114
Technische Universit¨ at Darmstadt Department of Computer Science Cryptography and Computer Algebra Prof. Dr. Johannes A. Buchmann Diploma Thesis Secure Client Platforms for Remote Internet Voting Author : Johannes Clos Advisor : Axel Schmidt Date of submission : February 14, 2008

Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

  • Upload
    others

  • View
    3

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

Technische Universitat Darmstadt

Department of Computer Science

Cryptography and Computer Algebra

Prof. Dr. Johannes A. Buchmann

Diploma Thesis

Secure Client Platforms for Remote Internet

Voting

Author : Johannes ClosAdvisor : Axel Schmidt

Date of submission : February 14, 2008

Page 2: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of
Page 3: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

Erklarung

Ehrenwortliche Erklarung

Hiermit versichere ich, die vorliegende Diplomarbeit ohne Hilfe Dritter und nur mitden angegebenen Quellen und Hilfsmitteln angefertigt zu haben. Alle Stellen, die ausden Quellen entnommen wurden, sind als solche kenntlich gemacht worden. DieseArbeit hat in gleicher oder ahnlicher Form noch keiner Prufungsbehorde vorgelegen.

Darmstadt, den 14.02.2008

Johannes Clos

iii

Page 4: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of
Page 5: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

Contents

1 Introduction 1

1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Objective of the Paper . . . . . . . . . . . . . . . . . . . . . . . . . . 21.3 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2 Fundamentals of Voting 5

2.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.1.1 Election . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.1.2 Electoral System . . . . . . . . . . . . . . . . . . . . . . . . . 62.1.3 Voting Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.2 Voting in Germany . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.2.1 Voting Machines . . . . . . . . . . . . . . . . . . . . . . . . . 92.2.2 Absentee Voting . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3 Remote Internet Voting 13

3.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.2 Protection Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153.3 E-Voting versus E-Commerce . . . . . . . . . . . . . . . . . . . . . . 17

4 Cryptographic Techniques 19

4.1 Requirements for Communication Channels . . . . . . . . . . . . . . 194.1.1 Anonymous Channel . . . . . . . . . . . . . . . . . . . . . . . 194.1.2 Untappable Anonymous Channel . . . . . . . . . . . . . . . . 194.1.3 Public Bulletin Board . . . . . . . . . . . . . . . . . . . . . . 20

4.2 Building Blocks of RIV . . . . . . . . . . . . . . . . . . . . . . . . . . 204.2.1 Threshold Encryption . . . . . . . . . . . . . . . . . . . . . . 204.2.2 Mixnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214.2.3 Blind Signature Schemes . . . . . . . . . . . . . . . . . . . . . 244.2.4 Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . 26

5 Current Employment of RIV 29

5.1 Europe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295.1.1 CyberVote Project . . . . . . . . . . . . . . . . . . . . . . . . 295.1.2 Council of Europe’s Recommendations . . . . . . . . . . . . . 30

v

Page 6: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

Contents

5.2 Country Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315.2.1 Switzerland . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315.2.2 Estonia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345.2.3 The Netherlands . . . . . . . . . . . . . . . . . . . . . . . . . 365.2.4 Great Britain . . . . . . . . . . . . . . . . . . . . . . . . . . . 385.2.5 United States . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

5.3 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

6 Secure Platform Problem 45

6.1 Characteristics of the Platform . . . . . . . . . . . . . . . . . . . . . 456.2 Malicious Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

6.2.1 Trojan Horses . . . . . . . . . . . . . . . . . . . . . . . . . . . 466.2.2 Viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466.2.3 Internet Worms . . . . . . . . . . . . . . . . . . . . . . . . . . 476.2.4 Mobile Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

6.3 Effects on RIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496.4 Counteractive Measures . . . . . . . . . . . . . . . . . . . . . . . . . 50

7 Methods of error detection 53

7.1 Test Ballots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537.2 Voter-Verifiable Voting Protocols . . . . . . . . . . . . . . . . . . . . 54

7.2.1 Neff’s Voting Scheme . . . . . . . . . . . . . . . . . . . . . . . 547.2.2 Chaum’s Visual Crypto Scheme . . . . . . . . . . . . . . . . . 597.2.3 Ryan’s Pret a Voter Scheme . . . . . . . . . . . . . . . . . . . 657.2.4 Chaum’s Scantegrity Scheme . . . . . . . . . . . . . . . . . . . 71

7.3 Evaluation of detection methods . . . . . . . . . . . . . . . . . . . . . 76

8 Methods of error prevention 79

8.1 Trusted Hardware Devices and Voting-CDs . . . . . . . . . . . . . . . 798.2 Code Voting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808.3 Multiple Casts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838.4 Trusted Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 858.5 Discussion of the presented methods . . . . . . . . . . . . . . . . . . 90

9 Conclusion 91

Bibliography 95

A Abbreviations 103

vi

Page 7: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

List of Tables

7.1 Neff’s voting scheme - Source: modified from [KSW05] . . . . . . . . 577.2 Possible sequence for an adoption of Chaum’s scheme to RIV - Source:

modified from [KSW05] . . . . . . . . . . . . . . . . . . . . . . . . . . 627.3 Protocol sequence of Pret a Voter . . . . . . . . . . . . . . . . . . . . 677.4 Comparison of the evaluated voter-verifiable voting schemes . . . . . 77

vii

Page 8: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of
Page 9: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

List of Figures

2.1 Categorization of voting schemes - Source: modified from [Sta05] . . . 6

3.1 Categorization of vote classes - Source: modified from [VK06] . . . . 15

4.1 Functioning of a single mixnet server - Source: modified from [Wag06] 224.2 Decryption mixnet - Source: modified from [Wag06] . . . . . . . . . . 234.3 Audition of teller i - Source: modified from [CRS04] . . . . . . . . . . 24

7.1 Representation of a verifiable choice - Source: modified from [KSW05] 557.2 The parity cell patterns - Source: [BR03] . . . . . . . . . . . . . . . . 607.3 Possible combinations of bit patterns - Source: modified from [Cha04] 607.4 Bit patterns of the transparency layers, resulting image - Source: mod-

ified from [Sta05] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617.5 The filled in ballot - Source: modified from [RP05] . . . . . . . . . . . 667.6 Outline of the voting process - Source: modified from [CRS04] . . . . 677.7 Layers of the onion - Source: modified from [CRS04] . . . . . . . . . 697.8 Anonymizing mix with n tellers - Source: modified from [CRS04] . . . 697.9 Ballot structure and layout of the board - Source: modified from [Cha07] 727.10 Filled in ballot and obtained verification information - Source: modi-

fied from [Cha07] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727.11 Auditing the tally - Source: modified from [Cha07] . . . . . . . . . . 74

8.1 Example for a trusted platform - Source: modified from [ASSV06] . . 868.2 Chain of Trust - Source: [Stu07] . . . . . . . . . . . . . . . . . . . . . 87

ix

Page 10: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of
Page 11: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

1 Introduction

1.1 Motivation

The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of the democratic1 systems. In this context the term e-democracy is commonlyused. It includes the subjects of e-government which stand for modernization andsimplification of administration processes supposedly leading to higher efficiency andtransparency in the public sector2. But as a matter of fact the settings of e-democracylie beyond the typical applications discussed in the context of e-government. Effec-tively the borders are set by the respective corpus of legislation of modern democracies[BN02]. With the introduction of digital signatures3 the ambitious project of RemoteInternet Voting (RIV) seemed to be within reach. The term translates to the reformof our current voting procedures due to the rapid growth of computer usage andpromises such as higher voters’ participation and a reduction of the cost of elections4.

On the other side the possible risks must not be underestimated. The necessity of

1(Greek: demos = people, kratein = to govern) government of the people, by the people and forthe people

2A good example for the implementation for e-government techniques is to be found in the Europeancountry of Estonia. After the establishment of an infrastructure that guarantees free internetusage to every citizen in 1999 services were introduced to create methods of interaction betweencitizens and their government, e.g. a website was created to give citizens the possibility to poststatements and proposals for new laws and directives, vote for them, and direct them to theadministration. Furthermore the nationwide enrollment of a public key infrastructure was setup through the distribution of an identification card that includes a chip to ensure the securestorage of private keys. Hereby binding digital signatures were effectively enabled giving peoplethe possibility to sign and submit official documents from their computer.

3In 2001 the EU-Directive 1999/93/EC [Hof07] found its realization in German law. Binding digitalsignatures now represent a legal equivalent to traditional signatures.

4Currently many countries suffer from a decreasing participation during traditional elections. Lowturnout being a problem for the legitimation of democratic systems, the idea occurred to reducepeople’s personal cost for participation. Remote voting makes it more comfortable for the voterto cast a ballot. That is one of the reasons why many people see Remote Internet Voting as abig chance for democratic systems in general (especially in participative democracies with a highnumber of elections and referendums). This leads to the widespread opinion that countries couldmiss a chance if they do not amend their electoral law through adding the feature of RIV. Fearingthey could fall behind, it is often overseen that current systems do not fulfill the requirements ofa strict interpretation of the electoral law.

1

Page 12: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

1 Introduction

the voters’ trust in the election system and its acceptance cannot be stressed enough.As the act of voting has to be regarded as the core of democracy (it represents themost general and simple form of public participation, a fundamental prerequisite ofall democratic systems) all attempts of a reform have to be classified as critical andthe discussion accompanying a possible introduction of RIV needs to be lead withthe sum of all technical and social arguments taken into consideration.

1.2 Objective of the Paper

While a lot of actions have been taken to enhance voting protocols in order to makethem more secure, the technical devices used as interfaces between a voter and thevoting protocol have not yet received enough attention. This thesis deals with theissue of insecure client computers used as voting platforms. Currently it representsone of the major obstacles against RIV. Therefore it sketches RIV, describes its mostcommon cryptographic techniques and evaluates its usage in Estonia, Switzerland,the Netherlands, Great Britain and the USA. Subsequently, the thesis picks up theexperiences and analyzes the structure of personal computers commonly used as clientmachines, as well as their risks. Besides exposing the problem, possible ways to makethe platforms more reliable, thus trustworthy, are described. As possible securityenhancements for voting platforms consist of detective as well as preemptive mecha-nisms, both mechanisms will be presented. Furthermore, by estimating the complexadaptation of these mechanisms, it is tried to give an evaluation of the differentproposals. In the end, an implementation is recommended which seems to be mostpromising for the attempt to make client machines a more secure entity.

1.3 Outline

We start with a definition of some important electoral terms leading to a historicaldescription of electoral laws and the voting system currently being used in Germany.Hereby the reader is supposed to get a general idea of the current situation and thedevelopment so far. Afterwards the terms Absentee Voting and Voting Machines willbe explained to a deeper extent, since the first one represents an already being usedremote voting system whereas the latter describes an alternate type of electronicvoting that currently causes quite a stir. These two terms are introduced with theintention of giving a clear boundary definition. After a clarification of the termsRemote and Electronic Voting the reader is introduced to RIV and the prior is dis-tinguished from the topic of the thesis. In this context the protection goals are listedand the fundamental differences between Electronic Commerce and Electronic Votingare discussed. Among others the most important cryptographic techniques used in

2

Page 13: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

1.3 Outline

voting protocols are Mixnets, Homomorphic Functions and Blind Signatures. Thesewill be explained in chapter 4 that also deals with specific communication channels.But while RIV is still a fairly new topic enclosing a lot of unfinished construction sitesit has already been used several times for real-life elections and thereby lost a littlebit from its cutting-edge character. In the next chapter, an overview of countries isgiven that support such programs, or have run pilots or binding elections over theinternet, to present a picture of how widely spread this election type is. Additionallythere is a detailed description of the kind of elections RIV is currently used for. Fur-thermore, the succeeding discussion summarizes the lessons learned from practicalimplementation so far.

Since the infrastructure is the internet which, by itself, is highly insecure, the us-age of cryptographic protocols is fundamental to guarantee the correct functioningof every single element of the digital election (registration, voting, tallying and mostdefinitely recounting). So far many efforts have been made to provide secure commu-nication. Nevertheless, there is one big threat remaining, due to the fact that clientcomputers are highly insecure. Today’s personal computers run standard operatingsystems and software while users often are not skilled enough to maintain their com-puters in a sufficient way. Therefore there is a high chance that voters’ browsers (orother software, potentially including their operating system) may be compromisedand may thus not behave as the user wishes it to (even while deceiving the userinto thinking that it is). Generally speaking it has to be assumed that the votingplatform is open for all kinds of malicious software (malware) hidden in a piece ofsoftware that the user is unaware of, since detection is based on old definitions in amalware dictionary (if detection is used at all) and the actions taken to secure thesystem are mostly reactive. Since the weakness can be exploited automatically on alarge scale it is considered as the Achilles heel of RIV. As a consequence the softwarecould possibly interfere with the voting act by showing the voter a fake ballot andsending a ballot filled in with the intruder’s choice to the election authority. Malwarealso threatens other protection goals. An attacker could for example follow up on howsomeone casts a vote. Additionally the voter can be hindered from casting a vote atall. Consequently insecure platforms result in jeopardizing the voting principals whena ballot is cast from them. Highly sophisticated Trojan horses and worms possess thisability. Appearing in stealth mode they can run without being recognized by commonvirus detection systems. Thereby it becomes evident that a typical computer user isnot able to realize whether such code runs on his PC or not.

As an entry point to the principal topic the flaw is described more detailed. Whileexamining the risks of insecure voting clients, the clients have to be distinguishedby type because a voting client could be any service access device ranging frompersonal computers to personal digital assistance devices, or even cellular phones.Since voting clients cover a broad bandwidth in technical specification and in theirways of connecting to the internet, different kinds of attacks might be possible. The

3

Page 14: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

1 Introduction

discussion will show how the clients differ from each other but will concentrate onpersonal computer usage for the subsequent chapters.

In order to notice and prevent attacks on voting clients some of the most promisingmethods are evaluated. The strategies that promise to secure voting clients duringRIV include the following.� Voter-verifiable protocols focus on the issue of non-reliable voting systems. In

this context the principles of protocol designs for non-reliable voting machines(Neff, Chaum) and enhancements to optical scan voting (Ryan, Chaum) areexplained. Subsequently it is shown to which extent each of them is suitablefor a transfer onto a possible usage within RIV and which changes have to beapplied.� Code sheets and test ballots, introduced by Opplinger in [Opp02], provide aninteresting possibility to prevent automatic election fraud. Therefore sheetswith special codes for each election choice are distributed via a secure channel(e.g. letter post). If each ballot paper is unique a possible intruder cannot fakea ballot, since changing it would presume one knows the mapping between thecodes and the election candidates. On the other hand test ballots provide aneasy way of testing the proper functioning of the voting system.� The idea behind multiple casts as introduced by Volkamer and Grimm in [VG06]does not provide client security. It rather makes up for its absence. By admit-ting repetitive votes a later cast vote could overwrite a previous one which mighthave been cast coerced or from a hijacked platform. It is obvious that multiplecasts must prohibit multiple votes of the same person. It will be shown howthis feature could be implemented and discussed whether it fulfills the principleof equality.� Trusted Computing as presented by Alkassar et al. in [ASSV06] is another wayto ensure client safety. The chapter gives insight into the basic functioning ofTrusted Computing and shows how it can enhance RIV in a way that turnsvoting clients providing the necessary hardware into verifiable machines.

The conclusion of the work provides an analysis of the presented methods. Thisshould answer the question as to what extent they present possible solutions to theattacks that appear through the usage of PCs as voting platforms for RIV. Addition-ally, these methods are reviewed concerning some associated social aspects. Tryingto reach the goal of secure client platforms the conclusion closes with an attemptedoutlook for the utilization of remote internet elections in the nearer future.

4

Page 15: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

2 Fundamentals of Voting

In the first part of this chapter voting is conceptualized by giving the definitions foran election, an electoral system and a voting scheme. Afterwards the development ofvoting in Germany is explained. Thereby two important innovations to the electoralpractice consisting of remote and electronic voting represented by absentee votingand direct recording electronics are highlighted. Both constitute important changesto the electoral law in Germany. By going into the details it is intended to definethe characteristics of different voting schemes in contrast to each other. This isparticularly important because electronic and remote voting show two of the maincharacteristics of RIV.

2.1 Definitions

2.1.1 Election

Elections can be defined as the democratic method to appoint people to entities ofrepresentation and executive positions [Noh07]. Their usage ’may well be the bestpossible approximation to popular control of government that can be achieved inmodern, industrialized mobile mass society’ [Mil72]. In this context the citizens ina given society periodically have to answer the question who should be selected togovern for a period of time. Elections serve the purpose to obtain accurate data rep-resenting a set of participants’ answers to this question. In effect one vote can be seenas a single participant’s answer to this question in its physical representation. It con-sists of a selection, generally from a predetermined set of answers, called candidates.But, depending on the set of rules that regulates the election, the selection can alsobe independent of a default list. This is also known as a write-in vote. Ballots aregroups of questions combined into a certain structure. Each question of an election isrefered to as a single race. The electoral law includes legal requirements that organizeelections. For example it consists of legal requirements that regulate the eligibility ofparticipants in an election. Every person entitled to participate is called a voter.

5

Page 16: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

2 Fundamentals of Voting

2.1.2 Electoral System

An electoral system includes the mode by which the voter can express a politicalpreference and of how the vote is translated into decisions regarding the occupationof mandates and the composition of representative conventions. In case of parliamen-tary elections an electoral system translates the data of votes by specific measuresinto parliamentary seats. In a narrow interpretation it regulates this process by lo-calizing constituencies, defining the rules of candidature as well as vocalization andcommitting to the accounting of votes [Noh07]. In a wider interpretation it can alsoaffect matters of the voting scheme. Majority and proportional vote are commonlyreferenced as two examples for different electoral systems.

2.1.3 Voting Scheme

As described in [Sta05] voting schemes are commonly refered to as protocols thatdefine the procedure which turns cast votes into a final tally. As a result the termcan also be interpreted as any method that can successfully manage an election. Doingso, voting schemes can be differentiated by their technical nature. On the one handtraditional voting schemes are schemes such as ordinary paper ballots, mechanicalrecording machines and punch-card ballots. Absentee voting as described in Chapter2.2.2 is seen as a traditional voting scheme as well. By contrast electronic votingschemes use electronic devices to conduct an election. Direct recording electronicmachines as introduced in Chapter 2.2.1 and RIV as presented in Chapter 3 can beclassified as such. The categorization of specific voting schemes can be seen in Figure2.1.

Voting Schemes

Traditional

Voting

Electronic

Voting

Paper

Ballots

Mechanical

Recording

Machines

Remote

E−Voting

Poll Station

E−Voting

Absentee

VotingInternet

Voting

DRE

Machines

Figure 2.1: Categorization of voting schemes - Source: modified from [Sta05]

6

Page 17: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

2.2 Voting in Germany

2.2 Voting in Germany

The first use of paper ballots to conduct an election appears to have been in Romein 139 BCE. Nevertheless many forms of voting have been practiced since then. Wewill now give an overview of the electoral system in Germany followed by the mainaspects related to the development of electoral law.

In addition to the elections for the European Parliament Germany has parliamen-tary elections of universal kind for the Bundestag (the state parliament), in each ofits federal states, and for the parliaments of cities, counties and boroughs. Further-more direct elections are practiced for the appointment of district administrators andmayors (local elections).

Altogether the operation of elections is organized by the electoral laws that canbe found in the Constitution, Bundeswahlgesetz (federal election law) and Bun-deswahlordnung (federal electoral regulations on the national level and similar lawson the state level). Thereby the electoral system of Germany includes personalizedproportional representation which is a mix between proportional representation andmajority vote with the proportional component being the overall decisive factor. Halfof the members of the Bundestag are elected through a majority vote (one candidatefor each electoral district). At the same time the citizens can use their second votefor a party of their choice. The overall strength of parties represented in the Bun-destag exclusively results from the number of nationwide cast second votes [vP03].The parliamentary elections are carried out in obedience to the principles named inthe German Constitution (Art. 38 GG). These require the elections to be� universal: No citizen should be excluded from her right to vote.� direct: No intermediates, e.g. deputies, are assigned to vote in someone else’s

name.� free: Neither governmental nor any other coercion is allowed. This shouldassure a free choice between competing parties.� equal: All voters have the same amount of votes which are equal in weight.� secret: The voter’s decision, represented by a voter marking his choice on aballot, is confidential. Open and public votes are invalid.

Unlike other countries (e.g. Belgium, Luxembourg) the electoral law of Germanydoesn’t commit the citizens to vote (compulsory voting). The possibility to voteis rather seen as a basic right. It is usually controlled by a specific voting districtwhere the citizen is registered. Therefore eligible voters are listed in special registersmaintained by the local authorities.

Besides parliamentary elections Germany knows a variety of non-parliamentarianelections, amongst others for workers’ councils, universities’ boards and governing

7

Page 18: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

2 Fundamentals of Voting

boards of social security institutions. The decision-making abilities of these boardsare altogether very limited. This is the main reason for less strict requirements duringthese elections.

Before the principles of democratic elections (as named above) became widely ac-cepted there were a number of different electoral laws. Prussia, for example, intro-duced a three-class system of voting in 1849, where the voting population was dividedinto three groups with a different weighting of votes. The allocation to a certain groupdepended on the citizen’s income and the taxes he paid. The election was conductedin public and oral and by these means was not secret. Furthermore it was indirectsince electoral deputies were elected. In 1918 it was abandoned. Universal femalesuffrage was, similar to universal manhood suffrage, established in a step-by-stepprocess.

Taking a look at the history of voting shows that the situational context and formaldesign of how we vote has always been a controversial topic. Electoral regulationstend to influence who votes, how we vote and also affects the outcome of elections.Indications for this not only exist within the central questions of electoral law in the19th century (whether or not open or secret elections should be conducted and, ifat all, votes should be counted equally). Historic examples reach from the conse-quences of ostracism1 in ancient Greece to viva voce2 in medieval England and USAand the permission of voting machines in Scandinavia in 1950’s. Electoral laws arerarely neutral. Instead they always favor certain actors and discriminate others. Eachamendment of electoral laws led to political rejections and changed the voting behav-ior. But even though new benchmarks of political and technical development cameup within the past hundred years the typical way of how elections are conducted hashardly changed since the last reformation of electoral laws. With the introduction ofpolling booths and the Australian Ballot3, the system of voting in which voters marktheir choices in privacy on uniform ballots, printed and distributed by the governmentor designate their choices by some other secret means, the evolution of the voting actseems to have found its climax [Dom07]. The usage of paper and pen, counting ofvotes by hand and voting in the domestic voting district are still best practice. Butdespite the stability the electoral law highly depends on the changing political andconstitutional developments. Between 1956 and 2002 the German electoral law wasmodified by 34 amendments that document the continuing need for changes4. Some

1Aristotle claims Cleisthenes was responsible for the institution of ostracism. It allowed the citizensto send a fellow citizen into temporal exile if he was getting too powerful. The term ostracismwas derived from ostrakon, the Greek word for a piece of broken pottery on which the citizenswrote the name of their candidate. [Car07].

2Viva voce describes the practice of voting by publicly calling one’s election choice during a con-vention of voters [Jon03].

3Victoria and South Australia were the first states to introduce ballot secrecy in 1856.4The vast majority of these amendments dealt with administrative topics such as the customization

8

Page 19: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

2.2 Voting in Germany

of them are of great importance such as the introduction of the absentee vote in 1956and voting machines in 1975. While absentee voting lowers the personal cost thegovernmental operation of voting machines tries to simplify and speed up the tally-ing process. The combination of both, an automated counting and more comfortablevote cast clearly points in the direction of RIV.

2.2.1 Voting Machines

Voting machines are usually the first thing that comes to one’s mind when hearingthe term electronic voting. Basically RIV and voting machines have in common thatthey both make usage of electronic devices (terminals) as an interface between voterand ballot. Voting machines can be defined as being standalone technical devicesused to define ballots, to cast and especially to count votes, and possibly to producesome audit trail information - all done by a single machine. The first machines weremechanical but nowadays it is common to use electronic voting devices. Voting ma-chines are most often referenced as machines with direct recording electronic (DRE).After the election they produce a tabulation of the voting data stored in a remov-able memory component (and eventually as printed copy). Elections for the GermanBundestag and for the European Parliament are only legal if conducted with ’stand-alone’-devices. That is to say voting machines can only be part of a local networkat the polling station. They can’t be connected to a countrywide network where theelection results are sent to a central tallying server [oG07c].

According to the promoters of voting machines the benefits include a higher accu-racy, faster results, lower costs, easier voting for disabled people and the eliminationof invalid votes. Problematic is the fact that the usage of voting machines putsimportant steps of the voting procedure inside a black box. Thereby the positiveaspect of having a public verifiable election is eliminated. Most people cannot re-construct what happens to the votes inside the machine and how the results arecalculated. The integrity of an election highly depends on the proper functioning ofthe devices and their security against manipulation. Everybody has to rely on theability of experts who test the source code and analyze the components. In Ger-many the law for voting machines regulates the procedure of accreditation [oJ07]. Itassigns the National Metrology Institute providing Scientific and Technical Services(Physikalisch-Technische Bundesanstalt) with its duty to control the compliance ofthe following requirements:� correct implementation of the voting process� secure storage of cast ballots� guarantee of privacy

of the voting districts.

9

Page 20: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

2 Fundamentals of Voting� correct counting of cast ballots� usability of the machines� secure and long-lasting construction� security in case of malfunction� insensitivity against mechanical, climatic and electro-magnetic environmentalinfluences

However, the institute does its testing only on a sample machine. All others aredistributed by the vendor directly. A further point of criticism is caused by thefact that recounting of electronically cast votes is often not practicable due to thelack of voter verifiable paper trails (VVPT). The lack of transparency is anotherdisadvantage. While traditional elections allow the voters to observe the tallyingprocess DRE so far does not offer this feature. This illustrates a serious problemof DREs especially looking at real-life deficiencies throughout elections like the onesduring the elections for the US-presidency in 2004. The result of Florida includedan electronic miscount of 18.000 votes [Kru07]. So far methods of audition are notintended by most voting machine producers. We will cover this topic to a deeperextent during Chapter 7.

