Results 1 - 10 of 17
Civitas: Toward a secure voting system
- In IEEE Symposium on Security and Privacy, 2008
Cited by 26 (4 self)
Civitas is the first electronic voting system that is coercion-resistant, universally and voter verifiable, and suitable for remote voting. This paper describes the design and implementation of Civitas. Assurance is established in the design through security proofs, and in the implementation through information-flow security analysis. Experimental results give a quantitative evaluation of the tradeoffs between time, cost, and security.
Three Voting Protocols: ThreeBallot, VAV, and Twin
- Proceedings of USENIX/ACCURATE Electronic Voting Technology (EVT), 2007
Cited by 24 (0 self)
We present three new paper-based voting methods with interesting security properties. Our goal is to achieve the same security properties as recently proposed cryptographic voting protocols, but using only paper ballots and no cryptography. From a security viewpoint we get reasonably close, particularly for short ballots. However, our proposals should probably be considered as more “academic” than “practical.” In these proposals, not only can each voter verify that her vote is recorded as intended, but she gets a “receipt” she can take home that can be used later to verify that her vote is actually included in the final tally. But her receipt does not allow her to prove to anyone else how she voted. All ballots cast are scanned and published in plaintext on a “public bulletin board” (web site), so anyone may correctly compute the election result. In ThreeBallot, each voter casts three paper ballots, with certain restrictions on how they may be filled out. These paper ballots are of course “voter-verifiable.” A voter receives a copy of one of her ballots as her “receipt”, which she may take home. Only the voter knows which ballot she copied for her receipt. The voter is unable to use her receipt to prove how she voted or to sell her vote, as the receipt doesn’t reveal how she voted. A voter can check that the web site contains a ballot matching her receipt. Deletion or modification of ballots is thus detectable; so the integrity of the election is verifiable. VAV is like ThreeBallot, except that the ballot-marking rules are different: one ballot may “cancel” another (VAV = Vote/Anti-Vote/Vote). VAV is better suited to – i.e. yields better security properties
On the notion of “software independence” in voting systems
, 2006
Cited by 19 (0 self)
This paper defines and explores the notion of “software independence” in voting systems: A voting system is software-independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome. We propose that software independent voting systems should be preferred, and software-dependent voting systems should be avoided. VVPAT and some cryptographically-based voting systems are software-independent. Variations and implications of this definition are explored. This white paper is also for discussion by the Technical Guidelines Development Committee (TGDC) in its development of the Voluntary Voting System Guidelines (VVSG) of 2007.
Analysis, Improvement and Simplification of Prêt à Voter with Paillier Encryption
Cited by 3 (0 self)
In this paper, we analyse information leakage in Ryan’s Prêt à Voter with Paillier encryption scheme (PAV-Paillier). Our analysis shows that although PAV-Paillier seems to achieve a high level of voter privacy at first glance, it might still leak voter’s choice information in some circumstances. Some threats are trivial and have appeared in the literature, but others are more complicated because colluding adversaries may apply combined attacks. Several strategies have been suggested to mitigate these threats, but we have not resolved all the threats. We leave those unsolved threats as open questions. In order to describe our analysis in a logical manner, we will introduce an information leakage model to aid our analysis. We suggest that this model can be applied to analyse information leakage in other complex mixnet based e-voting schemes as well. Furthermore, we introduce a simplification of PAV-Paillier. In our proposal, without degrading security properties such as voter privacy, verifiability and reliability, we no longer need to apply the homomorphic property to absorb the voter’s choice index into the onion, thus we step back to employ the ElGamal encryption. This results in a simpler and more straightforward threshold cryptosystem. Some other attractive properties of our proposal scheme are: unlike traditional Prêt à Voter schemes, the candidate list in our scheme can be in alphabetical order. Our scheme not only handles approval elections, but also it handles ranked elections (e.g. Single Transferable Voting). Furthermore, our scheme mitigates the randomisation attack.
Pret a Voter with Paillier Encryption
, 2006
Cited by 2 (1 self)
In a previous paper, a version of the Pret a Voter verifiable election scheme using ElGamal encryption and enabling the use of re-encryption mixes was presented. In order to ensure that the construction of the ballot forms mesh with the re-encryption mixes, it was necessary to draw the seed values from a statistical distribution, e.g., a binomial. In this paper we present a similar construction of the ballot forms but using Paillier encryption in place of ElGamal. The advantage of this is that the homomorphic properties of Paillier are ideally suited to our construction and removes the need to constrain the distribution of seed values. As with the scheme using ElGamal, we have a distributed construction of encrypted ballot forms. This enables on-demand decryption and printing of the ballot forms and so eliminates the need to trust a single authority to keep this information secret. It also avoids chain of custody issues as well as chain voting style attacks.
Pret a Voter with a Human-Readable, Paper Audit Trail
, 1038
Cited by 2 (1 self)
The Pret a Voter election scheme allows voters to confirm that their vote is accurately counted whilst maintaining ballot secrecy. Initial analysis indicates that the scheme is highly trustworthy, due to the high degree of transparency and auditability. However, the assurance arguments are subtle and involve some understanding of the role of cryptography. As a result, there remain challenges regarding public understanding and trust. It is essential that a voting system be not only trustworthy but also widely trusted. In this note, I propose a simple mechanism to generate a conventional paper audit trail that can be invoked should the outcome of the cryptographic count be called into question. It is hoped that having such a familiar mechanism as a safety net will encourage public confidence. Care has to be taken to ensure that the mechanism does not undermine the carefully crafted integrity and privacy assurances of the original scheme.
Threat analysis of cryptographic election schemes
, 2006
Cited by 1 (1 self)
We discuss some vulnerabilities, threats and counter-measures for voter-verifiable, cryptographic election schemes: Chaum [1], Neff [7] and Prêt à Voter schemes [2]. Our analysis shows that such schemes are potentially prey to a wide variety of threats, both technical and sociotechnical. On the other hand, counter-measures can be deployed to all the threats identified. This paper strives to take initial steps towards a more systematic threat analysis for such schemes. We briefly address the issue of how to ensure such threat analyses are as systematic and complete as possible.
Prêt à Voter: All-In-One
, 2007
Cited by 1 (1 self)
A number of voter-verifiable electronic voting schemes have been introduced in the recent decades. These schemes not only provide each voter with a receipt without the threat of coercion and ballot selling, but also the ballot tallying phase can be publicly verified. Furthermore, these schemes are robust because the power of authorities can be threshold distributed. Generally speaking, the homomorphic encryption schemes are efficient but they are unable to handle some preferential elections, such as STV elections and Condorcet elections. The mix network schemes are versatile, but they are not as efficient as the homomorphic encryption schemes in approval elections. In this paper, we will present a new electronic voting scheme which is secure, versatile and efficient. We call our proposal scheme the Prêt à Voter: All-In-One because it is based on the re-encryption version of the Prêt à Voter scheme and inherits most of its security properties. Our scheme not only handles both approval elections and preferential elections, but also the ballot tallying phase will always be the most efficient because according to different elections, different tally strategies can be applied.

