Electronic Voting: practice and theory

Mark RyanUniversity of Birmingham

based on joint work with

Stephanie DelauneSteve Kremer

Mounira KourjiehBen Smyth


1 The potential and the current situation

2 Desired properties

3 Some protocols

4 Verification

5 Conclusions

Electronic voting: potential

Electronic voting potentially offers


higher voter participationgreater accuracylower costs

Better security

vote-privacy even in presenceof corrupt election authoritiesvoter verification, i.e. theability of voters and observersto check the declaredoutcome against the votescast.

Governments world over havebeen trialling e-voting, e.g.USA, UK, Canada, Brasil, theNetherlands and Estonia.

Can also be useful forsmaller-scale elections(student guild, shareholdervoting, trade union ballots,local government).

Current situation

The potential benefits have turned out to be hard to realise.


May 2007 elections included 5 local authorities that piloted a rangeof electronic voting machines.

Electoral Commission report concluded that the implementation andsecurity risk was significant and unacceptable and recommends thatno further e-voting take place until a sufficiently secure andtransparent system is available.


Diebold controversy since 2003 when code leaked on internet.

Kohno/Stubblefield/Rubin/Wallach analysis concluded Dieboldsystem far below even most minimal security standards. Voterswithout insider privileges can cast unlimited votes without beingdetected.

Current situation in USA, continued

In 2007, Secr. of State for California commissioned“top-to-bottom” review by computer science academics ofthe four machines certified for use in the state. Result is acatalogue of vulnerabilities, including

appalling software engineering practices, such as hardcoding cryptokeys in source code; bypassing OS protection mechanisms, . . .

susceptibility of voting machines to viruses that propogate frommachine to machine, and that could maliciously cause votes to berecorded incorrectly or miscounted

“weakness-in-depth”, architecturally unsound systems in which evenas known flaws are fixed, new ones are discovered.

In response to these reports, she decertified all four types of votingmachine for regular use in California, on 3 August 2007.

Situation in USA – 2008 election

Several other states followed California’s lead, and decertifiedelectronic voting machines.

But other states have continued to use touch-screen systems, havinginvested massively. (E.g., the state of Colorado spent $41M onelectronic voting systems for its 3M voters, on machines thatCalifornia has now decertified. . . )

Diebold, one of the main suppliers, tried unsuccessfully to sell theire-voting business. Instead, they rebranded it ‘Premier ElectionSolutions’ and revised their forecasts downwards.

Current situation in Estonia

Estonia is a tiny former Soviet republic (pop. 1.4M), nicknamed“e-Stonia” because of its tech-savvy character.

Oct. 2005 local election allowed voters to cast ballots on internet.There were 9,317 electronic votes cast out of 496,336 votes in total(1.9%) participated online.

Officials hailed the experiment a success. Said no reports of hackingor flaws. System based on linux.

Voters need special ID smartcard, a $24 device that reads the card,and a computer with internet access. About 80% of Estonian votershave the cards anyway, also used since 2002 for online banking andtax records.

Feb. 2007 general election: 30,275 voters used internet voting.

Internet voting and coercion resistance

The possibility of coercion (e.g. by family members) seems very hard toavoid for internet voting.

In Estonia, the threat is somewhat mitigated:

Election system allows multiple online votes to be cast by the sameperson during the days of advance voting, with each vote cancellingthe previous one.

System gives priority to paper ballots; a paper ballot cancels anyprevious online ballot by the same person.

Where are we?

Voting system: desired properties

Eligibility: only legitimate voters can vote, and at most once (This also

implies that the voting authorities cannot insert votes)

Fairness: no early results can be obtained

Privacy: the fact that a particular voter in a particular way is not

revealed to anyone

Receipt-freeness: a voter cannot later prove to a coercer that she voted

in a certain way

Coercion-resistance: a voter cannot interactively cooperate with a

coercer to prove that she voted in a certain way

Individual verifiability: a voter can verify that her vote was really counted

Universal verifiability: a voter can verify that the published outcome

really is the sum of all the votes

. . . and all this even in the presence of corrupt election authorities!

Are these properties even simultaneously satisfiable?


