A Threat Analysis of Prêt à Voter

It is widely recognised that the security of even the best-designed technical systems can be undermined by socio-technical weaknesses that stem from implementation flaws, environmental factors that violate (often implicit) assumptions, and human fallibility. This is especially true of cryptographic voting systems, which typically have a large user base and are used infrequently. In the spirit of this observation, Karlof et al. [11] have performed an analysis of the Chaum [5] and Neff [18] schemes from the “systems perspective”. By stepping outside the purely technical protocol specifications, they identify a number of potential vulnerabilities of these schemes. In this paper, we perform a similar analysis of Prêt à Voter [6]. Firstly, we examine the extent to which the vulnerabilities identified in [11] apply to Prêt à Voter. We then describe some further vulnerabilities and threats not identified in [11]. Some of these, such as chain-voting attacks, do not apply to the Chaum or Neff schemes, but are a potential threat in Prêt à Voter, or indeed any crypto system with pre-printed ballot forms. Where appropriate, we propose enhancements and counter-measures. Our analysis shows that Prêt à Voter is remarkably robust against a large class of socio-technical vulnerabilities, including those described in [11].

[1] Atsushi Fujioka, et al. A Practical Secret Voting Scheme for Large Scale Elections, 1992, AUSCRYPT.

[2] Goodman Nw. The trouble with technology, 1993.

[3] Alfredo De Santis, et al. Advances in Cryptology — EUROCRYPT'94, 1994, Lecture Notes in Computer Science.

[4] Moni Naor, et al. Visual Cryptography, 1994, Encyclopedia of Multimedia.

[5] Moti Yung, et al. The Dark Side of "Black-Box" Cryptography, or: Should We Trust Capstone?, 1996, CRYPTO.

[6] Neal Koblitz, et al. Advances in Cryptology — CRYPTO ’96, 2001, Lecture Notes in Computer Science.

[7] C. Andrew Neff, et al. A verifiable secret shuffle and its application to e-voting, 2001, CCS '01.

[8] Rebecca T. Mercuri. A better ballot box, 2002.

[9] Dan S. Wallach, et al. Hack-a-vote: Security issues with electronic voting systems, 2004, IEEE Security & Privacy Magazine.

[10] Thomas W. Lauer. The Risk of e-Voting, 2004.

[11] David Chaum, et al. Secret-ballot receipts: True voter-verifiable elections, 2004, IEEE Security & Privacy Magazine.

[12] Dan S. Wallach, et al. Analysis of an electronic voting system, 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[13] David Chaum, et al. A Practical Voter-Verifiable Election Scheme, 2005, ESORICS.

[14] David A. Wagner, et al. Cryptographic Voting Protocols: A Systems Perspective, 2005, USENIX Security Symposium.

[15] Dieter Gollmann, et al. Computer Security - ESORICS 2005, 10th European Symposium on Research in Computer Security, Milan, Italy, September 12-14, 2005, Proceedings, 2005, ESORICS.

[16] Mark Ryan, et al. Analysis of an Electronic Voting Protocol in the Applied Pi Calculus, 2005, ESOP.

[17] Peter Y. A. Ryan, et al. Putting the Human Back in Voting Protocols, 2006, Security Protocols Workshop.

[18] Günter Müller. Emerging Trends in Information and Communication Security, 2006, Lecture Notes in Computer Science.

[19] Peter Y. A. Ryan, et al. Prêt à Voter with Re-encryption Mixes, 2006, ESORICS.

[20] Marek Klonowski, et al. Kleptographic Attacks on E-Voting Schemes, 2006, ETRICS.

[21] Brian Randell, et al. Voting Technologies and Trust, 2006, IEEE Security & Privacy.

[22] Brian Campbell, et al. Amortised Memory Analysis Using the Depth of Data Structures, 2009, ESOP.