Technical challenges and solutions for remote electronic voting

1. E-voting
Bozhidar Bozhanov

2. Vanity slide
• Still a developer
• http://blog.bozho.net
• http://techblog.bozho.net
• http://twitter.com/bozhobg
• E-government adviser to the deputy prime
minister of Bulgaria

3. E-voting
• e-voting / i-voting / machine voting / remote
e-voting
• a.k.a. “let’s vote from home”
• sounds tempting
• ...and risky

4. Complicated task
• uncontrolled environment
• single vote AND vote secrecy
• coercion prevention
• verifiability
• independent observers
• results should not be replaceable
• defence against attacks and viruses

5. Before technology
A fundamental question:
• Is it required that every voter understands
the whole voting process?
• Does every voter understand fully the
current process?

6. Identification
• necessary precondition
• e-id (“chip in the ID card”)
• other practices
• preliminary registration
• scratch-cards
• TAN

7. Who would develop it?
• companies with e-voting expertise
• Cybernetica AS (Estonia)
• Scytle (Switzerland, France, Norway)
• ...
• it’s “how” that’s important

8. How
• open source from day 1
• peer-reviewed
• audited
• with pilots
• in-person at first
• 7 days before paper election day

9. Wait, wait...
There are unanswered questions.
There are problems to be solved.
There is a lot of noise...

10. Invalid arguments “for”
• if e-banking works, then e-voting should
also work
• breaches and fraud
• different task
• if anyone can hack voting, why doesn’t he
hack banks instead?
• why not both?

11. Invalid arguments “for”
• “what can happen”
• everything
• we have many good software specialists
• the task is complicated and niche
• it will solve the problems of our democracy
• no, it won’t (bit it can help)

12. Invalid arguments “against”
• someone will buy your IP
• it’s a devil’s creation
• it must be 100% secure
• paper voting is not 100% secure
• someone can change something
• there is no guarnatee for ballot secrecy
• there is no guarantee for one voter-one vote

13. Invalid arguments “against”
• “It’s not being used in big countries”
• “Germany banned it”
• “The Estonian system doesn’t work”
• mainly OpSec problems
• client malware
• Press-conference a week prior to the elections
saying “it doesn’t work”?
• “It will be developed by incompetent people”

14. Questions
• vote secrecy and one voter = one vote
• verifiability of the validity of the result
• access for observers
• coercion prevention
• usability

15. Vote secrecy
• double-envelope method
• identity is separated from the vote before counting
• votes are encrypted with the public key of the
counting server
• anonymized votes are sent to the counting server
on a CD
• the private key is activated by multiple owners

16. Vote secrect
• blind signature
• e.g. carbon paper envelope with your name used
for blind stamping
• confirms the vote without knowledge of it
• requires trust in the client software

17. Vote secrecy
• Mixnets
• layers of decryption
• receiver doesn’t know who the sender is
• Tor-like

18. Revoting
• е-voting before the paper voting
• manual removal of the e-vote
• automatically guarantees 1 man = 1 vote
• with double envelope
• the unanonymized (encrypted) ballot is replaced
• with blind signature and mixnet
• using a receipt code?

19. Verifiability
• E2E verifiable
• “stored as cast”, “counted as stored”
• receipt, incl. a mobile phone
• checking the vote for a limited period of time (risks
the secrecy)
• checking if receipt codes are matching

20. Validity of the result
• individual checks
• independent counting
• public bulletin board
• public ledger (blockchain, votecoin?)
• push to registered observers?

21. Observers
• monitoring public logs (or blockchain
transactions)
• on-site in the server room
• live streaming

22. Coercion prevention
• panic/tamper PIN
• PIN written backwards :)
• hard to implement
• webcam with face recognition
• partial guarantee that nobody else is in front of the
monitor
• cooldown period
• against multiple voting from a single machine

23. Usability
• if paper voting is removed from polling
stations as well
• touch-screen is very intuitive
• everyone can use it, even uneducated voters
• UX-tests

24. Problems
• client-side malware
• DDoS attacks
• network attacks (dropping packets)
• remote penetration attacks
• OpSec
• insider attacks
• 0-day vulnerabilities