Eligibility: only legitimate

voters can vote, and only once

Effectiveness: the number of

votes for each candidate is

published after the election

Privacy: the fact that a

particular voted in a particular

way is not revealed to anyone

(not even the election



Receipt-freeness: a voter

cannot later prove to a coercer

that she voted in a certain way

Individual verifiability: a

voter can verify that her vote

was really counted

How could it be secure?

Security by trusted client software

→ → → → → → → → → →

trusted by user

does not need to betrusted by authoritiesor other voters

not trusted by user

doesn’t need to betrusted by anyone

First, some cryptoraphy

Blind signatures

Normally, when Alice signs amessage M, creatingSignSKA

(M), she knows whatthe message M is.

In a blind signature, Bob canask her to sign a blinded versionof the message, blindb(M).

After she signs it, he canunblind it.

unblindb(SignSKA(blindb(M))) =



Alice can send Bob acommitment commitc(M) to amessage M.

Later, she can reveal c and M,and Bob can verify that it isindeed the correct M that shecommitted to.

Alice cannot lie, e.g., cannotfind some other c ′ and M ′ thathave the same commitmentcommitc′(M ′).

FOO 92 protocol [FujiokaOkamotoOhta92]

Alice aDministrator Collector

{ } 1)),,(( −Abcvcommitblind

{ } 1)),,(( −Dbcvcommitblind

{ } 1),((...) −= Dcvcommitunblind

{ } 1),( −Dcvcommit


)),(,(. cvcommitlpubl),( cl




vopen =(...)

FOO 92 properties

Eligibility X

Fairness X

Privacy X

Receipt-freeness ×Coercion-resistance ×Individual verifiability X

Universal verifiability half

FOO usability in a real election: an exercise for the reader!

Attacker model

Ideally, we want to model a very powerful attacker:

It has “Dolev-Yao” capabilities, i.e.

it completely controls thecommunication channels, so it is able torecord, alter, delete, insert, redirect,reorder, and reuse past or currentmessages, and inject new messages(The network is the attacker)

manipulate data in arbitrary ways,including applying crypto operationsprovided has the necessary keys

It includes the election authorities.

It includes the other voters.

The applied π-calculus

Applied pi-calculus: [Abadi & Fournet, 01]

basic programming language with constructs for concurrencyand communication

based on the π-calculus [Milner et al., 92]

in some ways similar to the spi-calculus [Abadi &Gordon, 98], but more general w.r.t. cryptography


naturally models a Dolev-Yao attacker

allows us to model less classical cryptographic primitives

both reachability and equivalence-based specification ofproperties

automated proofs using ProVerif tool [Blanchet]

powerful proof techniques for hand proofs

successfully used to analyze a variety of securityprotocols

Equations to model the cryptography


1 Encryption and signatures

decrypt( encrypt(m,pk(k)), k ) = m

checksign( sign(m,k), m, pk(k) ) = ok

2 Blind signatures

unblind( sign( blind(m,r), sk ), r ) = sign(m,sk)

3 Designated verifier proof of re-encryptionThe term dvp(x,rencrypt(x,r),r,pkv) represents a proof designated forthe owner of pkv that x and rencrypt(x,r) have the same plaintext.

checkdvp(dvp(x,rencrypt(x,r),r,pkv),x,rencrypt(x,r),pkv) = ok

checkdvp( dvp(x,y,z,skv), x, y, pk(skv) ) = ok.

Coding protocols as processes

Example ([FOO’92]):

processV =

new b; new c;

let bcv = blind(commit(v,c),b) in

out(ch, (sign(bcv, skv)));


if getMess(m2,pka)=bcv then

let scv = unblind(m2,b) in

str phase 1;

out(ch, scv);

in(ch,(l, =scv));

str phase 2;


Alice aDministrator Collector

{ } 1)),,(( −Abcvcommitblind

{ } 1)),,(( −Dbcvcommitblind

{ } 1),((...) −= Dcvcommitunblind

{ } 1),( −Dcvcommit


)),(,(. cvcommitlpubl),( cl




vopen =(...)

