author: Christian Urban <christian dot urban at kcl dot ac dot uk>
Fri, 03 Oct 2014 15:37:05 +0100 (2014-10-03)
changeset 193 a97b828bf87f
parent 192 2cb42412f3fd
child 194 5e7976fa8577
Binary file handouts/ho02.pdf has changed
--- a/handouts/ho02.tex	Fri Oct 03 13:14:34 2014 +0100
+++ b/handouts/ho02.tex	Fri Oct 03 15:37:05 2014 +0100
@@ -1,6 +1,6 @@
@@ -249,6 +249,18 @@
 easily possible. They managed to write a virus that infected
 the whole system by having only access to a single machine.
+\caption{Direct-Recording Electronic voting machines above;
+an optical scan machine below.\label{machines}}
 What made matters worse was that Diebold tried to hide their
 incompetency and inferiority of their products, by requiring
 that election counties must not give the machines up for
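Review bot: The added `\caption{...}` lands directly between two prose sentences ("...access to a single machine." and "What made matters worse...") with no `\begin{figure}`/`\end{figure}` visible in the surrounding context; `\caption` outside a float is a LaTeX error, so please confirm that a figure environment (with the `\includegraphics` lines for the DRE machine and the optical scan machine the caption describes) encloses it, or move the caption into that figure. Keeping `\label{machines}` inside the caption argument is fine, since it then resolves to the figure number.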
@@ -309,12 +321,115 @@
 \noindent This brings us to the case of Estonia, which held in
 2007 the worlds first general election that used Internet.
-Again their solution made some good choices: 
+Again their solution made some good choices: for example
+voter authentication is done via the Estonian ID card,
+which contains a chip like credit cards. They also made most
+of their source code public for independent scrutiny. Of
+this openness means that people (hacker) will look at your 
+fingers and find code such as
+\noindent which can be downloaded from their github
+Also their system is designed such that Internet voting is
+used before the election: votes can be changed an unlimited
+amount of times, the last vote is tabulated, you can even
+change your vote on the polling day in person. This is an
+important security mechanism guarding against vote coercion,
+which of course is an important problem if you are allowed to
+vote via Internet.
+However, the weak spots in any Internet voting system are the
+voters' computers and the central server. Unfortunately, their
+system is designed such that they needs to trust the integrity
+of voters’ computers, central server components and also the
+election staff. In 2014, group of independent observers around
+Alex Halderman were able to scrutinise the election process in
+Estonia. They found many weaknesses, for example careless
+handling of software updates on the servers. They also
+simulated an election with the available software and were
+able to covertly manipulate results by inserting malware on
+the voters' computers. Overall, their recommendation is 
+to abandon Internet voting and to go back to an entirely
+paper-based voting process. In face of state-sponsered
+cyber-crime (for example NSA), Internet voting cannot be made
+secure with current technology. They have a small video
+clip with their findings at
+\noindent This brings us to the question, what could be a
+viable electronic voting process in
+\underline{\textbf{\emph{theory}}} with current technology?
+In the literature one can find proposals such as
+\item Alice prepares and audits some ballots, then casts an
+      encrypted ballot, which requires her to authenticate to
+      a server.
+\item A bulletin board posts Alice's name and encrypted
+      ballot. Anyone, including Alice, can check the bulletin
+      board and find her encrypted vote posted. This is to
+       make sure the vote was received by the server.
+\item When the election closes, all votes are shuffled and the
+      system produces a non-interactive proof of a correct
+      shuffling. Correct in the sense that one cannot determine
+       anymore who has voted for what. This will require a 
+       zero-knowledge-proof based shuffling procedure.
+\item After a reasonable complaint period to let auditors
+      check the shuffling, all shuffled ballots are decrypted,
+      and the system provides a decryption proof for each
+      decrypted ballot. Again this will need a 
+      zero-knowledge-proof-type of method.
+\item Perform a tally of the decrypted votes.
+\item An auditor can download the entire (shuffled) election
+      data and verify the shuffle, decryptions and tally.
-%Coming back to the question of why I use online banking, but 
-%prefer not to e-vote. 
+\noindent As you can see the whole process is not trivial at
+all and leaves out a number of crucial details (such as how to
+best distribute public keys). It even depends on a highly
+sophisticated process called \emph{zero-knowledge-proofs}.
+They essentially allow one to convince somebody else to know
+a secret without revealing what the secret is. This is a kind
+of cryptographiv ``magic'', like the Hellman-Diffie protocol
+which can be used to establish a secret even if you can only
+exchange postcards with your communication partner. We will
+look at zero-knowledge-proofs in a later lecture in more
+The point of these theoretical/hot-air musings is to show that
+such an e-voting procedure is far from convenient: it takes
+much more time to allow, for example, for scrutinising whether
+the votes were cast correctly. Very likely it will also not
+pass the benchmark of being understandable to Joe Average.
+This was a standard a court rules that needs to be passed in
+the German election process. 
+The overall conclusion is that an e-voting process involving
+the Internet cannot be made secure with current technology.
+Voting has just too high demands on integrity and ballot
+secrecy. This is different from online banking where the whole
+process is designed around authentication. If fraud occurs,
+you try to identify who did what (somebody’s account got zero;
+somewhere the money went). Even if there might be even more 
+gigantic sums at stake in online banking than with voting,
+it can be solved. That does not mean there are no problems
+with online banking. But with enough thought, they can
+usually be overcome with technology we have currently. This
+is different with e-voting: even the best have not come
+up with something workable yet.
 %Why do I use e-polling in lectures?
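Review bot: Several wording and spelling errors in the new paragraphs should be fixed before this goes into the handout: "Hellman-Diffie protocol" should read "Diffie-Hellman protocol"; "cryptographiv" should be "cryptographic"; "state-sponsered" should be "state-sponsored"; "their system is designed such that they needs to trust" should be "it needs to trust"; "Of this openness means that people (hacker) will look at your fingers" reads as a dropped word and odd idiom, suggest "Of course this openness means that people (hackers) will look over your shoulder"; "In 2014, group of independent observers" needs "a group"; "This was a standard a court rules that needs to be passed" should be "This is a standard that a court ruled must be met"; and "somebody's account got zero" would be clearer as "somebody's account was emptied". Two sentences also appear incomplete in the visible lines: "\noindent which can be downloaded from their github" and "We will look at zero-knowledge-proofs in a later lecture in more", so please check that the surrounding lines complete them. On substance, the paragraph on the Halderman group's findings correctly names both weak spots (voters' computers and the central server, plus election staff), which matches the later conclusion; it would help the argument to say explicitly that the ability to re-cast votes counters coercion but does nothing against malware on the voter's machine, since that is the gap the observers exploited in their simulation.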
Binary file hws/hw02.pdf has changed
--- a/hws/hw02.tex	Fri Oct 03 13:14:34 2014 +0100
+++ b/hws/hw02.tex	Fri Oct 03 15:37:05 2014 +0100
@@ -36,9 +36,21 @@
 \item[$\Box$] Each ballot has a unique ID. When a voter is given a ballot, the ID is recorded. When the voter submits his or her ballot, this ID is checked against the record.
+\item In the Estonian general election, votes can be cast via Internet
+  some time before the election day. These votes cast via Internet can
+  be changed an unlimited amount of times, the last vote is
+  tabulated. You can even change your vote on the polling day in
+  person. Which security requirement does this procedure address?
 \item What is the main difference between online banking and e-voting? 
 (Hint: Why is the latter so hard to get secure?)
+\item Imagine, hypothetically, you have a perfectly secure Internet
+  voting system, by which I mean nobody can tamper with or steal votes
+  between your browser and the central server responsible for vote
+  tallying. What can still go wrong with such a perfectly secure
+  voting system, which is prevented in traditional elections with
+  paper-based ballots?
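Review bot: In the new Estonian-election item, "can be changed an unlimited amount of times, the last vote is tabulated" is a comma splice and "amount" should be "number"; suggest "can be changed an unlimited number of times; only the last vote is tabulated." In the last item, the hypothetical is scoped to votes "between your browser and the central server", but the handout text in this same changeset blames both voters' computers and the central server; consider stating whether the server and the voter's own computer are assumed honest in this question, otherwise it is ambiguous whether malware on the browser end counts as tampering "between" the two.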