Recently DREs have continually failed to provide the standard of a trustworthyvoting system. A security check of electronic voting machines by computer scientistsof the University of California uncovered more than a dozen security risks throughoutall tested machines. A team of experts was assigned by the California election super-visor with the investigation of eight already used and certified e-voting-systems frommarket-leading companies (such as Diebold, ES&S, Hart Intercivic and Sequoia). Thescientists uncovered severe security problems and required massive system-updateson hardware and software prior to a possible recertification. In a decision issued inAugust 2007 the Secretary of State withdrew the certification of all vendors for thetime being [oS07]. Other countries have completely abandoned the usage of votingmachines. In 2006 Italy already stopped all ongoing projects with voting machinesdue to irregularities discovered during its parliamentary elections at the beginningof the year [Zie06]. The most recent decision was taken in the Netherlands. Afterthe Dutch group ’Wij vertrouwen stemcomputers niet’ and the German ’Chaos Com-puter Club’ published alarming facts that showed how easy it is to reconfigure themachine by exchanging the Erasable Programmable Read Only Memory (EPROM)5

the dutch government was in doubt whether voting machines could be safely used. Anappointed commission was supposed to investigate this topic. Amongst other thingsthe authors of the final report criticized the lacking of VVPT in a final report and

5Since the EPROM stores the voting software, this attack illustrated the infiltration of a votingsystem with a manipulated software. If designed properly, this software has the potential toeffect the counting without election officials noticing.

10

Page 21: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

2.2 Voting in Germany

advised to reconsider the ’Regulations for approval of voting machines 1997’. There-after the Secretary for the Interior immediately announced that the certification willbe withdrawn [Com07a].

2.2.2 Absentee Voting

While talking about remote internet elections absentee voting is sometimes used asa reference. This is because both are conducted in a remote way. Supporters of anabsentee vote argument with its smooth introduction and the high acceptance withinthe population. At the same time opponents fear the reinforcement of problemsrelated to the loss of privacy.

Traditionally the definition of an absentee vote is that it is cast by a citizen who isunable vote at his regular polling place on an election day. As a result it is independentof time and location of the presence demanding election using a ballot box. Since thepostal way takes its time absentee voting can also be referred to as voting in advance.

Absentee voting was established in Germany in 1956 with the introduction of thefederal election law and firstly used during the Bundestag elections in 1957 [Jes03].The voter is required to apply for the absentee vote after receiving the polling card.But the ballot paper will only be sent to citizens who

1. cannot be in the voting district on the day of election due to important reasons.

2. moved to another voting district after the time period of electoral registrationhas started.

3. cannot attend the election due to professional reasons, illness, high age or phys-ical problems.

Since these reasons are not checked anybody may proclaim that this is the case.

Absentee voting as a deviation from the strict requirements of the personal electionis interpreted by the Federal Constitutional Court (FCC) as a thorough hole of thisprinciple. But at the same time it considers it as being consistent with the consti-tution. In the decisions of the FCC concerning absentee voting in 1967 and in thesecond judgment 1981 the possibility of absentee voting was strengthened. For groupsof people who cannot attend on election day due to reasons as stated above shouldexist the possibility of an absentee vote if they can be accredited. Nevertheless, theabsentee ballot should remain the exception [Feh07].

The decisions of the FCC took place at a point in time where just a little portionof voters (1957: 4,9 %, 1980: 13 %) preferred this procedure. But the percentage ofabsentee voters increased steadily: 1998 the percentage was 16 and in 2002 almost

11

Page 22: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

2 Fundamentals of Voting

every fifth eligible voter made use of it. In large cities like e.g. Munich (31 %) andHamburg (28 %) it cannot be called an exception anymore [Ker04].

During the previous chapter the terms election, electoral system and voting schemewere defined. In addition they were applied to Germany by giving some backgroundinformation about held elections, amendments of the electoral law and thereby af-fected voting schemes. As demonstrated the biggest impact on voting was caused byamendments of the electoral law that included absentee voting and DRE machines inthe process. Illustrating the characteristics of these systems revealed hints that yieldin the direction of a stronger application of RIV in the future.

12

Page 23: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

3 Remote Internet Voting

In this chapter RIV is defined by assembling its different elements. They are describedbefore the details of inevitably required protection goals are addressed. While e-commerce and online-banking became widely accepted in our society many peopletend to believe that if they are possible RIV must be possible, too. This prejudice isclarified in sequence.

3.1 Definition

RIV combines the characteristics of electronic, online and remote voting schemes.The main difference between traditional and electronic voting (e-voting) consists ofthe respective underlying scheme. E-voting scenarios map the process of voting ontodigital technology. Technologies are DRE machines (voting machines, optical scannersand voting pens) and RIV. The phases of digital voting scenarios are quite similar tothe traditional approach. In the preparation phase voter and candidate lists need tobe prepared, ballots have to be designed and the according infrastructure is set up.The next phase consists of registration where voters are obliged to register and prooftheir identity before being admitted for voting. This procedure is optionally and itsdetails depend on the election law of a country. During the voting period voters casttheir ballots after authenticating themselves. In the end the votes are counted, thetally is prepared and finally published.

Per definition the usage of voting terminals connected to a network as well as thecasting of votes that are transferred to another computer where they are stored andcounted is called online voting [oG07b]. It represents a specialization of e-voting. Inreference to [Ins01] three different groups of online voting are distinguished dependingon where the voting terminals are located:

Poll site-voting system: The terminal is located in a safe environment like a pollingstation. In contrast to voting machines the terminal sends the results to a serverfor further counting. Since polling stations are staffed the voting terminals usedhere are administrated.

Kiosk e-voting system: The terminals are computers/ATM-like machines with spe-cial hardware and are situated at fixed locations (e.g. kiosks, libraries). For

13

Page 24: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

3 Remote Internet Voting

this reason the system does not provide the same convenience as the cast ofa remote vote. The machines are not under permanent staff-control but theyare assumably protected against the problems that voters’ private computershave (for example insufficient prevention of attacks through a lack of securitymechanisms) because the software that runs on kiosk systems is most likelyunaccessible. The configuration is provided by administrators instead.

Remote Internet Voting System: This type of system allows voters to cast theirvotes from any computer or digital device connected to the internet or to aprivate network, typically from home or at work. Devices such as personaldigital assistants, personal computers, mobile phones and even game machinescould be used to access these systems.

Remote voting is characterized by the fact that voters do not have to visit a speciallocation to cast a vote. Instead voters get the possibility to vote from wherever theyare. This lowers the personal cost for the voter1. But to make this possible a reliablecommunication channel is required. Absentee voting is the traditional applicationand uses postal mail for its purpose. The internet offers different communicationchannels. Regardless of the channel, remote systems demand from the voter to votein a responsible way that eliminates coercion and guarantees privacy. It is safe to saythat in the context of online voting poll-site voting does not represent a remote votingsystem. The kiosk e-voting system partly shows characteristics of a remote system,but only RIV distinguishes clearly enough from presence voting. A categorizationof the named voting systems by the terms presence and distance voting is shown inFigure 3.1.

1’The cost factor that might be reduced is the time and effort that it takes to go to the electoraloffice and cast a vote in person. However, there are other cost factors involved in electoralparticipation, most noteworthy among them being the time and effort that it takes to acquiresubjectively sufficient information to cast a ballot. Those other costs seem to remain unaffectedby e-voting’ [Sch02]

14

Page 25: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

3.2 Protection Goals

Presence Voting Distance Voting

Traditional

Voting

Electronic

Voting

Voting through polling box

Mechanical Recording

Machines

Absentee voting

DRE Machines

Networked Voting Machine

(voting at polling station)

Kiosk e−voting system

Remote Internet Voting

Figure 3.1: Categorization of vote classes - Source: modified from [VK06]

For RIV generic computers serve as voting platforms by running some kind ofvoting software plus various other possibly insecure software on top of a more orless stable operating system. Chapter 7 talks about the platform’s structure andthe resulting security problems. It is obvious that these problems are beyond thecontrol of electoral administrators. Naturally they affect the security required by theguidelines of electoral laws that remain a prerequisite for RIV as well as for all otherpossible types of voting used during elections.

3.2 Protection Goals

In order to assure the political election principles mentioned before RIV needs toachieve a variety of protection goals. The following security requirements for remoteinternet voting systems are the most important ones for the further course of thisthesis [SP06]:� Eligibility: It is necessary that only valid voters are eligible to vote. The pre-

determined criteria for eligibility depends on the election law of each country.The voting system has to verify the voter’s validity and ensure that each entitycan cast only a permitted number of votes.� Anonymity: Anonymous voting achieves privacy and prevents the identifica-tion of a voter from his vote. As a pre-condition it has to prohibit the trace-ability between vote and voter.� Coercion resistance: A voting system is defined as coercion resistant if it isinfeasible for a voter to cooperate with a coercer and prove to him that he votedin a certain way, abstained from voting, or disclose his secret keys.

15

Page 26: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

3 Remote Internet Voting� Accuracy: Accuracy requires the voting system to be error-free. Theefore thevoters’ ballots have to be cast as intended and counted as cast during tallying.Modified, duplicated or erased votes are not tolerable.� Robustness: The voting scheme has a limit of tolerance by which minor tech-nical errors can be tolerated.� Correctness: Every valid vote, no matter how it was cast, has to be includedin the final tally and counted correctly (of course only if it is not a repeatedvote).� Verifiability (universal and individual): The voters’ trust in a voting sys-tem is a prerequisite for the acceptance of the results. Creating trust in theintegrity of a voting system requires an independent verification along eachtranslation step of the election. Universal verifiability requires that anyone isable to verify the correctness of the voting process and its result, whereas in-dividual verifiability convinces each voter that his personal vote was correctlyrecorded.� Usability: The design of a voting system has to consist of intuitively and easilyusable interfaces and needs to render a usage possible for handicapped persons.

In the course of this thesis it can be seen that insecure voting platforms especiallyaffect the goals of anonymity, accuracy, coercion resistance and correctness. For thisreason and the additional goal of transparency during the election voting systemsstrongly benefit through verifiability. Nevertheless receipt freeness additionally playsan important role because individual verifiability usually comes along with receipts.� Receipt freeness: The voter has to be prohibited from gaining certain infor-

mation (refered to as a receipt) that might be used by him to prove his votingdecision to an attacker or coercer.

To be consistent with legal principles all of the requirements have to hold duringthe entire election, including voting clients, the communication channel and votingservers. While the single requirements are achievable, there is no protocol up to datethat fully meets all the said requirements at once.

Obviously some of the named requirements seem to be at odds with each other.For example it is not obvious how anonymity and verifiability can be achieved atthe same time. [Smi05] shows how some of the desires are simultaneously achievablewhile seemingly being incompatible.

In order to realize safe voting schemes clearly defined rules of communication be-tween the involved entities ensure the treatment of requirements. Voting protocolsplay this role by making use of standardized guidelines regarding syntax, semanticsand synchronization of the data transfer. The least ambiguity threatens the cor-rectness of the entire election. The fundamental cryptography of voting protocols

16

Page 27: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

3.3 E-Voting versus E-Commerce

exceeds the one of traditional communication protocols since its requirements aresignificantly stronger. The cryptographic primitives are explained in Chapter 4. Al-together research on protocols has reached a stage where important requirements likecorrectness, robustness, anonymity, coercion resistance and verifiability are possible.

3.3 E-Voting versus E-Commerce

Today financial transactions to the amount of millions of dollars are made via theinternet. It is a common and widespread opinion that it should be also possible touse the same medium for digital voting as well. Thereby it is often overseen thatdigital voting and digital commerce show fundamental differences. For this reason itdoes not make sense to transfer the feasibility of e-commerce onto remote e-voting.There are several reasons for this (see [Riv02] for more details):� Financial transactions are performed online, but there is always a separate

offline process for checking them and for correcting any errors detected (thebuyer typically gets a transaction receipt). Since this is not the case for e-voting so far, the prevention of fraud and error, while having no chance ofretroactive correction, has to be guaranteed.� Electronic commerce includes the possibility to dispute a transaction if some-thing did not work correctly. With e-voting in contrast there is always a deadlinethat has to be met. Disputing an election requires many objections commonlysettled in court.� Concerning electronic commerce, the involved parties can be identified by trans-action records. This is substantially different from electronic voting where thecast of a ballot should in no way identify the voter, as this violates the voter’sprivacy and anonymity. Furthermore, this would subject them to coercion.

The profile of an attacker in the electoral scenario is much different from such in e-commerce. People that aim at making some quick cash by manipulating transactionscertainly have to be skilled. But their profile is definitely lower compared to someforeign power with its intelligence apparatus and serious funding. They are motivatedby the ability to change the outcome without anyone noticing. Among others theadversaries of an election system are foreign governments with powerful interests athome and abroad.

17

Page 28: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

3 Remote Internet Voting

En route to a definition of the term RIV this chapter explained the character-istics of remote, electronic and online voting schemes. Similar to absentee votingthe voting process is uncontrolled regarding the enforcement of privacy during RIV.Importantly, the private voting platforms of a RIV system are uncontrolled as well.In this context the protection goals were defined. In order to achieve secure clientmachines anonymity, accuracy, correctness, coercion resistance and verifiability areof particular interest. Finally the fundamental differences between remote e-votingand e-commerce were pointed out.

18

Page 29: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

4 Cryptographic Techniques

The voter’s anonymity and authenticity are important protection goals during vot-ing. But anonymity is far from being a standard feature while communicating overthe internet. An eavesdropper can for example reveal the origin of electronic cor-respondence by observing the internet traffic and correlating it with the originatingIP-address. Later on, the identity of the originator can be determined by tracingback the IP to an individual user. However, voting protocols rely on the anonymityof the voter. In this respect, this chapter defines some requirements for the communi-cation channel before the functioning of important cryptographic measures for theirachievement is illustrated. These are mixnets, homomorphic encryption and blindsignatures. For a better understanding of these measures some knowledge of the ba-sic cryptographic principles (public key cryptography, hashes, digital signatures etc.)is advised. For a detailed explanation the reader is refered to [Buc04].

4.1 Requirements for Communication Channels

4.1.1 Anonymous Channel

The characteristic of an anonymous channel is that it guarantees anonymous commu-nication. Voting scenarios especially require anonymous voters. In effect, the recipi-ent of a casted vote cannot detect the identity of its sender. Methods for achievingthis type of communication will be illustrated in the following chapter. As noted by[Rja02] it is important that an anonymous channel does not have to be untappable.

4.1.2 Untappable Anonymous Channel

In contrast to the prior a further requirement is added here. This is the physicalsecurity of the transmission of a message. As a result no one should be capable of in-tercepting the transmission of a message and of sharing the content of a message witha third party. In practice, the implementation of untappable anonymous channels is

19

Page 30: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

4 Cryptographic Techniques

hard because it would require perfect secrecy1.

4.1.3 Public Bulletin Board

Generally an electronic bulletin board is a possibility to make information publiclyreadable. In the context of RIV it enables different forms of verification. If a votingprotocol’s definition requires proofs of correctness to be posted on a bulletin board,everyone might double-check if their votes were cast as intended. But while everybodycan read the postings it is important that write access is exclusively given to certainregistered and authorized users. These users can write to an assigned personal areawhereas the deletion of previous postings is prohibited. Besides universal verification,bulletin boards enable access control (before information is posted in the user’s areait is verified) and provide communication channels between participants. If used forvoting schemes bulletin boards typically display the information through the usageof web servers.

4.2 Building Blocks of RIV

4.2.1 Threshold Encryption

Threshold encryption describes a possibility to reconstruct a secret from the sharedknowledge of several participants in a fault-tolerant way. Doing so one can lower theprobability of an unauthorized person gaining access to sensible information becausethere is no need in trusting a single person. As described by Shamir in [Sha79]threshold encryption can be very helpful in the management of cryptographic keys.On this account it is an important measure to assure a more robust tallying processfor RIV.

According to Shamir a (t, n) threshold scheme is required to divide the secret dataD into n shares D1, . . . , Dn such that

1. the knowledge of any t or more pieces Di, where i ∈ 1 . . . n, makes D easilycomputable.

2. knowledge of any t − 1 or fewer Di pieces leaves D completely undetermined(in the sense that all its possible values are equally likely).

1Let M be the set of plaintexts, K the set of keys and C the set of ciphertexts. An encryptionscheme E : M → C is unconditional secure (perfect secure) if P (m|c) = P (m) holds for allm ∈ M and all c ∈ C and if the probability distribution of the keyspace is of equal distributionand a single key k exists for every plaintext m and ciphertext c such that Ek(m) = c [Buc04].

20

Page 31: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

4.2 Building Blocks of RIV

The threshold factor t determines the smallest number of shares necessary forthe reconstruction. The cooperation of t participants is sufficient to reconstruct thesecret whereas less than t of the shared secret carriers have no chance to obtain anyrelevant information about the secret. As a result the choice of the parameters t andn determines the strength of the system.

It is assumed that the definition of a polynomial of degree n requires n + 1 points.In order to share a secret S with a (t, n) threshold scheme it is necessary to producen shares. The first step consists of choosing t − 1 coefficients

a1, a2, . . . , at−1.

The secret S is considered to be a number and used as the coefficient a0. Next thepolynomial can be built as

f(x) = a0 + a1x + a2x2 + · · · + at−1x

t−1.

Now the shares that are given to the participants can be calculated by constructing npoints of the polynomial. Using the values i = 1, . . . , n these are retrieved as (i, f(i)).For the reconstruction of the secret any subset of t of these pairs are sufficient todetermine the coefficients of the polynomial by interpolation.

4.2.2 Mixnets

Mixnet-schemes as presented by Chaum [Cha81] are intended to establish anonymityfor the originator of a message. Besides the establishment of an untraceable email sys-tem mixnets can be used for achieving anonymization of web traffic. For anonymouschannels the purpose of achieving anonymity during RIV is of particular importance.We will now explain the functioning of a simple mixnet-scheme and enhance it withencryption functionality. For proofing the correctness of mixnets a survey of verifiablemixnets is added.

The goal of a mixnet scheme during RIV is to create anonymity for the voter.Under normal circumstances messages sent over the internet contain informationabout their origin. Mixnets reshape the communication between sender and receiverto make it unlinkable. The idea is straightforward and can be described by an analogy.Let’s imagine ten people putting boxes of the same size, color and weight into anintransparent bag. Next, it is laced up and shaken with the boxes still being inside.It is clear that afterwards no one can tell which box belongs to whom. A mixnet worksvery similar by re-ordering a batch of received messages. In order to prevent uniquemessages from being recognized, all messages have to be transferred into uniformappearance first. To this end, short messages are stuffed with random bits until theyreach a certain length. Larger messages have to be divided into shorter fragments.

21

Page 32: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

4 Cryptographic Techniques

Additionally the messages are encrypted. Otherwise sender and receiver could beidentified by simply looking at the headers of the messages. Next, the batch isshuffled randomly by a mix. If a proper permutation of the received input2 is appliedbefore resending the output the first step is taken. Now the output batch differs fromthe incoming in order of appearance of the elements (Figure 4.1). Additionally theelements of the batch cannot be distinguished. That way an adversary who observesthe communication cannot reveal the identity of the messages.

m1

m2

m3

m4

m5

m6

m2

m4

m1

m6

m5

m3

Figure 4.1: Functioning of a single mixnet server - Source: modified from [Wag06]

But so far the reached anonymity depends only on one single mix. This is notsatisfying because the permutation can be easily annulled by a corrupt mix-operator.To avoid the possibility of revealing the mapping between input and output furthermixes are needed to form a mixnet. This helps to maintain the original goal ofanonymity while not having to trust a single entity. In consequence a chain of severalservers is needed.

There are n mixes in the mixnet, where πi is equivalent to a single mix withi = 1, . . . , n.

π′ = π1 ◦ π2 ◦ ... ◦ πn.

The resulting mixnet π′ represents the n-fold concatenation of mixes. In the formulaabove ◦ represents the concatenation of two mixes. It is obvious that the connectionbetween input and output of the resulting mixnet can only be restored if every sin-gle server πi out of the n mix servers is corrupted and willing to reveal its secretpermutation.

Decryption mixnets require the participants to run a special software that encryptsthe message that is supposed to be anonymized multiple times. The number andorder of encryptions depends on the number of involved mixes and their sequence.Originally this is achieved by encrypting each message with the public keys of allmixes during an initial encryption phase. Then each mix first partially decrypts and

2For the functioning it is not important what the content of the communication is. For example itcan consist of messages or HTTP-requests.

22

Page 33: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

4.2 Building Blocks of RIV

then mixes the messages it permutes. Mix by mix one layer of encryption is peeled offuntil the final mix restores the original cleartext. In Figure 4.2 the input of the mixnetconsists of six messages, where each E(m) represents a multiple encrypted message.The intermediate mixes can neither see the plaintext nor the original sender and finalreceiver of the messages. All they learn is the address of the following mix. Afterthe batch is finally processed by all n mixes the communication is anonymized. As aresult the output batch does not correlate with the input batch anymore.

E(m1)

E(m2)

E(m3)

E(m4)

E(m5)

E(m6)

mx

mx

mx

mx

mx

mx

Mix 1 Mix n...

Mixnet

Figure 4.2: Decryption mixnet - Source: modified from [Wag06]

Within re-encryption mixnets each mix mixes and additionally reencrypts its inputbefore resending. The idea behind is the fact that without reencryption the resultingmessages do not change. This makes it easy to recover the voter related to it. Ourconcern is an implementation for protocols of RIV where the tallying is conductedin the end. In between mixing and tallying the decryption has to take place. [RS06]explains how a re-encryption mixnet can be implemented by using a Threshold El-Gamal Cryptosystem where all authorities responsible for running the mixnet jointlygenerate the system parameters using a distributed key generation protocol. In theend, the encrypted ballot in the final output can only be decrypted if all authoritiesparticipate in this.

Verifiable Mixnets

The integrity goal is that all plaintexts at the input of the mixnet yield the samedecrypted ciphertexts at the output of the mixnet. To prove this goal a mixnetoperator would have to reveal all of the secrets like practiced permutations and usedkeys. This would destroy the established anonymity that was just achieved by settingup the mixnet. To serve the original purpose while reaching verifiability withoutgiving away the secrets one can make use of a zero-knowledge interactive proof (ZKIP)as presented in [Buc04, Wag06]. To show correct functioning every mix-server wouldhave to participate in such a ZKIP to proof.

A ZKIP has the requirement that the verifier does not know a secret the proverpossesses. The goal of the prover is to convince the verifier of his knowledge of the

23

Page 34: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

4 Cryptographic Techniques

secret without revealing it. The most important aspect of a ZKIP is that for theverifier it can be mathematically proven not to have learned anything about thesecret while becoming totally convinced of the prover’s knowledge of the secret. Inpractice, a ZKIP must have an efficient run-time to be seriously considered.

One implementation of a ZKIP for mixnets is given through randomized partialchecking. Based on the usage of two mixing rounds it is made possible to uncoverhalf of the connections and still verify the correct functioning of the server. Whilegoing down the intermediate messages of each mixing server (represented by themiddle column) the verifier randomly chooses whether to uncover the left or the rightmixing round. This procedure is illustrated in Figure 4.3. As a result, randomizedpartial checking allows to audit the server while maintaining the achieved anonymity.For a deeper discussion of randomized partial checking and verifiable mixnets thereader is refered to [JJR02] and [Che07].

Teller

L

L

R

L

R

L

from

Teller

to

Teller i−1 i+1

i

Figure 4.3: Audition of teller i - Source: modified from [CRS04]

4.2.3 Blind Signature Schemes

Conventional digital signatures succeed in creating secure authentication. After amessage was signed a verifier can verify the signed message with the public keymatching the private signature key. For successful verification of the signature theresult needs to match the plaintext. Since this mechanism reveals the identity ofthe signer it is not ideal for a usage during RIV. As first mentioned by Fujioka etal. [FOO93], blind signatures make anonymous authenticity possible by includinga couple of additional steps. An analogy can be seen in a message sealed in anenvelope and additionally including a sheet of carbon paper. The originator putsthe envelope into another envelope that is passed to a trustee with administrativefunctionality. The trustee takes off the outer envelope. The inner envelope has theaddress of the originator written on it. Thereby the trustee can decide whetherthe originator is eligible to be authenticated. If so, the trustee signs the envelopeon the outside of the envelope. Of course, the carbon paper passes the signaturedown to the message. Since it is invisible what is inside, the signing of the messagehappens blindly. Afterwards the message is returned. After unblinding by removing

24

Page 35: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

4.2 Building Blocks of RIV

the envelope the sender gets a message signed by the trustee. Blinded signatures arethe digital equivalent of this procedure. In the case of a voting scenario, the messageis of course a ballot. It can now be filled out and returned to a tallier.

According to Chaum [Cha83] blind signatures require� A signing function s with a publicly known inverse s’ so that s′(s(x)) = x.Additionally it should not be possible to derive s from s’.� A blinding function b with an inverse b’ such that b′(s(b(x))) = s(x). It isimportant that b and b’ are only known to the originator. Furthermore, it isimportant that s and b(x) reveal nothing about x.

As one example, RSA can be used as a procedure for blind signatures. Traditionally,the RSA signature is built as follows

md mod n

where d is the secret factor, n the RSA module and m the plaintext message. Thematching public factor is called e. The calculation of d and e requires that thefollowing holds3:

de ≡ 1 mod n (4.1)

For a blind signature a random factor r (with r ∈ Zn), is used that is a relativeprime to n. Therefore the greatest common divisor (gcd) of both has to be equal toone.

gcd(r, n) = 1

Next the blinding factor bf is calculated by taking r to the power of e.

bf = re

In order to blind the message the voter multiplies the message with the blindingfactor.

m′ ≡ m · re mod n

Then the voter sends m’ to the signing authority, where it is signed with thecorresponding private key.

3See [Buc04] for details on the calculation.

25

Page 36: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

4 Cryptographic Techniques

s′ ≡ (m′)d mod n

The resulting s’ is equivalent to the signed inner envelope. It is returned to theoriginator. To remove the envelope the voter multiplies s’ with the inverse of r.

s ≡ s′ · r−1 mod n

The voter has now succeeded in obtaining the true signature s of m. As a result,the voter’s message has a signature the voter could not have constructed on his ownbecause it is subject to the signer’s secret key d. The scheme’s security is subjectto the hardness of factoring module n into its primes. The signature scheme is blindsince r is random. It does not allow the signer to learn about the message even if hecan solve the underlying hard problems.

