Attacking Paper-Based E2E Voting Systems John Kelsey1, Andrew Regenscheid1, Tal Moran2, and David Chaum3 1 National Institute of Standards and Technology fjohn.kelsey,
[email protected] 2 Weizfmann Institute of Science
[email protected] 3
[email protected] Abstract. In this paper, we develop methods for constructing vote buying/coercion attacks on end-to-end voting systems, and describe vote buying/coercion attacks on three proposed end-to-end voting systems: Punchscan, Prˆet-`a-voter , and ThreeBallot. We also demonstrate a dif ferent attack on Punchscan, which could permit corrupt election officials to change votes without detection in some cases. Additionally, we con sider some generic attacks on end-to-end voting systems. 1 Introduction Voting systems in widespread use today have a number of known vulnerabilities [1–3]. Many of these vulnerabilities can be mitigated by following certain proce dures; the integrity of the election is then dependent on a combination of correct behavior by software, hardware, and election officials. The best of these systems provide security assurance based on the honesty and correct behavior of a small set of election officials and other observers. Com monly, each political party or candidate provides a certain number of observers. These individuals are expected to notice and report fraud that would deprive their party or candidate of votes. Election officials are also expected to notice and report fraud. In general, an outsider attempting to decide whether to trust a reported election outcome must rely on the premise that correct procedures were followed by observers and election officials.