Secure Electronic Voting
Dr. Costas Lambrinoudakis, Lecturer, Dept. of Information and Communication Systems Engineering, University of the Aegean, Greece; Technical Director of the e-vote Project, European Commission, IST Program
What is electronic voting?
An electronic voting (e-voting) system is a voting system in which the election data is recorded, stored and processed primarily as digital information. (Voting Network Voting System Standards, VoteHere, Inc., April 2002)
[Diagram: taxonomy of voting systems. Paper voting: paper ballots, punch cards. E-voting: polling place voting, precinct voting, kiosk voting, Internet voting.]
Do we need electronic voting systems?*
Electronic voting has been considered an efficient and cost-effective alternative to, or complement of, the conventional voting procedure:
- It could lead to increased voter turnout, thus supporting the democratic process.
- It could give elections new potential (ballots in multiple languages, lengthy ballots, etc.), thus enhancing the democratic process.
- It could open a new market, supporting commerce and employment.
* D. Gritzalis (Ed.), Kluwer Academic Publishers, USA, January 2003.
Opportunities for electronic voting
- Most countries believe that Internet voting will occur within the next decade.
- Internet voting options satisfy voters' desire for convenience.
- Internet voting can satisfy the requirements of people with special needs.
- Several countries are willing to try Internet voting for a small-scale (local or regional) election.
- The technology is available.
Barriers to electronic voting
- Lack of common voting system standards across nations.
- Time and difficulty of changing national election laws.
- Time and cost of certifying a voting system.
- Security and reliability of electronic voting.
- Equal access to Internet voting for all socioeconomic groups.
- The Digital Divide problem (both for election organisers and voters).
- Political risk associated with trying a new voting system.
- Need for security and election experts.
Generic voting principles
- Only eligible persons can vote.
- No person can vote more than once.
- The vote is secret.
- Each (correctly cast) vote gets counted.
- The voters trust that their vote is counted.
(Internet Policy Institute, Report of the National Workshop on Internet Voting, March 2001)
Identifying e-voting Requirements
But do we really know what functionality is expected from an e-voting system?
- To which election process does it apply (General Elections, Internal Elections, Polls, ...)?
- Does it comply with the existing legal framework?
- Is it secure?
- Are the actors (users) of the system and their roles clearly defined?
Identifying e-voting Requirements
Two approaches to specifying what we need. An e-voting system may be specified either:
- as a set of guidelines to be adopted for ensuring conformance to the legislation (State Authority point of view), or
- in terms of the problems associated with the provision of an adequate level of security (anonymity, authentication, traceability, etc.) (System Engineer point of view).
Identifying e-voting Requirements
None of these approaches is complete!
- Legal Requirements: abstract formulations (laws, principles, etc.)
- Functional Requirements: usability properties
- Non-Functional Requirements: security and system properties (flexibility, efficiency, etc.)
Identifying e-voting Requirements
A third approach, proposed by the e-vote project*: requirements elicitation based on a Generic Voting Model, taking into account:
- European Union legislation.
- Organisational details of the conventional voting processes.
- Opportunities offered and constraints imposed by state-of-the-art technologies.
The aim of the developers is to express the legal requirements, the security (non-functional) requirements and the functional requirements as a User Requirements Specification document that sets specific Design Criteria.
* Consortium: Q&R (GR), Univ. of the Aegean (GR), Cryptomathic (DK), Univ. of Regensburg (D), Municipality of Amaroussion (GR), Self Governing Region of Kosice (SK)
Design Criteria (Non-functional: Security and other System Properties)
For an electronic voting system to comply with the constitutional and legal requirements, it must exhibit specific security properties, aiming at protecting the following:
- Democracy: Only eligible voters are allowed to vote and each eligible voter can only cast a single vote.
- Accuracy: The announced tally exactly matches the actual outcome of the election, implying that no one can change anyone else's vote, all valid votes are included in the final tally and no invalid vote is included in the final tally.
- Privacy: No one should be able to determine how any other individual voted.
- Integrity: Votes should not be able to be modified without detection.
- Verifiability: Mechanisms for auditing the election in order to ensure that it has been properly conducted (Universal or Individual).
Design Criteria (Non-functional: Security and other System Properties)
- Robustness: No reasonably sized coalition of voters or authorities may disrupt the election. Protection against external threats and attacks, e.g. denial of service attacks.
- Non-coercibility: Voters should not be able to convince any other participant of what they have voted. There is no receipt proving the content of their vote.
- Fairness: Ensures that no one can learn the outcome of the election before the announcement of the tally.
- Verifiable Participation: Ensures that it is possible to find out whether a particular voter has participated in the election by casting a ballot or not.
- Transparency: Participants should be able to possess a general understanding of the entire process.
Design Criteria (Non-functional: Security and other System Properties)
- Flexibility: Equipment should allow for a variety of ballot question formats, in various languages and adaptable to many types of election processes.
- Convenience: Voters should be able to cast votes with minimal equipment and skills.
- Reliability: The system must be resistant to randomly generated malfunctions.
- Voter Mobility: There should be no restrictions on the location from which a voter can cast a vote.
- Efficiency: Overall system performance (the complexity of the scheme becomes a crucial system parameter). The time needed by a voter to cast a ballot poses an upper bound on the number of voters that are allowed to participate in a specific election (scalability).
Design Criteria (Functional Requirements)
Support all essential services for organizing and conducting an opinion-expressing process:
- Poll
- Decision-making (e.g. Referenda)
- Internal election
- General election
Depending on the specific process, the services may include voter registration, vote casting, voter authentication, calculation of the vote tally, verification of the election result, etc.
Requirements for different types of election processes
The General Election requirements are practically a superset of those regarding the other election processes:
- Polls
- Decision-making procedures (e.g. Referenda)
- Internal elections
- General elections
The e-vote System
Provides all the necessary services for organising and conducting a voting process:
- Election Set-up: supports election organisers in registering all eligible voters, issuing authentication means, ballot generation, management and specification of voting districts, etc.
- Election in Progress: offers an easy and user-friendly environment for the interaction of the voter with the system through a conventional WWW browser.
- Election Concluded: automatic generation of the vote tally.
Modular and highly flexible multi-tier architecture that supports a wide range of voting processes (use of election "templates"). Its operation is independent of the geographical coverage of the voting process and thus of the number of voting districts and voters.
The e-vote System
The Voting Protocol (Damgaard-Jurik) has been based on a homomorphic encryption scheme known as the Generalised Paillier encryption scheme. Instead of hiding the identity of the voters, using anonymous voting methods, the protocol hides the contents of the ballot itself. The ballot is submitted in a traceable manner, attached to the voter identity, so that the verifiability property is easily satisfied. The vote tally can be calculated without decrypting any of the ballots:
E(T1) · E(T2) = E(T1 + T2)
The e-vote System
The clear text vote (M^j) is encrypted, and a zero-knowledge proof that the cipher-text vote is of the form M^j for some j in [0, ..., L-1] is produced. The encrypted vote is the pair of the cipher text and the zero-knowledge proof. The encryption of the vote is done through a public key. The decryption of the result is done through a private key that has been secret-shared among the tally servers. The shares have to be constructed w.r.t. a threshold value t so that no information about the private key leaks as long as at most t servers are corrupt; t+1 servers are needed for decrypting the result. There are no competing protocols using homomorphic encryption: ordinary ElGamal is too slow for a large number of voters and candidates.
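The additive homomorphism from the two slides above, worked on a toy Paillier instance (an added example, not e-vote project code): each ballot for candidate j is the plaintext M^j, the ciphertexts are multiplied, and only the product is decrypted. The zero-knowledge validity proof and the threshold sharing of the private key are omitted, and the primes 101 and 103 are constructed demo values far too small for real use.

```python
import math
import secrets

# Added example (not e-vote project code): toy Paillier tally in the style of
# the Damgaard-Jurik protocol. Demo-sized primes; no validity proof, no
# threshold decryption.

def keygen(p, q):
    """Paillier key pair from two primes (constructed, demo-sized)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # Carmichael lambda(n)
    g = n + 1                                           # standard generator choice
    mu = pow(lam, -1, n)   # L(g^lam mod n^2) = lam for g = n+1, so mu = lam^-1 mod n
    return (n, g), (lam, mu)

def encrypt(pub, m):
    """E(m) = g^m * r^n mod n^2 with a fresh random r in Z_n^*."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(g, m, n2) * pow(r, n, n2) % n2

def decrypt(pub, priv, c):
    """D(c) = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    return ((pow(c, lam, n * n) - 1) // n) * mu % n

def homomorphic_tally(pub, ciphertexts):
    """Product of ciphertexts = encryption of the sum: E(T1) * E(T2) = E(T1 + T2)."""
    n2 = pub[0] ** 2
    acc = 1
    for c in ciphertexts:
        acc = acc * c % n2
    return acc

def run_election(votes, num_candidates, p=101, q=103):
    """votes: candidate indices j in [0, L-1]. Returns per-candidate counts."""
    pub, priv = keygen(p, q)
    M = len(votes) + 1          # base exceeds the number of voters, so digits never carry
    encrypted = [encrypt(pub, M ** j) for j in votes]   # ballot for j is M^j
    total = decrypt(pub, priv, homomorphic_tally(pub, encrypted))  # one decryption only
    counts = []
    for _ in range(num_candidates):   # read the tally back as base-M digits
        counts.append(total % M)
        total //= M
    return counts
```

The caller must keep voters * M^(L-1) below n, otherwise the sum wraps modulo n and the tally is wrong.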
The e-vote System
[Architecture diagram. Components: Voter with Web browser; Web server; Message board; Registration client; Administrative client; CA (PKCS#10/PKCS#7); Tally servers providing decryption shares.]
Is a Secure Voting Protocol Enough?
A lot of research effort has been spent on designing and building voting protocols that can support the voting process while fulfilling the security requirements (design criteria). However, not much attention has been paid to the administrative part of an electronic voting system, which supports the actors of the system in setting up the election. Possible security gaps in the administrative workflow of the system may deteriorate the overall security level of the system.
Workflow
[Diagram of the administrative workflow.]
Identified System Actors
- Election Organizers: People responsible for organizing the election process and ensuring that it is properly conducted.
- Election Personnel: People actually performing the system use-cases, under the supervision of Election Organizers.
- Judicial Officers: People responsible for monitoring the election process and ensuring that it is carried out in a legal way.
- Party Representatives: People appointed by parties to monitor the election process.
- Independent Third Parties: People neutral from participating parties, responsible for monitoring the election process and for providing reasonable assurance with regard to its integrity.
- Voters: People eligible to participate in the voting process.
Actors' participation in e-voting: Authorization and Validation
- Use cases can only be performed by authorized actors ("roles").
- An additional validation phase is employed before committing the outcome of a use case.
- The validation phase is implemented through a separate use case, namely "Validate Action".
Actors' participation in e-voting
[Table: rows are use cases; columns are the participating roles (Election Organizer, Party Representative, Election Personnel, Voter, Judicial Officer, Independent Third Party); A = use case activation, V = Validate Action. Column assignment of the markers is not recoverable from the extracted text.]
- Authenticate Actor: A A A A A A
- Validate Action: N/A A A A A
- Modify System State: A V V
- Manage Election Districts / Provide Election System Parameters: V A V A V
Actors' participation in e-voting (continued; same roles and markers as the previous table)
- Manage Voters: V A
- Provide Authentication Means: V A
- Manage Parties: V A
- Manage Candidates: V A
- Preview Ballots: A A A
- Cast Vote: A
- Tally Votes: A V V V
- Verify Result Integrity: A V V
(Secure) Electronic voting: (instead of) Conclusions
The description of actor roles, together with a clear indication of what each actor is allowed to do with the system, formulates an operational framework that complements the technological security features of the system.
- Rapidly emerging issue...
- Of a socio-technical nature...
- Contradicting views...
- Further experimentation is needed; in the meantime, as a complement only!
The debate is still going on...
"The shining lure of these hype-tech voting schemes is only a technological fool's gold that will create new problems far more intractable than those they claim to solve." P. Neumann (SRI) (2002)
"An Internet voting system would be the first secure networked application ever created in the history of computers." B. Schneier (Counterpane) (2002)
"At least a decade of further research and development on the security of home computers is required before Internet voting from home should be contemplated." Ron Rivest (MIT) (2001)
Something like a motto...
Electronic voting: between pessimism (bureaucracy) and optimism (technology) we choose realism (democracy)!