Because of (4.1) the correctness of the above assumptions can be shown:

s ≡ s′ · r−1 ≡ (m′)d · r−1 ≡ md · rde · r−1 ≡ md · r · r−1 ≡ md mod n

As mentioned above, RSA relies on factoring being mathematically hard. Newforms of computing as well as the finding of an easier mechanism to solve this problemmight eventually make classic cryptographic mechanisms useless. For informationabout blind signature schemes based on the hardness of other problems the reader isrefered to [Nau07]. Further information about implementing blind signatures can beobtained from [FOO93].

4.2.4 Homomorphic Encryption

Homomorphic encryption for anonymous voting was introduced by Benaloh [Ben87].The basic concept is to publish the signed and encrypted ballots together with a proofof validity. After the verification of signature and proof an encrypted sum of all votescan be obtained by taking advantage of the homomorphic property. Afterwards, thefinal tally can be decrypted by the tallying server. This procedure effectively hidesthe contents of the original ballots while providing a publicly computable tally.

A homomorphism is the mapping between two algebraic structures (e.g. groups,rings or vector spaces) preserving the original structure. Several different homomor-phisms are known. The most well-known is the group homomorphism with the basicrules as defined below.

Let (G,⊕) and (H,⊗) be two groups. Now a function h : G → H is needed suchthat for all u and v in G it holds that

26

Page 37: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

4.2 Building Blocks of RIV

h(u ⊕ v) = h(u) ⊗ h(v)

.

From this property, one can deduce that h maps the identity element eG of G tothe identity element eH of H, and it also maps the Inverse of G to the Inverse of Hin the sense that h(u−1) = h(u)−1. Hence one can say that h ’is compatible with thegroup structure’.

As an example (R, +) and (R+, ·) are chosen as our groups and ex : (R, +) → (R+, ·)as the function that transfers R into R

+. Now the following equation has to hold.

∀u, v ∈ R :

eu+v = eu · ev

For the sake of completeness, two things have to be added: We have to show thatthe identity element exists in both groups and that the encryption maps the Inverseof R to the Inverse of R

+. Here, the identity element eR+ = 1 and the identity elementeR = 0 (since adding 0 and multiplying with 1 simply has no effect for the membersof R and R

+).

1. e0 = e0 · 1 = e0 · e0 · (e0)−1

= e(0+0) · (e0)−1

= e0 · (e0)−1

= 1

2. e(−m) = e(−m) · em · (em)−1

= e(−m+m) · (e0)−1

= e0 · (e0)−1

= (e0)−1

Now let M be the group of all plaintext messages (or filled-out ballots) with thegroup operation ∗. Analogous C is the group of all encrypted messages with the groupoperation •. An encryption scheme is called (∗, •)-homomorph if the following holdsfor all plaintexts m ∈ M , encryption functions E, keys k and encryptions E(m) ∈ C.

∀m1, m2 ∈ M :

E(m1 ∗ m2) = E(m1) • E(m2)

The homomorphic encryption can be illustrated by using RSA as the encryptionfunction.

For (M, ·) let M be the set of plaintext messages. The group order here is |G| = n.Encryption with public key e transfers M into (C, ·), the resulting set of encryptedmessages. Again, m1, m2 ∈ M represent two plaintext messages with the matchingencryptions c1, c2 ∈ C:

c1 = m1e mod n and c2 = m2

e mod n

27

Page 38: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

4 Cryptographic Techniques

Then the multiplication of the encrypted messages is an encryption of the multipliedplaintext messages:

c1 · c2 = m1e · m2

e mod n

During this example the operations of both groups are defined as multiplication bycomponents. Indeed can ⊕ and ⊗ be the same operation.

For election systems, a scheme where the encrypted votes are added is preferred.The main advantage of an additive homomorphism is the operational characteristicof the shortest runtime. See [Sch07b] for more details upon this.

The essence of this section was the definition of different communication chan-nels and the illustration of the most important cryptographic techniques that areused as building blocks for RIV. Mixnets as well as homomorphic encryption succeedto achieve anonymity in differing ways. Blind signatures follow a slightly differentapproach by providing anonymous authenticity. Further threshold encryption wasproposed as a mechanism to make voting schemes more robust.

28

Page 39: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5 Current Employment of RIV

This chapter describes the most recent events in the context of adopting RIV forreal elections. The first part deals with happenings on the supranational level of theEuropean Union such as the CyberVote Project and Council of Europe’s Recommen-dations for e-voting in general. The succeeding part will go into the details of nationalprograms of RIV. We chose Estonia, Switzerland, the Netherlands and Great Britainbecause these countries already run more or less advanced programs. Additionallythe United States were examined because they already acted as a pioneer in the con-text of voting machines. These countries will be looked at relating to reasons forintroduction, type of elections during which RIV was used, applied voting protocolsand gained experiences.

5.1 Europe

5.1.1 CyberVote Project

The CyberVote Project [Pro03a] was launched by the European Commission (EC)in September 2000. It was partially funded by the EC and aimed at demonstratingthe possibility of fully verifiable online elections guaranteeing absolute privacy of thevotes and using fixed and mobile internet terminals. The project’s objective was tocontribute to the development of a democracy in Europe by enabling the use of a mod-ern electronic voting system. Another goal was to implement a trustworthy e-votingprotocol which could be integrated to existing infrastructures for the identification ofvoters.

The CyberVote design was driven by solutions which had to allow the user au-thentication while guaranteeing the ballot’s secrecy, sanctity and integrity, on theone hand, as well as the voter’s freedom of expression, the user-friendliness and theacceptability of the system on the other hand.

The project was carried out by a consortium and involved partners from industry(EADS Matra Systemes & Information of France, Nokia Research Centre of Finland,British Telecommunications of the United Kingdom), universities (K.U.Leuven Re-search & Development of Belgium, Technische Universiteit Eindhoven of the Nether-

29

Page 40: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5 Current Employment of RIV

lands) and potential users (Freie Hansestadt Bremen of Germany, Mairie d’Issy-les-Moulineaux of France, Kista Stadsdelsnamnd of Sweden).

The final voting system is a homomorphic public-key threshold encryption scheme.It is able to handle multiple and concurrent elections and different versions of cryp-tographic protocols. Voters’ identification is handled through smartcards or a loginwith secret PIN codes. The software was implemented in Java and HTML to comeup with a platform independent voting application. The voting itself was possiblethrough internet connected computers, java enabled mobile phones and PDAs.

After the development of the voting system the CyberVote project involved itstesting in different elections in 2002/2003. The first test was held in December 2002in the French town of Issy-les-Moulineaux. The second test took place in Germanyin January 2003 at the University of Bremen. The trial covered the elections of thethree representative bodies of the University. The turnout of internet votes was quitelow during both elections. The last test took place in the Swedish city of Kista.The target audience were elderly citizens. Much work was needed to attract thesevoters. Although the trial was open all day for an entire week, roughly 200 votersparticipated in the electronic voting. In July 2003, the CyberVote project has endedofficially. According to the final report the pilot elections encountered only minorproblems1 but the overall achievement of the project was successful.

However, an intermediate report stresses the vulnerability of voting clients to differ-ent groups of malware that might affect the voting software, or allow remote controlof the client, or allow an intruder to get access to the computer’s screen and keyboard[Pro03b].

5.1.2 Council of Europe’s Recommendations

The Council of Europe (CoE) is an organization of 46 member states, from in andaround Europe. It is not directly connected to the European Union (EU), thoughall current EU member-states are members of the CoE. According to its statute theaim of the CoE is to ’achieve a greater unity between its members for the purposeof safeguarding and realizing the ideals and principles of their common heritage andfacilitating their economic and social progress’ [oE07]. In terms of voting the CoEhas the clear purpose in protecting democracy, the rule of law, and human rights.

The Recommendations [oE04] were adopted by the Committee of Ministers inSeptember 2004 and set out a blueprint for governments currently using or plan-ning to use e-voting for elections and referendums. It is based on the experience

1Primarily due to trouble with the Java Runtime Environment (JRE) a compatibility test with aMac was not successful during trial in Kista.

30

Page 41: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5.2 Country Reports

gained by Member States during pilot projects as well as on knowledge from legaland technical experts.

The main aspects are common-sense and include the following:� e-voting shall respect all the principles of democratic elections and shall be asreliable and secure as elections which do not use electronic means.� the interconnection between the legal, operational and technical aspects of e-voting set out in the Recommendations must be taken into account on applica-tion.� while they are not required to change their voting procedures, Member Statesshould consider reviewing their relevant domestic legislation in the light of therecommendation.

Although it is not binding, the recommendation, described by the CoE as ’thefirst international legal text on e-voting’, is nonetheless a valid and internationallyagreed point of reference in terms of emerging e-voting standards and the generalrequirements for implementing e-voting systems. It clearly calls on the governmentsof the Member States to ensure that their e-voting systems meet the standards andrequirements set out in the three appendices of the Recommendations relating tolegal, operational and technical aspects. It is particularly stressed that in case ofe-voting the voter must be able to obtain some sort of confirmation for his vote. Alsoit should be possible for the voter to correct it if necessary without the secrecy of theballot being violated.

The CoE standards are not ambitious in the sense that they do not aim to meetparticularly challenging quality criteria. In fact, the specific role of the Recommen-dations are stated in a generic form. In their analysis McGaley and Gibson [MG04]criticize the Recommendations because of their lack of adhering to the propertiesof requirement models in software design. From a software engineer’s view over-and under-specifications result in too concrete and abstract regulations. In addition,redundancy and repetitions increase the risk of the underlying requirements modelbeing misunderstood.

5.2 Country Reports

5.2.1 Switzerland

The voting participation in Switzerland averaged to 58 % from 1945 to 1997. Thisnumber represents one of the lowest turnouts of democratic countries [Noh07]. From1967 until today it declined in a percentage of 10 %. The possibility of mobilizing

31

Page 42: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5 Current Employment of RIV

especially young people to take part in elections is one of the main motivations forthe country’s work and interest in RIV [dMV07]. Another reason that supports thisproject is the fact that Swiss citizens vote four to five times a year, sometimes evenmore. Through its various elections and referendums the system of ’direct democracy’asks for this. In this context it seems more comfortable for the citizens to vote at arandom place and in a given time period.

The work on RIV in Switzerland began in 2000 with the appointment of a workinggroup led by the Federal Chancellery (consisting of representatives from the Fed-eral Government, the cantons, and computer experts). Its intention was to discussthe topics of electronic administration (’guichet virtuel’) as well as remote electronicvoting (’vote electronique’) [Ker04]. The electronic voting group was supposed to in-vestigate chances and risks of RIV. Further goals of the working group consisted of theharmonization of voters’ registration as a fundamental prerequisite, the organizationof pilot projects for electronic elections, the search for methods of implementation forthe electronic signing of referendums, and ways for the proposing of candidates. TheFederal Chancellery authorized the three participating cantons (by name Geneva,Neuchatel and Zurich) to conduct several pilots during national referendums basedon a legal basis respecting the Council of Europe’s Recommendations [Ker04]. Thetrials follow a similar scheme, which is a system of prior voter identification whereevery person entitled to vote is sent a random secret by mail. These secrets are savedanonymously and are used for the authentication of the voter during the election. Asa result, the encrypted ballot is only saved and counted if the secret is valid and hasnot already been used for a prior vote. This method by itself ensures the anonymityof the voting act because no one knows the mapping between voter and secret ex-cept the voter himself [VK06]. A complete technical description of the used votingprotocol has not been published. But a general description [dMV07] implies that theprotocols of Zurich and Geneva both rely on anonymous channels based on mixnets.

Geneva was the first canton that tested RIV. It took place in the borough of Anieresin 2003 and especially benefited from Geneva’s pre-existing central voting registers.Since then the canton held seven additional trials. Currently the usage of RIV is onlyintended as an additional voting method [oG07a].

For the pilot project in the canton of Zurich the first step consisted of establishing adigital and central register of eligible voters for the entire canton. The sent out secretis written on the voter’s polling card and protected by a seal. The polling card withits information grants access to the voting system. Then an electronic ballot papercan be filled in. By entering the secret code the vote is effectively transmitted anddeposited. The voting scheme of Zurich also makes use of code voting. Here the voterdoes not vote by choosing the name of a candidate. Rather one chooses a number froman individual and personalized code table included on the polling card and receivedvia mail. These tables are freshly generated for each election. Zurich uses code voting

32

Page 43: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5.2 Country Reports

only for the purpose of encryption via mobile phones. A demonstration of its votingscheme can be found at [oZ07]. In general code voting presents an interesting methodto prevent election fraud over insecure client platforms and will be further explainedin Chapter 8.2. The first test during a national referendum took place in 2005. On theoccasion of a confederated referendum, Zurich executed further testings of its votingscheme in chosen voting districts in June 2007. This was the third time that RIV wasapplied during a confederated referendum. Eligible voters were able to chose betweencasting a vote traditionally, or electronically by using RIV or sending a message fromtheir mobile phones. According to its organizers the pilot experiments succeededwithout special occurrences [Bun06].

Neuenburg held pilots of RIV during the same referendum. It represented the fifthapplication of the system within the scope of a confederated referendum. The firsttest took place in 2005. The canton’s citizens entitled to vote had the possibility tocast their vote traditionally or electronically by using RIV. Neuenburg also intendsto establish RIV as a third alternative to the traditional ways of voting. Thereforepeople who want to take part in it must register in time through an official internetportal (’Guichet Unique’) that offers other services as well [Spe07].

Results

The pilot trials in Switzerland were evaluated several times and under different as-pects. Already in 2002 the chancellery of the state of Geneva published the finalreport of the committee that was appointed to evaluate the security of the applica-tion of RIV [Bun02]. Its result was that the pilots had a reasonable level of security.At the same time it stressed the problems of server authenticity and platform security.The chancellery then appointed the expert Rolf Opplinger to study and comment onthe suggestions made in the committee report. According to him the secure platformproblem is known to be hard in the scientific community where an implementationof RIV on a larger scale and in a sufficiently secure way is not regarded as feasible.For this reason Opplinger advised different mechanisms to secure the platforms someof which already found partial realization in the voting system of Geneva [Opp02].The Swiss system, however, has been criticized for its use of proprietary softwareand for the ease of allowing coercion and vote-selling. Nevertheless Swiss officialsdraw a positive conclusion based on their pilot trials of secure RIV being possible.Still this conclusion bears some risks as the evaluation also states that the ongoingsecurity depends on maintaining control of continually changing threats and risks.Potential risks and sources of danger still exist in hackers, viruses, Trojan horses orthe like [Bun06]. They demand further methods of protection from the voter. Sincethe threats are continually changing the security measures also have to be continuallyimproved (which again results in increasing personal costs) [BB06].

33

Page 44: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5 Current Employment of RIV

For the future, the Swiss government is determined to continue further testings ofthe e-voting project. According to a new law pilots are limited to a maximum of 10%of entitled voters until 2011. At the same time the government demands from thecantons to create a country-wide register for enlisted voters in order to enable RIVfor the Swiss citizens living abroad until 2009 [Wil07].

5.2.2 Estonia

The basis for the application of RIV in Estonia is its infrastructure of free internetusage for every citizen established in 1999, and the nationwide public key infrastruc-ture consisting of a distribution of identification cards that enable a secure storage ofprivate keys and binding digital signatures. In 2005, Estonia for the first time offeredthe possibility of RIV to its citizens during local elections [Thi07]. Every Estoniancould choose it as an additional method of voting. As this was the first time RIV wasused for binding elections, there was an enormous response by observers. Afterwardstwo Estonian parties objected RIV for the reason that the secrecy of the vote couldnot be ensured and that the system was not transparent. But their criticism did notprevent further application. In March 2007, the next step was taken by the usageduring the Riigikogu (parliamentary) election. It represents the first usage of RIV ina binding countrywide election so far. Of course one has to keep an eye on the basiclocal parameters. Estonia is a very small country with a total of 1.3 million inhab-itants (approximately the size of Munich). According to [UMM06] the motivationfor RIV in Estonia is, due to a low participation rate, to create an additional vot-ing method with the aim of increasing the voter turnout (similar as in Switzerland)besides fighting a possible political alienation.

Specifically the scheme has the following features. The legislation offers all voterswith digitally enabled ID cards the possibility to cast their votes in an advance votingperiod (from six to four days before the election day). During this period an inter-esting security feature is provided by giving the voters’ the opportunity of castingmultiple ballots. The Estonian election law provides e-voters with the right to altera vote that was cast by electronic means infinitely with additional electronic votes.This presents an evident security feature since e-voters whose voting act is disturbedby a person trying to gain influence on their decision now have the possibility tosimply cast another vote. A timestamp indicates the latest cast. New problems arisethrough the necessity of verifiable timestamps. But Estonian law still guarantees theprimacy of the paper ballot. This can be seen by the fact that a cast paper balloton election day overrides all previous electronic votes. We will take a closer look atmultiple casts in Chapter 8.3.

The Estonian scheme as described by [OSC07a] and [Com05] makes use of the socalled envelope method. First the voter’s ID card must be inserted into a smart card

34

Page 45: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5.2 Country Reports

reader. To proceed, the voter inputs a first personal code (PIN1). Upon voting avoter makes a choice that is encoded with the public key of the election server. Thispresents the inner envelope. Next the voter must approve his choice by digital signing,thus providing the outer envelope. Therefore the voter must enter a second personalcode (PIN2). The signed and encoded vote is stored until the election day, with theaim of ascertaining that the person has cast only one vote. After this is checkedand repeated votes have been eliminated the outer envelopes (digital signatures) areseparated from the inner envelopes (encrypted votes). During this step voter lists arecompiled from the outer envelopes. Inner envelopes (which are not associated withthe identity of the voter anymore) are forwarded to the tallying computer that hasthe decryption key of the system. Because of its particular importance the server isnot connected to the internet. Assurance of the voter’s anonymity is only providedby the fact that the signatures on the votes are removed before they are passed tothe tallying instance. For this reason the National Electoral Committee stresses thatat no point a party is supposed to be in possession of the digitally signed e-vote andthe private key of the system [Com05].

Results

From a technological point of view the secret used for authentication purposes inEstonia consists of several elements (hybrid authentication). Here the authenticationconsists of possession (of the smartcard) and knowledge (PIN numbers). Togetherthey are more secure than an authentication scheme that relies on either one. Thiscan be seen as a big advantage in comparison to the Swiss method of authentication.

Madise and Martens [UMM06] point out that the layout of the scheme also hasthe theoretical drawback of providing privacy only to a certain extent. This is thecase because, due to the open signature, there is no way of keeping it secret if aperson has voted or not. In practice this presents no problem since the fact whethera person entitled to vote did participate in voting is not regarded as a part of theprinciple of secrecy. Voter lists that contain information about participation andchosen voting method are preserved in the archive and can be accessed (countries withcompulsory voting might favor voting schemes with this functionality). Furthermoreit is stated that the major risks for RIV are various attacks that could be usedto compromise the voting results, to break the voter’s anonymity, or to interruptthe elections. The vulnerabilities behind these attacks arise from the fundamentalproperties of the internet architecture and current PCs. Also seemingly successful,e-voting trials usually do not prove the security of the system. This is justified bythe fact that it is difficult to prove that no security breach has occurred and, if noneoccurred, successful trials cannot eliminate security risks for future elections.

The question of this new possibility’s effect on the voter turnout cannot be clearly

35

Page 46: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5 Current Employment of RIV

answered. The reports for the Council of Europe were based on a telephone surveyafter the elections in 2005/2007 and conducted concomitantly with the elections. Theprior one concludes that RIV will probably not motivate those people who principallydo not participate in any voting act. Still it proclaims that a slight increase of turnoutmight be possible. If this is the case, it must be assumed it does so only within thosegroups of voters that vote occasionally [Tre05]. In 2007 the follow-up report comesup with the estimated figure of a possible 0.5% lower turnout without the featureof RIV. This estimation is based on the figures of 5.4% e-voters of all participatingvoters (opposed to 1.9% in 2005) and the result of the survey saying that roughlyone tenth of the e-voters would not have voted without having had the possibility tovote by internet. Consequently it did not present a significant impact on the overallturnout [Tre07].

5.2.3 The Netherlands

The Remote Voting Project in the Netherlands (in Dutch: ’Kiezen op Afstand’) waskicked off by the Dutch Ministry of the Interior and Kingdom Relations in 2000.Intentionally the project was supposed to facilitate voting for the Dutch citizensby two experiments. The first one intended to enable voting in any polling stationwithin a voter’s municipality (’Stemmen in een willekeurig stemlokaal’). Instead ofthe former informative polling card the voter now received an indispensable one. Sincethe passport was not sufficient to vote at someone’s own polling station anymore thepolling card really was indispensable. For the present thesis the second experimentis significantly more interesting because it deals with the implementation of internetvoting for the Dutch voters abroad.

The first use of RIV in the Netherlands took place during the elections for theEuropean Parliament in 2004 where a proprietary voting application was utilized. Atthe Dutch parliamentary elections in November 2006 RIV was applied for the secondtime. But this time the Rijnland Internet Election System (RIES) was used. Theproperty of voters being able to check their vote and everybody being able to checkthe final outcome makes RIES transparent and presents a major advantage over theprior. Nevertheless, RIV was strictly limited to expatriates who were requested toexplicitly register in advance (meanwhile the regular postal way of voting was alsoavailable to Dutch citizens living abroad as well as posting a ballot through a proxy).The time period for the registration ended two month prior to the actual electionday. RIES was developed for usage during the Rijnland Water Board elections. Theboards administrate all matters dealing with water politics (building of dikes, waterquality and the like) and do not depend on the electoral law. Their decisions are ofessential significance concerning the threat of floods. Contrary to its importance, theelections to the Rijnland Water Board traditionally have a very low turnout because

36

Page 47: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5.2 Country Reports

citizens seem not to be fully aware of the actual impact on their everyday life. In 2004RIES was used for the first time during the Water Board elections in the provincesof ’Rijnland’ and ’De Dommel’.

Technically RIES is based on the use of hash functions. Before the election a pre-election table (reference table) is published containing, for each voter, key-less hashesof all possible votes and their linking to the candidates. At one point the voterreceives a voting code for authentication by post. After entering it one can choosethe political party of choice and a candidate from this party. This is possible during acertain time period prior to the election day. During the election a post-election tableis created. First the voters have to hash their votes, this time using their personalsecret keys. This results in a so called technical vote. The technical votes are sent tothe vote server who is going to publish them. Additionally the voter is recommendedto save a personal version for verification purposes. The vote server can now build akey-less hash of the technical votes and use them for building the post-election table.Afterwards it will also be published. A voter can verify his own vote by checkingif the technical vote appears on the post-election table. It is also possible to see ifit appears as a vote for the chosen candidate. For the final calculation it has to bechecked if a hash appears in the reference table. If it does, the vote is valid and theindicated candidate’s sum can be incremented. Anybody who cares to download thepre- and post-election tables may independently count the votes. Thus, a vote thathas been registered wrongly, or not at all, can be detected. Given the received votes,an incorrect result can be detected as well. Additional technical information aboutRIES can be found in [HJP05] and [Kru06].

Results

Hubbers et al. [HJP05] mention several threats in their summary. First of all thecompany that designed the scheme plays the role of an authority and generates thesecret keys. According to the creator of the survey compartmentalization or a strongerseparation of powers should be accomplished by having more parties taking overresponsibilities. Especially the key management process should be accomplished ina distributed way. Also the keys must be destroyed at the right time in order toprevent misuse. Another serious threat is seen in malware on the voter’s PC that canmodify the votes (even so fraud can be detected). An alternative to protect againstsuch malware is seen by the usage of candidate identities that are different for eachvoter (code sheets). In response to this security problem the Dutch governmentcommissioned the development of an open-source voting system in 2003/2004 thatwas based on code sheets [KMC+05]. Trying to manipulate a vote now the malwaredoes not know how to select the desired option. Code Voting will be covered moreprecisely in Chapter 8.2.

37

Page 48: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5 Current Employment of RIV

The OSCE Assessment [OSC07b] of RIES found broad consensus amongst both, de-velopers and critics of electronic voting. Besides the threats named above it criticizesthat designers surrender protection against coercion in favor of greater transparency.Possessing a voter’s authorization code and technical vote anyone can determine theactual vote. It concludes that RIES is not a suitable system for the possible expansionof RIV to the general population and encourages the development of an open sourceversion free of proprietary issues and secret functionality.

The Dutch elections make it very hard to come up with a result regarding the voterturnout. The Rijnland Water Board elections suffered a historically low turnout whileusing RIV in 2003 and 2004. It decreased to 17% in ’Rijnland’ of which 31% votedvia the internet. ’De Dommel’ showed a similar turnout.

Altogether the Dutch Electoral Commission seems to have experimented with RIVin a careful way [PvH07]. A commission for the development of the future electoralprocess was appointed. It recommends the Ministry of the Interior and KingdomRelations to make RIV the regular voting method for expatriates only. In its reportthe commission arguments that during the trials it was found to improve access.Additionally it says that ’a large majority of these voters explicitly wishes to voteusing the internet’ and that ’postal voting should be retained for those Dutch citizenswho do not have internet access or are unable or unwilling to use it’ [Com07a].Currently there exists no plan to apply RIV for binding elections on a countrywideperspective in the nearer future.

5.2.4 Great Britain

The British government started exploring the options of RIV in 2002. The mainmotivation for this, besides the lowering of costs, an increased turnout and betteraccuracy, was to provide the voters with more choices to cast their ballots. In orderto hold pilots local authorities have to submit proposals. After a review the Secretaryof State for Justice decides which proposals are accepted. Additionally a federalElectoral Commission was assigned to review the administration and processing ofelections, including every electoral pilot scheme. In order to support further pilotswith RIV, the Commission emphasized that a wider enrollment of these methods inGreat Britain should only become possible after security and reliability have beenfully tested and proven, and can command a wide public confidence. Additionally,the necessary costs for a secure and reliable system must lie within a frame whichcould reasonably be met. Furthermore, the Commission demands from the testedsystems to increase the transparency of the solutions adopted in order to ensurecontinued stakeholder acceptance of the technology, and to follow a centrally managedaccreditation and certification process to provide independent assurance of e-votingsolutions. This is supposed to enable local authorities to make a well-informed choice

38

Page 49: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5.2 Country Reports

regarding the use.