Formalisation of vote-privacy

Classically modeled as observational equivalences between two slightlydifferent processes P1 and P2, but

changing the identity does not work, as identities are revealed

changing the vote does not work, as the votes are revealed at the end

↪→ consider two honest voters and swap their votes

Definition (Privacy)

A voting protocol respects privacy if

S [VA{a/v} | VB{b/v}] ≈` S [VA{b/v} | VB{a/v}].

Receipt-freeness: leaking secrets to the coercer

To model receipt-freeness we need to specify that a coerced votercooperates with the coercer by leaking secrets on a channel ch

P ::=0P | Pνn.Pin(u, x).Pout(u,M).Pif M = N then P else P!P. . .

Pch in terms of P

0ch = 0

(P | Q)ch = Pch | Qch

(νn.P)ch = νn.out(ch, n).Pch

(in(u, x).P)ch = in(u, x).out(ch, x).Pch

(out(u,M).P)ch = out(u,M).Pch

. . .

We denote by P\out(chc,·) the process νchc .(P |!in(chc , x)).

Lemma: (Pch)\out(chc,·) ≈` P

Receipt-freeness: definition


There exists aprocess V ′


votes a,

leaks(possiblyfake)secrets tothe coercer,

and makesthe coercerbelieve shevoted c

Definition (Receipt-freeness)

A voting protocol is receipt-free if there exists aprocess V ′, satisfying

V ′\out(chc,·) ≈` VA{a/v},S [VA{c/v}chc | VB{a/v}] ≈` S [V ′ | VB{c/v}].

Case study: Lee et al. protocolWe prove receipt-freeness by

exhibiting V ′

showing that V ′\out(chc,·) ≈` VA{a/v}showing thatS [VA{c/v}chc | VB{a/v}] ≈` S [V ′ | VB{c/v}]

Coercion resistance: talking with the coercer

Like receipt-freness, but: voter interacts with the coercer during theprotocol (instead of just supplying data at the end).

The voting booth makes coercion resistance possible.

Interactively communicating with the coercer:

Pc1,c2 in terms of P

0c1,c2 = 0,

(P | Q)c1,c2 = Pc1,c2 | Qc1,c2

(νn.P)c1,c2 = νn.out(c1, n).Pc1,c2

(in(u, x).P)c1,c2 = in(u, x).out(c1, x).Pc1,c2

(out(u,M).P)c1,c2 = in(c2, x).out(u, x).Pc1,c2

(!P)c1,c2 = !Pc1,c2 ,

(if M = N then P else Q)c1,c2 = in(c2, x). if x = true then Pc1,c2

else Qc1,c2

Coercion resistance: definition

Definition (Coercion resistance)

VP is coercion resistant if there exists aprocess V ′ such that for anyC = νc1.νc2.( | P) satisfying

n ∩ fn(C ) = ∅S [C [VA{?/v}c1,c2] | VB{a/v}] ≈`

S [VA{c/v}chc | VB{a/v}]we have

C [V ′]\out(chc,·) ≈` VA{a/v},S [C [VA{?/v}c1,c2 ] | VB{a/v}] ≈`

S [C [V ′] | VB{c/v}].

Intuitively, C together withthe environment representthe coercer. The definitionsays there’s a strategy V ′

for the voter such that

if the coercer is tryingto force A to vote c


A can do V ′, whichwill result in an avote, but will satisfythe coercer.

Doesn’t take account of fault attacks (cf. Kusters/Truderung).

Privacy properties


Let VP be a voting protocol. Then

VP is coercion-resistant⇓

VP is receipt-free⇓

VP respects privacy

Election verifiability


A voter cancheck her ownvote is includedin the tally.


Anyone cancheck that thedeclaredoutcomecorresponds tothe tally.


Anyone cancheck that onlyeligible votes areincluded in thedeclaredoutcome.


Verifiability 6= correctness

What system components need to be trusted in order to carry outthese checks?

Individual verifiability

Intuition: a protocol satisfies individual verifiability if there is a test

R IV(my vote , my secrets , bb entry

)that a voter can apply after the election.The test succeeds iff the bulletin board entry corresponds to the voter’svote and secrets.

Acceptability conditions

For all votes s, there is an execution of the protocol that producesM such that some bulletin board entry T satisfies R IV (s, M,T ).