25. Client-side malware
• desktop client vs browser
• vote changing, not sending votes,
compromising secrecy before encryption
• solutions:
• 2 factor (sms, app)
• biometric confirmation
• card reader with hardware keypad and display
• voting from a virtualized environment

26. DDoS attacks

27. DDoS attacks
• DDoS prevention:
• preparedness and adequate procedures
• tier 1 providers, telecoms
• blocking of command & control servers
• scrubbing centers
• cutting external traffic

28. Network attacks
• packet analysis => dropping the vote
• solutions:
• retry
• detectable (no receipt/confirmation sent)
• Tor / mixnets
• paper voting if e-voting doesn’t work for you

29. OpSec
• operational security
• passwords
• DMZ
• HSM
• intrusion detection, netflow anaylsis
• audit trail
• main criticism against Estonia
• verifiability of results exposes intrusions

30. Insider attacks
• OpSec, audit trail
• verifiable using “virtual paper trail” (e.g.
blockchain)
• Security agencies should catch it 

31. 0-day vulnerabilities
• ...well, crap
• general procedures for cancelling or postponing
elections
• if intrusions are detectable => patch

32. General procedures
• annulling online results
• notification of online voters
• postponing the eleciton
(not as hard and expensive as they are in
paper voting)

33. Paper voting?
• some of the problems above are valid for
paper voting as well
• results of paper voting are ultimately
aggregated on a computer
• with checks and paper trail
• …but what if it doesn’t match?

34. We must be paranoid
• everything can go wrong
• viruses are real
• state-level attacks are real
• manipulation attempts are real
• “it just works” doesn’t work
• “election security is national security”

35. The way forward?
• not all problems are addressed 100%
• there is no 100% secure solution
• we are looking for a solution that doesn’t
allow large-scale manipulations
• looks like such a solution is possible
• need for more R&D
• dynamic/direct democracy
• we are obligated to do it, sooner or later

36. Sources
https://eprint.iacr.org/2015/809.pdf
https://www.usvotefoundation.org/sites/default/files/E2EVIV_full_report.pdf
http://static.usenix.org/legacy/events/evtwote11/tech/slides/haenni.pdf
http://www.e-voting.cc/wp-content/uploads/Proceedings%202010/8.1.Spycher_2010.pdf
http://www.chaum.com/publications/Remotegrity-Design-and-Use-of-an-End-to-End-Verifiable-Remote-Voting-System.pdf
http://www.scytl.com/wp-content/uploads/2014/11/IDC-report_Implementing-End-to-End-Verifiable-Online-Voting_Enabling-Secure-Transparent-and-Tamper-Proof-Elections.pdf
https://www.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_SECUSO/Papers/GI_Workshop_2014.pdf
http://download.springer.com/static/pdf/730/chp%253A10.1007%252F3-540-45961-8_15.pdf?originUrl=http%3A%2F%2Flink.springer.com%2Fchapter%2F10.1007%2F3-540-
45961-8_15&token2=exp=1446764746~acl=%2Fstatic%2Fpdf%2F730%2Fchp%25253A10.1007%25252F3-540-45961-
8_15.pdf%3ForiginUrl%3Dhttp%253A%252F%252Flink.springer.com%252Fchapter%252F10.1007%252F3-540-45961-
8_15*~hmac=a7540fc29317746377a541091e07619a274e2048dbbfeb46f2abf76a58bf9918
https://vote.heliosvoting.org/
http://e-collection.library.ethz.ch/eserv/eth:3046/eth-3046-01.pdf
http://followmyvote.com
http://www.scytl.com/wp-content/uploads/2014/11/IDC-report_Implementing-End-to-End-Verifiable-Online-Voting_Enabling-Secure-Transparent-and-Tamper-Proof-Elections.pdf
http://www.bitcongress.org
https://bitcoinmagazine.com/21031/blockchain-technology-key-secure-online-voting/
https://people.csail.mit.edu/rivest/voting/papers/JakobssonJuelsRivest-MakingMixNetsRobustForElectronicVotingByRandomizedPartialChecking.pdf
http://arxiv.org/abs/1401.4151
https://www.regjeringen.no/globalassets/upload/krd/kampanjer/valgportal/valgobservatorer/2013/rapport_cartersenteret2013.pdf
http://techblog.bozho.net/why-all-the-fear-in-electronic-voting/

37. Thank you