Attacking Paper-Based E2E Voting Systems

Attacking Paper-Based E2E Voting Systems

Attacking Paper-Based E2E Voting Systems John Kelsey1, Andrew Regenscheid1, Tal Moran2, and David Chaum3 1 National Institute of Standards and Technology fjohn.kelsey, [email protected] 2 Weizfmann Institute of Science [email protected] 3 [email protected] Abstract. In this paper, we develop methods for constructing vote­ buying/coercion attacks on end-to-end voting systems, and describe vote­ buying/coercion attacks on three proposed end-to-end voting systems: Punchscan, Prˆet-`a-voter , and ThreeBallot. We also demonstrate a dif­ ferent attack on Punchscan, which could permit corrupt election officials to change votes without detection in some cases. Additionally, we con­ sider some generic attacks on end-to-end voting systems. 1 Introduction Voting systems in widespread use today have a number of known vulnerabilities [1–3]. Many of these vulnerabilities can be mitigated by following certain proce­ dures; the integrity of the election is then dependent on a combination of correct behavior by software, hardware, and election officials. The best of these systems provide security assurance based on the honesty and correct behavior of a small set of election officials and other observers. Com­ monly, each political party or candidate provides a certain number of observers. These individuals are expected to notice and report fraud that would deprive their party or candidate of votes. Election officials are also expected to notice and report fraud. In general, an outsider attempting to decide whether to trust a reported election outcome must rely on the premise that correct procedures were followed by observers and election officials. A new kind of voting system has been proposed in recent years [4–9], in which the voter interacts with the voting system to get a receipt. This receipt can then be checked against a set of receipts published by the voting system. These published receipts can be used to produce or verify the reported count for the voting system, but must not be useful for selling votes (for example, by proving how each voter voted). This class of voting system has been called end to end, or E2E, to reflect the idea that each voter can check, to some high degree of confidence, that his vote was correctly cast, and also that his vote was correctly included in the final count. Other means must be used to ensure that the whole election result is correct- for example, by ensuring that only authorized people were permitted to vote, and that no additional votes were inserted into the count. These systems build on older work on cryptographic voting systems [10–12], which typically relied on the assumption that a voter would have access to some trusted computing devices. In this paper, we consider the security of a number of proposed E2E voting systems against attacks to tamper with election results and to permit the buying or coercion of votes. An important idea in this paper is that most E2E systems can be meaning­ fully divided into: 1. A front-end, which describes the voter’s direct interaction with the voting system to cast a vote and receive a receipt, and 2. A back-end, which describes the voting system’s public statements (such as receipts posted to a bulletin board and the claimed vote totals), and the mechanisms used to prove to voters and other observers that the reported election results are consistent with the public statements. Our attacks focus exclusively on the front-end, the voting systems’ inter­ actions with the voters. In general, our attacks provide ways in which corrupt election officials or voters can subvert the real-world implementation of the front- ends of these voting systems, to get very different properties from the voting systems than were expected. 1.1 Attacking Voting Systems In general, someone attacking a voting system wants to affect the outcome of the election. The stakes in such an attack can be quite high, involving control of enormous government resources. These stakes can be inferred by the amount of money spent on lobbying and campaigning, both reported publicly in the United States [13, 14]. Election results can be changed by altering recorded votes or reported totals, and also by finding a way to learn what each voter chose, so that voters can be bribed or coerced into voting in some desired way. It can also be done by disrupting the orderly operation of an election, which may simply delay an un­ desirable (to the attacker) result, or may force an election to be rerun, possibly changing its result. Violations of voter privacy and disruption of elections may be of some interest to attackers even when the election result cannot be altered, but the impact of these attacks is much smaller. 