Elections a Critical Infrastructure? Prospects for a Robust Electronic Voting Scheme for the UK
Tim Storer and Ishbel Duncan
University of St Andrews
27th August 2005, SNI Workshop

Overview
• Introduction to electronic voting.
• The UK’s Electoral Context.
• Pollsterless remote electronic voting schemes.
• The mCESG Scheme.
• Adapting the mCESG scheme.
• Future work

• Poll terror attack risk ‘higher’. BBC News, 18th April 2005. “Britain faces its greatest risk of terrorist attack yet amid fears that groups may target the general election, according to an annual risk assessment.”
• Jimmy Burns and Ben Hall. Britain fears al-Qaeda terrorist attack during election. Financial Times, 24th February 2005. “The UK remains vulnerable to the real and serious threat of terrorism by al-Qaeda, according to research by leading academics on the country’s preparedness for future attacks.”
• Election and wedding make Britain ‘prime terror target’. Daily Mail, 24th February 2005. “Britain’s most senior police officer issued a stark warning today about the risk of a terrorist attack in the run-up to the General Election.”
• Richard Norton-Taylor. Threat of terror attack on London higher, says report. The Guardian, 19th April 2005. “The likelihood of a terrorist attack on London has increased because of the impending election and Britain’s support of the war on Iraq, according to a private risk assessment published today.”

Some Terminology
Often used interchangeably, but to disambiguate:
Voting system – the set of procedures and technologies used to conduct an election.
Election – an execution of a voting system.
Vote – the expression of a voter’s preference.
Electoral system – the description of a legal vote and the algorithm for aggregating votes into results.
Voter – an agent within the voting system eligible to cast a vote.
Ballot – the instantiation of a vote, paper ballot for example.
Voting scheme – theoretical design expressing properties for a voting system.
Voting technology – the implementation of aspects of a voting scheme.

Why e-voting?
Given the challenges involved, why use e-voting?
• For the US, potential for greater accuracy in:
  – Recording of voter intentions.
  – Aggregation of votes.
• In the UK, remote electronic voting perceived as a means for increasing convenience (and hopefully turnout).
• Other reasons:
  – A useful target topic for development of dependable technologies.
  – A ‘modern’ way to run elections.
Different contexts have different motivations for changing their voting system.

Trends in Turnout (UK)
[Figure not preserved in this text.]

Threats to e-voting
Numerous, varied and context dependent:
• Loss of vote records as a result of:
  – System failure
  – Corrupt insiders
• Malicious candidates
  – Vote buying
  – Voter coercion
• Denial of service
  – Direct attacks on polling stations.
  – Disruption of power supplies.
  – Disruption of communication networks.
  – Sabotage of voting system.
• Dishonest voters – false claims of fraud.

Not Just e-voting...
Postal voting on demand caused problems in Birmingham’s 2004 Local elections:

Trends in Postal Voting (UK)
[Figure not preserved in this text.]

Requirements
Again, context dependent but with recurring themes:
• Secrecy
  – Voting privacy (remote/supervised)
  – Voter anonymity
• Integrity of result
  – Authentication of legitimate voters
  – Accurate recording of individual votes
  – Accurate aggregation of results
• Usability – # of interactions, interface capabilities.
• User Acceptability – understandability, familiarity.
• Flexibility – one scheme/system for several contexts?

Robust Electronic Voting Systems
• Exhibit desired properties despite the presence of faults/attacks:
  – Core properties must be preserved regardless.
  – Some degradation of service may be acceptable.
• This definition is context dependent – required properties in other categories vary.
• Fulfillment of robustness requirements may be achieved through a variety of technological and/or procedural solutions.

The UK Electoral Context
The design of voting schemes is informed by their target context:
• UK Elections are governed by various Acts of Parliament, but primarily the RPA 1983.
• Variety of electoral systems employed – FPTP, AM and STV.
• Weak identification and authentication mechanisms.
  – Registration is by household.
  – No identification documents required at a polling station.
• Vote tracing mechanism permits election recovery without substantially violating privacy.

Electronic Voting Approaches
• SERVE (US DoD)
• Homomorphic encryption (Benaloh)
• Blind signature schemes (Fujioka)
• Cryptographic Counters (Shubina)
• FREE e-Democracy (Kitcat)
• SENSUS (Cranor)
• REVS + variants (Joaquim)
• RIES
• Cybervote Project (EU)
• Hybrid DRE/Paper ballot systems
  – Paper audit trails.
  – ‘Mercuri’ method.
• ‘Hybrid’ schemes utilising mix–nets:
  – Multiple receipts
  – VoteHere (Neff)
  – Visual cryptography (Chaum).
  – Prêt á Voter - (Schneider/Ryan/Bryans)
• ...

Common Countermeasures
• Distribute trust across autonomous domains.
• Maintain failure detection and recovery mechanisms.
  – Detection by officials, candidates or voters.
  – Non–trivial in presence of secrecy requirements.
• De–centralised vote collection points (polling stations).
  – Identification of bottlenecks in voting schemes is an emerging topic.
• Provide mechanisms for voter and/or universal verifiability.

Pollsterless Electronic Voting
• First noted by Malkhi, pollsterless schemes permit vote casting directly by the voter without a software artifact (a pollster) acting on the voter’s behalf.
• Pollsterless schemes have two advantages:
  – A wider range of electronic devices can be used for vote casting and verification. Lowers the cost of participation for voters. A more flexible range of voting devices improves usability and accessibility.
  – Verification of vote collection and tabulation may be performed directly – a voter doesn’t need to trust the pollster to interpret messages on their behalf.

The mCESG Scheme
• The CESG scheme was proposed by the commercial arm of GCHQ.
• The mCESG scheme improves on the CESG scheme by:
  – Providing vote verification without increasing potential for coercion/vote buying.
  – Distributing the election authority into autonomous domains to provide better protection of voter privacy.
• Retains the pollsterless feature of the CESG scheme for vote casting.

Scheme Overview
The mCESG electronic voting scheme has four phases:
1. Voter registration.
2. Distributed credential generation.
3. Voting.
4. Tallying.
Phases two and three may occur in parallel, i.e. voting credentials may be requested during the voting period.

Voting Credentials
• Consists of a polling card and a security card, delivered separately to the voter on secure stationery.

  [Figure: two sample cards, labelled SECURITY CARD and POLLING CARD.]

  Card showing the voter details:
    Voter Name: Alice JONES
    Voter Number: 4547 1290 3738 4571

    Candidates        Personal Candidate Numbers   Response Numbers
    M. Thatcher       16                           583
    N. Chamberlain    24                           835
    C. Atlee          60                           701

  Other card (rows in the same candidate order):
    42   712
    67   572
    12   932

• Credentials are generated across a distributed election authority to resist ballot box stuffing.

Credential Generation
The domains of the election authority co-operate to generate credentials.
[Figure: credential generation data flow. Labels recovered from the diagram: Candidate Publisher, Candidate Permutator, Candidate Number Generator, Voter Number Generator, Personal Candidate Number Generator, Response Number Generator, Polling Card Deliverer, Security Card Deliverer, Returning Officer, Registration Officer, Vendor, Electoral Commission, Voter; flows: Candidates, p(Candidates), Candidate names, Permutation of CNs, Name, VN, PCNs, 1st ½ PCNs, 2nd ½ PCNs, 1st ½ RNs, 2nd ½ RNs. The voter receives “VN, 1st ½ PCNs, 2nd ½ RNs” in one delivery and “2nd ½ PCNs, 1st ½ RNs” in the other.]

Casting a Vote
• Send a combination of <VID> and <PCN> to the election authority on any available communication device.
• To vote for Mrs Thatcher, send:

    4547129037384571 1642
    (VN = 4547129037384571, PCN = 1642)

  in an SMS message to the election authority.
• A generic reply is received:
  “Thankyou for voting -- you have not been charged for your text message.”
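
The vote-casting step above, worked through in Python as an added example (not code from the slides or from the scheme's authors). The numbers are the sample card values from the slide; the function names, the authority-side lookup table and the choice to send the same reply to rejected messages are assumptions made for illustration.

```python
import re

# Sample credentials transcribed from the slide's example cards (Alice JONES).
VOTER_NUMBER = "4547129037384571"
FIRST_HALVES = {"M. Thatcher": "16", "N. Chamberlain": "24", "C. Atlee": "60"}
SECOND_HALVES = {"M. Thatcher": "42", "N. Chamberlain": "67", "C. Atlee": "12"}
GENERIC_REPLY = ("Thankyou for voting -- you have not been charged "
                 "for your text message.")


def compose_vote(voter_number, candidate, first_halves, second_halves):
    """Voter side: the PCN is only complete once both cards are combined."""
    pcn = first_halves[candidate] + second_halves[candidate]
    return f"{voter_number} {pcn}"


def build_pcn_table(voter_number, first_halves, second_halves):
    """Authority side (hypothetical): map (VN, full PCN) to a candidate."""
    return {(voter_number, first_halves[c] + second_halves[c]): c
            for c in first_halves}


def receive_vote(message, pcn_table, ballot_box):
    """Record the vote if (VN, PCN) is known; the reply never varies."""
    digits = re.sub(r"\s+", "", message)
    # 16-digit VN followed by a 4-digit PCN, as in the slide's example.
    if re.fullmatch(r"\d{20}", digits):
        key = (digits[:16], digits[16:])
        if key in pcn_table:
            ballot_box.append(pcn_table[key])
    # Assumption: rejected messages get the same text, so the reply
    # confirms neither the candidate nor whether the PCN was valid.
    return GENERIC_REPLY


if __name__ == "__main__":
    table = build_pcn_table(VOTER_NUMBER, FIRST_HALVES, SECOND_HALVES)
    box = []
    sms = compose_vote(VOTER_NUMBER, "M. Thatcher", FIRST_HALVES, SECOND_HALVES)
    print(sms, "->", receive_vote(sms, table, box), box)
```

The message carries no candidate name, so the channel and the sending device see only digits, and a PCN assembled without both halves does not match any table entry.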