E-Voting System

Many of us have dealt with electronic commerce transactions. This is already a part of everyday life. However, e-voting is not yet an obvious method for voting. The construction of electronic voting system is one of the most challenging security-critical tasks, because of the need for finding a trade-off between many seemingly contradictory security requirements like privacy vs. auditability. Thereby it is difficult to adopt ordinary mechanisms of e-commerce. For example, in e-commerce there is always a possibility to dispute about the content of transactions. Buyers get receipts to prove their participation in transactions. E-voters, in turn, must not get any receipts, because this would enable voters to sell their votes.

In 2003, Estonia initiated the project of e-voting. The aim was to implement e-voting in the elections of the local government councils in 2005. In January 2004, a group of American security experts revealed the security report of Secure Electronic Registration and Voting Experiment (SERVE) [1]. The SERVE system was planned for deployment in the 2004 primary and general elections and allows eligible voters to vote electronically via Internet. After examining the security of SERVE, the group of security experts recommended that SERVE should be shut down. They also declared that they do not believe that differently constituted projects could be more secure than SERVE. Their conclusion was that the real barriers to success in e-voting are not skills, resources, etc; it is the fact that given the current Internet and PC security technology, e-voting is an essentially impossible task.

The SERVE project was terminated indeed in January 2004. At the same time, Estonia continued to develop an e-voting system and implemented it according to the plans. The Estonian security experts published their security analysis [2] at the end of 2003. They declared that in practical sense the Estonian e-voting system is secure enough for implementation.

This contradicting situation was the main initiator of this work. By closer view, both security reports are consistent and contain truthful and
convincing arguments. One of the main reasons for two totally different results was the lack of unified rational security analysis in both reports. Some of the arguments were quite emotional, being based on experts’ subjective opinions and “common wisdom”.

The aim of the work is to adapt rational security analysis methods for studying the two evoting systems. It gives us the possibility to compare the practical security of these systems. In absolutely secure systems unexpected events are not possible. We may dream about such systems, but they can never be achieved in practice. This applies particularly to evoting systems. Considering the security level of personal computers, it is impossible to design e-voting systems, which are absolutely secure for every user. The most important security goal of voting is not to affect the final results and not to abuse the principles of10 democracy. The single incidents with users are still important but they do not have influence to the final result. Moreover, even in traditional voting systems small-scale incidents are acceptable. Therefore, in practical security analysis of e-voting we should concentrate on large-scale threats.

One of the rational approaches of security is known from theoretical cryptography: security reductions, which are proofs that security conditions held under certain combinatorial assumptions, such as hardness of factoring or Diffie-Hellman problem. For proving practical security, we also need empirical assumptions about the real world. Moreover, in theoretical cryptography the adversaries are considered to be Turing machines, which are well-defined and relatively easy to study. The real world adversaries are human beings with unpredictable behavior and different motives. Hence, for analyzing practical security, we need real world adversary models. There are works, which attempt to model real world adversaries.

In 2006 Buldas et al [3] presented a risk analysis method against rational attacks, which used assumptions about real world adversaries. In this work, we are going to adapt their method for analyzing the security of e-voting systems, in particular, for comparing the two systems. In Chapters 1 and 2, we give the general background of e-voting. In Chapter 3, we describe the Estonian and the SERVE e-voting systems and emphasize the differences of the two systems by paying attention to the points, which could affect the systems’ security. However, just pointing out the differences is clearly not enough to claim that one of the systems is secure and the other one not.

In Chapter 4, we give the practical security analysis for the two systems. First, we describe the security analysis method. In Section 4.2, we create the e-voting process models for SERVE and for the Estonian e-voting system. Adversaries are part of the environment and their actions are undesired events. For measuring the security we create an adversarial model in Section 4.3. In our analysis adversaries are rationally thinking persons who attack only, if this is profitable for them. Hence, adversaries estimate the gains and the costs of attacks. In Section 4.4 we define the security assumptions and give their justifications. Security assumptions are certain widely believed conditions, which give the basis of provable security. Section 4.5 gives the security analysis of SERVE and of the Estonian e-voting system based on the security assumptions by using the provable security approach. In this work, we do not completely formalize the security arguments, but in principle they can be formalized. We justify not widely believed assumptions in Subsection 4.6.3. In this justification we also study the influence of society to e-voting security.