First pilots were held in the following years. In 2002, pilots of RIV were onlyconducted in a small number of wards of 14 local authorities. Following these testruns the Communications-Electronics Security Group (CESG) conducted a securitystudy that came up with a solution that does not rely on trust in client systems.The solution consisted of pre-encrypted ballots based on a full implementation ofcode sheets as presented in Chapter 8.2. The pilots of 2003, conducted authority-wide pilots, based on a larger number of participants, and partly implemented theproposals of the CESG. However, the full implementation was only used for remotevoting via mobile phones. For the usage of RIV the voter had to select an optionfrom a rendered representation of the ballot in his browser. Later on this option wastranslated into a code. As a result the intended protection against malicious softwarewas not accomplished [Com03].

In the run-up to the local government elections in 2007 seven applications for pilotsusing RIV were received. According to the final report of the Electoral Commissionseveral applications already demonstrated insufficient understanding of importantsecurity issues in this early stage (especially lack of documentation as well as effectiveproject and risk management plans). Afterwards local authorities were notified ofthese concerns and had to address them. Finally, after the Electoral Commission wassatisfied, pilot schemes in the five councils of ’Rushmoor’, ’Sheffield’, ’Shrewsbury &Atcham’, ’Southbucks’ and ’Swindon’ were approved. All of them involved the useof a paper-based pre-registration process in which electors had to provide personalidentifiers in order to be issued with the credentials for RIV. Swindon was the onlycouncil that piloted the use of supervised, networked electronic facilities at pollingstations and allowed electors to vote at any polling station within the borough. Theintended learning from these pilots focused on building up the evidence gained fromthe 2003 pilots and on assessing the impact of requiring electors to provide personalidentifiers in order to register [Com07c].

Results

All pilots relied on proprietary software with its source code being unavailable in time.This is why the certification did not provide any measures to increase the transparencyof the voting system (due to the lack of verifiable checkpoints or audit trails). Thelack of certain certification steps for the systems and their operation meant that thetechnology’s validity had to be taken for granted. The evaluation of the pilots in2007 by the Electoral Commission classifies this as a major shortcoming. In spiteof variations between the different pilots, the quality and testing procedures werefound to be inadequate in all cases. Significant quality management failings includedthe lack of evidence concerning effective configuration management, comprehensive

39

Page 50: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5 Current Employment of RIV

testing, strong technical development processes or detailed design documentation.Best practice in security governance was not followed and the security assurance wasbelow the one associated with typical governmental IT projects.

The report also lists that it is not feasible for local authorities themselves to realizethe degree of scrutiny required to achieve sufficient security assurance in terms oftimescales, costs or the type and level of required resources. Therefore a significantcentrally guided evaluation and testing provided outside the context of an election isindispensable. This would be achieved best through the provision of an accreditationand certification scheme. The certification process should involve an evaluation oftechnology, including a more detailed design, or code review, for critical componentsof the system. Further investigation is required to identify the optimum approachand level of detail to be undertaken in this field. Extensive testing is required, in-cluding the conduct of a mock election, suitability and accessibility testing, securitypenetration testing of the standard configuration as well as volume and stress testing.

But the Commission finds that even with the implementation of commercial bestpractice security methods and assurance, there are residual risks associated with theuse of remote e-voting channels compared to other remote voting channels. Theseprincipal risks include:� the compromise of voting devices, such as home computers, by viruses or other

malicious software� attacks by people with privileged access to the system, either system develop-ers or system administrators (this is also a significant risk for supervised RIVchannels)� DoS attacks, which can have a particularly high impact given the shorttimescales associated with elections

Summing up the findings of the Electoral Commission’s evaluation in [Com07c],the 2007 pilots seemed to work. But the level of risk placed on the availabilityand integrity of the electoral process was unacceptably high. There are wider issues(related to the underlying security and transparency) that need to be addressed inorder for the benefits of pilots to take effect. One specific point of criticism stressedby the Commission is the absence of a clear strategy. This lead to the situation thatpromising attempts (such as the usage of pre-encryption and independent verificationservices) resulting from the previous evaluation of the 2003 pilots, have not beentried out any further. Therefore, the Commission currently does not recommend theconduction of further pilots [Com07b].

40

Page 51: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5.2 Country Reports

5.2.5 United States

The U.S. Department of Defense kicked of the Federal Voting Assistance Program(FVAP) in 1986. Its mission was to reduce the barriers of registration and voting forAmerican citizens who reside outside of the USA, especially military personnel andtheir dependents. Both groups are covered by the Uniformed and Overseas CitizensAbsentee Voting Act (UOCAVA). There are different reasons for the American in-terest in RIV [JRSW04]. Applying for registration forms and absentee ballots fromthe home county, receiving them, and then sending them back is a time-consumingand unreliable process, and must be accomplished in a timely manner to avoid legaldeadlines. The process is especially hard for people who are mobile, or who are lo-cated at places with a poor mail service. This partly applies to a large amount ofAmerican soldiers based in different regions of the world. Furthermore, due to theU.S. system of majority voting (similar to Great Britain) past elections have shownthe importance of accurate and verifiable counting. Sometimes some hundred voteseffect the outcome of an entire election [Way01].

One of the first studies of RIV was conducted by the California Internet VotingTask Force (CIVTF) that was commissioned by the Secretary of State in the year 2000[For00]. It was also the first one to clearly articulate numerous security problems ingeneral. The Secure Electronic Registration and Voting Experiment (SERVE) was thefollow-up of a previous FVAP voting system called Voting Over the Internet (VOI).VOI ignored key parts of the internet voting security problem by completely excludingthe citizen’s workstation from the security perimeter of the system. A report on VOIpublished by the FVAP in 2001 recommended to continue the research for adequatesecurity measures to counteract especially the malicious software threat and denialof service attempts. Disregarding the fact that 4 years after 2000 many securityproblems mentioned by the CIVTF remained unsolved, and ignoring the result fromthe VOI report, officials seriously considered SERVE [JRSW04].

SERVE was designed for deployment during the 2004 primary and general elections.Its name (especially the term experiment) is misleading since it was intended for thecounting of real votes and not just a trial. It was planned to restrict it to overseasvoters and military personnel and additionally limit it to people who vote in one of 50counties in the seven participating states (Arkansas, Florida, Hawaii, North Carolina,South Carolina, Utah, and Washington). The program was expected to handle up to100,000 votes over the course of the year, including both, primaries and the generalelection (By comparison, approximately 100 million votes have been totally cast in the2000 general election). But the eventual goal of SERVE was to determine a similarsystem to be suitable for the future expansion to the entire population of eligibleoverseas citizens, plus military personnel and their dependents. This population isestimated to number about 6 million, so the 2004 SERVE deployment must be judgedas a prototype for a very large possible future system.

41

Page 52: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5 Current Employment of RIV

To participate in SERVE, an entitled voter first had to enroll, which had to be doneelectronically if the voter was in possession of suitable military ID, or by presentingsuitable citizenship and ID documents face-to-face to a trusted agent (e.g. some sortof official person similar to that of a notary public). Then, before being able to vote,the voter had to register. Registration and voting were possible in one or two shortsessions from any PC connected to the internet. Requirements for participating werea Microsoft Windows operating system, a web browser, JavaScript, either Java orActiveX scripting, and additionally it had to permit session cookies. SERVE wasdesigned as a web-based service. After establishing a connection voters were ableto register and vote through the web interface. SERVE required direct interactionbetween the voting service and the Local Election Official (LEO) in the voters’ homeprecincts. Thus, when people registered to vote, their information was stored on thecentral web server for the purpose of a later download by the LEO (for an update ofits database). After a vote was cast the completed ballots were stored on the cen-tral server, and later downloaded by the LEO, who stored it for later canvass. Thecommunication between the user’s web browser and the voting application on thecentral server was protected by using the encryption and authentication built intothe Secure Socket Layer (SSL) protocol. Once that connection was established, anActiveX control was downloaded to the voter’s PC, because the voting applicationrequired functionality that was not available in current standard browsers. For Inter-net Explorer users, the ActiveX control ran natively on the voter’s machine. For allothers a Java applet ran to interpret the ActiveX.

In 2003 the FVAP assembled the Security Peer Review Group (SPRG) consistingof a group of experts in computerized election security, whose job was to evaluate thescheme of SERVE. Their report, published in 2004, consisted of technical criticismof the scheme, and over and above criticism of the entire project [JRSW04]. Afterthe findings were published in the Washington Post the Pentagon discontinued theproject [Kea07]. Nevertheless, an expansion of the usage of RIV technology for theUOCAVA citizens is still intended by the Department of Defense. As a new project theIntegrated Voting Alternative Site (IVAS) allowed eligible absentee voters to requestand receive their absentee ballots over the internet. Taking part in it the votercould request a ballot via a secure connection to the IVAS website. After the LEOapproved the request, IVAS notified the voter via email that the ballot was availableto download. Next the voter could download and print the ballot, mark it by handand return it by mail to the LEO. IVAS was applied in the general elections in 2004and 2006. In 2007, a report published by Department of Defense compliments IVASand calls the development of a secure RIV scheme possible without mentioning thefundamental criticism of VOI and SERVE [oD07]. However, IVAS does not provideany mechanisms to encrypt or authenticate ballots. Therefore Jefferson et al. call itless secure than SERVE [JRS07]. In the same report they repeat the arguments of2004, most importantly saying that the described vulnerabilities ’are fundamental in

42

Page 53: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5.3 Discussion

the architecture of the internet and of PCs and their software’.

Results

Evaluating SERVE, the SPRG found many possible vulnerabilities that could enableattacks on the system. They ranged from the closed software and a lacking of VVPTto a variety of cyber attacks such as insider attacks, DoS attacks, spoofing, automatedvote buying, or viral attacks on voters’ PCs. The group estimated the most seriousattacks to be very easy to perpetrate. Since the problems were based on the natureof the system they did not recommend an overhaul. The great danger of a successfullarge-scale attack lead to their recommendation of shutting down the developmentof SERVE instead, and not attempting anything like it in the future until both theinternet and home computer infrastructure had been fundamentally redesigned. Thisrecommendation was repeated by Jefferson et al. in 2007 clarifying the fact that themost dangerous vulnerabilities apply to every RIV scheme because the weaknesses’cannot be eliminated for the foreseeable future and it is quite likely that they willnever be eliminated without a wholesale redesign and replacement of much of thehardware and software security systems that are part of, or connected to, today’sinternet’.

5.3 Discussion

As the different experiences of countries with RIV in trials and binding electionshave shown, a state of secure and reliable application has not been reached so far.All countries’ schemes had in common that the source code was not available to thepublic. Therefore the transparency of the voting system, commonly an importantnecessity for people’s trust, could only be partly established. That was the case for theelections in Estonia as well as for the trials in Holland, Great Britain and Switzerlandand one of the reasons for the abandonment of SERVE in the USA. Since the firms whodesigned the voting schemes in Great Britain and Switzerland were separately chosenby each of the regarding counties there was no common level of security. Anyway,Rivest [Riv02] states there are also advantages to a variety of voting technologieswithin the same country. The first argument is that they provide resistance to anadversary’s attack, as there is no common point of vulnerability for the whole system.Secondly ways are needed to gain experience with new voting systems. One goodway is to allow individual counties to experiment with techniques that are differentfrom the state-wide norms. Another problem is the concentrated knowledge of ascheme and its important secrets (like decryption keys) as seen in Holland. It isnot tolerable that the public must trust the vendors without any possibilities of

43

Page 54: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

5 Current Employment of RIV

verification. Additionally, insider attacks are more likely, the shortcomings of a systemare definitely best-known to the people who designed it. Furthermore, a voting systemdesigned for a specific purpose is not scalable in the sense of transferring it to adifferent context. There is a huge difference between the security requirements for asmall, unbinding or a large-scale, binding election. Due to its much higher importancethe latter definitely requires a rethinking of the design. One key factor of a good votingsystem is the method of authentication. Estonia gains profit by its already enrolledpublic key infrastructure. The Estonian form of severe authentication, based on asecret and the possession of a smartcard shows big benefits compared to a passwordbased scheme (Holland, Switzerland, Great Britain, USA). Even more severe forms ofauthentication, like biometrics, have not been used in any of the compared countries.Another lesson learned regards the importance of election management. The differentsteps of software development have to be followed and respected, the requirementshave to be defined clearly and understandable and the organization, certification andevaluation of schemes must be conducted by a central authority with expert knowledgerather than local voting officials. Especially the evaluation of the electoral committeein Great Britain showed the importance of a system’s testing. Testing is already avery important phase during normal software enrollment, but for security sensitivesystems it gains even more importance. And, as mentioned in several evaluations,the absence of bugs does not proof its correctness. In addition, Great Britain andthe security evaluation of SERVE demonstrated the importance to keep in mindthe results of previous studies. The greatest correlation between the schemes of allinvestigated countries are possible attacks based on the nature of the infrastructureand platforms. The possibility of a denial of service (DoS) attack is always present,and poses a big threat to the internet being an insecure network. While cryptographycan ensure privacy, integrity and authenticity it is not possible to eliminate the riskof a malfunction of the internet. If the adequate servers are disabled by too manyrequests and voters are prevented from casting their votes, an election is at stake.Elections have the property of being temporally restricted. For this reason the votingprocess has to be guaranteed within a certain time period. Within this period Estoniamonitored the network traffic with the intention to find out if a DoS attack hasoccurred. But this is not a serious possibility of prevention. Two months after theelection, Estonia suffered a severe DoS attack shutting down many governmental andadministrative servers [Bus07]. This showed that in case of a distributed DoS (DDoS)attack, there is hardly anything that can be done. At least as severe, however, arethe threats caused by insecure voting platforms. Every country report mentions theunsolved risks of voting clients as a major problem. It will be explained in depthduring the next chapter.

44

Page 55: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

6 Secure Platform Problem

In agreement the previous country reports as well as many other papers (for example[For00], [Rub00], [Riv02], [VK06]) have identified current voting platforms as themost problematic entities within the process of RIV. In the following chapter thenature of the possible attacks is explained based on the characteristics of the usedplatforms.

6.1 Characteristics of the Platform

Voting platforms for e-voting represent a highly complex recording entity that replacespen and paper of traditional voting schemes. For this thesis the voting platforms ofinterest are PCs that run operating systems and software under control of the voter.In contrast to DRE machines (that are more or less closed systems that count thevotes and locally run the voting application) the PCs of RIV act only as the interfacebetween the voter and the used voting software. Voting platforms and especially PCsconsist of hardware components that build a fundament for the software that runs ontop. A platform structure includes the processor, different memory entities as well asinput and output units. Input devices are typically keyboard and mouse while outputcan be generated on a monitor or through a printer. However, the named devices areonly examples and far from being complete. The devices communicate with each otherover a bus and need drivers to be detected by the operating system. Talking aboutPCs as multipurpose machines, the user typically installs applications for specialneeds on top of this. Therefore the sum of hardware and software configuration isextremely diverse. Most importantly its administration is the user’s private affair. Itis totally uncontrolled by official administration and possibly unmaintained by theowner of the platform. As a result we must deal with new threats that cannot besolved by traditional cryptography. So far the problem was often neglected. Mostvoting schemes assume secure voting platforms and therefore only ensure secrecy andthe integrity of voting from the point thereafter (including the communication channeland servers). For example [Sch00] hypothetically relies on trusted hardware andoperating systems. In reality, however, this is not the case. When [MD04] introducedCommon Criteria to RIV the usage of standard criteria to evaluate and certify internetvoting systems was their goal. But again, one necessary prerequisite consisted of the

45

Page 56: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

6 Secure Platform Problem

used platforms being really secure. This is an example of the precariousity of thetopic.

6.2 Malicious Software

PCs have the drawback of being vulnerable to many influences. The typical and well-known hazards are Trojan horses, viruses and computer worms. They are generallyreferenced as malicious software (malware) because they intend to do diverse harmto computers [Tan01]. The usage of other technical devices such as mobile and smartphones as platforms for internet voting also face these threats. We have recentlyexperienced the first virus for mobile devices [BBC04] and it is quite realistic to expectan increase of malware on such devices while they advance in computing power andnetworking functionality.1

6.2.1 Trojan Horses

A Trojan horse is a seemingly innocent program that contains hidden code (maliciouspayload) to perform other actions than expected by the user. In the case of RIV thisspecial feature could read the temporary files of a voting software and send them overa hidden channel to the software’s author. Other possibilities include interferencewith the voting process in order to change the voter’s choice before it is treatedcryptographically by the voting software and sent out to the collecting server andthe opening of backdoors that allow remote administration. In contrast to virusesand worms that infect computers against their owner’s will, a Trojan horse is ofteninstalled on purpose because of its appearance as a good program.

6.2.2 Viruses

Viruses are programs that (similar to biologic viruses) reproduce themselves by at-taching their code to another program. Once the main program is started they infectother programs on the machine. They also contain special payload that is executed

1Nevertheless mobile phones are also vulnerable to other kind of attacks as well. Talking aboutthe Global System of Mobile Communication (GSM), a drastic scenario would be the shutdownof the mobile services. This presents a threat for the principle of a universal election (whereno one is excluded) and is caused by the fact that mobile phones always communicate with theclosest base station. This base station could be operated by an attacker since authenticationduring GSM only happens one-sided. The attacker would then stop the service because thecommunication is not passed on to the base station controller. For more details on secure mobilecommunication the reader is refered to [Eck04].

46

Page 57: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

6.2 Malicious Software

afterwards. The damage scenario of the payload includes several threats. The codecan cause the consuming of computer’s resources until a full process table prohibitsany other process from starting. But it can also erase, modify, destroy, or steal files.For an election scenario a virus is likely to be programmed with a specific targetdepending on the nature of the voting system. At its beginning, a virus was spreadby infected files on floppy disks. There are many kinds of viruses distinguishable bytheir different ways of execution. The most important examples are Companion, Ex-ecutable Program, Memory Resident, Boot Sector, Device Driver, Macro and SourceCode Viruses. Companion Viruses are started instead of another program. Exe-cutable Program Viruses attach themselves to another program by overwriting, andenhance them with a malicious feature. If the original program keeps on functioningnormally, they are also referred to as parasitic. Memory Resident Viruses hide inmemory and jump on a system call. As they do not cause a lot of disk activity,they are less conspicuous and therefore harder to detect. Boot Sector Viruses usedto be very common. They overwrite a clean master boot record or boot sector andare executed every time a computer is turned on. No further actions by the user areneeded. The device drivers of a computer system are usually loaded at start time. Ifone of them is infected with a parasitic virus, the virus will always be officially loadedat boot time from there on. Since drivers run in kernel mode this Device Driver Viruscan capture the system call trap vector. Macros are comfortable routines of programssuch as Word and Excel written in Virtual Basic and usually attached to other pro-gram functions. Macro Viruses are macros containing malicious code. They are fairlyeasy to create, which means to write a virus of this kind less skills are necessary thanfor the interference with boot sectors.

6.2.3 Internet Worms

Internet worms are typically self-replicating computer programs making usage ofbugs in network protocols, applications and operating systems. Unlike viruses, theydo not need to attach themselves to an existing program. Internet connections enableinfections of files outside the host system, possibly servers in a local network. Butthe spreading of a worm can also happen by attaching an itself to an email andbroadcasting it to a mailing list. After the arrival and execution by an unskilled user,the worm is released and might mail itself to every person noted in the user’s addressbook. A nice subject line increases the probability of execution.

One of the first major internet worms was the Morris Worm (followed by the massmailers Melissa and Loveletter, Code Red and Nimda, two internet disrupting Win-dows worms, then the continued presence of the mass mailer in Sober, MyDoom,Stration). As a result to the replication traffic they most definitely harm the func-tioning of a network in their attempt to spread. But the payload often contains

47

Page 58: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

6 Secure Platform Problem

code that has other goals than just spreading the worm, including the deletion andencryption of files or the previous mentioned sending of files via email. The instal-lation or modification of a program with the intention of allowing to bypass normalauthentication or to secure remote access to a computer (backdoor) is also possible.

[Rub00] especially highlights that malicious payload and its delivery mechanismshave advanced in sophistication and automation in the past couple of years. Natu-rally malware makes use of the detection escape mechanisms mentioned above. Theattacks have also become more sophisticated in the sense that they can do moredamage, are more likely to succeed, and disguise better than before. Besides they aremore automated because more and more toolkits have been developed to enable un-sophisticated computer users to launch the attacks. While talking about the future ofmalware Schneier differentiates a new manifestation of worms [Sch07a]. He mentions’old-style’ worms were mainly written ’for fame’ by spreading as quickly as possible,whereas newer worms’ programmers have other goals like taking over computers forassembling botnets. A botnet consists of many computers that run a program (typ-ically a worm) attaching them to common control infrastructure. To gather a largebotnet these worms spread more subtly and can sit dormant for a long time. Laterthe botnet can be used for various purposes (e.g. DoS attacks, spambots, informationtheft). Using the newer Storm worm (formerly Peacomm) as an example shows themore sophisticated techniques in contrast to traditional viruses.� The delivery mechanism changes regularly. Spreading via email it accommo-

dates the subject line to important news.� The worm’s payload morphs really quick (30 minutes), making typical antivirusand intrusion detection techniques less effective.� Worms attack anti-spam sites that focus on identifying it.� Rather than having all hosts communicate to a central server or set of servers,these worms use peer-to-peer networks for communication (making the botnetmuch harder to disable).

6.2.4 Mobile Code

Another aspect while talking about client security is mobile code that might be usedfor displaying the voting application. While viruses and worms enter the client plat-form without the voter’s knowledge and against his will, foreign code is often importedand run on purpose by computer users. [Tan01] defines mobile code as ’programs thatare shipped from one machine to another for execution on the destination machine’.There are many varieties of mobile code. One possible form is an applet. Appletsare software components that consist of a finite number of functions and run in the

48

Page 59: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

6.3 Effects on RIV

surrounding of other applications (containers). The function of an applet usually ex-pands the capability of its container (for example a web browser) by adding non-staticoptions that enable interaction with the user. In contrast to a servlet, applets onlyexecute on the client platform. Other examples include agents and PostScript files.The biggest concern with mobile code is that an applet is imported by a process intoits address space. During its execution the mobile code is running as part of a validuser process and inherits the user’s rights. Running applets as separate processeslooks like a good idea. But applets often interact with each other and with theircontainer. So running applets as different processes would make the concept infea-sible. Sandboxing, interpretation and code signing present other methods of dealingwith applets in a more thorough way. Computer users, however, first have to getaccustomed to these mechanisms.

6.3 Effects on RIV

Our concern applies to influences threatening data confidentiality and integrity aswell as the system’s availability as a whole, because they affect the protection goalsof voting. Specifically a system’s unavailability potentially threatens the goal ofan election being robust. If the confidentiality cannot be guaranteed, it affects therequired anonymity whereas the lost integrity of a vote affects the overall accuracyof the voting procedure. The named hazards do not exclude each other. They rathercooperate in order to affect the election. One possibility of an attack vector consistsof a worm that smuggles hidden code into a computer system. Theoretically, thecode could then open a backdoor for remote administration of the PC, wiretap thekeyboard to get information about voting credentials, check upon memory entries ofthe voting software or participate in DoS attacks - just to name a few. Sure enoughthere are other possibilities. But attacks that remain unnoticed by the voter are notthe end of the line yet. With a PC, the voter can also generate receipts that areunintended by the voting scheme (for example by taking screenshots) or generatefake receipts to challenge an election. Unintended receipts pose an additional threatto the protection goal of elections being receipt-free. We will show this in the contextof verifiable voting schemes in Chapter 7.2. To estimate the danger of these attacksit is important to make the following clear: Elections have always been subject tofraud. But in traditional elections, an attacker was not able to affect the outcome ofan election all by himself. To do so, the corruptness of the central tallying process,or any other form capable to exercise massive influence, was needed. Voter coercionand the tampering of ballots usually required physical presence. Therefore, this kindof attack was hard to achieve on a large scale. RIV, however, makes fraud mucheasier because vote tampering is now possible with the help of digital tools as namedabove. Thus, the danger is much greater, since this can happen in an automated

49

Page 60: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

6 Secure Platform Problem

way. Nevertheless the attacker can do so via the internet and does not need to belocally present. As a result, anybody might radically alter election results (at least intheory). This fact dramatically extends the known adversary model of elections. Atthe bottom line, digital elections bear incredibly large risks that could be exploitedby foreign governments as well as single perpetrators.

6.4 Counteractive Measures

Firewalls have the purpose to prohibit the spreading of worms by closing irrelevantports of a computer system and signaling any ’strange’ behavior including access at-tempts by untrusted internet computers. They do not provide detection functionality.Their security, again, depends on the computer user’s know-how. If one does not un-derstand the meaning of a message there is a good possibility of access allowance.

Anti-virus software is the traditional protection mechanism against viruses. Todetect a virus it scans the local hard disk and RAM for known signatures. Nowadaysmost vendors of anti-virus software expand the detection capability into other mal-ware as well. Still it has the important drawback of being only able to find knownmalware. A worm that hides very well while spreading and only executes its payloadafter enough computers are affected, has a good chance to cause great damage. Onceknown, the vendors will update their detection rules with its signature. The originalworm can only be detected, if people update their malware definitions regularly. Evenif detected, the elimination of the virus might not be achieved while the system isrunning. The detection of unknown viruses and worms is possible by their behavior.But these heuristically based functions are not reliable. Additional threats are posedby new virus types. Retro Viruses for example, have the goal to limit the functioningof firewalls and anti-virus software. Polymorphic and Metamorphic Viruses are pro-grammed in a way that enables their mutation and the evolution to a next generation.Variable re-encryption or source code mutation are very capable methods.

Intrusion Detection Systems (IDS) monitor the traffic caused by a computer systemand its applications for attacks and security breaches. Their utilization can help tooptimize the overall configuration of a system. To prevent, limit, or react to potentialdamage it is required to detect preparative attacks in time. Network-based IDS use asensor to catch all packets that come to a network interface. Next, IDS analyze thepackets that cross the network, check if they contain suspicious content and decidehow to react according to signatures of previously stored scenarios. While interactingwith a firewall new rules could be created to block the originating IP address ofan attack. Another possibility is to send security alerts to the administrator of thecomputer network or system. Host-based IDS work similarly but require a securityguideline by the operating system. Here the state of a computer system is monitored

50

Page 61: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

6.4 Counteractive Measures

by checking if the dynamic behavior (e.g. changes to registry, temporary variables,RAM, the file-system, log and kernel files) complies with the expected behavior. Incase of suspicious behavior the user is alarmed. The basis is formed by the assumptionthat an intruder leaves detectable traces.

