, J. Camenisch and C. Lambrinoudakis,
[18] Eds., Berlin: Springer, 2010, pp. 93-108.
[19] X. Yi and E. Okamoto, “Practical End-to-End Voting Scheme,” in Electronic government and the
[19] Information Systems Perspective: 2nd Intl. Conf., EGOVIS 2011, Toulouse, France, Aug. 29-Sep. 2,
[19] 2011: Proc., K. Normann, et al., Eds., Berlin: Springer, 2011, pp. 386-400.
[20] K. Peng and F. Bao, “A Design of Secure Preferential E-Voting,” in E-Voting and Identity:
[20] 2nd Intl. Conf., VOTE-ID 2009, Luxembourg, Sep. 7-8, 2009: Proc., P.Y.A. Ryan, B. Schoenmakers,
[20] Eds., Berlin: Springer, 2009, pp. 141-156.
[21] H. Wei, Z. Dong, and C. Ke-fei, “Filling the Gap Between Voters and Cryptography in E-Voting,”
[21] in Cryptology ePrint Archive, Report 2007/266. Available: http://eprint.iacr.org/2007/266.
[22] M.A. Based and S.F. Mjolsnes, “A Secure Internet Voting Scheme,” in Algorithms and Architectures
[22] for Parallel Processing: 11th Intl. Conf., ICA3PP, Melbourne, Aus., Oct. 24-26, 2011: Proc., Y. Xiang,
22] et al., Eds., Berlin: Springer, 2011, pp. 141-152.
[23] M. Klonowski, M. Kutyłowski, A. Lauks, et al., “A Practical Voting Scheme with Receipts,” in
[23] Information Security: 8th Intl. Conf., ISC 2005, Singapore, Sep. 20-23, 2005: Proc., J. Zhou, et al.,
[23] Eds., Berlin: Springer, 2005, pp. 490-497.
[24] D.R. Arllen, “Electronic Voting Survey and Recommendations,” Department of Electrical and Computer
[24] Engineering, George Mason University, ECE 646 Student Project, Dec. 2011.
[25] D. Burtner, “Voting Machine Security,” Department of Electrical and Computer Engineering,
[25] George Mason University, ECE 646 Student Project, Dec. 2011.