In Section 4.6 we justify less obvious assumptions by using attack trees risk analysis. In Subsections 4.6.1 and 4.6.2, we create a hypothetical environment model. First we present the need of environment parameters for analyzing the practical security of evoting systems. Next, we define the society characteristics, which can affect to success attacks against e-voting systems. For example, we assume that some users notice, if their computers are infected and inform Electoral Committee about that. On the other hand, all voters are not honest; some of them are agree to sell their votes to interest groups who11 have purpose to affect the result of voting. Additionally, we consider that some members of the development team of e-voting system can be corrupted. Obviously, it is a serious threat in e-voting systems. Large-scale attacks involve many people and therefore there is always possibility that somebody leaks the information, which could cause the attackers to be caught. We present all these hypothetical characteristics in Subsection

4.6.2. This environment model is not perfect, but can be considered as the first step to formally analyze the influence of society to the security of e-voting systems. In Subsection 4.6.3., we analyze adversaries’ activities in defined environment model for abusing e-voting systems. This empirical analysis uses multi-parameter attack trees [3]. For example, the cost and the success probability are considered as parameters of attack. We justify some of the security assumptions, which were used in previous subsections. We show that the Estonian e-voting system is practically secure in the defined environment model. The SERVE project has vulnerabilities in the system design, which makes it possible to perform voting-specific attacks. Additionally, we show that reasonable changes in our environment model will not change the results of this analysis. This means that if the defined environment model indeed reflects the reality, then the Estonian e-voting system is more secure than SERVE and the security experts’ opinions were reasonable.

It turns out that the main technical disadvantages of SERVE, which make it less secure than the Estonian system, are:
· non-encrypted ballots in an e-voting server;
· no independent log file system to check the correctness of processes of e-voting servers;
· votes counting server is online and contains, besides votes, also the names of voters;
· ballots are not signed by voters.
For defining the environment model, we have tried to estimate the characteristics of environment as close as possible to real society. We have used information from Internet, from research papers, interviews with public prosecutors and studied well-known attacking scenarios. This environment model is not perfect; the estimation of environment characteristics is subjective. However, it defines the need of environment characteristics for analyzing a practical security in e-voting systems. Future works towards refinement of the environment model’s characteristics definitely would improve this security analysis. As far as we know, there are no analogous security analyses published for e-voting systems. Therefore, this work can be considered as one of the first steps in this area.

2. State of the art
In this chapter, we give a brief overview of different kinds of electronic voting systems. This list is not perfect; however it gives us a glance of how electronic voting is implemented in Europe and in the United States.

The main reasons for a government to use electronic elections are:
· to increase elections’ activity by facilitating the casting of votes by voters; · to reduce elections’ and referendums’ expenses;

· to accelerate vote counting and the delivery of voting results; · to enable voters to cast their votes from different places, not from only a particular polling station.
The Internet voting system [22] was used in the national referendum in Geneva canton of Switzerland in 2004. In Switzerland, elections or referendums are held four or five times a year. There are 580.000 Swiss citizens living abroad, to compare with 7 million inhabitants in the country. It is important to provide them with an efficient and simple voting system. Approximately 52% of the Swiss population has Internet access, both at home and at the workplace. For all these reasons, the governments, both in Geneva and at the Federal level have decided to develop Internet-voting solutions.

3. Description of e-voting systems
This chapter presents the detailed descriptions of an e-voting system. In the beginning, we describe how e-voting systems work. Next, we give the descriptions of the Estonian evoting system and the Internet voting project Secure Electronic Registration and Voting Experiment (SERVE) in the United States of America. Finally, we point out the main differences between the two e-voting systems.

3.1. General description of e-voting systems
Generally, e-voting systems consist of six main phases:
· voters’ registration;
· authentication;
· voting and votes’ saving;
· votes’ managing;
· votes’ counting;
· auditing.
The voters’ registration is a phase to define voters for the e-voting system and give them authentication data to log into the e-voting system. The authentication is a phase to verify that the voters have access rights and franchise. The voting and vote’s saving is a phase where eligible voters cast votes and e-voting system saves the received votes from voters. The votes’ managing is a phase in which votes are managed, sorted and prepared for counting. The votes’ counting is the phase to decrypt and count the votes and to output the final tally. The auditing is a phase to check that eligible voters were capable to vote and their votes participate in the computation of final tally. Additionally there are some other e-voting specific rules verified in this phase. Figure 1. Phases of e-voting.

BENEFITS
The proposal could maintain the major principle of e-voting; which is of being similar to regular voting system.
The system was compliant with the election legislation and principles and was at least as secure as regular voting.
Therefore e-voting must be uniform and confidential, so the national committee could successfully make the system identical and also maintain the highest level of security.
The national committee ensured single vote for a single person by revoting and considering the last given vote on their web site. They will again arrange traditional system of voting if any person wants to change his opinion and this vote will get higher preference than evote. The process of collecting votes was secure, reliable and accountable.

LIMITATIONS
The national committee didn’t completely get out of the traditional voting system. Hence the system couldn’t cut down the cost rather there was an upsurge in the cost as they are conducting both the evoting session and the traditional voting system. The process is time consuming as the national committee allows the voters to vote on their web page from 6th day to 4th day before the traditional poll. As a result the process takes at least 7 to 8 days to publish the result.