Knights and Knaves Run Elections: Internet Voting and Undetectable Electoral Fraud - UCLouvain
IN FOCUS

Knights and Knaves Run Elections: Internet Voting and Undetectable Electoral Fraud

Chris Culnane | University of Melbourne
Aleksander Essex | Western University
Sarah Jamie Lewis | Open Privacy Research Society
Olivier Pereira | Université Catholique de Louvain
Vanessa Teague | University of Melbourne

The cryptographic weaknesses recently discovered in SwissPost's e-voting system are described in this article. We explain how they relate to security problems in other Internet voting systems and discuss the necessary principles for building trustworthy elections.

Digital Object Identifier 10.1109/MSEC.2019.2915398
Date of publication: 9 July 2019
IEEE Security & Privacy, July/August 2019. Copublished by the IEEE Computer and Reliability Societies. 1540-7993/19©2019IEEE

On the island of knights and knaves, everyone looks identical; however, knights always tell the truth, and knaves always lie [24]. When you arrive on the island you ask the first man you see whether he is a knight or a knave. "I'm a knight, of course!" he says. What can you infer?

He may be a knight who tells the truth about being a knight. But we give this puzzle to children so they can see that there's another solution: he might be a knave, lying about his own untrustworthiness.

A secure computer that runs the right voting software may look exactly like a compromised computer running malicious or buggy software. If you ask it whether it recorded the vote you asked for, it will say yes. If you ask it to recount the votes, it will perfectly repeat the first count performed. This tells you nothing about whether it was honest in the first place.

The risk of foreign attacks on trusted voting systems and accounts has been widely documented, most recently in the Mueller report [21]:

Russian agents targeted individuals and entities involved in the administration of [U.S.] elections. Victims included U.S. state and local entities, such as state boards of elections, secretaries of state, and county governments as well as individuals who worked for those entities. [They] also targeted private technology firms responsible for manufacturing and administering election-related software and hardware …

But breaking in from the outside isn't the only way to compromise a system. In July 2018, the Maryland State Board of Elections informed citizens that one of their contractors, ByteGrid LLC, was primarily controlled by a Russian oligarch. ByteGrid "hosts the statewide voter registration, candidacy, and election management system, the online voter registration system, online ballot delivery system, and unofficial election night results website," they announced [28].

So how can we derive evidence of an accurate election outcome when the election is conducted by computer and we cannot determine who controls it or what it is doing?

Yet Another Fundamental Cryptographic Weakness in an E-Voting System

In early 2019, several of the authors (Lewis, Pereira, and Teague) examined the source code for the SwissPost e-voting system. The system, provided by Scytl and intended for use in Swiss elections in October 2019, was in the process of certification for use by up to 100% of Swiss voters in the cantons that chose to use it [29]. The source code circulated reasonably freely online, likely
because of Swiss Federal Chancellery Ordinance 161.116 [34], which mandates open public comment on the source code.

We discovered three different ways in which a compromised computer could manipulate votes while pretending to provide a proof that no manipulation occurred [15–17]. One was a cryptographic trapdoor, which allowed a cheating authority to provide a perfectly verifying proof that it had shuffled the votes correctly, even if the votes had been manipulated. This would leave no way for anyone to detect the fraud, because the tampered proof would not only pass the prescribed verification process, it would actually be perfectly indistinguishable from a truthful proof.

In light of our findings, and because at least one of them also affected an earlier version of the same voting system (which includes fewer security features), SwissPost decided not to offer this e-voting system for elections in May 2019 [30]. Switzerland's Federal Chancellery approved this decision and announced its intention to review its licensing and certification procedures for e-voting systems [31].

When our first finding was disclosed, Australia's New South Wales (NSW) Electoral Commission, which had purchased an e-voting system from the same supplier, unexpectedly declared that its system was affected by the same error. At the time, the system was being used for the state election; however, the commission said it would be fixed prior to decryption time two weeks later [32]. When we identified a second problem in the same components of the Swiss system 12 days later, the NSW Electoral Commission insisted that it did not affect them [33]. Because their code is secret, there is no way that this can be verified.

Although numerous serious security problems have been found in e-voting systems before [13, 23, 26, 27], this was the first discovery of a cryptographic flaw in a verification mechanism in a system already being used in government elections. This is significant because verification potentially allows a way out of the inscrutability of computers and perhaps a way forward for securing electronic elections.

To explain the importance of this failure, we need to explain what verifiability is, what it is not, and how to tell whether you can trust an election outcome without trusting the computers, administrators, or vendors.

Evidence-Based Elections

One approach for accomplishing this is to have voters produce paper ballots, enforce a strict chain of custody on them, and then use a public manual count or a risk-limiting audit of the paper ballots to verify the computerized count [18]. Currently, this appears to be the only routinely deployed method of incorporating the advantages of computers into electoral processes without sacrificing integrity. It does, however, rely on carefully securing the paper ballots.

For many years, the cryptography research community has investigated an alternative. End-to-end verifiability [5] provides evidence to voters that their vote is accurately recorded and included; it then provides evidence to everyone that every electronic vote was properly tallied.

The main point is simple: imagine you are on the island of knights and knaves. You cannot tell which people or computers behave in a trustworthy fashion, but you insist on deriving meaningful evidence of an accurate election outcome. An end-to-end verifiable election system should provide an opportunity to detect an incorrect election result, regardless of whether all the computers and the people running the election might be knaves.

The properties of end-to-end verifiability are complementary to those of risk-limiting audits, i.e., both require assurances that only eligible voters participate, and both provide public evidence of an accurate tally; however, end-to-end verifiability also provides each voter with a chance to check that his or her own vote was properly included.

There are many open source, publicly owned academic projects for end-to-end verifiability, some of which are used for online voting while others are intended for e-voting in a polling place [2, 6, 9, 12, 14, 22, 25]. All of these were designed for government elections, and some were deployed. As far as we know, none of these have experienced significant problems, yet none remain in use. Many proprietary systems claim to provide strong verifiability properties, but upon further examination they are generally found to be seriously lacking.

So why does this idea sound ideal but is not in use? Why do deployed systems with some of these verifiability properties fail so miserably in practice? In this article, we explain what end-to-end verifiability is, describe the imitations that should be avoided, and examine how to improve the integrity of election systems worldwide.

Trust No One: What End-To-End Verifiability Would Be If We Had It

End-to-end verifiability is typically achieved in three steps:

1. cast-as-intended verification, which must be performed by the individual voter and allows the voter to check that his or her ballot accurately reflects his or her intention
2. recorded-as-cast verification, which can be outsourced but is usually expected to be performed by the voter and allows for checking that his or her vote was recorded unaltered (usually on a public list of votes)
3. universal verifiability, which allows any member of the public
to check that all of the recorded votes have been legitimately submitted by voters and have been correctly entered into the count.

The SwissPost–Scytl system claimed to achieve "complete verifiability," which is an incomplete alternative to end-to-end verifiability, in which at least some electoral authorities must be trusted not to cheat and cannot be identified if they do [34].

Criticisms and Limitations of End-To-End Verifiability

End-to-end verifiability is a fault-detection mechanism, so the potential for unintended consequences exists [10]. Voters may claim to have detected faults where none occurred, which is especially damaging if third parties cannot distinguish system misbehavior from spurious accusations by voters who want to cast doubt on an election's outcome.

Verification is required at multiple levels, and a verifiable system may be rendered useless without it. Voters or auditors may not bother to verify; if no one or too few people verify, then we cannot express any confidence in the election result. Furthermore, evidence suggests that even when the system correctly detects a fault, voters may incorrectly attribute it to their own actions and fail to report it [20].

The system verification process must be carefully verified as well. Protocol errors, implementation vulnerabilities, or hidden trapdoors in end-to-end verification software could be exploited to produce a valid-looking proof of a false election result, similar to that which was demonstrated in the SwissPost system (described previously) or the Helios system [4, 8].

Nevertheless, end-to-end verifiability has the potential to offer a kind of transparency that is more robust than that offered by traditional paper-based systems and absent in many electronic systems. This method has been run on computers used in government elections in a polling place, where it provides a complementary evidence trail that enhances (although, arguably, does not replace) a risk-limiting audit of paper votes [2]. Perhaps a solution to this problem is to combine some of the advantages of end-to-end verifiability with a risk-limiting audit of paper evidence.

In the following section, we explain why the SwissPost–Scytl e-voting system did not achieve its intended verifiability properties.

The SwissPost–Scytl System and Why Its Results Are Not Verifiable

Trapdoor Commitments: When Is a Proof Not a Proof?

In the SwissPost–Scytl system, each voter submits his or her encrypted vote to an election server. These votes are then reencrypted and shuffled by a series of mixers to protect individual voter privacy. Each mixer that shuffles votes is supposed to prove that the set of input votes it received corresponds exactly to the differently encrypted votes it outputs. This is intended to provide an electronic equivalent of shaking a publicly observable ballot box. It must secure both the privacy of each voter's choice and the overall integrity of the votes.

Proofs of shuffle are among the most complex cryptographic protocols in use and are notoriously difficult to design and implement correctly. In this case, Scytl decided to make use of a proof of shuffle proposed by Bayer and Groth [3]. This proof makes use of various cryptographic primitives and depends on their security. Should any of these primitives fail, then the proof of shuffle loses its security. This is exactly what occurred here; the Bayer–Groth proof of shuffle relied on a cryptographic commitment scheme, which was incorrectly implemented.

A cryptographic commitment is a digital equivalent of putting a written number into an envelope. First, the number cannot be changed once it is in the envelope, i.e., the commitment is binding; and second, nobody can read the number until the envelope is opened, i.e., the commitment is hiding. The commitment scheme is a critical part of the shuffle proof because the mixer commits to the permutation it will use to rearrange the votes, proves that it is a true permutation, and then proves that it has applied it properly. If the binding property of the commitment scheme is broken, the mixer can apply a function other than a permutation to the votes, and hence add, drop, or change them.

In the SwissPost–Scytl system, the chosen commitment scheme offered a very specific feature: a trapdoor. In their protocol, this trapdoor is computed privately by the mixers when they produce the keys used in the commitment. Should a mixer decide to make use of this trapdoor, it would be able to break the binding property of every commitment. As a result, it becomes possible to manipulate votes while also producing what passes for a valid shuffle proof. This is the electronic equivalent of shaking the ballot box in full view of observers, while somehow managing to substitute ballots.

While we were discussing this issue with SwissPost, two other teams of researchers independently discovered and reported it (Haenni [11] and Haines).

How hard is it to cheat? In this article, we have presented two cheating examples, which are available for testing by anyone with access to the Scytl–SwissPost code (https://people.eng.unimelb.edu.au/vjteague/SwissVote). The first example requires knowing the randomness used to generate the vote ciphertexts that will be manipulated. There are several ways this could be achieved. For example, an attacker could compromise the clients used for voting. Weak randomness generation would allow the attack to be performed without explicit collusion.
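To make the trapdoor concrete, here is an added example of a Pedersen-style vector commitment, the kind of commitment a mixer uses to commit to its permutation. It is illustrative code written for this page, not code from the SwissPost–Scytl system or from the Bayer–Groth paper, and it works in a toy group (the order-Q subgroup of Z_P^* for the safe prime P = 2039) chosen so the numbers stay readable. The hash-based generator derivation, the function names, the trapdoor values and the sample permutation are all assumptions for the demonstration. With honestly derived generators nobody knows their discrete logarithms, so the only opening the committer can produce is the one it made; with generators of the form g_i = H^t_i, where the committer keeps t_i, the same commitment can be reopened to a vector that is not a permutation at all, and an auditor who only checks the opening cannot tell the difference.

```python
"""Pedersen vector commitment: binding without a trapdoor, equivocable with one.

Added example for this page; not SwissPost/Scytl or Bayer-Groth code.
Toy group: the order-Q subgroup of Z_P^* for the safe prime P = 2*Q + 1 = 2039
(a real system uses a ~2048-bit or larger group).
"""
from __future__ import annotations

import hashlib

P = 2039          # safe prime, P = 2*Q + 1
Q = (P - 1) // 2  # prime order of the quadratic-residue subgroup
H = 4             # 2^2 mod P: a quadratic residue other than 1, hence of order Q


def hash_to_group(label: str) -> int:
    """Derive a subgroup element whose discrete log nobody knows.
    Assumption: this hash-and-square derivation stands in for a verifiable setup."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{label}:{counter}".encode()).digest()
        x = pow(int.from_bytes(digest, "big") % P, 2, P)  # squaring lands in the subgroup
        if x not in (0, 1):
            return x
        counter += 1


def honest_generators(n: int) -> list[int]:
    return [hash_to_group(f"g{i}") for i in range(n)]


def trapdoor_generators(trapdoor: list[int]) -> list[int]:
    """g_i = H^t_i: the committer keeps t_i, exactly the relation nobody should know."""
    return [pow(H, t % Q, P) for t in trapdoor]


def commit(gens: list[int], values: list[int], r: int) -> int:
    """C = H^r * prod_i g_i^{a_i} mod P."""
    c = pow(H, r % Q, P)
    for g, a in zip(gens, values):
        c = c * pow(g, a % Q, P) % P
    return c


def verify_open(gens: list[int], c: int, values: list[int], r: int) -> bool:
    """What an auditor checks when the mixer opens its commitment."""
    return commit(gens, values, r) == c


def equivocate(trapdoor: list[int], values: list[int], r: int, new_values: list[int]) -> int:
    """With g_i = H^t_i, C = H^{r + sum t_i a_i}; choose r' so the same C opens to a'."""
    shift = sum(t * (a - b) for t, a, b in zip(trapdoor, values, new_values))
    return (r + shift) % Q


def demo() -> dict[str, bool]:
    perm = [2, 0, 1]          # a genuine permutation of three ballots
    not_perm = [0, 0, 1]      # ballot 2 dropped, ballot 0 counted twice
    r = 123                   # commitment randomness (fixed for the demo)

    g_honest = honest_generators(3)
    c_honest = commit(g_honest, perm, r)

    t = [404, 808, 193]       # trapdoor the mixer chose when it generated its keys
    g_trap = trapdoor_generators(t)
    c_trap = commit(g_trap, perm, r)
    r_fake = equivocate(t, perm, r, not_perm)

    return {
        "honest_opening_verifies": verify_open(g_honest, c_honest, perm, r),
        # without t the committer has no other opening; the naive reopening fails
        "honest_cannot_reopen": not verify_open(g_honest, c_honest, not_perm, r),
        "trapdoor_opening_verifies": verify_open(g_trap, c_trap, perm, r),
        "trapdoor_reopens_to_non_permutation": verify_open(g_trap, c_trap, not_perm, r_fake),
    }
```

Calling demo() returns True for all four checks: the trapdoored commitment opens to the honest permutation and, with a different randomness computed from t, to a vector that drops a ballot and double-counts another. Nothing in the commitment value or in the opening reveals which kind of generators were used, which is why the generators of the commitment key must be produced in a way the mixer cannot control.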
The second cheating example does not require any extra information at all, although it does rely on the election parameters having been set up in a particular way.

In both cases, a mixer controlled by the voting system operator must cheat. Such a cheat could have several sources: for instance, it may happen because the mixing server was hacked by a third party, because a corrupted server manager is a victim of blackmail, or simply because the operator is willing to cheat to support a specific candidate. Such potential issues are precisely the reason why a verifiable voting system is required in the first place: the trustworthiness of an election result should not depend on the security of a specific server or on the reliability of the voting system operators. And in this case, the claimed authenticity of the system may actually work against its security; because the system is expected to be correct, the operational security of the mix servers may be confirmed by a proof of shuffle passing verification, and further investigations may be overlooked.

The Weak Fiat–Shamir Transform, and the Implications for Decryption and Voter Verification

The second part of proving a proper election outcome, given a set of received votes, is to prove that they have been properly decrypted. Suppose there is an authority (human or machine) who knows the decryption key for all the votes. This authority could prove that it had properly decoded by publishing its private decryption key, which would certainly allow everyone to check that the translation was correct. Unfortunately, it would also allow everyone to decrypt individuals' input votes, thereby determining how particular people voted.

Alternatively, we could simply ask the authority to decrypt and trust it to do so correctly; however, this would call into question the integrity of the process because the authority could produce votes that were different from the true interpretation of the votes it had received.

The SwissPost–Scytl system, like many cryptographic voting systems, instead provided a zero-knowledge proof of correct decryption. It aimed to prove that the votes were correctly deciphered, but unfortunately, it suffered from a known error [4], i.e., the construction of the zero-knowledge proof allowed a cheating authority to construct an apparently valid decryption proof, which passed verification, but turned a valid input vote into nonsense that could not be counted [17]. This is the electronic equivalent of leaving the ballot box in plain sight all day, but somehow substituting nonsense votes into the poll when it's time to display the votes on the counting table.

Proof failure in deployed systems. Finally, we showed that the same error in the Fiat–Shamir heuristic was also present in the voting step [15] (and in other places as well, with an unknown impact).

The Swiss e-voting system uses a code-return system, i.e., voters receive a paper mailout with random "yes" and "no" codes for each voting option (candidate). When their vote is cast, voters expect to receive the yes code for the candidate they chose and the no code for all the rest. We showed that the weakness in the zero-knowledge proof implementation applied here, too, thus allowing a cheating voting client to send a nonsense vote while ensuring that the voter received exactly the return codes he or she was expecting. In this way, an apparently successful vote verification would hide the submission of an invalid vote.

After submitting this issue, we were informed that this error was present in voting systems that had previously been used in Swiss elections in the belief that the code-return verification mechanism was sound. Although exploiting the problem was detectable in principle, by checking for invalid votes appearing at decryption time, it was not an explicit part of the verification process (formal verification would have passed even if the votes had been changed in this way). Furthermore, although we could not find an undetectable way to exploit this weakness, there is no reason to be confident that no such opportunity exists.

At this point, given news of a serious problem in a system that had already been established, SwissPost decided to put the previously used system in standby mode. It was not used in the Swiss elections of May 2019.

Stepping back: other broken proofs, unused code, and quality. Although the failures of the shuffle proof and decryption proof compromised the security of the SwissPost–Scytl system, these failures alone do not fully capture the extent of the issues with it. We also documented that the source code included the implementation of an OR proof (a proof of logical disjunction) construct that also contained a critical defect (a missing verification step), rendering it insecure. The SwissPost system did not require an OR proof, and conversations with Scytl revealed that it was not the only part of the code that was unused.

Considering that the ostensible purpose of making the code available was to allow third-party auditing, it is concerning that the code as provided was significantly bloated with unnecessary (not to mention broken) constructs. Source code review is inherently a difficult task, especially when the code itself was never designed to be easily audited, where important cryptographic verification is spread across multiple files or packages, even without the addition of unnecessary (and unused) functionality.
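The decryption-proof failure described in the preceding section can be reproduced in miniature. What follows is an added example written for this page, not code from SwissPost, Scytl, or reference 4: a Chaum–Pedersen proof that an ElGamal decryption factor is correct, verified once with a weak Fiat–Shamir challenge (a hash of only the prover's commitments a and b) and once with a strong one (a hash that also covers the statement, including the claimed decryption factor d). The group is a safe-prime group of about 40 bits found at import time, the key, the randomness and the three-candidate encoding G^v are fixed values, and the function names are assumptions; none of it is fit for real use. Because the weak challenge does not depend on d, an authority that knows the secret key can fix a, b and the challenge first and only then solve for a d that passes verification; that d decrypts the ballot to a group element that is no candidate at all, the nonsense vote of the text.

```python
"""Chaum-Pedersen proof of correct ElGamal decryption, checked under a weak and a
strong Fiat-Shamir challenge.  Added example for this page: not SwissPost/Scytl
code and not the text of reference 4.  Toy parameters throughout (a ~40-bit safe
prime found at import time, fixed key and randomness); nothing here is fit for use."""
from __future__ import annotations

import hashlib

BASES = (2, 3, 5, 7, 11, 13, 17)   # Miller-Rabin bases, deterministic below 3.4e14


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for p in BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(q: int) -> tuple[int, int]:
    """Smallest safe prime P = 2Q + 1 with Q >= q, returned as (P, Q)."""
    q |= 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = find_safe_prime(1 << 39)
G = 4            # 2^2 is a quadratic residue, hence a generator of the order-Q subgroup
CANDIDATES = 3   # vote v in {0, 1, 2} is encoded as the group element G^v


def challenge(*parts: int) -> int:
    """Fiat-Shamir challenge: a hash of whatever the caller decides to include."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")


def encrypt(pk: int, vote: int, r: int) -> tuple[int, int]:
    """ElGamal ciphertext (G^r, G^vote * pk^r)."""
    return pow(G, r, P), pow(G, vote, P) * pow(pk, r, P) % P


def decode(m: int) -> int | None:
    """Decrypted group element -> vote, or None if it is no candidate (a nonsense vote)."""
    return next((v for v in range(CANDIDATES) if pow(G, v, P) == m), None)


def honest_prove(sk: int, pk: int, ct: tuple[int, int], w: int, strong: bool):
    """Publish d = c1^sk and prove log_G(pk) = log_c1(d) without revealing sk."""
    c1 = ct[0]
    d = pow(c1, sk, P)
    a, b = pow(G, w, P), pow(c1, w, P)
    e = challenge(G, pk, c1, d, a, b) if strong else challenge(a, b)   # strong binds d
    return d, (a, b, (w + e * sk) % Q)


def verify(pk: int, ct: tuple[int, int], d: int, proof, strong: bool) -> bool:
    a, b, z = proof
    c1 = ct[0]
    e = challenge(G, pk, c1, d, a, b) if strong else challenge(a, b)
    return pow(G, z, P) == a * pow(pk, e, P) % P and pow(c1, z, P) == b * pow(d, e, P) % P


def forge_weak(sk: int, pk: int, ct: tuple[int, int], w: int, w2: int):
    """Cheating authority.  The weak challenge ignores d, so d is chosen AFTER e:
    commit with different exponents for a and b, then solve c1^z = b * d^e for d."""
    assert w != w2
    c1 = ct[0]
    while True:
        a, b = pow(G, w, P), pow(c1, w2, P)
        e = challenge(a, b)
        if e % Q:                      # e must be invertible mod Q (fails w.p. 1/Q)
            break
        w += 1
    z = (w + e * sk) % Q
    d = pow(c1, (z - w2) * pow(e % Q, -1, Q) % Q, P)   # != c1^sk because w != w2
    return d, (a, b, z)


def demo() -> dict:
    sk = 777
    pk = pow(G, sk, P)
    ct = encrypt(pk, vote=2, r=55)
    d_ok, proof_ok = honest_prove(sk, pk, ct, w=31, strong=True)
    d_bad, proof_bad = forge_weak(sk, pk, ct, w=31, w2=99)
    m_ok = ct[1] * pow(d_ok, -1, P) % P
    m_bad = ct[1] * pow(d_bad, -1, P) % P
    return {
        "honest_strong_verifies": verify(pk, ct, d_ok, proof_ok, strong=True),
        "honest_decodes_to": decode(m_ok),
        "forged_weak_verifies": verify(pk, ct, d_bad, proof_bad, strong=False),
        "forged_strong_verifies": verify(pk, ct, d_bad, proof_bad, strong=True),
        "forged_decodes_to": decode(m_bad),
    }
```

Running demo() shows the honest proof verifying under the strong challenge and decoding to candidate 2, the forged proof verifying under the weak challenge but failing the strong one, and the forged decryption decoding to no candidate. The fix is exactly what the strong variant does: hash every public value of the statement into the challenge, so that the claimed decryption factor is committed to before the challenge is known. Note the check that decode(m_bad) is None is not part of the verification equations; a verifier that only runs the proof check, as the text describes, accepts the forged transcript.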
Taken as a whole, it is possible to draw two distinct, but complementary, conclusions from the SwissPost–Scytl system. The first is one of a system so lacking in basic quality controls that a keen eye anywhere would unearth critical bugs. The second is one of skilled researchers making educated guesses regarding where the critical flaws are most likely to be and finding them. Neither conclusion by itself tells the full story, but both combined paint an accurate picture of real-world voting software that contained election-stealing vulnerabilities and was simply not fit for use. And sadly, this story is not unique.

Security and Verification Problems in Other E-Voting Systems

2019 Voter Verification in NSW

Although the shuffle proof used in NSW in 2019 seems to have been very similar to SwissPost's, its cast-as-intended verification mechanism was completely different.

Each voter casts a vote using his or her web browser. At the end of the voting session, the browser would send an encrypted version of the vote the voter entered and then print a QR code on the screen. If the voter didn't trust the software in his or her web browser to cast the vote correctly, he or she could download a closed source app from the same company onto his or her smartphone, hold its camera up to the QR code, and ask the app what vote the browser code had sent.

Suppose the company's second piece of software tells you that its first piece of software sent the vote that you asked for. What can you infer?

We hope it is clear that this verification mechanism does not add any evidence. If the software provider is a knight, then the software sends the right vote the first time; however, if it is a knave, it sends the wrong vote and then lies about what vote it sent. In neither case does the voter receive any information by asking it. Nor does the voter have any way to prove that it misbehaved. Even innocent programming or configuration errors, such as switching the names or positions of two candidates, could be repeated in both programs and cause the verification step to produce what the voter expected regardless of whether the true vote was different.

Alberta: Eligibility Unverifiability

The current governing party in the province of Alberta, Canada, held its leadership vote in 2017 using an online voting system. The election has since become the subject of a criminal investigation into allegations of fraud after it was discovered that some party members were recorded as having voted, despite never having received their login credentials.

New members of the governing party completed a membership application form, which included an email address field. The fraud is alleged to have occurred as follows: at some time between when the membership applications were completed and when the online voting period began, fraudulent email addresses were substituted into the membership records. When the login PINs were emailed to the new party members during the voting period, they went to the malicious accounts instead.

Media reports described several instances where email addresses were modified or inserted without the voter's knowledge [1]. The domains of several email addresses in question were registered to the same provider in the United States around the time of the election and are linked together by the Subject Alternative Name for the public-key certificate. It was also reported that several members were registered using the same email address as the business of one of the candidates [19].

Western Australia: Outsourcing Trust

An earlier version of the NSW iVote system ran in Western Australia in 2017 [7]. All voter-facing parts of the system were set up behind a TLS proxy. It was not obvious to voters that such a service was being used.

A TLS proxy counters distributed denial-of-service (DDoS) attacks against a server by inserting an authorized man in the middle as a gatekeeper. The TLS proxy can see the decrypted traffic and analyze it for any potential threats. The actual target server does not respond to normal external requests; it accepts communication only from the TLS proxy. However, in the case of the Western Australian election, the voting server in Sydney was visible on the Internet in the normal way, thus completely undermining any DDoS protection until we pointed this out to the authorities. Figure 1 shows the proxy certificate used for elections in Western Australia, where the Western Australian Electoral Commission is one of numerous alternative names that all use the same certificate.

Protection comes at a price: there is a third party that intercepts and inspects voters' communications with the Electoral Commission. The physical analog would be if the Electoral Commission was inundated with junk mail, so it decided to outsource the processing of postal votes to a third-party company by redirecting all of its mail to a warehouse. In that warehouse, the company would open all of the envelopes, decide which ones were genuine, and then forward them on to the Electoral Commission.

At the very least, one would expect scrutineers to be present during the opening to monitor what was being rejected and what was being
sent on; however, in a digital setting, meaningful scrutiny is impossible.

The certificates and key pairs that authenticate connections to the electoral commission are distributed globally. In the case of the Western Australia deployment, there were points of presence serving the certificate in numerous countries, including China, Canada, the United States, and the United Kingdom. Even if we put aside the risk of a nation-state attack, this use of a TLS proxy presents a number of problems in the context of a voting system.

JavaScript injection. When the TLS proxy first received a connection from a voter, it injected its own obfuscated JavaScript into the response from the Electoral Commission. This JavaScript is normally used to profile the client to assist in DDoS protection. However, the Electoral Commission has no oversight of, or control over, what was contained within that JavaScript. As such, the client effectively ran a modified version of the election system, albeit a version modified hopefully with good intentions. It was deemed possible to construct a malicious, obfuscated JavaScript that extends the profiling functionality to leak the voter's credentials via a cookie, while still maintaining the overall length of the obfuscated JavaScript [7].

Figure 1. The certificate used to protect the connections between Western Australian Internet voters and the electoral commission. Note that elections.wa.gov.au is one of many domains that rely on this Incapsula certificate.

Bridging the separation of roles. The TLS proxy was also used for the registration service, as shown in Figure 2. The iVote system was designed with a separation between the registration server (which inevitably learned the voter's identity) and the voting server, where people voted with a pseudonymized ID they had acquired at registration time.

Figure 2. The TLS proxy deployed for iVote in Western Australia. WA: Western Australia; EC: Electoral Commission. (In the diagram, the registration connection carries the voter's name, address, birthdate, Medicare/passport number and chosen PIN through the TLS proxy to the WA registration server; the voting connection carries the encrypted vote, iVote ID and receipt number through the same TLS proxy to the NSW EC vote server.)

Unfortunately, the TLS proxy service automatically downloaded persistent cookies to the voter's device at registration time. Thus, if voters accessed the registration and voting services from the same browser without clearing their cookies, the TLS proxy would be able to identify them as the same client as part of its normal operating procedure. This means it could learn the voter's name (at registration time) and later link it with his or her vote (at voting time).

Summary of trust and transparency issues. It is difficult to justify including a foreign entity as a trusted man in the middle in an election system. It is particularly concerning that the use of such a service was not communicated to the voters or the public until after we published our findings [7]. As such, voters were interacting with a system that gave the impression it was communicating directly with the
Electoral Commission, when in fact it was not.

Who Wants Election Verification Anyway?

In the following section, we attempt to explain the structural and incentive problems that have contributed to the numerous technical issues we have observed.

Vendor Transparency, Source Code, Incentives, and Legal Punishments

The errors we detected in the SwissPost system were widely publicized, but the problems in the 2019 NSW system may have been worse, especially because they were identified only after the election began. Both code bases were available only under a nondisclosure agreement, which we did not sign. However, the Swiss law that mandates open access allowed the code to circulate quite freely in practice, so we could examine it without restrictions. NSW law is the opposite; it criminalizes the sharing of source code, making it completely unavailable in practice. Aside from the absurdity of sending Swiss officials to jail (because the e-voting systems apparently have a common source code), this means that decisions are made in NSW without any public feedback about the system. Currently, Switzerland is deciding whether or not to trust this system, and while we are uncertain of their decision, at least they will have more information than their NSW counterparts.

Unlike electronic voting machines, Internet voting systems cannot be examined outside of election time unless the authorities make a specific decision to make them available; attempting to demonstrate manipulation during a real election is (quite rightly) a serious crime. However, if the authorities choose to make no such opportunity available, this gives the real attackers (who are willing to break the law) a huge advantage over security researchers who would otherwise be able to identify problems and fix them.

Neither the updated SwissPost nor the NSW systems are openly available for public scrutiny, which makes it impossible to verify that the flaws we identified have been correctly repaired. And even if they were, there is no reason to think that those are the only errors that expose an election to undetectable fraud or privacy breaches.

Part of the problem is that electronic elections often correspond to outsourcing, i.e., the software is provided by a commercial entity with entirely different incentives from those of an electoral authority. Nobody likes to admit they've made a mistake, but a commercial enterprise makes money by convincing people to trust its systems, which is inconsistent with complete frankness about problems and errors.

Outsourcing reduces costs, but it also means outsourcing the trust that citizens place in their electoral authorities. Compromising on trust, privacy, and security to deploy a voting system just because it is cheaper or more convenient is not an acceptable course of action. To do so is a betrayal of democracy.

Cryptographic protocols for election verification are no different from cryptographic protocols for anything else: a protocol may have errors or weaknesses, but even if it doesn't, the implementation may suffer from errors or mistaken assumptions that can be exploited. In this case, exploitation means that the election may appear to come with a proof of its integrity, when in fact the proof can be fabricated to conceal a successful manipulation.

Electoral authorities often make poor decisions because they do not recognize that it is their own systems, employees, and suppliers who might be the most easily exploited threat to election security.

It is hard work as well as a short-term reputational risk to offer citizens a genuine way of checking whether the election outcome is correct. It might seem easier, cheaper, and safer for the country's stability to offer a nontransparent system, with code available only under a secrecy agreement, and a reassuring appearance of verification regardless of whether there was error or fraud. However, in the long term, this undermines trust in the integrity of elections.

We do not know whether any paperless e-voting system will ever prove itself adequate for government elections; thus far, none has. Certainly no election should be entrusted to a system that has never had meaningful open scrutiny.

We will begin to see improvements in the world's election conduct only when ordinary voters and candidates begin thinking critically about what sort of evidence they demand before they accept an election result.

Acknowledgments

We thank Andrew Conway, Matt Green, Peter Ryan, and Hovav Shacham for their help with the code, math, and report.

References

1. D. Anderson, C. Dunn, A. Dempster, B. Labby, and A. Neveu, "Fraudulent emails used to cast votes in UCP leadership race, CBC finds," CBC News, Apr. 10, 2019. [Online]. Available: https://www.cbc.ca/news/canada/calgary/ucp-leadership-voter-fraud-membership-lists-data-1.5091952
2. S. Bell et al., "Star-vote: A secure, transparent, auditable, and reliable voting system," USENIX J. Election Technol. Syst. (JETS), vol. 1, no. 1, pp. 18–37, Aug. 2013.
3. S. Bayer and J. Groth, "Efficient zero-knowledge argument for
correctness of a shuffle,” in Proc. Available: https://eprint.iacr.org 19. A. MacVicar, “Alberta NDP calls Advances in Cryptology (EURO- /2017/325.pdf for special prosecutor to oversee CRYPT), 2012, pp. 263–280. 13. J. A. Halderman and V. Teague, “The RCMP investigation of UCP lead 4. D. Bernhard, O. Pereira, and B. Warin New South Wales iVote system: ership race,” Global News, May 2, schi, “How not to prove yourself: Pit Security failures and verification 2019. [Online]. Available: https:// falls of the Fiat–Shamir heuristic and flaws in a live online election,” in globalnews.ca/news/5233913 applications to Helios,” in Proc. Int. Proc. Int. Conf. E-Voting and Identity, /notley-special-prosecutor-ucp- Conf. Theory and Application Cryptol- 2015, pp. 35–53. leadership-race/ ogy and Information Security, 2012, 14. A. Kiayias, T. Zacharias, and B. 20. E. Moher, J. Clark, and A. Essex, pp. 626–643. Zhang, “Demos-2: Scalable E2E “Diffusion of voter responsibil 5. J. Benaloh, R. Rivest, P. Y. Ryan, verifiable elections without random ity: Potential failings in E2E voter P. Stark, V. Teague, and P. Vora, oracles,” in Proc. 22nd ACM SIGSAC receipt checking,” USENIX J. Elec- End-to-end verifiability. 2015. Conf. Computer and Communications tion Technol. Syst. (JETS), vol. 3, [Online]. Available: https://arxiv Security, 2015, pp. 352–363. no. 1, pp. 1–17, Dec. 2014. .org/abs/1504.03778 15. S. J. Lewis, O. Pereira, and V. Teague, 21. R. S. Mueller, “Report on the inves 6. R. Carback et al., “Scantegrity II “Addendum to how not to prove tigation into Russian interference in municipal election at Takoma Park: your election outcome: The use the 2016 Presidential Election,” U.S. The first E2E binding governmental of non-adaptive zero knowledge Dept. of Justice. Washington, D.C., election with ballot privacy,” in Proc. proofs in the Scytl-SwissPost Internet 2019. [Online]. 
Available: https:// 19th USENIX Security Symp., 2010, voting system, and its implica www.justice.gov/storage/report pp. 291–306. tions for cast-as-intended verifi .pdf 7. C. Culnane, M. Eldridge, A. Essex, cation,” Univ. Melbourne, Parkville, 22. Wombat. [Online]. Accessed on: May and V. Teague, “Trust implications Australia, 2019. [Online]. Avail 22, 2019. Available: https://wombat of DDOS protection in online elec able: https://people.eng.unimelb .factcenter.org/ tions,” in Proc. Int. Joint Conf. Elec- .e d u . a u / v jteague/HowNotTo 23. D. Springall et al., “Security analysis tronic Voting, 2017, pp. 127–145. ProveElectionOutcomeAddendum of the Estonian Internet voting sys 8. N. Chang-Fong and A. Essex, “The .pdf tem,” in Proc. ACM SIGSAC Conf. cloudier side of cryptographic 16. S. J. Lewis, O. Pereira, and V. Teague, Computer and Communications end-to-end verifiable voting: A “Ceci n’est pas une preuve: The Security, 2014, pp. 703–715. security analysis of Helios,” in Proc. use of trapdoor commitments in 24. R. M. Smullyan, What Is the Name of 32nd Annu. Conf. Computer Security Bayer-Groth proofs and the impli This Book? New York: Touchstone Applications, 2016, pp. 324–335. cations for the verifiability of the Books, 1986. 9. C. Culnane, P. Y. Ryan, S. Schneider, Scytl-SwissPost Internet voting 25. Verificatum. [Online]. Accessed on: and V. Teague, “vVote: A verifiable system,” Univ. Melbourne, Parkville, May 22, 2019. Available: https:// voting system,” ACM Trans. Inform. Australia, 2019. [Online]. Available: www.verificatum.com. Syst. Security (TISSEC), vol. 18, no. 1, https://people.eng.unimelb.edu 26. S. Wolchok et al., “Security analy p. 3, 2015. .au/vjteague/UniversalVerifiability sis of India’s electronic voting 10. A. Essex, “Detecting the detectable: SwissPost.pdf machines,” in Proc. 17th ACM Conf. Unintended consequences of cryp 17. S. J. Lewis, O. Pereira, and V. 
Teague, Computer and Communications tographic election verification,” “How not to prove your election Security, 2010, pp. 1–14. IEEE Security Privacy, vol. 15, no. 3, outcome: The use of non-adaptive 27. S. Wolchok, E. Wustrow, D. Isabel, pp. 30–38, 2017. zero knowledge proofs in the and J. A. Halderman, “Attacking the 11. R. Haenni, “Swiss post public intru Scytl-SwissPost Internet voting Washington, DC Internet voting sion test: Undetectable attack system, and its implications for system,” in Proc. Int. Conf. Finan- against vote integrity and secrecy,” decryption sound proofness,” Univ. cial Cryptography and Data Security, Bern Univ. Appl. Sci. Biel, Switzer Melbourne, Parkville, Australia, 2019. 2012, pp. 114–128. land, 2019. [Online]. Available: [Online]. Available: https://people 28. https://elections.maryland.gov/press_ htt p s : / / e -vo t i ng .b f h .c h / ap p .eng.unimelb.edu.au/v jteague room/documents/July%2013%20 /download/7833162361/PIT2 /HowNotToProveElectionOutcome Press%20Statement.pdf .pdf .pdf 29. Swiss Post, “Swiss Post’s e-voting 12. R. Haenni, R. E. Koenig, P. Locher, 18. M. Lindeman and P. B. Stark, “A solution: Electronic voting and and E. Dubuis, “CHVote system gentle introduction to risk-limiting elections for Switzerland.” Accessed specification,” Bern Univ. Appl. audits,” IEEE Security Privacy, vol. on: May 22, 2019. [Online]. Avail Sci. Biel, Switzerland, 2019. [Online]. 10, no. 5, pp. 42–49, 2012. able: https://web.archive.org/web www.computer.org/security 69
IN FOCUS /20190428114751/https://www /Mediacentre/Newsmediareleases Contact him at christopher.culnane@ .post.ch/en/business/azofsubjects /NSWElectoralCommissioniVote unimelb.edu.au. /industrysolutions/swisspostevoting andSwissPostevo 30. O. Flüeler, “Ballot box not hacked, 33. NSW Electoral Commission, “NSW Aleksander Essex is an associate pro errors in the source code—Swiss Electoral Commission iVote and fessor of software engineering at Post temporarily suspends its e Swiss Post evoting update.” Accessed Western University, Canada. Con voting system,” Swiss Post, Mar. 29, on: May 22, 2019. [Online]. Avail tact him at aessex@uwo.ca. 2019. [Online]. Available: https:// able: https://elections.nsw.gov www.post.ch/en/aboutus/company .au/Aboutus/Mediacentre/News Sarah Jamie Lewis is the executive /media/pressreleases/2019/swiss mediareleases/NSWElectoral director at the Open Privacy Re posttemporarilysuspendsits CommissioniVoteandSwissPost search Society, Canada. Contact evotingsystem 34. The Federal Counc i l . (2013). her at sarah@openprivacy.ca. 31. R . Lenzin, “Federal Chancellery 161.116 Federal Chancellery ordi to review evoting,” The Federal nance on electronic voting (VEleS), Olivier Pereira is a professor of cryp Council, Mar. 29, 2019. [Online]. article 5.5. Federal Council. Bern, tography at Université catholique Available: https://www.admin Switzerland. [Online]. Available: de Louvain, Belgium. Contact him .ch/gov/en/start/documentation https://www.admin.ch/opc/en at olivier.pereira@uclouvain.be. /mediareleases.msgid74508.html /classifiedcompilation/20132343 32. NSW Electoral Commission, “NSW /index.html Vanessa Teague is an associate pro Electoral Commission iVote and Swiss fessor of cryptography at the Post evoting.” Accessed on: May 22, Chris Culnane is a lecturer of cyber University of Melbourne, Aus 2019. [Online]. Available: https:// security and privacy at the Uni tralia. 
Contact her at vjteague@ elections.nsw.gov.au/Aboutus versity of Melbourne, Australia. unimelb.edu.au. IEEE TRANSACTIONS ON BIG DATA SUBMIT TODAY SUBSCRIBE AND SUBMIT For more information on paper submission, featured articles, calls for papers, and subscription links visit: www.computer.org/tbd TBD is financially cosponsored by IEEE Computer Society, IEEE Communications Society, IEEE Computational Intelligence Society, IEEE Sensors Council, IEEE Consumer Electronics Society, IEEE Signal Processing Society, IEEE Systems, Man & Cybernetics Society, IEEE Systems Council, and IEEE Vehicular Technology Society TBD is technically cosponsored by IEEE Control Systems Society, IEEE Photonics Society, IEEE Engineering in Medicine & Biology Society, IEEE Power & Energy Society, and IEEE Biometrics Council Digital Object Identifier 10.1109/MSEC.2019.2922090 70 IEEE Security & Privacy July/August 2019