In elections employing electronic voting machines, we have observed that poor procedures, equipment failures, and honest mistakes pose a real threat to the accuracy of the final tally. The event logs kept by these machines can give auditors clues as to the causes of anomalies and inconsistencies; however, each voting machine is trusted to keep its own audit and ballot data, making the record unreliable. If a machine is damaged, accidentally erased, or otherwise compromised during the election, we have no way to detect tampering or loss of auditing records and cast votes. We see a need for voting systems in which event logs can serve as robust forensic documents, describing a provable timeline of events leading up to and transpiring on election day. To this end, we propose an auditing infrastructure that draws on ideas from distributed systems and secure logging to provide a verifiable, global picture of critical election-day events, one which can survive individual machine malfunction or malice. Our system, the Auditorium, joins the voting machines in a polling place together in a private broadcast network in which all election events are logged redundantly by every machine. Each event is irrevocably tied to the originating machine by a digital signature, and to earlier events from other machines via hash chaining. In this paper we describe in detail how to conduct an election in the Auditorium. We demonstrate our system’s robustness to benign failures and malicious attacks, resulting in a believable audit trail and vote count, with acceptable overhead for a network the size of a polling place. 1

In this paper, as a step towards the ultimate aim of developing an evoting system that would be likely to gain and retain the trust of the general voting public, we describe a design for a manual voting scheme that has, we claim, significant security-related advantages over existing well-trusted manual schemes. We then use this design as the basis for a small set of (in most cases partially-automated) voting systems which could improve the efficiency of our proposed manual voting scheme, without endangering the public’s trust. Our approach to the design of these schemes is thus as much socio-technical as technical.

A direct recording electronic (DRE) voting machine must satisfy several requirements to ensure voter privacy and the integrity of the election. A recent proposal for a vote storage system due to Molnar et al. provides tamper-evidence properties while maintaining voter privacy by storing ballots on a programmable, read-only memory (PROM). We achieve the same properties and protect against additional threats of memory replacement through cryptographic techniques, without the use of special hardware. Our approach is based on a new cryptographic primitive called History-Hiding Append-Only Signatures. 1

Commercial electronic voting systems have experienced many high-profile software, hardware, and usability failures in real elections. While it is tempting to abandon electronic voting altogether, we show how a careful application of distributed systems and cryptographic techniques can yield voting systems that surpass current systems and their analog forebears in trustworthiness and usability. We have developed the VoteBox, a complete electronic voting system that combines several recent e-voting research results into a coherent whole that can provide strong end-to-end security guarantees to voters. VoteBox machines are locally networked and all critical election events are broadcast and recorded by every machine on the network. VoteBox network data, including encrypted votes, can be safely relayed to the outside world in real time, allowing independent observers with personal computers to validate the system as it is running. We also allow any voter to challenge a VoteBox, while the election is ongoing, to produce proof that ballots are cast as intended. The VoteBox design offers a number of pragmatic benefits that can help reduce the frequency and impact of poll worker or voter errors.

This paper reports on an analysis of the Hart Inter-Civic DAU eSlate unit equipped for disabled access and the associated Judge’s Booth Controller. The analysis examines whether the eSlate and JBC can be subverted to compromise the accuracy of vote totals, the secrecy of the ballot, and the availability of the system under the procedures in place for Yolo County. We describe several potential attacks, and show how election officials can block or mitigate them. 1

In the United States, computer-based voting machines are rapidly replacing other older technologies. While there is potential for this to be a usability improvement, particularly in terms of accessibility, the only way it is possible to know if usability has improved is to have baseline data on the usability of traditional technologies. We report an experiment assessing the usability of punch cards, lever machines, and two forms of paper ballot. There were no differences in ballot completion time between the four methods, but there were substantial effects on error rate, with the paper ballots superior to the other methods as well as an interaction with age of voters. Subjective usability was assessed with the System Usability Scale and showed a slight advantage for bubble-style paper ballots. Overall, paper ballots were found to be particularly usable, which raises important technological and policy issues.

We present a voting protocol that protects voters ’ privacy and achieves universal verifiability, receipt-freeness, and uncoercibility without ad hoc physical assumptions or procedural constraints (such as untappable channels, voting booths, smart cards, third-party randomizers, and so on). We discuss under which conditions the scheme allows voters to cast write-in ballots, and we show how it can be practically implemented through voter-verified (paper) ballots. The scheme allows voters to combine voting credentials with their chosen votes applying the homomorphic properties of certain probabilistic cryptosystems.

Recently, two e-voting technologies have been introduced and used extensively in election procedures: direct recording electronic (DRE) systems and optical scanners. The latter are typically deemed safer as many recent security reports have discovered substantial vulnerabilities in a variety of DRE systems. In this paper we present an attack against the Diebold Accuvote optical scan voting terminal (AV-OS). Previously known attacks direct to the AV-OS required physical access to the memory card and use of difficult to find hardware (card reader/writer). Our attack bypasses these issues by using the serial port of the AV-OS terminal and reverse engineering the communication protocol, in essence, using the terminal itself as a reader/writer. Our analysis is based solely on reverse-engineering. We demonstrate how an attacker can exploit the serious security vulnerability of weak (non-cryptographic) authentication properties of the terminal. The attack payload delivers a tampered ballot layout that, depending on the scenario, allows swapping of candidate votes, neutralizing votes, or even shifting votes from one candidate to another. 1

Abstract not found

Special purpose trusted computing devices are currently being deployed to offer many services for which the general purpose computing paradigm is unsuitable. The nature of the services offered by many of these devices demand high security and reliability, as well as low cost and low power consumption. Electronic Voting machines is a canonical example of this phenomenon. With electronic voting machines currently being used in much of the United States and several other countries, there is a strong need for thorough security evaluation of these devices and the procedures in place for their use. In this work, we first put forth a general framework for special purpose trusted computing devices. We then focus on Optical Scan (OS) electronic voting technology as a specific instance of this framework. OS terminals