Electronic voting promises the possibility of a convenient, efficient and secure facility for recording and tallying votes in an election. Recently highlighted inadequacies of implemented systems have demonstrated the importance of formally verifying the underlying voting protocols. We study three privacy-type properties of electronic voting protocols: in increasing order of strength, they are vote-privacy, receipt-freeness, and coercionresistance. We use the applied pi calculus, a formalism well adapted to modelling such protocols, which has the advantages of being based on well-understood concepts. The privacy-type properties are expressed using observational equivalence and we show in accordance with intuition that coercion-resistance implies receipt-freeness, which implies vote-privacy. We illustrate our definitions on three electronic voting protocols from the literature. Ideally, these three properties should hold even if the election officials are corrupt. However, protocols that were designed to satisfy receipt-freeness or coercion-resistance may not do so in the presence of corrupt officials. Our model and definitions allow us to specify and easily change which authorities are supposed to be trustworthy.

Abstract not found

Election audit procedures usually rely on precinctbased audits, in which workers manually review all paper ballots from selected polling places, but these audits can be expensive due to the labor required. This paper proposes an alternative audit strategy that allows machines to perform most of the work. Precincts are audited using auditing machines, and their output is manually audited using efficient ballot sampling techniques. This strategy can achieve equal or greater confidence than precinctbased auditing at a significantly lower cost while protecting voter privacy better than previous ballot-based auditing methods. We show how to determine which ballots to audit against the auditing machines ’ records and compare this new approach to precinct-based audits in the context of Virginia’s November 2006 election. Far fewer ballots need to be audited by hand using our approach. We also explore extensions to these techniques, such as varying individual ballots ’ audit probabilities based on the votes they contain, that promise further efficiency gains. 1

In elections employing electronic voting machines, we have observed that poor procedures, equipment failures, and honest mistakes pose a real threat to the accuracy of the final tally. The event logs kept by these machines can give auditors clues as to the causes of anomalies and inconsistencies; however, each voting machine is trusted to keep its own audit and ballot data, making the record unreliable. If a machine is damaged, accidentally erased, or otherwise compromised during the election, we have no way to detect tampering or loss of auditing records and cast votes. We see a need for voting systems in which event logs can serve as robust forensic documents, describing a provable timeline of events leading up to and transpiring on election day. To this end, we propose an auditing infrastructure that draws on ideas from distributed systems and secure logging to provide a verifiable, global picture of critical election-day events, one which can survive individual machine malfunction or malice. Our system, the Auditorium, joins the voting machines in a polling place together in a private broadcast network in which all election events are logged redundantly by every machine. Each event is irrevocably tied to the originating machine by a digital signature, and to earlier events from other machines via hash chaining. In this paper we describe in detail how to conduct an election in the Auditorium. We demonstrate our system’s robustness to benign failures and malicious attacks, resulting in a believable audit trail and vote count, with acceptable overhead for a network the size of a polling place. 1

Without a threat model and a system model, voting standards cannot ensure the integrity or accuracy of the voting process. In elections throughout the U.S., electronic voting machines have failed to boot, tallied 10 times as many votes as registered voters, and drawn criticism from academics, election officials, and concerned citizens alike. High-profile exploits (such as the Hursti attack [4] and the Princeton group’s Diebold virus [2]) have brought media attention to the fragility just below the surface of electronic voting systems. In light of these problems, it is perhaps an understatement to say

This paper reports on an analysis of the Hart Inter-Civic DAU eSlate unit equipped for disabled access and the associated Judge’s Booth Controller. The analysis examines whether the eSlate and JBC can be subverted to compromise the accuracy of vote totals, the secrecy of the ballot, and the availability of the system under the procedures in place for Yolo County. We describe several potential attacks, and show how election officials can block or mitigate them. 1

Abstract not found

As a result of well-publicized security concerns with direct recording electronic (DRE) voting, there is a growing call for systems that employ some form of paper artifact to provide a verifiable physical record of a voter’s choices. In this paper, we present a system we are developing to support a multi-institution, cross-disciplinary research project examining issues that arise when paper ballots are used in elections. We survey the motivating factors behind our work, discuss the special constraints raised in processing ballots as opposed to more general document images, and describe the current status of our system. 1.

1The authors thank Greg Huber and seminar participants at Dartmouth College and the University of Chicago for comments on an earlier draft of this paper and thank election officials in Charlotte, Collier, DeSoto, Hardee, Hillsborough, Lee, Manatee, Pinellas, and Sarasota Counties for providing data and assistance. The most recent version of this paper can be found

The electronic voting machines known as Direct Recording Electronic (DRE), that are used in many states in the US have been shown to contain security vulnerabilities [16, 9, 3]. One of the problems is that the elections held on these machines cannot be independently audited. In this paper we address this issue by designing a new all-electronic independent audit framework for DRE voting systems. Our framework leverages system virtualization concepts and image recognition techniques to maintain an audit of the vote totals. The architecture we present is a step towards meeting the software independence requirements as defined by Rivest et al. [21,2]. Wehaveimplementedaprototypeusingthe Diebold Accuvote TS DRE voting software and the XEN hypervisor and demonstrate that our system can achieve a robust election audit with negligible overhead.