In order to set up a more secure computer system, users have to decide upon acombination of the named measures. Out of the box protection entails additionalexpenses whereas personal customization requires more experienced users. Once run-ning the protective system has to be configured and administered. In this context theuser needs to configure the firewall, determine the right time to scan the system formalware and keep the definitions up to date. Further the user needs to be aware ofthe correct treatment of dubious emails. Altogether this is a task that overburdensmost regular computer users. In addition, the illustrated measures are only valuablefor known threats. Unknown attacks that have the purpose to interfere with a singleelection and that are released just in time still pose a big threat.

51

Page 62: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of
Page 63: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7 Methods of error detection

Besides the risk of running malicious code the main drawback of electronic votingplatforms is that their functioning is not obvious to the voters. Talking about DREone faces the additional problem of tampered hardware chips that might include codefor an incorrect tallying of the cast votes. With regard to RIV the voting scheme’scorrect functioning might be severely restricted by insecure platforms and the involvedrisks. The most severe problems were described in the previous chapter. Thereforeelectronic voting platforms have to be generally referenced as being untrusted. Inorder to develop strategies for more secure remote voting platforms a first step consistsof the attempt to make possible malfunctions visible. Trying to fulfill this purposethe following section is dedicated to methods of detection. If no errors are detectedthese methods can establish trust.

The methods of detection introduced here are test ballots and voter-verifiable pro-tocols. Test ballots have the purpose to test the voting system before a counting voteis cast on it. Voter-verifiable protocols pose a different approach. They also test thevoting system but do so under real conditions. For this purpose they provide voterswith a receipt that they can use for the purpose of verification. Then, in case ofencountering a problem during the election, voters can use this receipt to dispute theelection.

7.1 Test Ballots

To verify the correct construction of the ballot and the functioning of the tallyingservers, voters and voting administrators have the further possibility of testing thesystem with test ballots. For this purpose they can cast one or several dummy votesthat have to be generated by the voting client and processed by the system. Doingso the tally has to return the correct number of votes as cast. Similar to voter-verifiable protocols test ballots might help to increase the voter’s trust in the systemby providing correct dummy results. If conducted by officials, test ballots can simplybe cast prior to the start of the real voting process. But the practicability issueremains unclear, if the voter is supposed to cast the test ballot. This is the casebecause the voting system requires a way to distinct between real and dummy votes.Further it is beyond question that sophisticated malware could be developed such

53

Page 64: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7 Methods of error detection

that it is possible to distinguish between test and true ballots. Regardless to theseproblems, test ballots present a simple method for detecting low-profile attacks thatmight as well be caused by malicious software. In this context Opplinger notes that’test ballots can also be seen as an intrusion detection system specifically designed andused for RIV’ [Opp02]. In compliance with the following protocols test ballots onlymake malfunctions visible. Therefore it makes sense to combine them with additionalpreventative approaches.

7.2 Voter-Verifiable Voting Protocols

This section introduces four different voting protocols that also attempt to make upfor the lack of trust. None of the protocols prohibit attacks such as vote tampering orthe loss of privacy. Instead they make a big effort in enabling methods to detect theprior. Their method of choice is to make a vote cast verifiable by providing physicalreceipts that enable public auditing without violating voter privacy. Until now moste-voting schemes tried to bypass printouts of the ballot because they could be used asa proof for vote buying and coercion. This is not the case for the following protocolsbecause the printouts contain reduced information. Generally, the verification can beeither individual or universal. Individual verification consists of a proof method forevery voter ensuring that a vote was counted as cast. In contrast universal verifica-tion usually tries to proof the correctness of the complete tallying process to anyoneinterested. Each of the protocols provides a different approach and achieves the goalof a voter-verifiable voting protocol to a different extent. Being originally intendedfor the usage in combination with DRE it is additionally attempted to sound thepossibility of an application for RIV. On this behalf the foundations of the protocolsare examined for possible problems. While presenting the protocols the term ’votingsystem’ is used for both, voting machines and systems of RIV.

7.2.1 Neff’s Voting Scheme

The goal of Neff’s voting scheme is to gain universal verifiability for DRE. In thelast years the American public’s trust in correct tallying reached a low level [Fis04].Neff’s scheme responds to this by making it possible to prove whether or not the usedvoting protocol worked correctly, and especially whether or not the voting platformdid fulfill its job in a sound way. This is accomplished by providing the voterswith a strip of paper that provides receipt freeness since it does not reveal anythingabout their choice, except on a personal basis. With this receipt and the printed oninformation the voters can later verify whether their votes were correctly recorded.The application of an anonymizing mixnet permits to verify if the tallying was correct

54

Page 65: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7.2 Voter-Verifiable Voting Protocols

and the votes were counted as cast. So far the protocol is only intended for votingmachines, but an extension to internet voting might be worth considering. After theprotocol’s explanation some critical remarks are made about its possible drawbacks.

Protocol Functioning

Before explaining the protocol in practice, the voting system needs to be initialized.For the computation of a master public key the trustees perform a distributed keygeneration protocol. As a result the final decryption is only possible if all trustees ofthe cryptosystem work together. Additionally a security parameter l is introduced.This parameter determines the system’s level of security. The interaction of thissecurity parameter and the level of security will become clear in the following. Forreasons of simplification, the election is assumed to be a single race of n candidatesC1, . . . , Cn. After choosing one candidate the voter has to communicate his decisionto the voting system. Let us assume this is candidate Ci with i being in range from1 to n. The first action of the voting system is the construction of a verifiable choice(VC) as an encrypted representation of the voter’s chosen candidate Ci. This can beseen in Figure 7.1.

1 2 3 l

C1

Ci

Cn

...

...

...

.

.

.

1 1 1 1 0 0 1 1

0 1 1 0 1 0 1 0

1 0 1 0 0 1 0 1

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

Figure 7.1: Representation of a verifiable choice - Source: modified from [KSW05]

Precisely it is a matrix that consists of n rows (every candidate is represented byone row) with l ballot mark pairs (BMPs). Each of the BMPs consists of an encryptedciphertext Enc(b1, b2) of the plaintext bits b1, b2 ∈ {0, 1}. By definition, for k = 1 . . . l,i = 1 . . . n, j = 1 . . . n and i 6= j, the k-th BMP of an unchosen row j is Enc(bjk,¬bjk)and the k-th BMP of a chosen row i is Enc(bik, bik). After decrypting the chosen ballotrow i again it only consists of pairs (0, 0) and (1, 1). Since all other unchosen rowsconsist of the bit-pairs (0, 1) and (1, 0) the chosen candidate Ci is clearly indicatedand can be identified and counted by a tallying server. The encryption function inthis context has the requirement of being randomized and deterministic1. The ballot’ssequence number (BSN) and the hashed VC are then printed.

1Deterministic encryptions always produce one cipher for the same plaintext and a given key. Of

55

Page 66: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7 Methods of error detection

Next the hashed VC and the BSN is printed as a receipt. Later this informationcan be checked mathematically for its correct construction. In order to provide an-other level of verification the protocol tries to convince the voter that each BMP inhis chosen row i is of the correct form (bik, bik) and on account of this was cast asintended. For this purpose Neff’s scheme uses the concept of pledge bits. For thechosen candidate in row i all BMPs contain Enc(bik, bik) with bik being either 0 or1. For each BMP in this row the pledge bit is simply the decrypted bik (which orig-inally occurred on both positions of the BMP). The pledges have to be printed onthe receipt as well. Therewith the voting system has committed itself. Now the voterhas to select a challenge bit string ci for the row i of a chosen candidate. Each ofits bits represents one BMP, where the k-th bit equal to 0 means ’I want to verifythe left position’ and equal to 1 means ’I want to verify the right position’ of thek-th BMP. This challenge is communicated to the system. Now the voting systemin turn has to provide a proof of correctness. This is done by the construction of anopened verifiable choice (OVC) according to the voter’s challenge ci. It consists ofopened encryptions for one bit in each BMP. An opened encryption basically consistsof the voting system separately posting the encryption’s random factor (used duringthe construction of the VC) for the positions indicated by the voter’s challenge. Thisis sent to the bulletin board. From there the voter can receive the random factorand start another type of verification known as the concept of fake and real proofs.Thereby it becomes possible for the voter to individually verify the voting systemfor its correct functioning. Together with the talliers’ public key he can encrypt thereceived pledges using the random factor provided on the OVC and check whetherhis own encryption really appears in the row for the chosen candidate and at thepositions corresponding to his chosen challenge. The BMPs of the unchosen rows arealso half-opened because the voter’s choice has to be hidden from anybody else. Thisis referenced as a fake proof. Such a proof is indistinguishable from the real one. In areal proof, the DRE commits to the pledge, then the voter enters a random challengeand the DRE responds to it. In the fake version, the voter first gives the randomchallenge and then the DRE commits and responds. Neither of the proofs revealsany information about the vote itself. The purpose of the fake proof is the indistin-guishable treatment of chosen and unchosen rows. Without it, the voter’s chosen rowis obvious for any observer (because then it is the only partly encrypted row on theOVC). The opened encryptions are constructed according to the one of the chosenrow. To reduce the risk of vote buying and coercion, it is possible for the voter tochoose whether he wants to specify only the challenge for his candidate row ri or forall of the unchosen rows as well. If he chooses not to do so, the voting system byitself selects l -bit challenges cj for the unchosen rows rj, opens the encrypted BMPs

course the encryption hides the binary number but the visible pattern reveals the chosen row.For the sake of a secret ballot this has to be prohibited. By using random elements duringencryption a given plaintext encrypts to one out of several possible ciphers which avoids theappearance of a pattern.

56

Page 67: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7.2 Voter-Verifiable Voting Protocols

according to them for the construction of the OVC, and finally sends the OVC to thebulletin board for its publishing.

The overall protocol design is illustrated in Figure 7.1.

1. Voter → voting system: i2. Voting system → printer: BSN, hash(V C)3. Voting system → printer: p1, . . . , pn

4. Voter → voting system: ci

5. Voting system → printer: c1, . . . , cn

6. Voting system → bulletin board: OVC

Table 7.1: Neff’s voting scheme - Source: modified from [KSW05]

For the purpose of changing a ballot the cheating voting system would have touse BMPs of the form (b,¬b) for the intentionally chosen row. But it has a verylow chance of getting away with it since it committed itself to the pledges (step 3)before it gets to know the challenges of the voter (step 4). By telling the votingsystem to uncover the left or the right position of a BMP, as it is done through thechallenges, chances are only P = 1

2that a voter does not detect if the voting system

manipulated a BMP in his chosen row. Since this is done for all of the BMPs in thisrow, the probability of the voter not detecting the cheating voting system is reducedto P = 1

2l and depends on the previous mentioned security parameter l.

Adaptation to RIV

An adaptation of Neff’s protocol for an election conducted online might be possible.Regarding the problem of insecure platforms precautions will become necessary. Foran implementation it is especially important that the protocol’s sequence does notchange. This is important for a correct functioning. In respect to a customizationthe calculation of VC, hashed VC, pledges and OVC has to be done by the votingsoftware (most likely mobile code such as an applet). Therefore the software is nowthe centerpiece of the verification purpose (together with the talliers, where nothingchanges). Verification can only happen if voters have a local printer connected totheir computers, which is assumed as a matter of fact. But while an official printermight ensure the validity of a printout and prevent forgery through special paper,this is not the case with private printers. Instead the printout needs to be signed bythe authentic voting software.

57

Page 68: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7 Methods of error detection

Security Problems

The risk of coercion and vote buying is prevented by the fact that the voter canchoose some/all challenges himself. If he could not do so someone might tell himwhat candidate to vote for as well as the challenge to choose for the correspondingrow. Then the voter could proof that he carried out the order by presenting thereceipt (with the coercer’s challenge in the respective row). The coercer could finallyverify if the voter voted in the way he was told by encrypting the printed pledges withthe random numbers of the OVC and the available public key (the steps of regularvoter verification). The result should be the same as the one that is written ontothe bulletin board. While this is ruled out, there is another major protocol problemwhich might be caused by a voting system that cheats by using BMPs that are notconform to the standard encoding. This way, the malicious software might eventuallyprevent someone from voting. For example the ballot’s encoding could be unclear inthe way that the row of an unselected candidate might consist of both possible BMP-patterns, identical bit pairs (1, 1) or (0, 0) and mixed bit pairs (0, 1) or (1, 0). Duringthe current state of the protocol, this would represent a violation of the protocol rulesthat should lead to its termination. The voter has neither a chance of detection nor ofproofing its occurrence, so there is no full auditability. The problem might be solvedby allowing unchosen rows to be encoded by a mixture of identical and mixed BMPs.But the extension would also stop random errors from being detected. At this pointthe protocol needs to be clarified.

An additional problem regarding the ballot encoding exists in the possibility of amalicious voting software using BMPs with identical bits - not only for the chosenbut also for the unchosen rows. If this is the case the talliers do not know which rowrepresents the original choice of the voter. So finally they would have to mark the voteas being invalid. The main reason for the presence of this gap in the protocol’s currentstate is the voter lacking a possibility to check for its occurrence. This circumstanceclearly represents more than an underspecification of the protocol since it fails toprovide the promise of full auditability.

As shown by Karlof et al. [KSW05], message reordering attacks and subliminalchannels form additional risks. If an attacker succeeds in compromising the votingsoftware by infiltrating code that leads to a different sequence of events, messagereordering becomes possible. Therefore the voting system has to learn the voterschallenge before computing the VC. Knowing the challenge for the chosen row enablesthe voting application to calculate a fake proof for an unchosen line that is realizedby the voter as a real proof. This clearly breaks the security of the voting system.

Furthermore, subliminal channels are a possibility of attacking the principle of pri-vacy. They are a problem if critical information can be hidden inside of an encryptedballot without being noticed. This is the case if several valid representations or en-

58

Page 69: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7.2 Voter-Verifiable Voting Protocols

cryptions of the voter’s choice are possible. One prerequisite of subliminal channels isthe usage of bulletin boards that are public and anonymously accessible. If the votingplatform can choose the representation for the bulletin board, then this choice canrepresent a subliminal channel. The detection of subliminal channels is very difficult.A ballot might look perfect for anybody lacking specific knowledge of how to decodethe subliminal channel. In practice, adversaries could for example danger the voters’privacy by including some Trojan code into the voting software. Then they couldsell the information on how to access the subliminal channel to a coercer. Neff’sprotocol is especially vulnerable to random subliminal channels. Random values areused in many different ways to establish security during the protocol. For encryp-tion schemes they enable attackers to extract information about encrypted messages.However, the usage of random values makes subliminal channel attacks possible forrandomized encryption schemes, especially if the client platform can choose theserandom values. Thereby different valid ballot representations become possible. Asshown earlier, each BMP is encrypted in a randomized way (for example ElGamal).Let’s call the randomness that is used to encrypt b in the VC ω. For the OVC,each BMP is partly decrypted and thereby reveals half of the random value ω. Inconsequence a malicious voting system could embed |ω|/2 data-bits for each BMP(or |ω| if it uses the same ω for both encryptions). For an election with 8 races and 5candidates per race this adds up to a total of 51,200 bytes of information that couldleak per ballot. This is sufficient to embed the voter’s choice.

7.2.2 Chaum’s Visual Crypto Scheme

Chaum’s voting protocol focuses on creating transparency for DRE machines. By theuse of end-to-end auditing mechanisms, the correctness of the protocol can be provenfor each election step. For this purpose the scheme utilizes three different, pre-existingelements. These are visual cryptography, mixnets and randomized partial checking.The idea of visual cryptography was introduced by Naor and Shamir [NS95] withthe intention to cipher in a way that permits the human visual system to recoveran encrypted message. The basic functioning is similar to the one of see-throughnumbers as a security feature on bills. But instead of printing parts of a splittedimage on either layer (where filling in the gaps is easily possible) visual cryptographyuses a more sophisticated method to avoid human associativity. Mixnets, as describedin Section 4.2.2, provide the anonymity of votes by covering the communication link.Randomized partial checking is used to detect cheating trustees. The explanationof Chaum’s voting scheme starts by giving an overview and a description regardingthe protocol’s implementation of visual cryptography. This is followed by a shortconsideration of a visual cryptography scheme for RIV. The experienced securityproblems of the Chaum’s protocol are mentioned in succession.

59

Page 70: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7 Methods of error detection

Protocol Functioning

Chaum’s voting scheme uses visual cryptography. The underlying idea is to providethe voter with an encrypted receipt he can use for verification, yet achieving receiptfreeness by not providing a proof for the original choice. The construction of thereceipts works as follows. Both layers are generated in such a way that only thecombination of both reveals the voter’s original choice. Therefore, the original choiceis encoded as two layers with a grid of m × n parity cells. Each of these paritycells consists of four pixels, two black and two white, whereupon each color is sorteddiagonally. As a result only the following two parity cell patterns are possible.

Figure 7.2: The parity cell patterns - Source: [BR03]

Black pixels are opaque and white pixels are more or less translucent. As a result,the combination of two different patterns returns a totally opaque one, whereas thecombination of two identical patterns returns the original semi-opaque one. The fourdifferent combinations with their possible outcomes can be seen next.

Figure 7.3: Possible combinations of bit patterns - Source: modified from [Cha04]

The voter’s visual checking verifies whether the voting system calculated the layerscorrectly and is the first verification step of the scheme. Figure 7.4 illustrates howthis mechanism combines two fuzzy looking sheets into a readable image that displaysthe letter ’e’.

60

Page 71: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7.2 Voter-Verifiable Voting Protocols

TOP layer BOTTOM layer

RESULT

Figure 7.4: Bit patterns of the transparency layers, resulting image - Source: modifiedfrom [Sta05]

In the first step of the protocol, the authenticated voter makes his choice andsubmits it to the voting system by entering it with the given input device. Thereafterthe voting system generates two receipts by printing grids of black or white pixelsonto two transparent sheets. Each layer by itself looks like random noise and doesnot reveal anything about the original choice. This represents the encryption. Theoriginal choice can only be seen if both layers are aligned correctly. Using the visualsenses of the voter is advantageous for our purpose, because visual checking canreplace complex computations and thereby open the voting scheme to the public.Next, the voter verifies whether the aligned receipts show the original ballot image.If this is the case, the voting system proceeds by printing a ballot sequence number(BSN) and some additional information on each receipt. This information is necessaryfor the trustees’ decryption later on and refered to as the top doll and the bottom doll(DT,DB)2. Afterwards the voter is expected to choose one of the layers as a receipt.This information is also passed to the voting system. In the protocol’s final step thevoting scheme appends signatures to the printed information. Importantly, the voteris assured verifiable integrity by providing different signatures for the BSN and the

2The name comes from the Russian Matrjoschka dolls. The latter consists of several dolls that arehidden inside the biggest one. It has the additional characteristic that it can be disassembled.By doing so the next smaller doll is uncovered.

61

Page 72: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7 Methods of error detection

receipt information. The BSN is signed by the voting system, whereas the signatureof the receipt information depends on the voting system’s layer specific key kx (wherex represents top or bottom). A schematic overview of the protocol is illustrated inTable 7.2.

1. Voter → Voting sytem: candidate choices2. Voting system → Printer: transparency imagesVisual check of the correct construction. If successful, the protocol proceeds:3. Voting system → Printer: BSN, DB, DT4. Voter → Voting system: c, where c ∈ top, bottom5. Voting software → Printer: signkc

(BSN),signko

(signkc(BSN), DT, DB, chosen

transparency)

Table 7.2: Possible sequence for an adoption of Chaum’s scheme to RIV - Source:modified from [KSW05]

Subsequently it is the voter’s turn to separate the receipts and destroy the unchosenone in order to prevent the visibility of his original choice. The chosen receipt maybe used for the first verification step. Independent observers can test the authenticityand correct construction of the receipts based on digital signatures and the calculateddoll. Just as well the voting system keeps only an electronic copy of the chosen receiptand posts it on a bulletin board for additional verification. Thus, each voter can checkfor the correct recording of his vote by looking for a copy of his receipt on the bulletinboard. The next step of the protocol consists of the tallying. In order to decrypt thevotes, a batch of posted votes is sent through a decryption mixnet. The output of themixnet consists of the original choices in anonymized form. The output of each mixingstep is also posted on the bulletin board for further auditing. Now the calculation ofthe final tally is possible. To ensure its correctness, it may be recalculated by anyoneinterested.

The achievement of Chaum’s protocol relies on the fact that, at the point of thelayers’ creation, the voter’s decision, whether to choose the top or bottom layer, isnot known. Therefore, the chance for the detection of a malformed layer is 50%.Hence the probability for the detection of n malformed layers is 1− 1

2n . Randomizedpartial checking gives the same probability for the detection of a trustee altering avote. The reason for this is that each trustee executes two rounds of mixing. Theseprobabilities tend to become very small for an increasing number n. As a result, onecan say that the correctness of the final tally is strongly verifiable.

As seen, visual cryptography requires the voting system to construct a top and abottom layer such that a decryption is possible by placing them on top of each other.

62

Page 73: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7.2 Voter-Verifiable Voting Protocols

For this purpose a different representation of the ballot image is needed. Technicallythe combinations shown in Figure 7.3 can be illustrated by a truth table as well.Therefore one of the parity cell patterns is considered as the binary digit ’1’ andthe other one as the binary digit ’0’. The operation that pictures the explainedwatermark constraint is defined as the visual operator ⊕v. As seen before, threedifferent outcomes are possible. For the binary representation both of the semi-opaquepatterns are interpreted as being ’0’ and the fully opaque pattern is considered to be’1’. This gives the following table:

0 ⊕v 0 = 00 ⊕v 1 = 11 ⊕v 0 = 11 ⊕v 1 = 0

In practice the ballot image needs to be represented in a way that the letters standout from the background. In our case letters are made up off semi-translucent and thebackground of fully opaque pixel patterns (as can be seen in the resulting image ofFigure 7.4). Thereafter the image is translated into a binary representation whereassemi-opaque patterns are interpreted as ’0’ and fully opaque patterns as being ’1’.

On this basis the binary representation of the ballot image (consisting of m × nbits) is split into a top and a bottom part. The process is called checkerboardingbecause it divides the image in top and bottom strings according to a checkerboardwith alternating black and white fields. Respectively the ’black’ binary digits formthe top string (Bt) and the ’white’ binary digits form the bottom string (Bb). As aresult each of the strings consists of m×n

2bits.

By calculating l hashes from the signed BSN with different seed values, where l isthe number encryptions/decryptions performed by the trustees, we come up with lvariables dl. The xor of all the variables dl respectively forms the binary strings W t

and W b for top and bottom layer.

W t = ⊕dtl , W b = ⊕db

l

Sequentially another xor operation forms the binary strings Rt and Rb.

Rt = W b ⊕ Bt and Rb = W t ⊕ Bb

One can say that the swapping between the top and bottom enhances the encryp-tion by diluting the ballot image with random noise woven in between the two layers.In the final step Rt, W t and Rb, W b are checkerboarded again to form the top and

63

Page 74: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7 Methods of error detection

bottom layer. This time the checkerboard consists of alternating the binary numbersof both strings to form a matrix with the original dimensions.

After the vote cast, both, voter and voting system, possess only the chosen layer.In order to decrypt and obtain the original ballot image the talliers have to use thevalue of the provided dolls printed on the receipt. The calculation of the dolls isbased on an encryption of the d hashes that were formed during the construction oftop and bottom layer. For i ranging from 1 to l, every di is encrypted several timeswith all of the talliers’ public keys in succeeding order.

Doll = {dl−1{dl−2{. . . {d1{d0}PKT0}PKT1

. . . }PKTl−3}PKTl−2

}PKTl−1

Only if all of the talliers cooperate and incrementally decrypt the dolls, it is possibleto uncover the d -variables that are needed for reconstructing the unchosen layer.More details on the calculation of the layers, dolls and the details of verification canbe obtained from [Cha04], [BR03] and [Sta05].

Adaptation to RIV

Talking about the protocol’s functioning transferred to RIV, the basic steps areskipped to rather concentrate on the occurrence of problems. Normally both layersare printed out as two overlaid pixel patterns that can be checked visually accord-ing to the watermark example. If this works out, the voting system prints the dollsand signatures onto the layers before the voter chooses one of them. The other oneis destroyed. A mapping of this onto RIV is hard for different reasons. First, thevisual check must happen in a different way. After the calculation of the layers itcould happen on screen, using a layer that was locally printed. Holding the printoutagainst the screen should reveal the originally chosen candidate. As before the visualcheck requires both layers being exactly laid on top of each other as well as the sameresolution. If the visual check proceeds as expected (showing the compliance with theoriginal ballot image) the voter needs to signal his satisfaction to the voting system.Now the voting system should print the dolls and signatures on both of the trans-parency images. Therefore, either the already printed receipt would have to be fedinto the printer again or another receipt enhanced with this information is printed.Either way the voter gets a hold of both layers and most likely keeps them. Thisdefinitely violates the original intention of preventing coercion. Normally the voter isassumed to choose a layer and dispense the unchosen one. Again, the receipt needsto be reprinted, this time with the adequate signature. Naturally the repeated print-ing affects the overall usability. In order to register a malfunction the voter wouldfor example have to compare reprinted information with the information that waspreviously printed. Another important method of verification consists of using the

64

Page 75: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7.2 Voter-Verifiable Voting Protocols

dolls on the printout for a calculation that shows whether they were correctly formed.Originally this was supposed to happen regularly at the polling station. Employingthe protocol for RIV, the voter would have to visit a special verification place. Thusanother problem is raised by the fact that the inconvenience makes this form of veri-fication more likely not to happen. For this reason a mechanism of digital verificationis anticipated.