1.2 Previous Work Several end-to-end cryptographic voting protocols have been developed. This paper analyzes Punchscan [6, 7], Prˆet-`a-voter [15] and ThreeBallot [8, 16], which are described in Section 2. Researchers have begun to perform security analyses of these schemes, and some weaknesses have been discovered. A coercion attack against ThreeBallot, dubbed the ThreePattern attack [8], involves a coercer telling voters to mark their three ballots according to a particular pattern, then checking that that those patterns appear on the bulletin board. Strauss [17, 18] notes several vul­ nerabilities in ThreeBallot, including the Reconstruction attack. Here, for suf­ ficiently long ballots, an attacker is able to look at one receipt and determine which other two ballots on the bulletin board belong to the same multiballot. A well known issue with these systems is that it is easy to force a voter to vote for a random candidate by instructing them to return with a receipt showing a vote for the first ballot choice. A formal study of the three voting schemes by Clark, Essex and Adams [19] concludes that while ThreeBallot receipts provide some clues for how voters voted, Prˆet-`a-voter and Punchscan receipts do not contain any information that would help an attacker. Nonetheless, Moran and Naor [20] developed a coercion attack against Punchscan that relied on the voter’s choice of receipt. The Punchscan voting procedure was modified for the VoComp competition [21] to prevent this and related attacks by requiring voters to choose the receipt sheet prior to viewing the ballot. 1.3 Our Results Briefly, our results can be summarized as follows: Punchscan and Pr^et-`a-voter { We provide a misprinting attack which can alter election results by mislead­ ing many voters into believing they have a receipt committing to a different vote than is actually cast. This can be mitigated with a special audit of the printed ballots, but that auditing requires trusting small numbers of election observers, rather than all voters, with the integrity of the election. { We provide a mechanism for using scratch-off cards, cellphones, or other techniques to reliably buy or coerce votes. Pr^et-`a-voter { We report a previously-known but unpublished sleight-of-hand attack to allow vote buying. Threebal lot { We provide a mechanism to provide voters a financial incentive to vote in some desired way, when the three ballots are filled-in in a random way by some voting machine. { We provide a technique for buying votes when the ballots are filled out manually, using a variant of chain voting. All End to End Systems { We report a couple of known broad categories of attack on E2E systems we did not find referenced in the literature. { We provide a framework for vote-buying and coercion attacks. While our attacks are specific to particular E2E systems, the general ideas behind them can be broadly applied. One goal of this paper is to get these ideas into widespread circulation, so that systems we have not considered here may also be subjected to the same analysis. 2 Background 2.1 E2E Voting Systems Election systems in current use rely on procedures to provide integrity and bal­ lot secrecy. Typically, voters must trust election administrators to follow these procedures. Secure elections using traditional voting systems are possible when tight controls are in place, such as maintaining the chain of custody of ballots, but it is nearly impossible for voters to gain assurance that such controls are followed. End-to-end (E2E) cryptographic voting schemes aim to provide voters with a means of verifying that elections are honest, without needing to trust election officials or that the chain of custody of ballots is maintained. End-to-end refers to the voter’s ability to verify the election from vote casting to vote counting. Most schemes operate by encoding voters’ choices a special way which can be read by election officials. The encoded ballot is posted on a public bulletin board and each voter is given a voting receipt. The unique feature of E2E voting schemes is that this receipt can be used to verify the encoded ballot on the bulletin board but does not show how the voter voted. Additionally, E2E voting schemes provide voters with a means to ensure cast ballots are counted correctly. In nearly all cases this done by having the voting scheme prove that each encrypted vote on the bulletin board is correctly decrypted, allowing anyone to verify the final vote tallies by recounting the decrypted ballots. Front-End vs. Back-End E2E voting schemes involve a combination of activ­ ities performed by voters, election administrators and auditors. We refer to the part of the voting system that the voter interacts with the system as the front- end. This typically includes the ballot, receipt and bulletin board. Voters interact with the front-end to gain assurance the voting system is functioning honestly, often relying on auditors or tools to verify some parts of the voting protocol for them.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    18 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us