The bulletin board entry determines the vote, that is,

R IV (s, M,T ) ∧ R IV (t, N,T )⇒ s = t

The potential and the current situation Desired properties Some protocols Verification Conclusions

Universal and elegibility verifiability

Universal verifiability

There exists a test RUV such thatthe observer can match up votesv1, v2, . . . , vn in the declared outcomewith bulletin board entriesz1, z2, . . . , zn to obtain, for all1 ≤ i ≤ n:

RUV (vi , zi ).

Acceptability conditions

R IV (s, M, T )⇒ RUV (s, T )

RUV (s, T ) ∧ RUV (t, T )⇒ s = t

Eligibility verifiability

There is a test REV such that theobserver can match up voter publiccredentials y1, y2, . . . , yn with bulletinboard entries z1, z2, . . . , zn to obtain,for all 1 ≤ i ≤ n:

REV (yi , zi ).

Acceptability conditions

REV (U, T ) ∧ REV (V , T )⇒ U = V

If voter with credential U andsecrets M generates bulletin boardentry T thenR IV (s, M, T )⇔ REV (U, T )

Election verifiability

A voting process C [!νa.(P | Q[c〈U〉])] satisfies election verifiability ifthere exists tests R IV ,RUV ,REV with

fv(R IV ) ⊆ bv(P) ∪ {v , z}fv(RUV ) ⊆ {v , z}fv(REV ) ⊆ {y , z}(fnRUV ∪ fnREV ) ∩ bn(P) = ∅

such that the augmented voting process satisfies the following conditions:

the unreachability assertion: fail〈true〉.the reachability assertion: pass〈true, x〉.


In the case of FOO,

R IV = eq(z2, commit(v ′, r)) ∧ checksign(z3, blind(z2, r′), pk(skR))

The potential and the current situation Desired properties Some protocols Verification Conclusions

Augmented process

Given a voting process C [!νa.(P | Q[c〈U〉])] and tests R IV ,RUV ,REV ,the augmented voting process is

νb.(C [!νa, b′.(P | Q)] | R | R ′) | R ′′ | R ′′′


P = b(v).P.c(z).b′(y).(pass〈R IV , z〉 | fail〈ψ〉)Q = Q[b′〈U〉 | D〈U〉 | c〈U〉]R = !νs.((!b〈s〉) | c〈s〉)R ′ = b(v ′).b(v ′′).c(x ′).c(x ′′).c(y ′).c(y ′′).c(z ′).fail〈φ′ ∨ φ′′ ∨ φ′′′〉R ′′ = pass(e).pass(e′).fail〈e1 ∧ e′1 ∧ (e2 = e′2)〉R ′′′ = D(e).D(e′).fail〈¬(e = e′)〉

ψ = (R IV ∧ ¬RUV ) ∨ (R IV ∧ ¬REV ) ∨ (¬R IV ∧ REV )

φ′ = R IV {v ′,x′,z′/v ,x,z} ∧ R IV {v ′′,x′′,z′

/v ,x,z} ∧ ¬(v ′ = v ′′)

φ′′ = RUV {v ′,z′/v ,z} ∧ RUV {v ′′,z′

/v ,z} ∧ ¬(v ′ = v ′′)

φ′′′ = REV {y ′,z′/y ,z} ∧ REV {y ′′,z′

/y ,z} ∧ ¬(y ′ =E y ′′)

Results and trustworthiness requirements

Property FOO’92 Oka. ’97 LBDKYY’03 Civitas ’08

Vote-privacy X X X Xtrusted compnts client clt./timel.mbr. clt./admin. client

Receipt-freeness × X X Xtrusted compnts client clt./timel.mbr. clt./admin./coll. client

Coercion resist. × × X Xtrusted compnts clt./admin./coll. client

Individual verif. X Xtrusted compnts client client

Universalal verif. X Xtrusted compnts

Elig. verif. × Xtrusted compnts

Conclusions and future work


First formal definitions ofreceipt-freeness andcoercion-resistance

coercion-resistance ⇒receipt-freeness ⇒ privacy

First generic formaldefinitions of electionverifiability. Suitable forautomation.

Future work

Decision procedure forobservational equivalence forprocesses without replication.

Voting systems that are notclient-crypto-based.