Privacy and verifiability in electronic voting

Privacy and verifiability are fundamental principles of democratic elections and therefore belong to the set of established security requirements that every electronic voting scheme is expected to meet. However, very different ideas and opinions about privacy and verifiability exist in the scientific community, which shows that neither property is yet well understood. Moreover, although the desired properties (captured by the security requirements) should be separated from the assumed adversary model (expressed by adversary capabilities), specific adversary capabilities are inherently assumed by the privacy-related security requirements of receipt-freeness and coercion-resistance, which complicates the analysis of voting schemes. The first part of this thesis presents a taxonomy for privacy and verifiability in electronic voting. We compile the conceivable levels of privacy and verifiability and investigate the relation between the two properties. To this end, we introduce a conceptual model capturing both privacy and verifiability. We also provide a comprehensive adversary model for electronic voting by considering different adversary capabilities. The conceptual model, the levels of privacy and verifiability, and the adversary capabilities together form our taxonomy for privacy and verifiability in electronic voting. The taxonomy provides a deeper understanding of privacy and verifiability and of their correlation in electronic voting. We show how it can be used to analyze the security of voting schemes by identifying the level of privacy and verifiability a scheme provides under the adversary capabilities assumed. Moreover, the taxonomy makes it possible to select appropriate levels of the requirements for different types of elections, and to determine reasonable adversary models for individual election scenarios.

The second part of this thesis considers long-term aspects of verifiability in remote electronic voting. The lawfulness of any legally binding election must be provable for several years because of possible scrutiny proceedings. Therefore, specific documents such as the ballots must be retained. The election records are usually retained for the legislative period of the elected body; this period may be extended, however, if scrutiny procedures are pending. Retention obligations apply not only to conventional paper-based elections but also to remote electronic voting. Yet, contrary to the case of paper-based elections, no general regulations or guidelines on the retention of remote electronic election data have been issued so far. In particular, the question of which records should be retained remains unanswered. The second part of this thesis therefore sets out to identify the election records that have to be retained in order to prove the proper conduct of a remote electronic election. We derive retention requirements for online elections from the legal regulations that apply to Federal Elections for the German Bundestag, and we make recommendations on how to meet these requirements. Establishing Internet voting in parliamentary elections presupposes that its technical implementation meets certain legal requirements, and conclusive retention of election data is one of them. Thus, our work contributes to establishing online voting as an additional voting channel in parliamentary elections in Germany. It may support legislative organs in issuing a legal framework for remote electronic voting. Moreover, our work is valuable for developing legally compliant voting systems, as the need for record keeping should be considered as early as the design and implementation of a remote electronic voting scheme.