Security Problems

One issue concerning the robustness of the protocol is the reliance in the trustees.If only one trustee refuses to decrypt, the whole tallying process is in danger. Thisproblem exists for every decryption mixnet. To produce relief for this, Ryan [RS06]advices to rather incorporate a re-encryption mixnet in combination with a key-sharing threshold technique. Additionally the protocol’s complexity is noted to bevery high. Because the functioning is hard to understand for the average voter he hasto ’trust’ the corresponding mathematics. However, this is not an exclusive problemof this scheme. Yet another problem is the possibility of malfunctions escaping fromdetection. If the order of the voting protocol is slightly changed, the voter can befooled in his verification attempt. The cause might be a corrupt DRE as well as, incase of the protocol’s adaptation for RIV, a tampered voting software. Either way,the problem arises if the protocol behaves differently without attracting the voter’ssuspicion. In practice the voting software simply asks the voter if he chooses the top orbottom layer before the calculation of the onion-values. Then the answer can be usedfor falsely calculating the layer that most likely will not be checked. Normally thevoting system commits to transparency image, sequence number, and dolls beforethe voter makes his choice between top and bottom. Here, the voter reveals thisimportant information too early and lets the adversary gain profit through his simple-mindedness. This security issue was raised by Karlof et al. in [KSW05]. Accordingto them, Chaum’s protocol is also vulnerable to semantic subliminal channels. Thesechannels are of a different nature than the subliminal channels possible in Neff’sprotocol. Since here the scheme encrypts an image of the ballot rather than an ASCIIversion, the voting system could embed subliminal challenge information by choosingspecial representations of the ballot. One representation might be a special font. Thevoter would not realize the occurrence because during verification he mainly cares forthe content. For him the form used for the purpose of representation is negligible.

7.2.3 Ryan’s Pret a Voter Scheme

The goal of Pret a Voter is to assure the voters of an accurate vote recording andcounting in the final tally while making the usability more intuitive. In contrast to the

65

Page 76: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7 Methods of error detection

first two schemes it uses optical scanning for the recording of a traditional vote. Preta Voter as presented by Ryan [RP05] and Chaum et al. [CRS04] is based on Chaum’sVisual Crypto scheme but applies a different way of representing an encrypted votevalue in the ballot receipt. Instead of the visual cryptographic technique the voterscan deal here with more familiar-looking ballots.

Protocol Functioning

The preparation phase starts with an authority that creates the ballots. Thereforethe candidate list is changed from the election’s basic order. By doing so ballots geta unique appearance. During Pret a Voter each ballot consists of two parts: On theleft hand side the candidates are listed in random order of the official ballot order,on the right side a voter can mark a certain row according to the position of a chosenparty or candidate. On the bottom this strip also contains a unique onion value thatis necessary for the extraction and counting of votes. A sample ballot can be seen inFigure 7.5.

After the voter marked the according row, both parts are separated and the one withthe list of choices is destroyed. The other one is processed by the system (meaningits digitalization by an optical scanner in the original version) before being handed tothe voter as a receipt. It does not present a proof of voting for a certain candidate orparty because each ballot paper looks different in the way that the list of candidatesappears in a random order. Thereby coercion and vote-buying can be avoided. Aslong as the strips are not attached to each other the strip with the voter’s choice onit does not indicate for what candidate a vote was cast. The protocol steps can beseen in Table 7.3

Grey

Pink

Turquoise

Maroon

Cyan

7rj94K

Grey

Pink

Turquoise

Maroon

Cyan

(LH−strip) (RH−strip)(base ordering)

Figure 7.5: The filled in ballot - Source: modified from [RP05]

66

Page 77: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7.2 Voter-Verifiable Voting Protocols

1. Voting system generates ballot: ballot = candidate list + vote2. Voter → voting system: candidate choice3. Vote is detached from the candidate list and scanned by the voting system.4. Voting system → voter: vote

Table 7.3: Protocol sequence of Pret a Voter

After the election is closed, all processed receipts are sent to a central tabulationserver that posts the votes to a generally trusted bulletin board. Now voters havethe possibility to individually verify, if their vote was recorded correctly by lookingat these posts. To do so, one has to find the value of the onion printed on the paperreceipt and compare the location of his mark with the one published. To proof thecorrect functioning, both of them have to be identical. As a final step the extractionand counting of the vote takes place. Encrypted with the public keys of the tellers, thebasic candidate list can be reconstructed from the onion - assuming all of the secret-sharing tellers cooperate. Only when cooperating the tellers can jointly conduct therequired anonymizing decryption mix to the batch of posted receipts. The output is abatch of decrypted, anonymous votes ready to be interpreted. See [RP05] for details.The overall tallying process appears in Figure 7.6.

The onions as printed on the voter’s receipt represent the only information thathelps to reconstruct the original candidate list from the order of the voter’s ballot.The construction of the cyclic shift and the onion is shown next. It is the prerequisitefor a tallying and comparable to the construction of the dolls as explained in Section7.2.2.

A basic necessity for the preparation of the onion are the seeds. For each ballot theauthority generates a unique and random one. If there are k tellers a seed consists of

Grey

Pink

Turquoise

Maroon

Cyan

7rj94K

Grey

Pink

Turquoise

Maroon

Cyan

Tellers

base orderingprocessed RH−stripRH−stripLH−strip

Figure 7.6: Outline of the voting process - Source: modified from [CRS04]

67

Page 78: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7 Methods of error detection

2 ∗ k values that are called germs.

seed := g0, g1, g2, . . . , g2k−1

The offset of the candidate list from the base ordering is based on these germs. Firsteach of the germs is hashed (using a publicly known cryptographic hash function).Here v represents the number of candidates on the list and determines the numberrange to be Zv.

di := hash(gi) mod v; i = 0, 1, 2, . . . , 2k − 1

The cyclic offset ⊖ that will be applied to the base ordering of the candidate listas a number of cyclic shifts is now computed as the sum of these values. Afterwardsthe personalized ballot is printed.

⊖ =

2k−1∑

i=0

di mod v

To audit the tellers while ensuring the voters’ anonymity the scheme uses random-ized partial checking. Therefore each teller performs two mixes and is provided withtwo keypairs, each consisting of a private key and its public counterpart. Then theonion is built by nested encryption as follows. To start with, D0 is generated whichis supposed to be a random seed that is unique for each ballot. The first teller usesthe first public key and encrypts g0 and D0. The result is D1 which is encrypted withthe second public key. To form a verifiable mixnet 2 ∗ k encryptions are applied fork tellers and the final result is D2k.

D2k = {g2k−1, {g2k−2, {. . . , {g1, {g0, D0}PKT0}PKT1

. . . }PKT2k−3}PKT2k−2

}PKT2k−1

This is illustrated graphically in Figure 7.7. Moving from the inside to the outsideeach box represents an encryption with the appropriate teller’s public key. Finally,the outer box represents the used onion value D2k.

68

Page 79: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7.2 Voter-Verifiable Voting Protocols

Dogo = D1g1 = D2g2k−1 = D2k...

PKT0

PKT1

PKT2k−1

Figure 7.7: Layers of the onion - Source: modified from [CRS04]

To reveal the true votes from the batch of collected ballot strips the original orderfirst has to be recovered. Therefore, the construction of the onions has to be reversed.To start with, r2k represents the encoding of the place where a voter placed his markon the ballot. Each teller needs to decrypt the message received by the previousteller using its private keys. If the message was (r2i, D2i), then stripping the onion byone layer reveals D2i−1 and g2i−1. After hashing the germ, di is calculated exactly asabove and subtracted from r2i to form r2i−1. Now the two parts (r2i−1, D2i−1) form anew pair for the second round (each teller executes this operation twice with its bothkeys). The resulting pair is passed to the next teller. After all of the tellers havedone so, the resulting r0 is the encoding of the voter’s mark in the base ordering ofthe voters and ready to be counted. For a mixnet with n tellers 2 ∗ n mixing stepsoccur. This scenario is illustrated in Figure 7.8.

ballots

Teller n Teller i Teller 0

votes

... ...

Figure 7.8: Anonymizing mix with n tellers - Source: modified from [CRS04]

Similar as for Chaum’s Visual Crypto scheme, Pret a Voter allows universal andindividual verification. First of all, the correct construction of the ballot can beverified. Therefore a random number of unused ballots is chosen. The matchingonions have to be decrypted by the tellers. Subsequently, the resulting germs arereturned to the auditor. Now the auditor can recalculate the onion to see if it matchesthe printed one. Additionally he can recalculate the offset value and verify, if itmatches the one applied. These tests may be carried out by anyone interested sincethe verification algorithms are publicly known. However, to keep anonymity thismethod is only intended for blank ballots. In addition the vote recording can beindividually verified by each voter. This is done in the same manner as for Chaum’s

69

Page 80: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7 Methods of error detection

protocol. A voter just has to check the bulletin board for the correct appearance ofhis receipt information. More generally, the tellers’ successive postings on the bulletinboard and the usage of randomized partial checking offer a verification of universalkind.

Adaptation to RIV

Adopting the protocol for RIV seems theoretically possible. One advantage overChaum’s Visual Crypto scheme is that Pret a Voter works without visual checksthat are hard to realize with home computers and standard printers. As for theother protocols, the feasibility of verification partly solves the problems of insecureplatforms. After filling in the right side of the ballot it is printed as a receipt. Inorder to avoid false receipts it needs to be signed by the ballot’s issuer. Again, theprinted receipt has to fulfill the purpose of being a proof of evidence in case the votecannot be found on the bulletin board. At the same time it makes the vote recordingverifiable. For the adaptation it is especially important to prohibit the printing ofthe left side (candidate order) for the avoidance of coercion. This is troublesomebecause the complete avoidance is impossible for a voting platform that is underprivate control. A simple digital image (the voter himself can photograph his screen)might already be sufficient to convince a coercer. A screenshot of the ballot withboth sides next to each other might present a piece of evidence for the voter’s choice.If this proof is produced by the voter, it effectuates coercion, if it is done behind hisback (by some corrupt software), it threatens the principle of privacy. Consequentlyit is necessary to find a way that makes such images useless. Chapter 6 pointed outhow uncontrolled environments especially endanger privacy due to their receptivityfor remote control. This kind of problems have not been treated and need to beaddressed if an adaptation is seriously considered.

Security Problems

Ryan and Peacock describe some potential weak points of Pret a Voter in [RP06].One of the mentioned problems is the openness for chain voting. In order to influenceother voters the coercer first needs to get a hold of a blank ballot (e.g. from a corruptelection official). After marking it with his personal choice it is passed to a voter.Along the way the coercer also promises the voter a reward, if he returns with ablank ballot from the polling station. If the election scheme uses personal ballots,the returned blank ballot fungates as a proof for the successful exercise of influence.At the same time the coercer can now repeat the procedure. However, chain votingis a problem caused by the poll-site based nature of a traditional voting scheme. Itdoes not apply to RIV because here virtual ballot forms are generated on demand

70

Page 81: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7.2 Voter-Verifiable Voting Protocols

and cannot be exchanged. Other weak points are seen in the trust assumptions madefor authorities and voting software. Ryan and Peacock mention the required trustof the authority not leaking confidentiality through seed based subliminal channelsas well as the possibility of invalid signatures, insufficient ballot verification, and theunreliable destruction of the left-hand strips. Same as for Chaum’s Visual Cryptoscheme, the usage of a decryption mixnet also affects the robustness of the scheme.For this purpose Ryan proposed to replace the mentioned decryption mixnet with are-encryption mixnet as described in [RS06].

7.2.4 Chaum’s Scantegrity Scheme

Similar to Pret a Voter, Scantegrity intentionally provides a paper-based votingscheme like optical scanning, with a verification mechanism as additional securityfeature. Again, this security feature tends to win the voters’ trust by giving them thechance to verify the complete processes of vote recording and tallying as a whole.

Protocol Functioning

The general procedure as explained in [Cha07] consists of four stages including pre-voting, voting, pre-audit and audit. During the pre-voting phase ballots are gen-erated. They only differ in the letters attached to the candidates’ names and theunique serial number that is printed on the upper right-hand corner. The letter Aon top and B underneath shows that it is the original candidate order, whereas Batop and A underneath indicates a flipped order. For audition the scheme makes useof a bulletin board. In the first column of the bulletin board the ballots’ sequencenumbers are listed, whereas the last column, on the far right, lists the election results,filled simultaneously by posting the results. It is important to mention that the re-sult column appears in random order and is therefore independent from the order ofthe first column. The bulletin board consists of two additional columns in between,containing digital envelopes3. Each of these two columns has one digital envelope perrow and includes a space that is later filled with a letter. The first column of digitalenvelopes on the left, adjacent to the serial number column, is in the same order.The second digital envelope column has a row order that neither relates to the serialnumber column nor to the results column, but it provides an extra level of indirection,which allows effective audits still being able to preserve ballot secrecy. The encryptedcontent of the digital envelopes is only decrypted during the audit phase. The initialstate of the ballots and the bulletin board can be seen in Figure 7.9.

3All of the digital envelopes represent encrypted messages that can be decrypted by authorizedkeyholders.

71

Page 82: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7 Methods of error detection

3401

3402

3403

3404

3405

3406

?

?

?

?

?

?

Pre−Voting Printing and Posting

Ballots

3401J. Madison

T. Jefferson

B

A

sw

ap

ped

3404J. Madison

T. Jefferson

B

A

sw

ap

ped

3402

J. Madison

T. Jefferson

B

A

not s

wap

ped

3405

not s

wap

ped

3403J. Madison

T. Jefferson

B

A

sw

ap

ped

3406

not s

wap

ped

J. Madison

T. Jefferson

B

A

J. Madison

T. Jefferson

B

A

Figure 7.9: Ballot structure and layout of the board - Source: modified from [Cha07]

During the voting phase the voters are supposed to make their choice, mark it onthe ballot, and detach the serial from the ballot. An important feature is the barcodewhich is printed halfway on the serial segment, halfway on the main ballot. Thus, itcan be proven during the audit phase that serial segment and ballot at one point wereconnected. Before the ballots are cast, the voters have to make a decision whetherthey want to participate in the audit process or not. If they decide to do so theyhave to make a note of (or at least remember) the letter next to their election choice.This situation is illustrated in Figure 7.10. The reason for this will become clear inthe next paragraph.

3403J. Madison

T. Jefferson

B

A

J. Madison

T. Jefferson

B

A

3403

A

Ballot provided

to the voter

What the voter leaves

in the ballot box

What the voter

takes home

Figure 7.10: Filled in ballot and obtained verification information - Source: modifiedfrom [Cha07]

Scantegrity realizes voter verification as follows: If voters decide to verify the votingprocess they can do so by looking at the public bulletin board. In the first column theyhave to locate their personal sequence number. Right next to it, in the correspondingsecond column, a letter can be found. This letter was extracted from the scanned

72

Page 83: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7.2 Voter-Verifiable Voting Protocols

ballot and posted by election officials. It is obvious that it has to match the ballot’sletter next to the voter’s chosen candidate. If the memorized and displayed lettersmatch, then, for a start, the vote was at least recorded. If voters believe that what wasposted on the bulletin board does not match the published letter, an in-person disputeresolution can be conducted. To perform an in-person voter check of the ballot thevoter first needs to tell a trusted party the serial number from the chit. After issuinga complaint, election officials have to locate the adequate ballot. Afterwards theyhave to transfer it to an envelope that just reveals the upper right-hand corner withparts of the bar code. Now the voter can take the kept sequence segment to see if thepresent ballot is the correct one. The letter and election choice itself are hidden ofcourse. For still being able to verify the mistrusted letters, the selected ballot needsto be transferred to an envelope that exposes both, candidate names and the letters,but not the sequence number. The transfer could be done while the envelopes areturned upside down and while a verifying person or trusted party is present. Nowanother ballot with an analogue letter, but different candidate ordering, is treatedthe same way. By doing so, the verifying person can be convinced that the processedletter is the correct one, without revealing the secret vote. This is possible becausetwo partly decrypted ballots with the same letters marked can still present opposingvotes, and either one might be the adequate ballot. Without a second envelope thesequence number could be matched to the vote.

Yet this is not a proof of the vote’s integrity. So far it was only shown that theprocess of scanning worked out and the ballot was indeed recorded by the electionsystem. Due to the fact that the candidates are listed in random order, one letterdoes not always represent the same candidate. To ensure that the letter ’A’ in thepicture above is truly counted as a vote for ’T. Jefferson’ another chain of evidenceis needed as the final auditing. It proceeds as follows:

On the bulletin board the sequence number and the second columns’ entries arelisted in the same order. During the course of the election, the results will be postedin the last column but this time in random order. The third column’s entries neithercorrespond to the order of sequence numbers. The path leading from a sequencenumber to the corresponding result, is hidden by the information posted in the en-velopes of column 2 and 3. Both of them can never be opened at the same timebecause the inside numbers indicate the correct row of the next column and wouldfinally reveal the original vote (this would break the principle of secrecy). But onlyone of the envelopes being decrypted would not be sufficient to connect a voter tothe matching vote. This rule is incorporated by the fact that some digital envelopesof the second column are randomly opened (for example by tossing a coin) by theelection officials publishing the decryption keys. The information revealed consists ofa pointer to the corresponding row in the next column, and one of the strings ’same’or ’differ’. Following the pointer, the entry in the subsequent column consists of apair of one letter and one envelope each. The letter here depends on the previous

73

Page 84: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7 Methods of error detection

string. The string ’differ’ changes the following letter and for ’same’ it remains. Byrevealing the strings, everybody can verify that the posted intermediate letters ofthe third column are correct. As said before, a complete path cannot be tolerated.That is why the unreferenced envelopes are opened in the third column. After de-crypting the information, a number points to the final result, and a string tells uswhether the final result (symbolized by the letters) is, again, same or different fromthe letter in the previous column of the verification chain. In the end, each partic-ular chain is partly opened in an unpredictable manner. Only in case of a spoiledballot the chain is completely opened. Here it can be seen that in case of an invertedcandidate order on the ballot there is an odd number of ’differs’ in the envelopes(differ-same/same-differ), and that in case of an alphabetical order the number of’differs’ is even (differ-differ/same-same). The procedure can be seen in Figure 7.11.

3401

3402

3403

3404

3405

3406

B=

Jefferson

Audit completion

A

A

A

A

B

2,differ

4,same

3,same

4,differ

5,same

B=

Jefferson

A=

Madison

A=

Madison

B=

Jefferson

B

B

B

A

A

Figure 7.11: Auditing the tally - Source: modified from [Cha07]

As voters were able to check the postings in column one (and the dispute resolutionprocedure), it can be assumed with high probability that these letters were postedcorrectly. For manipulation purposes one would have to post incorrect letters in thesecond to last column, or incorrect results in the last one. But for every incorrectposting there is a probability of P = 1

2that it is detected (if the envelope leading to

it, is opened, it is revealed). Mathematically, this gives a negligible small probabilityfor n manipulated votes staying undetected.

Adaptation to RIV

Attempting to adapt the Scantegrity for RIV, the protocol starts with the ballotgeneration. Doing so, we instantly face the problem of the ballots’ representation.Looking at the traditional approach, the ballot needs to be digitalized while findingan equivalent concept to the barcode (to enable a later proof for receipt and votebelonging together). By assuming that the voting system still has to proof its trust-worthiness strong interest consists to make it subject to appeal. In that case, the

74

Page 85: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7.2 Voter-Verifiable Voting Protocols

authenticity of the receipt, and the clear classifiability of receipt and vote slip, aremandatory. The authentication of the receipt can easily be assured with a digitalsignature by the voting system. The classification however, of receipt and vote as oneentity, is rather complicated. A big problem is based on the fact that the anticipatedseparation of the ballot into vote and receipt would make a previously attached overallsignature invalid. Even so there are other cryptographical measures that can accom-plish the task, e.g. a hash of both parts could be calculated. In practice, the ballot isdisplayed electronically by the voting software. After the voter has marked his choice,the voting software needs to sign vote and receipt separately with the matching keys.Then the receipt is passed to the voter by printing it on a local printer. At the sametime the vote is sent to the election server for further posting and processing. Sincethe interest is directed towards getting an abstract idea, further details are skipped.After the voting phase the receipt’s signature can be easily verified (and thereforeassure voter and authority of the ballot’s correctness) and the hash proofs that re-ceipt and ballot have been attached at an earlier time. Anonymity can be ensuredby using a public bulletin board and partly opened verification chains as explainedin the standard variant. After finishing the tally, the pre-audit and audit phase takeplace in the same way as before. Therefore, the feasibility of Scantegrity’s adaptationto RIV seems practical. However, due to insecure clients loss of privacy and possiblecoercion remain threatening and demand further attention.

Here, the main problem consists of the integration with RIV. In its original con-ception, it allows an end-to-end audit and the confirmation of the election results.At this point, it is hard to imagine how the protocol steps can be implemented insuch a manner to come up with a practical voting scheme. Especially a proof for thecorrelation between detached receipt and vote (as the rest of the ballot) is difficult.

Security Problems

For the same reason as for Pret a Voter, chain voting is also possible for Scantegrity.Chain voting is caused by a shortage of ballots during paper-based elections. There-fore the availability of sufficient blank ballots might circumvent the threat. For thesame reason as for Pret a Voter, it is not seen as a security problem for the adap-tation to RIV. Other problems are based on the the paper-based voting procedure.The voting scheme is open to vote selling and coercion because a voter simply needsto create an image of his filled in ballot. The built-in cameras of cellular phones suitthis purpose. However, this is not a unique problem of Scantegrity and applies toother protocols as well. Some trust assumptions have to be made for Scantegrity aswell. For example the possibility of invalid signatures given by the voting system andinsufficient ballot verification by the authority have to be ruled out. A different kindof problem is caused by the ballots’ sequence numbers. Thereby the confidentiality is

75

Page 86: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7 Methods of error detection

affected because the numbers could be used to determine individual votes. For thisreason many countries prohibit the unique labeling of ballots in their election laws.

7.3 Evaluation of detection methods

Test ballots help to detect constant malfunctions of the client platforms. If no errorsoccur prior to an election this, however, does not indicate the correctness of thesucceeding election. Therefore test ballots, if at all, only convince the election helpers,they will not affect the voters’ belief in the correctness of the election results. Thatis why test ballots are not considered as the most valuable assurance benefit.

In contrast, the evaluated protocols break new grounds by giving voters the op-portunity to individually verify their ballot cast. For this reason, all of them allowa personal check by the voter that shows the correct recording. Requiring a trustedbulletin board that displays the processed votes, every voter can compare if his receiptis correctly displayed. If not, he can use it to dispute the election. Individually, theprotocols go separate ways to proof the correct ballot generation. Especially Neff’sscheme, the Visual Crypto scheme and Pret a Voter share that they provide voterreceipts that contain some sort of identification number and verifiable calculations foranother proof of correctness. Still all of the protocols achieve universal verificationby adding mechanisms for a transparent tallying.

Additionally paper receipts provide a potential basis for a VVPT that is valuable forelection verification in the traditional sense. However, this remains only a possibilityif the paper receipts carry the cast vote and are centrally collected. Then a recountwould be possible. It is especially hard for elections where the receipts need tobe collected from the voters first. For the introduced protocols only Scantegrityand Pret a Voter as proposed by Ryan in [Rya07] fulfill the required criteria for aVVPT. Further it was shown that the robustness of Chaum’s Visual Crypto schemeand Ryan’s Pret a Voter are afflicted with the application of decryption mixnets.However, this is not considered to be a serious problem, since it can be corrected byusing re-encryption mixes in combination with threshold encryption as proposed byRyan.

In detail, the protocols’ specific verification methodologies, encountered securityproblems, original implementation as well as problematic issues of the adaptation forRIV are shown in Table 7.4.

76

Page 87: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

7.3 Evaluation of detection methods

Voting

Scheme

Intended

Usage

Methods of

Verification

Security

Problems

Adaptation

Difficulties

Neff’s

scheme

Voting machines Verifiable choice,pledge bits,hashes, verifiablemixnet

Mix of identicaland mixed BMPs,message reorder-ing, subliminalchannels

Loss of privacyand coercionresistance, needfor local printer

Chaum’s

Visual

Crypto

scheme

Voting machines Visual cryptogra-phy, dolls, verifi-able mixnet

Reliance intrustees, messagereordering, se-mantic subliminalchannels

Loss of privacyand coercion re-sistance, need forlocal printer andhigh-resolutionprint-out

Pret a

Voter

Optical scanningof paper ballots

Shifted candidateorder, detachedcandidate list,onions, verifiablemixnet

Reliance in au-thority, chainvoting, illegalreceipts

Loss of privacyand coercionresistance, needfor local printer

Scantegrity Optical scanningof paper ballots

Shifted candidateorder, dispute res-olution, verifiablemixnet

Reliance in au-thority, chainvoting, illegalreceipts

Loss of privacyand coercionresistance, needfor local printer,proof for corre-lation betweenreceipt and vote

Table 7.4: Comparison of the evaluated voter-verifiable voting schemes

77

Page 88: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of
Page 89: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

8 Methods of error prevention

After talking about the possibilities of fraud detection possible attempts to make upfor insecure voting platforms are of specific interest. For this purpose five possiblemethods were found that are taken into account here. Two of them, namely trustedhardware devices and secure voting software distributed on a live-CD distinct forvoting, can be dismissed due to cost issues and compatibility problems. Thereforethe following chapter concentrates on the remaining methods of code voting, mulitplecasts and trusted computing. Afterwards the different approach to each of them shouldhave become clearer.

8.1 Trusted Hardware Devices and Voting-CDs

Trusted hardware devices require special security hardware being connected to thevoter’s PC (that only provides the connection to the internet). This device has todisplay the ballot, execute all of the cryptographic actions and must be closed forexternal software. For these reasons, it is far more costly than a typical smartcardreader. Taxing the actual costs for a usage during an election in Germany (assuming60 million eligible voters and a unit prize of 50 euro) easily results in billions (evenexcluding conceptual design). Live-CDs are far cheaper in terms of production costs.In the simplest version they require a minimal, secure operating system with driversfor the broadest possible support for network- and display devices. Instead of a specialvoting software, applets could be used. Then the included browser would functionlike the voting software. This raises the question of how the server is supposed todistinct if the voter uses the ’clean’ or any other operating system. Another drawbackis based on the fact that live-CDs require the voters being able to boot it. Assumingunskilled users with out-of-date hardware it seems only too probable that this cannotbe handled by the vast majority. Necessarily, special purposed hardware devices aswell as live-CDs need to be constructed by a trusted manufacturer. The developmentof either one is highly complex and demands expert knowledge. See [Eck04] for moredetails on the development process.

