Page 1

Certification of e-voting systems

Mirosław Kutyłowski, Poland

Page 2

Overall methodology

1. goals (the state)

2. subgoals & proofs (a system designer)

3. checking, reports (a certificating body)

4. evaluation (general public)

Page 3

Goals

1. list of requirements: following from election law, specific for each country

2. assumptions, e.g.: social issues, technical issues, risk level, evaluation system

Page 4

Goals - examples

Requirement:

• each vote counted as cast

• transparency: the average voter can convince himself that this is true

• vote secrecy: also in the long run

Assumption: DoS affecting up to 1% of voters is acceptable

Page 5

What is not a goal?

Requirement: use code voting

Assumption: the user’s PC cannot be influenced by malicious software/hardware

Page 6

Subgoals

Each goal matches a list of subgoals such that:

• fulfilling them leads to fulfilling the goal from the list of requirements…

• and this is self-evident

• subgoals are formulated by system designers, standard organisations (ongoing work in NIST), …

Page 7

Subgoals - example

Popoveniuc, Kelsey, Regenscheid, Vora: Performance Requirements for End-to-End Verifiable Elections

E2E verifiable if:

1. presented ballots are well-formed

2. cast ballots are well-formed

3. recorded as cast

4. tallied as recorded

5. consistency

6. each recorded ballot is subject to the „recorded as cast” check

Page 8

Subgoals - example

Popoveniuc, Kelsey, Regenscheid, Vora: Performance Requirements for End-to-End Verifiable Elections

For each subgoal:

• irregularity checked

• when the check can be made

• what is checked

• detection probability

• proof

• if the system fails to check

• observations
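The "detection probability" cell of this per-subgoal table is where the designer's assumptions become a number the certifier can recompute. The following Python is an added example written for this transcript, not code from the slides or from the cited paper: it fills the table row for the "recorded as cast" subgoal under constructed assumptions (an adversary alters m of N recorded ballots; voters compare their receipt with the public record either independently with probability p, or as a fixed audit sample of c receipts drawn without replacement). The names SubgoalCheck, detect_independent, detect_sampled, required_check_rate and risk_row are hypothetical.

```python
"""Detection probability for the "recorded as cast" subgoal (added example).

Constructed model: m of N recorded ballots are altered; voters check their
own entry on the public record either independently with probability p or
as a fixed audit sample of c receipts drawn without replacement.
"""
from dataclasses import dataclass
from math import comb


@dataclass(frozen=True)
class SubgoalCheck:
    """One row of the per-subgoal table from the slides (hypothetical fields)."""
    subgoal: str
    irregularity: str
    when_checked: str
    what_checked: str


# Constructed row; wording of the cells is illustrative only.
RECORDED_AS_CAST = SubgoalCheck(
    subgoal="recorded as cast",
    irregularity="a recorded ballot differs from the ballot the voter cast",
    when_checked="after the public record is published, before tallying",
    what_checked="the voter's receipt matches the entry on the public record",
)


def detect_independent(p_check: float, altered: int) -> float:
    """Each voter checks independently with probability p_check.

    An alteration of `altered` ballots goes unnoticed only if none of the
    affected voters check, so P(detect) = 1 - (1 - p)^m.
    """
    if not 0.0 <= p_check <= 1.0 or altered < 0:
        raise ValueError("p_check must be in [0, 1] and altered >= 0")
    return 1.0 - (1.0 - p_check) ** altered


def detect_sampled(total: int, altered: int, sample: int) -> float:
    """A fixed audit sample of `sample` receipts drawn without replacement.

    Hypergeometric: the sample contains no altered ballot with probability
    C(N - m, c) / C(N, c); math.comb returns 0 when c > N - m, i.e. a sample
    larger than the untouched ballots is certain to hit an altered one.
    """
    if not 0 <= altered <= total or not 0 <= sample <= total:
        raise ValueError("need 0 <= altered <= total and 0 <= sample <= total")
    if altered == 0 or sample == 0:
        return 0.0
    return 1.0 - comb(total - altered, sample) / comb(total, sample)


def required_check_rate(altered: int, confidence: float) -> float:
    """Smallest p such that altering `altered` ballots is detected with
    probability at least `confidence` (inverse of detect_independent)."""
    if altered <= 0 or not 0.0 <= confidence < 1.0:
        raise ValueError("altered must be > 0 and confidence in [0, 1)")
    return 1.0 - (1.0 - confidence) ** (1.0 / altered)


def risk_row(check: SubgoalCheck, total: int, altered: int, p_check: float) -> dict:
    """Fill the 'detection probability' and 'if the system fails to check'
    cells of the table for the given constructed assumptions."""
    p_detect = detect_independent(p_check, altered)
    return {
        "subgoal": check.subgoal,
        "irregularity": check.irregularity,
        "when": check.when_checked,
        "what": check.what_checked,
        "assumption": f"{p_check:.0%} of voters check; {altered} of {total} ballots altered",
        "detection_probability": round(p_detect, 4),
        "if_not_checked": "alteration of recorded ballots is undetectable",
    }


if __name__ == "__main__":
    for p in (0.01, 0.05, 0.20):
        print(risk_row(RECORDED_AS_CAST, total=10_000, altered=100, p_check=p))
    print("sampled audit, N=1000, m=10, c=100:", round(detect_sampled(1000, 10, 100), 4))
    print("check rate needed to catch 100 altered ballots w.p. 0.99:",
          round(required_check_rate(100, 0.99), 4))
```

The point for a certifier is that the detection figure is only as good as the check-rate assumption feeding it: the same 100 altered ballots are caught with probability above 0.99 when 5% of voters check, but with probability well below 0.1 when 0.1% do, which is why the assumption list on the next slides must be declared alongside the proof.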

Page 9

Proofs

Each e-voting system must be presented together with:

• lists of subgoals matching the state's goals,

• proofs that the subgoals are achieved,

• list of assumptions under which the proofs are valid,

• risk evaluation.

Page 10

Certification versus evaluation

• Evaluation can be done by anybody, but nobody is obliged to do it and nobody bears responsibility for the result of the examination.

• In the case of certification, the author of the certificate is legally liable for its correctness and must perform the checks declared.

Page 11

Certification process

1. Examining the goals and the lists of subgoals.

2. Examining the proofs for:
– correctness
– potential flaws

Page 12

Certification process

• Examining the assumptions for:
– validity

• Examining the risk evaluation for:
– correctness
– completeness

Page 13

Certification report

• report on:
– correctness of the proof
– potential known risks and threats

• must be self-evident, transparent and complete

Page 14

Certification process properties

• Should not rely on the trustworthiness of the body performing the certification.

• The report must be checkable.

Page 15

Certification scope

follows from the proposed proof, for example:

• check before running the system during elections,

• built-in check during and after elections,

• …

Page 16

Evaluation: Challenging the Certification Report

• Any flaw or incorrectness or a wrong assumption invalidates the whole certification result.

• Any third party can challenge the report.

• Invalidation may occur e.g. due to unpredictable advances in technology.
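Slides 9, 13, 14 and 16 together describe a record that anyone can re-check: goals, the subgoals supporting them, the assumptions each proof relies on, and the rule that one invalidated assumption voids the whole result. The Python below is an added example written for this transcript, not code from the slides: check_record re-derives every claim from the declared record (so the outcome does not rest on trusting the certifying body), and challenge models a third party invalidating one assumption. The goal names, assumption labels, subgoal figures and the detection formula used for the quantitative claim are constructed for illustration, and the class and function names are hypothetical.

```python
"""Checkable certification record and third-party challenge (added example).

Constructed model of a certification record: the state's goals, the
designer's subgoals with the assumptions their proofs rely on, and a
claimed detection probability where a proof is quantitative.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Assumption:
    """An assumption declared with the proofs (hypothetical fields)."""
    name: str
    note: str = ""
    value: Optional[float] = None   # numeric parameter a proof may use
    valid: bool = True              # set to False by a successful challenge


@dataclass(frozen=True)
class Subgoal:
    """A designer's subgoal with the assumptions its proof relies on."""
    name: str
    goal: str                                   # the state's goal it supports
    depends_on: Tuple[str, ...]                 # assumptions used by the proof
    rate_assumption: Optional[str] = None       # assumption giving the check rate
    altered: int = 0                            # manipulation size the proof argues about
    claimed_detection: Optional[float] = None   # figure stated in the proof
    required_detection: Optional[float] = None  # threshold from the risk evaluation


def detection_probability(p_check: float, altered: int) -> float:
    """Independent voter checks: altering `altered` ballots is noticed unless
    none of their voters check, so P(detect) = 1 - (1 - p)^m."""
    return 1.0 - (1.0 - p_check) ** altered


def check_record(goals: Sequence[str], subgoals: Sequence[Subgoal],
                 assumptions: Sequence[Assumption]) -> Tuple[bool, List[str]]:
    """Re-derive every claim from the declared goals, subgoals and assumptions.

    Any finding invalidates the whole result, as slide 16 states.
    """
    findings: List[str] = []
    by_name = {a.name: a for a in assumptions}
    covered = {s.goal for s in subgoals}
    for g in goals:
        if g not in covered:
            findings.append(f"goal '{g}' has no subgoal supporting it")
    for s in subgoals:
        if s.goal not in goals:
            findings.append(f"subgoal '{s.name}' supports an undeclared goal '{s.goal}'")
        for dep in s.depends_on:
            a = by_name.get(dep)
            if a is None:
                findings.append(f"subgoal '{s.name}' relies on undeclared assumption '{dep}'")
            elif not a.valid:
                findings.append(f"subgoal '{s.name}' relies on invalidated assumption '{dep}': {a.note}")
        if s.rate_assumption is None:
            continue  # qualitative proof: only the dependency checks above apply
        a = by_name.get(s.rate_assumption)
        if a is None or a.value is None:
            findings.append(f"subgoal '{s.name}' quotes a check rate that no assumption supplies")
            continue
        recomputed = detection_probability(a.value, s.altered)
        # Claims are stated to four decimals, hence the 1e-4 tolerance.
        if s.claimed_detection is None or abs(recomputed - s.claimed_detection) > 1e-4:
            findings.append(f"subgoal '{s.name}': proof claims {s.claimed_detection}, recomputed {recomputed:.4f}")
        if s.required_detection is not None and recomputed < s.required_detection:
            findings.append(f"subgoal '{s.name}': detection {recomputed:.4f} below required {s.required_detection}")
    return (not findings), findings


def challenge(assumptions: Sequence[Assumption], name: str, note: str) -> List[Assumption]:
    """A third party invalidates one assumption; returns the revised list."""
    return [replace(a, valid=False, note=note) if a.name == name else a for a in assumptions]


# Constructed sample record (not from any real certification).
GOALS = ("each vote counted as cast", "vote secrecy")
ASSUMPTIONS = [
    Assumption("receipt_check_rate", "5% of voters compare their receipt with the public record", value=0.05),
    Assumption("commitments_binding", "commitments on the public record cannot be opened two ways"),
    Assumption("encryption_secure", "ballot encryption stays unbroken for the retention period"),
]
SUBGOALS = [
    Subgoal("recorded as cast", "each vote counted as cast",
            ("receipt_check_rate", "commitments_binding"),
            rate_assumption="receipt_check_rate", altered=100,
            claimed_detection=0.9941, required_detection=0.99),
    Subgoal("tallied as recorded", "each vote counted as cast", ("commitments_binding",)),
    Subgoal("long-term ballot secrecy", "vote secrecy", ("encryption_secure",)),
]

if __name__ == "__main__":
    print(check_record(GOALS, SUBGOALS, ASSUMPTIONS))
    revised = challenge(ASSUMPTIONS, "encryption_secure", "broken by advances in cryptanalysis")
    print(check_record(GOALS, SUBGOALS, revised))
```

Running the block shows the two outcomes the slides contrast: the untouched record passes with no findings, and the same record fails as a whole once a single assumption (here the long-term encryption assumption, the kind of thing "unpredictable advances in technology" can overturn) is challenged, because the subgoal built on it can no longer be relied upon.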