79

Page 90: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

8 Methods of error prevention

8.2 Code Voting

The treatment of the secure platform problem demands new measures. Verificationby itself does not solve the issue. One could be the previously mentioned voting incontrolled environments. Unfortunately this is contrary to our picture of RIV. Forthis reason other security measures are necessary. Code voting is a very effectiveway to solve the issues of privacy and integrity. It can protect against automaticvote manipulation at the voter’s computer and thereby become very precious for thepurpose of making client platforms more secure. The chapter starts with a generalexplanation before going into the details on how the practical implementation of codevoting might work.

Code voting was first mentioned by Chaum [Cha01] and is based on the creationof code numbers. Opplinger referenced the idea as code sheets [Opp02]. The mainidea behind code voting was to safeguard voting privacy. During the voting process,threats caused by spyware and other malicious software are considerably smaller ifthe identification of a specific vote is not possible anymore. The usage of randomlooking strings (codes) to cast a vote provides this feature. On the one hand theintegrity of the vote is protected because no one but the voter should know thecodes and their meaning. The integrity of the ballots is only at risk if the voterlets others access his personal codes. On the other hand, this guarantees privacybecause someone monitoring the voter’s actions (for example through the usage ofremote administration) cannot draw a conclusion from the code that is entered. Forencrypted votes this is not the case because an adversary can access the vote beforeit is cryptographically secured.

[Opp02] lists three different types of code voting:� In a full implementation, code numbers and verification numbers are used. Af-ter a vote was cast by entering the appropriate code, the server sends back averification number to the voter. With this code, the voter is able to verify thatthe vote was cast to an authentic server and that it was properly registeredthere.� A code number-only implementation excludes the server authentication and usesonly code numbers. Still the voter is advised to check the server’s public-keycertificate before voting. This is a risky procedure since many people do notknow what details they have to pay attention to.� The verification number-only implementation naturally cannot provide ballotsecrecy in the case of spyware and remote administration tools residing on acomputer. He also notes that without using code numbers it is possible for thevoter to ignore the verification numbers sent by the server. This is due to theabsence of a technical device that enforces manual verification.

80

Page 91: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

8.2 Code Voting

The foundation for the usage of code voting consists of the creation of code num-bers. In order to make the probability of malicious software guessing a code numbernegligible, one prerequisite is that the codes have to be (pseudo-)randomly chosenfrom a large range of numbers. If a number consists of ten bits then the probabilityof correctly guessing it would be P = 1

1024. This is believed to be difficult enough.

Ten bits can be represented by four decimal digits. Consequently, four digits are suf-ficient to encode a code number (leaving some redundancy to detect errors). Besides,for a full implementation of code numbers the server additionally needs to generaterandom confirmation codes. Of course, it is necessary for the codes to be generatedin a secure environment. One option for the composition of code numbers is a server-sided generation. Therefore the server has to be located in a safe environment andthe generated data must be stored in a secure database. After their generation, thecodes have to be secretly distributed to the voters. This could be achieved througha personalized code card (with code numbers as well as a voting and confirmationcode printed on it) that is transported by using postal mail. Electronic distributionvia the internet is no option. This is because a code sheet present on the local com-puter would enable residing malicious software to change the ballot according to itscreator’s interest1.

Having accomplished the setup, voting itself consists of entering the appropriatecode number (the one that appears next to the candidate of choice on the code sheet)into a field on the voting web page. For verification purposes, Helbach suggeststo use different confirmation codes, one for every possible choice [Hel07]. Whileproviding the voter with an accurate method of verification this protocol also asks fortrouble because it lacks the property of receipt-freeness. The combined possession ofconfirmation-code and code card makes it possible for the voter to proof his choice toan attacker. To return to receipt-freeness, the proposed voting scheme includes thepossibility of multiple casts. Multiple casts (also refered to as vote updating) make itpossible to revoke a possibly influenced vote by simply overwriting it. Of course, theydemand special forms for recognizing the actual vote that is to be counted (for moredetails see Chapter 8.3). For protecting the confidentiality and integrity of the ballotduring transmission, the author of the scheme sees no necessity for encryption anddigital signatures. He rather sees the confidentiality of the original choice protected’by the fact that the Transaction Authentication Number (TAN) is only a randomlychosen handle to this name, known only to the central database and to the voter’ andits integrity protected ’by the fact that the TAN’s are sparsely distributed in a largenumber space’. Since authentication is done through a code as well no signature isrequired. This means, someone observing the network traffic cannot gain information

1All of the above, regarding generation, distribution and storage, applies for Transaction Authenti-cation Numbers (TANs) as well. But there is a big difference in their impact for security. WhileTANs only provide a method of authenticating a financial transaction voting codes are supposedto provide integrity as well as privacy while the feature of authentication is also included.

81

Page 92: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

8 Methods of error prevention

about somebody else’s voting behavior because the vote is additionally covered untilthe server-sided retranslation. Nevertheless, a correlation between voter and vote ispossible thereafter.

During the final phase of the voting process, the codes need to be retranslated intothe real candidates. In order to present the final tally, once the election phase is overand all eligible and coded votes have been stored in a database, the tallying serversneed access to the retranslation schemes. Finding the correct retranslation schemeobviously depends on the identification of the voters. As noted by Joaquim andRibeiro [JR07], this has the important drawback that cryptographic voting protocolsprotecting voters’ privacy and preventing vote manipulation at server side cannotbe used anymore. Instead they suggest the usage of a paper based code card anda voting card that is similar to a smartcard. Again, the distribution of the codesis carried out on the code card. But this time the codes are only used for coveringthe local communication between the voter and his voting card. This card carriesthe private key of the voter as well as the public key of the election authority andthe retranslation codes necessary for translating secret codes into candidate codes.After retranslation, the card is supposed to execute all cryptographic computationsin the trusted environment. The proposed protocol also uses a full implementationof code numbers, but this time with two different confirmation codes. The first onehas to be entered by the voter. This requirement gives him a chance to additionallycheck his selected code option before the vote protocol proceeds by transmitting theinformation to the voting card. If it is correct, the entered code is then translated toa true candidate code, ciphered with the election’s public key and signed with thevoter’s private key. Afterwards it is sent to the bulletin board. If the signature veri-fies correctly, the bulletin board publishes the signed and encrypted code and returnsa signed hash of the voter’s vote. The voting card releases the second confirmationcode (the confirmed-vote delivery code) only if the signed hash corresponds to theissued vote. The confirmed-vote delivery code has to match the one printed ontothe voter’s code card and, in contrast to the prior protocol, is the same for everysuccessful vote delivery. For this reason, this model does not violate the principleof receipt-freeness. It certifies only a correct sequence of protocol steps (rather thanthe actual recording of a cast vote). Since the retranslation of codes does not hap-pen server-sided this model approach can be embedded in any other cryptographicvoting protocol to achieve extended privacy and integrity for the entire election. Asample implementation possibility consists of using re-encryption mixnet for creatingintegrity and anonymity at the server side and code voting for the same on votingplatforms. Joaquim and Ribeiro suggest this before the votes are finally decryptedand counted.

As mentioned before, code voting was used for the purpose of encrypting votes castwith cell phones during the elections in the Swiss canton of Zurich. The advice foran application during PC-based RIV was not further considered pointing out that

82

Page 93: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

8.3 Multiple Casts

its possible usage was not user-friendly. Pilot schemes in GB also used codes forthe vote cast from cell phones but did not specify why they were not used for RIV.The Netherlands have developed the mentioned prototype for a voting system. Butin practice codes are only used for the identification of the voter. Nevertheless, theusage of code voting is strongly anticipated for the purpose of client security eitherby a full or a code number-only implementation. The full implementation ensuresa verification mechanism not being necessary at all costs since verification could bepossibly provided by other means. But if it is used in the way as described above (withthe verification codes varying depending on the cast vote) the protocol turns out morecomplex as additional security arrangements like multiple casts have to be taken. Theidea of using smartcards as a trusted anchor is not new (being the typical applicationof a smartcard). In the context of voting, however, the voting card is definitely aninteresting idea that needs to be examined. The main counter-arguments are therequirement of an available smartcard infrastructure with additional distribution ofhardware and skilled users. For these reasons, a possible deployment of this protocolvariant is expected to be rather impractical.

8.3 Multiple Casts

Multiple casts give voters the possibility of repeated voting in a timely distributedway. In some countries this form of voting is already possible. Lately, they have beenused in practice with RIV during the Estonian elections. Our interest in multiple castsis because they bear the possibility to make up for the problem of casting a vote frompotentially insecure platforms. Further they present a way to prohibit coercion. Ifthis applies, a voter can simply overwrite the vote. In the previous chapter, it couldbe seen that multiple casts present an additional security feature for code voting. Thischapter starts by talking about the technical aspects, especially the details of differentimplementations. In this context, some of the resulting problems are named, beforeconcluding how they provide a way to face the danger of uncontrolled environments.

The possibility of repeated voting allows voters not only a timely but also a locallydistributed vote cast until the end of the election day. Usually a voting phase ofseveral days forms the basis of multiple casts. During this phase, voters may vote foran undefined number of times. The act of voting can either happen in the traditionalway or through online-voting by making use of the internet. At a certain point intime the voting phase usually ends. This could be the final deadline for the entireelection. But another possibility is to allow mixed forms of voting (online, postal andtraditional). In that case, online voting could precede and the election day might bededicated to an additional paper-based voting in the polling station.

Volkamer and Grimm [VG06] list four different forms of multiple casts during online

83

Page 94: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

8 Methods of error prevention

voting:� Exclusive online votingExclusive online voting presents the most simple form of repeated voting. Au-thorized voters can vote as often as they want using an online voting channel.� Decision-taking before the electionWithin this form, voters can either vote on paper or use an online channel.This requires the voters to decide upon the channel prior to the election. Thendifferent electoral registers are built depending on the voters’ decision. Thiscreates a clear boundary that ensures the usage of one channel or the other. Insuccession, authorized online voters can repeatedly vote whereas paper-basedvoters can vote only once (using their postal voting ballot or voter card for avote cast at the polling station).� Decision-taking during the electionThis form allows the voter to decide at any point of time during the electionhow to cast his vote. Then, by casting an online-vote he ultimately decides notto vote with a paper ballot. Online-voters can recast their vote ad infinitum.At a certain time online polls are closed and an electoral register is printed thatlists everybody who has not yet voted. A basic condition for this form is thatvoters receive both an authentication token for online voting and the typicalvoting card for paper-based voting.� No need for ultimate decision-takingIn the case of the previous variant, online voters cannot react to the latestpolitical events and surveys because the polls close before the final election day.In this form, remote votes and especially online votes can be cast until the endof the election day. Only the casting of a ballot in the polling station couldterminate online voting earlier. In that case, officials have to be provided witha method to somehow filter postal ballots and the ones cast online since votingin-person is supposed to overwrite all others. There exists also the theoreticalpossibility to allow an additional online voting after the occurrence of in-personvoting in a polling station. However, this last case is not considered as beingimportant since it does not help to adjust the previous mentioned problems.

In consequence, there are some questions that have to be addressed while consid-ering multiple casts. First of all, there is the problem of how to assign the correctcasting time to a voter’s cast ballot. This is definitely a fundamental requirement.Otherwise the tallying servers would not have a chance to recognize the ballots theyhave to count. Neither the voter’s computer nor the tallying servers’ time fulfillsthe requirement (the first one is too easy to be changed and the second might beattached to a ballot after an instant transmission is prevented by an attacker). In-stead there should be a mechanism that integrates a trusted timeserver for granting

84

Page 95: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

8.4 Trusted Computing

reliable timestamps. Another problem arises in the context of fairness. Naturally itis effected if only online-voters can cast new votes over and over while people thatcannot vote online (because they do not possess a PC) are excluded.

There are certain arguments for multiple casts such as the previously mentionedovercoming of the fact that remote and early voters are not able to respond to short-term political events, the reduced personal cost to cast a ballot by allowing the voterto decide by himself at what time he wants to vote and the lower sensitivity of thevoting system to DoS attacks. But for our purpose, the main argument is that itmakes the entire voting system more stable. The reboot of a computer after a bluescreen in the middle of the voting process has the effect that the voter does not knowif the vote was counted or not. Normally, there is nothing that can be done in thissituation. With an implementation of multiple casts the voter could cast another votethat (if the other was counted) updates the previous one. The same is possible in caseof a system breakdown due to other reasons. This shows that the feature of multiplevote casting indeed helps to prevent manipulation attacks through malware. Aftera voter identifies an incorrect system behavior he can now take measures. Servingthe purpose of identification, it has to be made clear to e-voters that they have toreassure themselves whether their cast ballots are listed correctly on a bulletin board.The verification schemes from above could fulfill this purpose. If verification doesnot succeed, an additional vote cast from a different (hopefully more secure) votingplatform or even on paper might solve the issue. For the issue of privacy this is thecase as well. As Volkamer and Grimm put it, ’the information from the maliciouscode cannot be used to break the election secrecy because the voter could cast lateron another ballot from another device’. By the same modality, multiple casts alsopromise to make voting resistant against coercion.

8.4 Trusted Computing

The main idea of Trusted computing (TC) is the creation of a technology that allowshardware and software to enforce certain rules the computer consistently behavesby. In accordance to this, the original purpose of TC was the application of DigitalRights Management (DRM). In the context of RIV, especially the Remote Attestation(RA) of machines and programs running upon them could allow the certification ofa voting platform. This section begins with a general explanation of TC before it isshown how the issue of insecure home computers could be theoretically solved usingRA. By presenting the prototype of a protocol with TC an illustration of a possibleimplementation is tried. The examination concludes with some critical remarks.

As specified by the Trusted Computing Group (TCG)2 every trusted computing

2The TCG develops industry standard specifications for trusted computing building blocks and

85

Page 96: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

8 Methods of error prevention

consists of a minimal Trusted Computing Base (TCB) that includes hardware andsoftware that is necessary to enforce rules established through formally stated securityrequirements. If the TCB works as required there should be no way to compromisethe system security. As noted by Stumpf [Stu07] the TCB consists of a TrustedPlatform Module (TPM), a passive hardware module that is similar to a PC-boundsmartcard with the following functions:� Hardware-based random number generator (used for the key generation).� Hash calculation (essential for the trusted boot).� Hardware-protected memory (for storage of restricted usage keys).� Creation of signed integrity information.

Unlike smartcards, the TPM is not migratable. It includes an Endorsement Key(EK) and an Endorsement Key Certificate that allow the identification of the com-puter platform the TPM is associated with and it further offers a reporting functionthat enables other components to receive a signed acknowledgment of the system’sconfiguration. The latter allows the validation of whether the platform currentlyhas the desired configuration [Eck04]. Figure 8.1 shows the necessary elements for atrusted voting platform. They consist of TPM, the system monitoring hypervisor, atrusted software layer, and the software used for online voting.

Trusted Software Layer

Conventional

Operating

System

Existing Hardware TPM

Online V

oting

untrusted

trusted

Hypervisor

Figure 8.1: Example for a trusted platform - Source: modified from [ASSV06]

Most importantly for building secure voting platforms, the TPM enables anony-mous attestation. A prerequisite for this is the realization of a secure boot sequence.It consists of the kernel of the platform’s operating system calculating hash-valuesthat depend on each other and the system’s configuration. The sum of these metricsconstitute a Chain of Trust. For the purpose of calculating the base value, the TPMacts as the Root of Trust. Beginning with this calculation, also known as the Core

software interfaces across multiple platforms. The list of members includes major software andhardware vendors (such as AMD, Hewlett-Packard, IBM, Infineon, Intel, Lenovo, Microsoft andSun) [TCG07].

86

Page 97: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

8.4 Trusted Computing

Root of Trust Measurement (CRTM), the system subsequently calculates more check-sums, one for every step of the boot sequence and signs them with the correspondingAttestation Identity Key (AIK). The AIK is an internally created key signed by theEK. To allow a trusted third party to see if the signed hashes truly originate from anauthentic TPM the AIK additionally needs a matching certificate issued by a trustedCertificate Authority (CA)3. As a result, AIKs serve as pseudonyms for various pur-poses. In Figure 8.2 the steps of the Chain of Trust consist of the CRTM as well asgradual hash calculations for Read Only Memory (ROM), Basic Input Output Sys-tem (Bios) and Master Boot Record (MBR), until the kernel of the operating systemis finally reached. The entire boot sequence is logged and stored in the ProtectedConfiguration Registers (PCR) of the TPM. For every step, the calculated hash codehas to be validated. The building of the Chain of Trust only succeeds if this succeeds.After all, the system’s security strongly depends on the integrity of the Root of Trust.If an incorrect value occurs the boot process should be stopped. But if correct, thebuilding of a secure path from the TPM to the corresponding security-sensitive appli-cation succeeds. Anonymous attestation is achieved by the voting platform sendingthe hashed system configuration that is additionally signed with its AIK. The votingapplication could then check the soundness of the AIK with the issuer of the cer-tificate. Afterwards, it has to approve the metric of the system configuration. Onlythen, the voting platform gets the permission to vote.

CRTM ROM BIOS MBR Kernelstart hash

start

hash

start

hash

start

hash

start

Figure 8.2: Chain of Trust - Source: [Stu07]

Based upon this, the usage of TC requires an adjustment of voting protocols asshown by Alkassar et al. [ASSV06]. Because the participating servers and clientsdo not know each other voting protocols require methods of authentication. Theapplication of trusted platforms on client and server side allows the simplificationof potential protocols to encryption and signing for the establishment of a securecommunication channel. As described above, respective attestation is achieved byexchanging the current platform configuration. In a first registration step, the remoteattestation protocol is conducted between voter and authentication server. In doingso, they exchange their public sealing keys SKE and the result of the secure bootthat was stored in the PCR. Each of the messages is signed with the sender’s privateAIKD. Additionally, the certificate for the public AIKE is added. This gives thereceiver the possibility to have it validated by the originating CA. Afterwards voterand server can check whether the configuration of their voting platform is satisfying

3To certify the public part of the AIK, the user also needs to send the public EK to the chosenCA. With this, the user’s platform can be identified. As a result, a corrupt CA might uncoverthe identity of an AIK. For our purpose, a privacy respecting CA is assumed.

87

Page 98: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

8 Methods of error prevention

and whether it possesses the respective encryption keys.

1. V oter → Server1: signAIKV

D

(PCRV , SKVE ), CertAIKV

E

2. Server1 → V oter: signAIK

S1D

(PCRS1, SKS1

E ), CertAIK

S1E

In the next step, the voters have to provide a proof of themselves being eligible tovote. This is done by sending an encrypted and signed message with their ID andPIN code. With the valid signature, the client platform indicates to the voting serverthat it is in the signaled state with the authentic voting software running on thetrusted platform. The decryption of this message is only possible for the server if thisis the case (because the TPM only then releases the decryption key). In response,the server only replies with an encrypted and signed message consisting of the voterID and an ’ok’ if the server’s eligibility check has a positive result. Now the votingsoftware has to check this message by the same criteria. The registration phase onlycompletes in case of an ’ok’. In this case, the voting software proceeds and displaysthe ballot.

3. V oter → Server1: signAIKV

D

(encSK

S1E

(ID, PIN))

4. Server1 → V oter: signAIK

S1D

(encSKV

E

(ID, ok))

After acknowledging his decision the voter’s voting software first informs the votingserver of the ballot cast. Based on this information, the server can mark the corre-sponding voter in the electoral register to prohibit multiple votes. He additionallyanswers the message by signaling that he has done so.

5. V oter → Server1: signAIKV

D

(encSK

S1E

(ID, voted))

6. Server1 → V oter: signAIK

S1D

(encSKV

E

(ID, flagged))

Before the final steps of the main voting protocol take place an additional at-testation is necessary, this time between the voter and the tallying server. Here aconnection between TPM (comparable to the voter’s id) and the encrypted vote isnot tolerable because of the privacy requirement. For this reason, the voter uses dif-ferent keys. As before, after the attestation protocol finishes the tallying server andthe voter have exchanged the platform configuration and the new encryption keys.

88

Page 99: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

8.4 Trusted Computing

7. V oter → Server2: signAIK′V

D

(PCRV , SK ′VE ), CertAIK′V

E

8. Server2 → V oter: signAIK

S2D

(PCRS2, SKS2

E ), CertAIK

S2E

The main voting protocol basically consists of two steps. One is the voter sendingthe vote to the tallying server. The server believes that an authentic voting softwarerunning on a trusted platform only sends the ballot if the voter’s right to vote waschecked during earlier protocol steps did happen. Afterwards the tallying serversignals the successful transmission by sending its ’ok’. Again, both messages areencrypted and signed. Now the voting software can display the successful transmissionto the voter. After the election is over the stored votes only need to be decryptedand counted.

9. V oter → Server2: signAIK′V

D

(encSK

S2E

(vote))

10. Server2 → V oter: signAIK

S2D

(encSK ′V

E

(ok))

The client software of a remote voting application needs to run on any voting plat-form, interact with the voter, and establish a connection with the voting server. Theattestation of the necessary hardware (I/O device drivers, network protocol stack andnetwork adapter driver) and present software demands metrics that must be calcu-lated by a secure operating system. Without this, the concept of trusted platformswould not be feasible.

Especially with the functionality of secure boot sequence and the possibility ofanonymous attestation TC theoretically provides mechanisms to achieve trustworthyvoting platforms. With TC, a client computer that runs certain malware could beprevented from interfering with the voting software. Since TC also controls the in-ternal communication sequence and, in the case of RIV, establishes a trusted pathbetween user and voting platform the voter’s private choices can neither be alterednor read during the cast. Unwanted malicious software as well as foreign communi-cation channels that are not part of the vote casting process could be detected andwould have to cause an instant protocol termination. Alkassar et al. argue that TCnot only prevents malware from accessing critical applications on the client comput-ers, but that it also protects from corrupt voters and manipulated voting software.Additionally, the sealing of the incoming messages by the voting server makes vot-ing even more secure because it would make processing only possible for the correctvoting application on the appropriate platform.

While TC appears to be beneficial in theory, there are some serious issues thatremain critical in practice. When talking about a secure boot and the establishing of

89

Page 100: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

8 Methods of error prevention

a Chain of Trust it is important to stress that not every component of a system can becovered. For example, most drivers are dynamically loaded and possess administrativerights. It is an open question how to decide which components are critical. Vacanciesin the Chain of Trust are therefore more than likely. In consequence, it is possible formalicious software to make use of applications that are covered [Eck04]. In practice,this leads to the problem of acceptance. Voters that are prohibited from voting mightnot understand the reason and feel excluded. Moreover, there are also technicalproblems concerning the maturity of the currently deployed technology [SSS06] andconcerning the revocation of cracked machines [BCC04].

8.5 Discussion of the presented methods

Code Voting presents a simple way to react to some of the dangerous hazards named inChapter 6 by covering up the voter’s choice. Two different approaches of code votingwere presented during this chapter. One was the consistent usage of codes during theoverall voting process. In order to consider it, there needs to be a way to disassociatethe used codes from the identity of the voter while retranslating. The other possibilityfacilitates smartcards. As a result, the codes cover only the communication of theplatform, namely between the voting software and an externally connected smartcard.The usage of code voting is compatible with most voting protocols. We categorize theusage of codes as an important improvement for guaranteeing the necessity of a privateand unaltered vote. Multiple casts are effective in adjusting the problems causedby insecure problems as well as coercion. A precondition for this are possibilitiesto detect them. Importantly, the recasting of a vote does not prevent election fraudfrom happening. In addition, multiple casts make the voting system more complicatedbecause they require a safe implementation that prohibits voters to cast several votes.At last, TC was tested for the same purpose. Theoretically, it provides a technicalinnovation that re-organizes the functioning computer platforms such that unwantedchanges of system configuration can be detected. As a result, remote attestationcan help to proof the security of a platform to a verifier and the implementation ofother mechanisms could be omitted. Thereby voting protocols could benefit froma reduced complexity. Apart from the fact that functioning and effects of TC arehighly controversial it can be seen as a mechanism that might effectively secure openplatforms (such as a PC) for vital applications (such as voting software) to run on.

90

Page 101: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

9 Conclusion

DRE-based voting machines have earned a lot of criticism lately. Recent securityreports brought about a negative rebound that led to a declining usage in manycountries. This affected the perception of RIV as well, because it is also an electronicvoting scheme. So some of the mentioned criticism applies for both. The function-ing here and there mainly relies on the adaptation of a secure voting protocol thatruns on top of a computer system representing the voting platform. This thesis hasdemonstrated that especially the remote form of internet voting is even more endan-gered. It was made clear that, together with insecure networks, the design of clientplatforms presents the major obstacle against RIV. This has not changed since thefirst description of the problem in [Rub00]. Today’s computers suffer more than everfrom malicious software. It was shown how this might affect the principles of voting.For this reason, PCs as client platforms for RIV currently cannot be considered atrusted entity.

The easiest way to solve the problem would be to simply distribute the responsibil-ity for the functioning of a voting platform onto the voters. However, talking aboutvoting and its importance for democratic systems as mentioned at the beginning ofthe thesis, this is not an option. That is why conducting elections that enable asecure vote cast by the principles of the specific electoral law is considered as a dutyof the government.

Transparency of the voting process is particularly important. Voting protocolsthat offer verifiable voting respond to this issue. Individual verification can helpto eliminate personal worries whether a vote was recorded correctly. Vice versa itmight as well inform someone that a sent ballot has not been recorded. Assumingthat all other steps of the voting process work correctly, this is a promising methodfor checking if one’s voting platform is properly functioning. Furthermore, universalverifiability provides provable arguments for the correctness of electronic elections. Bygiving voters the possibility to verify the recording of every vote as well as the correcttallying, they can take on the role of election observers. A voter who does not trustthe voting system, but has access to methods for auditing it, might as well use them.If he does not succeed in proofing the system wrong he might eventually changehis opinion. Consequently, mechanisms of voter-verification can create substantialtrust in electronic voting systems that are too complicated to be transparent. Ourattempts of adapting the chosen protocols for RIV have revealed different problems

91

Page 102: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

9 Conclusion

that need to be regarded separately. However - all of them have in common thatan adaptation for a remote usage was unintended. Therefore the protection goal ofcoercion resistance cannot be guaranteed.

In this thesis several strategies were presented that promise to bridge the gap fortypical client computers. Currently, the most promising mechanism for the preventionof attacks on client platforms seems to be code voting. As has been shown, it succeedsin achieving integrity and privacy through secret ballots for the process of RIV ona fairly simple basis. Furthermore, it can be combined with most current votingprotocols, nearly independent of the voting style. The only prerequisite is a racebetween a prior-determined amount of choices. So write-in voting is not supported.Still code voting enables its combination with voter-verifiable protocols. Intending tovote with codes, one would be confronted with a rather cryptic-looking ballot. Insteadof candidate names the voter has to deal with cryptic characters whose meaning firstneeds to be looked up on a code sheet. Despite the criticism of bad usability, this canbe considered as a minor problem. To reveal the voter’s original choice the attackerwould need to get hold of the translation table. This means that by code voting, theexposure of privacy is reduced to a level known from absentee voting. Due to thenature of remote voting systems it is hard to do any better than this. A combinationof code voting with smartcards also makes a different implementation possible. Herethe decryption tables for the codes do not have to be stored in a central database.Instead, they are distributed with the card. However, this is strongly related to legalconcerns such as the establishment of a countrywide smartcard infrastructure andvoters purchasing additional hardware such as smartcard readers. Other problemsconsist of the unfulfilled protection goals of coercion resistance and completeness.

As mentioned before, so far most voter-verifiable protocols fail to solve the issueof coercion resistance. In fact, Helbach [Hel07] refers to multiple casts as a goodmeasure to be used for the avoidance of vote selling. Intuitively it sounds reasonableto eliminate coercion as well as other threats by simply overwriting a coerced vote.But in practice it is no more than a measure of adjustment and does not prevent fromthreats. Another severe effect can be seen in its impact on general voting behavior.Instead of making a careful decision based on long-term personal views, voters mightstart reacting to current affairs and the results of surveys. Its practice is neithercommon for democratic elections nor for voting protocols. For these reasons theusage is not advised. Promising in this context is the work of [Web06] and [MaKo06].

In the author’s opinion, code voting should be included in future RIV systems. Themain reason for this is its effectiveness in creating valuable security by straightforwardmechanisms. Verifiable voting is also promising, but requires further accommodationfor the safe use with remote systems.

Most likely the situation will change with the appearance of trusted computingsystems. It was explained how voting schemes might benefit from its usage. Most

92

Page 103: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

importantly, the initiative is approved because of its promises to create confidencein the platforms’ integrity and authenticity. In addition, TC helps to simplify vot-ing protocols by providing the responsibility of trustworthy clients. But the correctfunctioning cannot be verified with its own measures. For this and other reasons, TCdoes not represent an option for the time being. Instead, the approach to client andnetwork security must be critically observed while trying to clarify the question as towhat extent definitions and other important aspects remain unclear.

Every amendment of the electoral law was accompanied by controversial discus-sions. As for every introduction of security critical mechanisms, promised benefitsand estimated negative consequences have to be weighed up against each other. Thepromise of a better participation, and therefore higher legitimacy for a democraticsystem, is surely tempting. But social and political scientists are doubting these ar-guments. Ewert et al. [EFK06] for example opine the view that the turnout of anelection is not affected by the necessity of a short walk to the polling station. Theybelieve that the state of a democratic system, and especially the importance of anelection, rather play a more decisive role. Carrying on this line of argumentation, thereduction of personal costs is not so important.

Regardless of this question, the compliance with the election primitives is funda-mental. The issue of secrecy has to be treated specially because it is hard for remotevoting systems to fully guarantee this protection goal. For absentee voting the con-straint of secrecy has been tolerated because it is a supplemental form of voting, andofficially associated with strict regulations. Here, the benefits are more importantthan the losses.

Meanwhile the prospect of RIV often remains unclear, because the broadness ofpossible usage is not well defined. If, as often argumented, RIV is introduced as asequel to absentee voting (only with different means, and the participating groupdefined by the strict guidelines mentioned before), it has to be measured by the samerules. However, some arguments used for RIV point in the direction of establishingit as a primary voting technique. In order to seriously achieve a cost reduction forelections, economization would imply the elimination of traditional voting at somepoint. Perspectively, the observed countries deal quite differently with this issue ofRIV. Estonia introduced RIV as an additional method of voting for all citizens. TheNetherlands and Switzerland are working on an introduction of RIV as a methodof voting for the citizens abroad only. The Electoral Commission of Great Britainopposes any further pilots, because there is no general strategy for a modernizationof the electoral system. Additionally, the trials have shown that the aspired costreduction is questionable.

To find out about the voters’ acceptance of voting schemes that include preventa-tive methods, as well as about mechanisms for verification, further testing is advised,preferably during elections that are not legally binding (e.g. workers’ councils, univer-

93

Page 104: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

9 Conclusion

sities’ boards or governing boards of social security institutions). Here, the proposedmethods can be further evaluated within borders of adequate control and limiteddanger. With regard to the incapability of current voting schemes to fully guaranteethe principles of voting, it is necessary to dissociate from the broad usage of RIVtechniques for legally binding elections such as parliamentary elections at present.

94

Page 105: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

Bibliography

[ASSV06] A. Alkassar, A. Sadegi, S. Schulz, and M. Volkamer. Towards TrustworthyOnline Voting. 2006.

[BB06] Nadja Braun and Daniel Brandli. Swiss E-Voting Pilot Projects: Evalu-ation, Situation Analysis and how to proceed. In Electronic Voting 2006,pages 27–36. Robert Krimmer, 2006.

[BBC04] BBC. First mobile phone virus created. http://news.bbc.co.uk/1/hi/technology/3809855.stm, 2004. last visited 05.18.2007.

[BCC04] E. Brickell, J. Camenisch, and L. Chen. Direct anonymous attestation.In Proceedings of the 11th ACM conference on Computer and communi-cations security, pages 132–145, NewYork, NY, USA, 2004.

[Ben87] J. Benaloh. Verifiable Secret-Ballot Elections. PhD thesis, Yale University,1987.

[BN02] Hubertus Buchstein and Harald Neymanns. Online-Wahlen, chapter Ein-leitung, pages 7–22. Hubertus Buchstein and Harald Neymanns, 2002.

[BR03] Jeremy Bryans and Peter Ryan. A dependability analysis of the Chaumdigital voting scheme. Technical Report CS-TR-809, University of New-castle upon Tyne, July 2003.

[Buc04] Prof. Dr. Johannes Buchmann. Einfuhrung in die Kryptographie.Springer, Berlin Heidelberg, third edition, 2004.

[Bun02] Schweizerischer Bundesrat. Bericht uber den Vote electronique - Chan-cen, Risiken und Machbarkeit elektronischer Ausubung politischer Rechte.Technical report, 2002.

[Bun06] Schweizerischer Bundesrat. Bericht uber die Pilotprojekte zum Voteelectronique. Technical report, 2006.

[Bus07] Nikolas Busse. Krieg im Cyberspace. http://

www.faz.net/s/Rub4C34FD0B1A7E46B88B0653D6358499FF/

Doc~E8FC83492878245149FFE5322F9A5F182~ATpl~Ecommon~Scontent.

html, November 2007. last visited 12.19.07.

[Car07] Paul Cartledge. Ostracism: selection and de-selection in ancient Greece.http://www.historyandpolicy.org/papers/policy-paper-43.html,2007. last visited 12.14.07.

95

Page 106: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

Bibliography

[Cha81] David Chaum. Communications of the ACM, volume 24(2), chapter Un-traceable Electronic Mail, Return Addresses, and Digital Pseudonyms,pages 84–90. 1981.

[Cha83] D. Chaum. Blind signatures for untraceable payments. In In Crypto’82,pages 199–203. New York: Plenum Press, 1983.

[Cha01] David Chaum. SureVote: Technical Overview. In Proceedings of theworkshop on trustworthy elections (WOTE’01), 2001.

[Cha04] David Chaum. Secret-Ballot Receipts: True Voter-Verifiable Elections,2004.

[Cha07] David Chaum. The Scantegrity System - An Introductory Whitepaperand Example. http://www.scantegrity.org/papers/whitepaper.pdf,2007. last visited 12.4.07.

[Che07] Jun Chen. Verifiable Mixnets Techniques and Prototype Implementation.Master’s thesis, Darmstadt University of Technology, 2007.

[Com03] The Electoral Commission. Technical Report on the May 2003pilots. http://www.electoralcommission.org.uk/files/dms/

Copyofcoverandreport-final_11369-8944__E__N__S__W__.pdf,November 2003.

[Com05] The National Election Committee. E-Voting System. Technical report,2005.

[Com07a] Election Process Advisory Commission. Voting with confi-dence - Summary, Conclusions and Recommendations. http:

//www.minbzk.nl/bzk2006uk/subjects/constitution-and/press_

releases?ActItmIdt=109259, 2007. last visited 11.14.07.

[Com07b] Electoral Commission. Electoral Commission calls for end to ’piece-meal’ election pilots. http://www.electoralcommission.org.uk/

media-centre/newsreleasereviews.cfm/news/657, 2007. last visited12.5.07.

[Com07c] The Electoral Commission. Summary of Electronic Voting - May 2007electoral pilot schemes. http://www.electoralcommission.org.uk/

files/dms/Electronicvotingsummarypaper_27194-20114__E__N__S_

_W__.pdf, August 2007.

[CRS04] David Chaum, Peter Ryan, and S.Schneider. A Practical, Voter-VerifiableElection Scheme. Technical report, University of Newcastle upon Tyne,December 2004.

[dMV07] Marie-Fleur Auf der Maur and Samuel Vontobel. Case Studies on E-voting. Master’s thesis, University of Freiburg, Switzerland, 2007.

96

Page 107: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

Bibliography

[Dom07] Mario Domgorgen. Vernetzte Demokratie. Internetwahlen in Deutschland.Master’s thesis, Rheinische Friedrich-Wilhelms-University Bonn, 2007.

[Eck04] Prof. Dr. Claudia Eckert. IT-Sicherheit. Oldenburg Wissenschaftverlag,Munchen, third edition, 2004.

[EFK06] Burkhard Ewert, Nermin Fazlic, and Johannes Kollbeck. E-Demokratie- Stand, Chancen und Risiken. http://www.bpb.de/files/5XSXDC.pdf,2006. last visited 12.1.07.

[Feh07] Martin Fehndrich. Briefwahl. http://www.wahlrecht.de/lexikon/

briefwahl.html, 2007. last visited 11.14.07.

[Fis04] Thomas Fischermann. Neue Maschinen, neues Ergebnis? Zeit.de, 2004.

[FOO93] A. Fujioka, T. Okamoto, and K. Ohta. Advances in Cryptology -AUSCRYPT 1992, chapter A practical Secret Voting Scheme for LargeScale Elections, pages 244 – 251. 1993.

[For00] California Internet Voting Task Force. A Report on the Feasibility ofInternet Voting. Technical report, 2000.

[Ges07] Hans Geser. E-Voting projects in Switzerland. http://socio.ch/

intcom/t_hgeser12.htm, 2007. last visited 09.16.07.

[Hel07] Jorg Helbach. Secure Internet Voting with Code Sheets. In Pre-Proceedings Vote-ID, 2007.

[HJP05] Engelbert Hubbers, Bart Jacobs, and Wolter Pieters. RIES - InternetVoting in Action. 2005.

[HKM+07] J. Helbach, R. Krimmer, A. Meletiadou, N. Meißner, and M. Volkamer.Zukunft von Online-Wahlen. Datenschutz und Datensicherheit, (31):434–440, 2007.

[Hof07] Dirk Hoffmann. Benchmarking of existing national legal e-businesspractices. http://ec.europa.eu/enterprise/ict/policy/legal/

2006-bm-cr/germany.pdf, 2007. last visited 11.14.07.

[Ins01] Internet Policy Institute. Report of the Noational Workshop on InternetVoting: Issues and Research Agendas. March 2001.

[Jes03] Eckhard Jesse. Reformvorschlage zur Anderung des Wahlrechts. Wahlsys-tem und Wahlrecht, Aus Politik und Zeitgeschichte, 2003.

[JJR02] M. Jakobsson, A. Juels, and R. Rivest. Making mix nets robust for elec-tronic voting by randomized partial checking. In Proceedings of the 11thUSENIX Security Symposium, 2002.

[Jon03] Douglas W. Jones. A Brief Illustrated History of Voting. http://www.

cs.uiowa.edu/~jones/voting/pictures/, 2003. last visited 12.14.07.

97

Page 108: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

Bibliography

[JR07] R. Joaquim and C. Ribeiro. Code Voting Protection Against AutomaticVote Manipulation in an Uncontrolled Environment. In Pre-ProceedingsVote-ID, 2007.

[JRS07] David Jefferson, Avi Rubin, and Barbara Simons. A comment on theMay 2007 DoD report on Voting Technologies for UOCAVA Citizens.http://servesecurityreport.org/SERVE_Jr_v5.3.pdf, June 2007.

[JRSW04] D. Jefferson, A. Rubin, B. Simons, and D. Wagner. A Security Analysisof the Secure Electronic Registration and Voting Experiment (SERVE).January 2004.

[Kea07] D. Keating. Pentagon Calls Off Voting by Internet. The WashingtonPost, June 2007.

[Ker04] Norbert Kersting. Online-Wahlen im internationalen Vergleich. In Mod-ernes Regieren / E-Government, number 18, pages 16–23. Bundeszentralefu r politische Bildung, 2004.

[KMC+05] Joseph R. Kiniry, Alan E. Morkan, Dermot Cochran, Fintan Fairmichael,Patrice Chalin, Martijn Oostdijk, and Engelbert Hubbers. The KOARemote Voting System: A Summary of Work To-Date. 2005.

[KP07] David Knori and Elisabeth Prader. So funktioniert das ZurcherE-Voting. http://www.infoweek.ch/archive/ar_single.cfm?ar_id=

15991\&ar_subid=3\&sid=0, 2007. last visited 10.26.07.

[Kru06] Lucas Kruijswijk. I-voting with RIES analyzed. 2006.

[Kru07] Paul Krugman. When votes disappear. http://www.truthout.org/

docs_2006/112406C.shtml, 2007. last visited 11.29.07.

[KSW05] Chris Karlof, Naveen Sastry, and David Wagner. Cryptographic VotingProtocols: A Systems Perspective. Technical report, University of Cali-fornia, Berkeley, 2005.

[MaKo06] Filip Zago rski Miros l aw Kuty l owski. Verifiable Internet VotingSolving Secure Platform Problem. http://zagorski.im.pwr.wroc.pl/

felippo/papers/Verifiable_Internet_Voting.pdf, 2006. last visited12.5.07.

[MD04] M.Volkamer and D.Hutter. From Legal Principles to an Internet VotingSystem. 2004.

[MG04] Margaret McGaley and J. Paul Gibson. A Critical Analysis of the Councilof Europe Recommendations on e-voting, 2004.

[Mil72] L.W. Milbrath. Political Participation. 1972.

[Nau07] Frank Nauheimer. Development of a lattice based blind signature scheme.Master’s thesis, Darmstadt University of Technology, 2007.

98

Page 109: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

Bibliography

[Naz07] Jose Nazario. Estonian DdoS Attacks - A Summaryto date. http://asert.arbornetworks.com/2007/05/

estonian-ddos-attacks-a-summary-to-date, 2007. last visited09.10.07.

[Noh07] Dieter Nohlen. Wahlrecht und Parteiensystem, volume 5. Verlag BarbaraBudrich, 2007.

[NS95] M. Naor and A. Shamir. Visual Cryptography. In Proc. Advances inCryptology, Eurocrypt 94, pages 1–12. Springer-Verlag, 1995.

[oD07] Department of Defense. Expanding the Use of Electronic Voting Tech-nology for UOCAVA Citizens. http://servesecurityreport.org/

DoDMay2007.pdf, May 2007.

[oE04] Council of Europe. Legal, Operational and Technical Stan-dards for E-Voting. CoE Publishing, http://www.coe.int/t/e/

integrated_projects/democracy/02_activities/02_e-voting/01_

recommendation 2004.

[oE07] Concil of Europe. Statute of the Council of Europe.url=http://conventions.coe.int/Treaty/EN/Treaties/Html/001.htm,2007.

[oG07a] State of Geneva. E-Voting. http://www.geneve.ch/evoting/english/welcome.asp, 2007. last visited 12.15.07.

[oG07b] Federal Ministry of Germany. Online-Wahlen. Lexikon der Innenpolitik,http://www.bmi.bund.de, 2007. last visited 10.23.07.

[oG07c] Federal Ministry of Germany. Wahlgerate. Lexikon der Innenpolitik,http://www.bmi.bund.de, 2007. last visited 11.13.07.

[oJ07] German Federal Ministry of Justice. Verordnung uber den Einsatz vonWahlgeraten bei Wahlen zum Deutschen Bundestag und der Abgeord-neten des Europaischen Parlaments aus der BRD. http://bundesrecht.juris.de/bwahlgv/index.html, 2007. last visited 11.14.07.

[Opp02] Rolf Oppliger. Addressing the Secure Platform Problem for Remote In-ternet Voting in Geneve, 2002.

[oS07] California Secretary of State. Top-To-Bottom-Review. http://www.sos.ca.gov/elections/elections_vsr.htm, 2007. last visited 11.14.07.

[OSC07a] OSCE/ODIHR. Republic of Estonia, Parliamentary Elections, 03.04.07,June 2007.

[OSC07b] OSCE/ODIHR. The Netherlands, Parliamentary Elections, 11.22.06,March 2007.

99

Page 110: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

Bibliography

[oZ07] City of Zurich. E-Voting Demo. http://evotingdemo.zh.ch, 2007. lastvisited 10.26.07.

[Pro03a] EU Cybervote Project. Final Report. http://www.eucybervote.org/

MSI-WP6-D21-v1.0.pdf, 2003. last visited 10.21.07.

[Pro03b] EU Cybervote Project. Report on Review of Cryptographic Protocolsand Security Techniques for Internet Voting. http://www.eucybervote.org/TUE-WP2-D6V1v1.0.pdf, 2003. last visited 10.21.07.

[PvH07] Wolter Pieters and Robert van Haren. E-Voting Discourses in the UKand the Netherlands. 2007.

[Riv02] Ronald L. Rivest. Electronic Voting. Financial Cryptography ’01,SpringerVerlag, LNCS 2339, 2002.

[Rja02] Zuzana Rjaskova. Electronic Voting Schemes. Master’s thesis, ComeniusUniversity, Bratislava, 2002.

[RP05] P. Y. A. Ryan and T. Peacock. Pret a Voter: a Systems Perspective.Technical report, University of Newcastle upon Tyne, 2005.

[RP06] P. Y. A. Ryan and T. Peacock. Threat Analysis of Cryptographic Elec-tion Schemes. University of Newcastle upon Tyne, Computing Science,Technical Report Series, No. CS-TR-956, 2006.

[RS06] P. Y. A. Ryan and S. A. Schneider. Pret a Voter with Re-encryptionMixes. In European Symposium on Research in Computer Security, num-ber 4189 in Lecture Notes in Computer Science. Springer-Verlag, 2006.

[Rub00] Aviel D. Rubin. Security Considerations for Remote Electronic Votingover the Internet. Communications of the ACM, 2000.

[Rya07] P. Y. A. Ryan. Pret a Voter with a Human-Readable, Paper Audit Trail.University of Newcastle upon Tyne, Computing Science, Technical ReportSeries, No. CS-TR-1038, 2007.

[Sch00] Berry Schoenmakers. Fully Auditable Electronic Secret-Ballot Elections.http://www.xootic.nl/magazine/jul-2000/schoenmakers.pdf, 2000. lastvisited 11.29.07.

[Sch02] Hermann Schmitt. Second-Order Elections to the European Parlia-ment: Is E-Voting the Solution? http://www.mzes.uni-mannheim.de/

publications/papers/HS_Florence.pdf, 2002. last visited 11.28.07.

[Sch07a] Bruce Schneier. Gathering ’Storm’ Superworm Poses Grave Threat to PCNets. http://tinyurl.com/2xevsm, 2007. last visited 11.23.07.

[Sch07b] Jorn Schweisgut. Elektronische Wahlen unter dem Einsatz kryptografis-cher Observer. PhD thesis, Justus-Liebig-University Gießen, 2007.

100

Page 111: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

Bibliography

[Sha79] Adi Shamir. How to share a secret. Communications of the ACM, Novem-ber 1979.

[SHNR06] G. Skagestein, A. Haug, E. Nødtvedt, and J. Rossebø. How to CreateTrust in Electronic Voting over an Untrusted Platform. In ElectronicVoting 2006, pages 107–116, Bonn, 2006. Robert Krimmer.

[Smi05] Warren D. Smith. Cryptography meets voting. 2005.

[SP06] Krishna Sampigethaya and Radha Poovendran. A framework and tax-onomy for comparison of electronic voting schemes. Computers Security,25:137–153, 2006.

[Spe07] Tom Sperlich. Zurichs e-Voting-Projekt erhalt Auszeichnung der Verein-ten Nationen. c’t - magazin fur computertechnik, 2007.

[SSS06] Ahmad-Reza Sadeghi, Marcel Selhorst, and Christian Stuble. TCG In-side? A Note on TPM Specification Compliance. In Proceedings of the 1stACM Workshop on Scalable Trusted Computing, Fairfax, Virginia, USA,November 2006.

[Sta05] Julie Ann Staub. An Analysis of Chaum’s Voter-Verifiable ElectionScheme. Master’s thesis, University of Maryland, 2005.

[Stu07] Frederic Stumpf. Attestation eines TC-geschu tzten Systems. Lecturenotes of the CAST Workshop on Trusted Computing, May 2007.

[Tan01] Andrew S. Tanenbaum. Modern Operating Systems. Prentice Hall, UpperSaddle River, NJ07458, second edition, 2001.

[TCG07] TCG. About the Trusted Computing Group. https://www.

trustedcomputinggroup.org/about/, 2007. last visited 12.7.07.

[Thi07] Siegfried Thielbeer. Im Wohnzimmer wahlen. FAZ, (232), October 2007.

[Tra07] Ian Traynor. Web attackers used a million computers, says Estonia. http://www.guardian.co.uk/international/story/0,,2082584,00.html,2007. last visited 09.10.07.

[Tre05] Alexander H. Trechsel. Report for the Council of Europe E-Voting in the2005 local elections in Estonia. http://www.coe.int/t/e/integrated_projects/democracy/02_Activities/02_e-voting/00_E-voting_

news/FinalReportEvotingEstoniaCoE6_3_06.asp, 2005. last visited12.16.07.

[Tre07] Alexander H. Trechsel. Internet voting in the March 2007 ParliamentaryElections in Estonia. Report for the Council of Europe, 2007.

[UMM06] Ulle Madise and Tarvi Martens. E-Voting in Estonia 2005. The first prac-tice of country-wide binding Internet voting in the world. In Electronic

101

Page 112: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

Bibliography

Voting 2006, pages 15–26. GI Lecture Notes in Informatics, Robert Krim-mer, 2006.

[VG06] M. Volkamer and R. Grimm. Multiple Casts in Online Voting: AnalyzingChances. In Electronic Voting 2006, pages 97–106, Bonn, 2006. GI LectureNotes in Informatics, Robert Krimmer.

[VK06] Melanie Volkamer and Robert Krimmer. Die Online-Wahl auf dem Wegzum Durchbruch. Informatik Spektrum, (29):98–113, 2006.

[vP03] Volker von Prittwitz. Vollstandig personalisierte Verhaltniswahl. InWahlsystem und Wahlrecht. Bundeszentrale fu r politische Bildung, 2003.

[Wag06] David Wagner. CS 276: Cryptography - Lecture 24. http://www.cs.

berkeley.edu/~daw/teaching/cs276-s06/l24.ps, April 2006. last vis-ited 11.10.07.

[Way01] Erika Wayne. Election 2000 Chronology. http://www.law.stanford.

edu/publications/stanford_lawyer/issues/60/election2000_

chronology.html, 2001. last visited 10.5.07.

[Web06] Stefan Weber. A Coercion-Resistant Cryptographic Voting Protocol -Evaluation and Prototype Implementation. Master’s thesis, DarmstadtUniversity of Technology, 2006.

[Wil07] Hans-Urs Wili. Anderung der Bundesgesetzgebung uber die politischenRechte per 1.1.2008 in Kraft gesetzt. http://www.bk.admin.ch/themen/pore/evoting/00773/index.html?lang=de, 2007. last visited 12.16.07.

[Zie06] Peter-Michael Ziegler. Italien stoppt Wahlcomputer-Projekte. c’t - mag-azin fur computertechnik, 2006.

102

Page 113: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

A Abbreviations

AIK Attestation Identity Key

ATM Automated Teller Machine

BIOS Basic Input Output System

CA Certification Authority

CIVTF California Internet Voting Task Force

CoE Council of Europe

CRTM Core Root of Trust Measurement

DDoS Distributed Denial of Service

DoS Denial of Service

DRE Direct Recording Electronic

EC European Commission

EK Endorsement Key

EPROM Erasable Programmable Read-Only Memory

FVAP Federal Voting Assistance Program

FCC Federal Constitutional Court

IDS Intrusion Detection System

IVAS Interim Voting Assistance System

LEO Local Election Official

MBR Master Boot Record

OVC Opened Verifiable Choice

PCR Protected Configuration Registers

PIN Personal Identification Number

103

Page 114: Secure Client Platforms for Remote Internet Voting · 1 Introduction 1.1 Motivation The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of

A Abbreviations

PK Public Key

PKI Public Key Infrastructure

RA Remote Attestation

RIV Remote Internet Voting

ROM Read Only Memory

SERVE Secure Electronic Registration and Voting Experiment

SK Sealing Key

SPRG Security Peer Review Group

SSL Secure Socket Layer

TAN Transaction Authentication Number

TC Trusted Computing

TCB Trusted Computing Base

TPM Trusted Platform Module

UOCAVA Uniformed and Overseas Citizens Absentee Voting Act

VC Verifiable Choice

VOI Voting Over the Internet

VVPT Voter Verifiable Paper Trail

ZKIP Zero Knowledge Interactive Proof

104