Towards Usable and Secure Internet Voting

Yvo Desmedt and Stelios Erotokritou

Department of Computer Science, UCL, Malet Place, London WC1E 6BT, UK

ABSTRACT

Usability and security are two very important facets of electronic voting systems. Security ensures that the required properties of any election are achieved. Such properties include prevention of ballot stuffing, incoercibility and security against impersonation, amongst others. Usability, on the other hand, helps to ensure the integrity of elections: systems which are usable and easy for voters to use allow them to cast their votes as intended. Most electronic voting systems developed by the cryptographic community were designed for booth-based elections. The ease of use of the Internet and the fact that people can vote from the comfort and privacy of their own home make Internet voting a possible alternative. However, clients’ machines today are vulnerable to different forms of malware and thus are easy to hack. Although SSL uses cryptography, modern browsers are exposed to attacks such as click-jacking and man-in-the-browser attacks. Consequently, if Internet voting is to be widely deployed, it must also be secure against such attacks. Even though secure Internet voting is in its infancy, many countries and organizations are considering adoption. In 2001, Chaum proposed “code voting”, a solution for Internet voting that is secure even when using computers that might be vulnerable to a man-in-the-browser attack. In this paper, we critically analyze code voting. Although a very important step towards secure Internet voting, we explain that it is vulnerable when insiders are untrustworthy. Taking the above into consideration, we propose two new Internet voting schemes. These have been designed to be both secure and usable, so that voters can use them easily and accurately. We present these schemes and their experimental evaluation with human participants. We comment on the high success rate participants achieved in the experiments. This high accuracy presents the schemes we propose as good candidate schemes for use in Internet voting.

Categories and Subject Descriptors

K.6.5 [Security and Protection]: Invasive software; H.1.2 [User/Machine Systems]: Human information processing

General Terms

Human Factors, Experimentation, Security, Algorithms

Keywords

Usable Cryptographic Protocols, Electronic Voting, Internet Voting Schemes

1. INTRODUCTION

The ability to cast a vote and voice an opinion on the outcome of an election is one of the political rights of every adult citizen in a democratic country. To ensure the power of this right, it is important that casting a vote can be done easily and accurately. Voting schemes thus must be usable. No matter how obvious this requirement may seem, in various elections throughout history this has not always been the case. Unintentional undervotes (accidentally not casting a vote in an election), overvotes (voting for more candidates than is allowed), or voting for the wrong candidates can substantially impact the outcome of elections. This was observed in the US 2000 presidential election upset in Florida [33, 48, 54]. Since then, major incentives were brought forward to update voting equipment and replace outdated voting methods with newer, more reliable systems. The Help America Vote Act [10] was one such project which provided funding for this purpose. Direct Recording Electronic (DRE) systems gained popularity under the influence of such programs. Commercially available DRE systems, some of which were used in elections, include the Diebold AccuVote TSx, Nedap ES LibertyVote and Avante VoteTrakker amongst others [20]. Such systems share features such as audio to aid in the voting process and the prevention of overvoting. Some even have a touch screen which voters can use when casting their votes. But despite these seemingly technological aids, an in-depth large scale empirical study to analyze the usability of such systems was not really carried out before their deployment. Such a study would have compared DRE systems to older voting methods (such as punch cards) for various metrics, one of which being voter error rates. Even though there have been several warnings against the deployment of booth-based technology to achieve Internet-based voting (see, e.g., [22, p. 17] and [35, p. 2]), some countries are rushing towards Internet voting [52]. It took the cryptographic community roughly 20 years to develop the state of the art for booth-based electronic voting. So, one should not be surprised that at least a decade of fundamental research will be required to achieve secure Internet voting. We briefly survey some of the most important developments. Experts agree (see e.g., [28]) that achieving secure Internet voting will be even more difficult than booth-based electronic voting. Indeed, the 2003 CRA Grand Research Challenges Workshop on Information Security [11] ranked secure Internet voting as one of the most challenging open problems in information security. Furthermore, the decision of the IACR to use cryptographic electronic voting has refocused the attention of the cryptographic community on Internet voting. However, several countries, e.g., Estonia [45], Finland [53] and Switzerland [51], have already moved toward Internet voting, and others such as Norway [30], the US for overseas citizens plus military and dependents [38] and the UK [44] are considering it or have done pilot tests. Moreover, after several people were unable to vote in the 2010 UK elections, there has been a call for Internet voting as a possible solution to prevent a repeat of such problems in future [5]. Since Internet voting is still in its initial development stages and several problems still remain to be resolved, the Netherlands [13, 29] decided not to pursue this move. We briefly survey some of the problems Internet voting faces. A major problem many systems face is that the voter’s machine might be hacked. For the sake of ease-of-use, voters like a nice interface, and so some of the systems that have been developed, such as Helios 2.0 [2], offer the voter a Web-based interface. Such systems might be vulnerable to man-in-the-browser attacks, as for example exploited against Helios 2.0 in [16].

Copyright is held by the authors.
Despite these problems having been addressed in Helios 3.0, an analysis of this newer version can show that its security still remains frail¹. Some of the proposals, such as for example the UK one [18, p. 46], are trivially flawed. Indeed, the UK system relies on a dedicated primitive operating system used solely to vote. The designers of the UK proposal were unaware that on modern computers the boot order can be reprogrammed by a hacker. Seeing that the voter’s machine might have been hacked, it seems that Internet voting is doomed to be insecure. However, in 2001 Chaum proposed a breakthrough solution called “code voting” [8]. In code voting, each voter receives a unique PIN per candidate by postal mail. By making the PINs unique, considered over all different voters and all different candidates, the PIN alone can be used to vote. To vote, the voter just enters the PIN received which corresponds to the candidate of his/her choice. The breakthrough of Chaum’s approach is that one can use a possibly hacked computer to perform a secure operation. Although this is brilliant, Chaum’s idea has not received the attention it deserves and so it is of no surprise that it was reinvented, e.g., in [32]. A deeper analysis of code voting unfortunately shows that Chaum assumes the postal mail to be secure from a reliability viewpoint. Moreover, a collaboration of the postal service with the returning officer breaks the anonymity of all votes. Indeed, such a collaboration will allow the returning officer to learn the identity of the voters to whom specific voting codes were delivered. The returning officer would then be able to know what each voter voted by identifying which of the voting codes delivered to voters were cast in the actual vote. Because of this, Internet code voting schemes such as the work of [32, 39], which use the postal mail system for the delivery of voting codes, are also vulnerable to such attacks. Another problem is that if one knows who is likely not to vote, Chaum’s scheme is not very secure against ballot stuffing by insiders. Anonymity of votes can also be compromised through a collaboration with the party that places PIN numbers into the ballots. One question we address in this paper is how we can make Chaum’s code voting secure against insiders. To be more precise, what happens if a majority of voters’ computers are compromised with malware that could allow hackers to vote in the place of true voters? In this respect, if we identify Alice as a potential election voter, one should respectively talk about Alice as a person, or in short Alice_pers, and about Alice’s computer, denoted as Alice_comp. These are two different parties! Obviously, Alice_pers cannot use advanced computational methods, but can be considered trustworthy regarding the actions concerning her own vote. Since we need to communicate with a computer-limited Alice_pers, we cannot use techniques from conditionally secure cryptography, such as AES or RSA. This is because such techniques require computation that Alice_pers cannot carry out. Additionally, since Alice_comp might be compromised, PINs in code voting cannot be sent to Alice_comp.

Moreover, since the postal service might not be trusted, it seems that concepts from the extensive research (e.g., [15, 41, 43]) on perfectly secure message transmission (PSMT) and its variants (e.g. [4, 23, 42]) could be used. In the context of Internet voting, Alice_pers can receive her PINs in a secret shared format, with each share received in a different manner. This implies that voters will have to use a number of computing devices to securely receive their voting codes. This is not as impractical as one might initially consider it to be. Nowadays, many people have effortless access to more than one computing device, such as PCs, laptops, smartphones (such as the secure and versatile iPhone) and tablets (such as the iPad). Furthermore, each of these devices could be connected to a communication network in a different manner (Internet or cellular network) which could be serviced by different service providers. Thus, if the number of such required devices is small, the protocols we present are practically feasible. The problem however is that Alice_pers does not have the computing power required by the state of the art protocols! To overcome this problem, we will need to use concepts from secure human computation. Evidently such computation should be easy enough for human voters to carry out and, most importantly, the instructions voters will have to follow should be simple and clearly explained so that the overall Internet voting scheme is usable. We thus use techniques typically used in unconditional cryptography which are better suited for human computation. This confers the additional security benefits of unconditional security on our proposed protocols. In this paper, we present two Internet voting schemes.

¹ In Helios 3.0 the security model assumes that the voter is not viewing a hacked version of the website. This could possibly be achieved through DNS poisoning, although this has yet to be shown in practice.

The first is based on code voting and requires some effort from the voter to cast their vote correctly. The second scheme is based on a code voting variant which the authors presume to be more user friendly, something that was verified by the results of the participant experiments carried out.

2. RELATED WORK, ASSUMPTIONS AND REQUIREMENTS OF INTERNET VOTING SCHEMES

In this section, we briefly discuss relevant related work, outline the requirements of Internet voting schemes and identify the assumptions made in the description of the voting schemes presented in the text.

2.1 Related Work

In the past, usability tests of voting systems were mainly carried out upon ballots cast in real elections [3, 21]. This method of analysis is not truly effective when trying to measure the number of overvotes and undervotes, because no one can ever really know whether a false vote was cast accidentally or on purpose. In the past five years or so, the usability of electronic voting systems has started to be investigated and scrutinized. In [6] the authors analyzed a DRE system that the State of Maryland purchased. Their analysis showed that although these systems work well, several problems still exist, because a significant minority of voters from particular demographic groups, including the elderly, poor and uneducated, had concerns about them. In [17] a comparison of usability data from DRE systems with those from more traditional voting technologies (paper ballots, punch cards, and lever machines) was made. Results indicated that there were few differences between the DRE systems and older methods of voting when comparing efficiency or effectiveness. However, in terms of user satisfaction, the DRE system was found to be significantly better than the older methods. Other similar studies include those of [1, 12, 55]. In [7] the authors report on the first time any end-to-end (E2E) voting system with ballot privacy was used in a binding governmental election. This was held on November 3, 2009, where voters in Takoma Park, Maryland, cast ballots for the mayor and city council members using the Scantegrity II voting system. The authors reported that: “Despite some glitches, the use of Scantegrity II was a success, demonstrating that E2E cryptographic voting systems can be effectively used and accepted by the general public.” Although DRE systems hold promise for accurate elections, computer experts have expressed concerns over susceptibilities to fraud and errors which exist in some of them [14].

In [40] a study of the Diebold AccuVote-TS source code was carried out. The authors reported that many security flaws were present which could be exploited in different ways. One bug could allow voters to cast multiple votes which could not be detected later. Another flaw could have allowed voters to gain administrative access to the systems. These flaws were extremely serious and could have allowed someone exploiting them to affect an election outcome. Other flaws were found in the same system and are reported in [19].

2.2 Secure Human Communication and Computation

Secure human communication/computation is an interesting challenge in various areas of research, including contexts different from ours, when conventional cryptographic solutions are not adequate. This may be the case due to an unavailability of computational power, because users (humans) may have resource constrained devices, or because computational devices may be corrupted and thus not trusted. As humans are involved, it is important that any solutions are usable by people. This means that they should be easy for people to understand, so that they use a solution correctly and obtain an accurate outcome. Furthermore, any computation that people may be required to execute should not only be limited, but should also be easy for people to carry out. This requirement limits the “difficulty” of such solutions to trivial maths, such as addition over e.g. Z_10. Previous work has considered secure human computation in various cryptographic contexts. In [46] it was considered in an electronic voting scenario to securely and correctly provide voters with a receipt confirming the correctness of votes cast. [27] used it to provide secure authentication and identification of humans when no trusted hardware or software was available. Other similar work includes [26, 34, 47]. In our paper we use the concept of secret sharing schemes which can be decoded by humans (see Section 3.2).

2.3 Requirements of Internet Voting Schemes

We now outline the requirements which the Internet voting schemes we present aim to achieve. Our main focus is on the passive adversary, which allows for a more practical solution. We assume that a passive adversary is only able to view data transmitted across any data transmission stream (whatever this may be; please see the next section) the adversary can observe. When the adversary is passive, the voting schemes should be receipt free (incoercibility), meaning that a voter cannot convince any observer of how they voted, which prevents vote-buying and coercion in particular. through some form of acknowledgement and/or auditing. Internet voting should also protect the anonymity of a voter’s vote, meaning that no one should be able to learn how a voter voted. The schemes we present achieve the correctness and completeness of an Internet voting election against a passive adversary. Additionally, the protocols we present are efficient (polynomial communication and computational complexities) and are simple and easy enough to be executed correctly by humans.

2.4 A Simple Private Voting Toy Protocol

Before presenting our protocols, we first describe an alternative preliminary Internet voting toy protocol. We do this so we can identify assumptions which will be made for a secure voting scheme construction. It must be noted that these assumptions will be made as their research areas are beyond the scope of this paper. This protocol has the added advantage that voting codes (as opposed to Chaum’s code voting scheme [8]) are not required. Because of this, there is no need for a single sender, which in a voting system is the authority responsible for the election, to send any information to each voter. Instead, the sole purpose of this authority is to correctly identify and count the votes cast by each voter who votes. This example “Toy Protocol” is based on the concept of write-in voting, in which a voter casting his/her vote only writes the name of their chosen candidate. This scheme is not used by all countries worldwide, but is used in some parts of the U.S.A. and, in a slightly different way than explained here, in Japan. The general idea of the protocol is that a voter will identify the candidate of his/her choice, secret share the name in an appropriate manner and transmit the shares over a private and anonymous network which connects the voter to the authority responsible for the election. We assume a t-bounded passive adversary which can corrupt, using some form of passive malware, up to t of the terminals a voter has access to.

Protocol 1. “Toy Protocol” for the passive adversary only case.

1. Let vote_cand be the name of the voter’s preferred candidate.

2. The voter randomly secret shares vote_cand using a (t + 1)-out-of-(t + 1) secret sharing scheme to obtain the set of shares {s_1, . . . , s_{t+1}}. The secret sharing that will be used will be similar to that described in Section 3.2, but using mod 26 instead of mod 10.

3. The voter sends share s_i to the authority responsible for the election over the private and anonymous network which connects them. Share s_i will be transmitted from terminal t_i, to which the voter has access, and over a disjoint network path.

Based on the above, it is easy to see that the required Internet voting properties are met. Privacy of the vote cast is achieved as the adversary can learn at most t shares and thus does not learn the cast vote. Reliability of the vote is achieved as the passive adversary cannot alter any of the shares. Anonymity of the vote is achieved as an anonymous network is used for the transmission of a cast vote. However, to use such protocols, the following issues need to be resolved:

1. Simple and computationally efficient ways to securely transmit messages with a human participant are required.

2. How can one implement a private and asymmetric anonymous network?

Although easy to understand, a disadvantage of the above scheme is that the voter needs to work mod 26, and this for each character in the candidate’s name. Obviously, for humans such computation is not trivial and this is why this scheme is preliminary and a toy protocol. This motivates schemes based on code voting which require mod 10 computations (see Section 3) or avoid modulo computations altogether (see Section 4).

2.5 Required Subroutines or Required Components

As anonymity of votes is imperative, in the context of the protocols to be presented we define the following:

Definition 1. We define as an asymmetric anonymous network a network of nodes that ensures that when multiple senders transmit different messages to a single receiver, the identity of the sender of a message remains anonymous to the receiver. Similarly, when a single sender sends different messages to multiple receivers over an asymmetric anonymous network, the identity of the recipient of a message remains anonymous to the sender.

Examples of such anonymous networks are MIX networks as described in [9, 25, 37, 31]. Such networks will connect the Code Generation Entity (CGE), described further in Section 3, to the voters. In between the two communicating parties the MIX will carry out different permutations (shuffles) of the transmitted data so as to achieve an anonymous interconnection. Furthermore, if the CGE transmits as many data items as there are voters, the MIX network will ensure that each voter receives one item. What is also important with such networks is that if a voter sends something back to the CGE, the data sent will take the reverse of the path taken from the CGE to the voter. The way such networks operate is shown in the following figure.

Figure 1: How MIX networks operate.

For both protocols we present, a t-bounded computationally unlimited passive adversary is considered. Such an adversary is assumed to be able to corrupt at most t entities in the protocols to be presented. We assume that the adversary’s presence is not limited to a specific section of the voting scheme, for example the network alone. On the contrary, the adversary can corrupt any nodes of the underlying network connecting communicating parties, as well as any terminals (computers) voters may have access to. As the adversary is assumed to be capable of compromising the network, it is assumed that disjoint network paths connecting parties across the network exist. Such paths share no common network nodes, which gives the sense of disjoint wires connecting the communicating parties. As the adversary is t-bounded, it can observe data transmitted on at most t disjoint paths. Because of the above very complete (and realistic) assumptions regarding the adversary’s presence, the requirement of the following statement is necessary and a lower amount of resources cannot be used.

Statement 1. To ensure privacy against a t-bounded passive adversary, voters need to use at least t + 1 different terminals. This follows trivially from [24].

Two approaches voters can use when voting are respectively presented in Sections 3 and 4. For each of these voting approaches we have developed a MIX network and described how to use it in Pre-Voting mode and in Counting mode. Obviously this type of work uses techniques from cryptography which are beyond the scope of this paper, in which we report on the usability of the actual voting techniques we have developed. Note that since voting may take place asynchronously, the actual “encrypted” vote (as a code, or as a bullet, explained respectively in Sections 3 and 4) will be sent to the first MIX server, who will keep them.² When the voting stage is over, the counting stage starts. In the counting stage the MIX servers “undo” the modifications they made in the pre-voting stage (see Figure 1).

3.

initial random codes for each of the candidates for each voter without knowing the final codes each voter will receive. These codes will be sent to voters (in a secure and anonymous manner) who will identify the code of the candidate they wish to vote for and use it to cast their votes. We will explain that this will allow the Internet voting system to be secure against t untrusted insiders while at the same time being easy enough for humans to use.

3.2

MOD 10 INTERNET VOTING

We call our first approach “Mod 10 Voting”. This protocol is similar in idea to Chaum’s proposed “code voting” protocols [8]. In code voting, voters can vote for candidates of their choice over the Internet using specific codes they receive through the post. The innovative distinction of the protocol we present is that it does not use the postal service for the transmission of code votes. This because, assuming the postal service to be a trusted service might not be a valid assumption to make. It is easy for anyone to violate the secrecy of a vote by observing someone’s post and through collaboration with the voting authority identify codes that were used and thus what a person voted. Instead, for the scheme we present we assume that transmission of code votes to voters occurs over a private and anonymous network. Codes are additionally sent to voters in a secret shared manner - with each share received by voters from a different terminal (computing device).3 The secret sharing is carried out in a manner which allows for the easy reconstruction of codes by a human without the need of a computational device. Both of these operations (secret sharing and human reconstruction) are carried out due to the possible presence of malware on a voter’s computer. If voting codes were received or reconstructed upon a single (infected with malware) computer key properties of elections could be violated4 . We now outline how a secure Internet code voting scheme secure against t passive adversaries can be constructed. We first give the main idea of the scheme and give more details later.

3.1

Friendly to humans Secret Sharing

In this section we describe the secret sharing scheme that will be used in the Mod 10 Internet Voting protocol. An n-out-of-n secret sharing scheme allows for a secret message M to be distributed as a selection of n shares {s1 , . . . , sn } so that the following properties are achieved:

• The collection of n shares is able to reconstruct the secret message M .

• Any subset of (n − 1) or less shares reveals no information about M .

Various secret sharing schemes exist in the literature such as those presented in [36, 49]. The secret sharing scheme that will be used in Section 3 will be Mod 10 secret sharing which we now describe. In such a scheme when a number (code) is shared to a number of shares (which are also a number of equal length), the sum of all respective numbers from the shares mod 10 will be equal to the respective number of the original code that was shared. We explain this secret sharing scheme through an example. Supposing that the code “2597” has to be shared into five shares, initially four shares are randomly created - each with the same length of digits as the secret to be shared. As an example we assume the four random shares are s1 = 7291, s2 = 1658, s3 = 9202 and s4 = 7484. The fifth share is then constructed by first identifying its units, so that when summing the units over all shares mod 10, this will equal the units of the code to share. In a similar manner, the number of tens/hundreds/thousands of the fifth share are identified so that when summing the tens/hundreds/thousands over all shares mod 10, this will equal the tens/hundreds/thousands of the code to share respectively. With the example random shares given, it is easy to see that s5 = 8172. It is easy to see that the described secret sharing scheme is perfectly secure. This because without knowledge of all shares one cannot reconstruct a shared secret. Additionally, knowledge of a lower number of shares (than what are required to reconstruct a secret) does not reveal any information of the shared secret. This because of the randomness used to create shares which allows for all possible codes to be possible when a lower number of shares are known. This is equivalent to information theoretic secrecy as defined in [50]. Reconstruction of a secret from the shares that were created can be carried out as detailed in the following two figures.

General Idea

The electoral body responsible for the election (central government, justice department, local government etc., depending on the election and country) will create unique 2 Since the first MIX server knows the IP address from the voter, the first MIX server can put these votes in proper order, which is essential for our permutation based scheme to work. 3 It should be pointed out that we do not consider the use of any dedicated secure hardware as this may be an expensive solution. The reader is also reminded of the note made earlier in Section 1 that most voters nowadays have easy access to more than one computing device. 4 An example of such a violation is malware casting votes without the consent of the actual voter - if active malware were considered. This would be possible due to the receiving of codes from a single computer. To prevent this secret sharing is used and as no computational device is trusted, codes should be reconstructible by humans.

5

the voting scheme responsible for creating the codes with which voters will cast their votes. We assume the election has c number of candidates and that there are v number of voters. The CGE will create v random initial codes for each of the c candidates. These codes will be grouped together to form v number of c − tuples, with each tuple containing a single code for each candidate and each code used only once for the whole election. Each of these codes will be transmitted to voters in a secret shared manner over a private and anonymous network. When considering a passive adversary the CGE can be composed of a single party and is regarded as a single sender. This because a passive adversary will act correctly in the generation and transmission of the codes. We now present our protocol which describes how the CGE can transmit initial voting codes to voters in a private, reliable and anonymous manner - using assumptions identified earlier. Our work considers single-seat elections.

We explain how to reconstruct a secret through an example. Supposing the five 4-digit shares are the following:

• • • • •

7291 1658 9202 7484 8172

To reconstruct the secret you have to: • Add all digits corresponding to units for the five numbers. In the example, these are all green highlighted digits. Please note down the digit which corresponds to the number of units of the sum.

1 + 8 + 2 + 4 + 2 = 17 Æ Here we note down 7 • Add all digits corresponding to tens for the five numbers. In the example, these are all blue highlighted digits. Please note down the digit which corresponds to the number of units of the sum.

9 + 5 + 0 + 8 + 7 = 29 Æ Here we note down 9 • Add all digits corresponding to hundreds for the five numbers. In the example, these are all orange highlighted digits. Please note down the digit which corresponds to the number of units of the sum.

2 + 6 + 2 + 4 + 1 = 15 Æ Here we note down 5 • Add all digits corresponding to thousands for the five numbers. In the example, these are all pink highlighted digits. Please note down the digit which corresponds to the number of units of the sum.

7 + 1 + 9 + 7 + 8 = 32 Æ Here we note down 2 We then reconstruct the secret by putting the numbers we noted down in their correct order (first digit written down as the units of the four digit code, second digit written down as the number of tens of the four digit code, third digit written down as the number of hundreds of the four digit code and the fourth digit written down as the number of thousands of the four digit code). For the example, we would reconstruct the secret to be equal to 2597.

Protocol 2. Mod 10 Code Voting against a Passive Adversary. A code-voting based approach works as follows. In the pre-voting stage the CGE sends to each voter v_i, for each candidate c_j, a code c_{i,j} that is unique over all i and j. These c_{i,j} values are secret shared using a (t+1)-out-of-(t+1) secret sharing scheme (as described in Section 3.2), and each share is sent once on a different communication path connecting the CGE to the voter (as stated earlier, the adversary cannot eavesdrop on the whole network but only on at most t disjoint paths). In the voting stage, the voter recovers each c_{i,j} by reconstructing it (following the instructions of Figure 2) from the t+1 shares received via t+1 disjoint paths, i.e. using t+1 different computers and accounts. If voter v_i's favourite candidate is c_{j'}, the voter sends back to the CGE, without using secret sharing and using a single machine, the code c_{i,j'} which corresponds to the candidate of their choice. The reader is reminded that the transmission of this code is done over a private anonymous network, as described in Section 2.4, so as to achieve anonymity of the votes cast. In the counting stage, the CGE receives the codes, identifies the candidate each code corresponds to and counts the vote for that candidate.

Figure 2: Detailed instructions on how to reconstruct a mod 10 secret shared secret. In the figure below, a diagrammatic interpretation of the above instructions is given.

[Figure 3 (diagram): the five shares 7291, 1658, 9202, 7484 and 8172 are written one above the other and added column by column: units 1 + 8 + 2 + 4 + 2 = 17, tens 9 + 5 + 0 + 8 + 7 = 29, hundreds 2 + 6 + 2 + 4 + 1 = 15, thousands 7 + 1 + 9 + 7 + 8 = 32. Keeping the last digit of each column sum gives "Your Secret is: 2 5 9 7", i.e. 2597, which the voter re-writes in the space provided.]

Theorem 1. The combined protocol for a passive adversary with a human voter achieves anonymous, perfectly private and perfectly reliable transmission of voting codes.


Proof. The anonymity, privacy and reliability properties of the combined protocol follow directly from the security properties of the protocols it uses. Anonymity is obtained by transmitting voting codes to voters over a private and anonymous network, one of the assumptions made. Privacy is achieved through the (t+1)-out-of-(t+1) secret sharing of voting codes: any t shares are uniformly distributed and independent of the code, which prevents the t-bounded adversary from learning any of the voting codes sent by the CGE to the voters. Perfect reliability of voting codes is achieved because we consider a passive adversary, so every share arrives unmodified and the codes can be reconstructed from the shares received by a voter. In Section 5 we assess how human participants use this voting protocol through the results of the experimental evaluation that was carried out.
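Protocol 2 and the privacy argument of Theorem 1 in code. This is an added example and not code from the paper: it implements the digit-wise mod 10 sharing of 4-digit codes, the reconstruction rule of Figure 2, the CGE's pre-voting table and counting stage, and a constructive check of the privacy claim (any t shares are consistent with every possible code, because exactly one value of the missing share completes them to any chosen code). The class and function names, the candidate labels, the drawing of codes without replacement and the rejection of reused codes are this example's assumptions; the sample shares 7291, 1658, 9202, 7484 and 8172 are the paper's own.

```python
# Added example, not code from the paper: Protocol 2 (mod 10 code voting
# against a passive adversary) and the reconstruction rule of Figure 2.
# Names, candidate labels, drawing codes without replacement and rejecting
# reused codes are this example's assumptions.
import secrets

DIGITS = 4   # voting codes are 4-digit numbers, as in the paper
MOD = 10


def digit(n, k):
    """k-th decimal digit of n (k = 0 is the units digit)."""
    return (n // MOD ** k) % MOD


def reconstruct(shares):
    """The voter's procedure of Figure 2: for each column (units, tens,
    hundreds, thousands) add the digits of all shares and keep only the
    units digit of that column sum."""
    code = 0
    for k in range(DIGITS):
        column_sum = sum(digit(s, k) for s in shares)
        code += (column_sum % MOD) * MOD ** k
    return code


def missing_share_for(known, secret):
    """The one value of a missing share that makes `known` + [missing]
    reconstruct to `secret`: per column, (secret digit - column sum) mod 10."""
    missing = 0
    for k in range(DIGITS):
        column_sum = sum(digit(s, k) for s in known)
        missing += ((digit(secret, k) - column_sum) % MOD) * MOD ** k
    return missing


def share_code(code, n_shares, rng=None):
    """(t+1)-out-of-(t+1) sharing with n_shares = t+1: the first t shares are
    uniformly random 4-digit numbers and the last is the unique value that
    completes them to `code`. Any t shares are therefore uniformly random and
    independent of `code`, which is the privacy claim of Theorem 1."""
    assert 0 <= code < MOD ** DIGITS and n_shares >= 1
    rng = rng or secrets.SystemRandom()
    shares = [rng.randrange(MOD ** DIGITS) for _ in range(n_shares - 1)]
    shares.append(missing_share_for(shares, code))
    return shares


class CodeGenerationEntity:
    """Pre-voting: one code per (voter, candidate), unique over the election,
    each shared into t+1 shares for t+1 disjoint paths. Counting: a code
    received (over the anonymous network) is counted once for its candidate."""

    def __init__(self, candidates, n_voters, t, rng=None):
        self.rng = rng or secrets.SystemRandom()
        self.candidates = list(candidates)
        self.t = t
        pool = self.rng.sample(range(MOD ** DIGITS), n_voters * len(self.candidates))
        it = iter(pool)
        self.tuples = [{c: next(it) for c in self.candidates} for _ in range(n_voters)]
        self.owner = {code: (i, c) for i, tup in enumerate(self.tuples) for c, code in tup.items()}
        self.used = set()
        self.tally = {c: 0 for c in self.candidates}

    def shares_for(self, voter):
        """Per candidate, the t+1 shares sent to `voter`, one per disjoint path."""
        return {c: share_code(code, self.t + 1, self.rng) for c, code in self.tuples[voter].items()}

    def cast(self, code):
        """Counting stage: reject unknown or already-counted codes."""
        if code not in self.owner or code in self.used:
            return False
        self.used.add(code)
        self.tally[self.owner[code][1]] += 1
        return True


if __name__ == "__main__":
    print(reconstruct([7291, 1658, 9202, 7484, 8172]))   # the paper's example: 2597
    cge = CodeGenerationEntity(["A", "B", "C"], n_voters=2, t=4)
    shares = cge.shares_for(0)["B"]                        # five shares, one per path
    print(shares, reconstruct(shares) == cge.tuples[0]["B"])
    # an eavesdropper on four of the five paths cannot rule out any code
    print(reconstruct(shares[:4] + [missing_share_for(shares[:4], 1234)]))  # 1234
```

The rejection of a reused code in `cast` is the example's own addition: the paper states each code is used once in the whole election, and without that check a passive observer of the casting terminal could replay the code it saw.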


Figure 3: Detailed instructions on how to reconstruct a mod 10 secret shared secret, in figure format.

In this section we detail the generation and the secure and anonymous transmission of voting codes to voters, and how the voters themselves can securely cast their votes, considering a passive adversary as defined in Section 2.3. We call the entity responsible for generating these codes the Code Generation Entity (CGE); its role is described above.

4. PERMUTATION INTERNET VOTING

Each voter starts off with the same initial screen or handout of instructions, similar to that shown in Figure 5. Such a handout could be made readily available to the general public; for example, it could be printed in national newspapers.

The “Mod 10 Voting” protocol required the human voter to carry out some computation. Despite its simplicity, some users may find these operations confusing and difficult to execute correctly when voting. The second protocol we present is called “Permutation Voting”. It is similar in structure to “Mod 10 Voting” in that data needs to be sent to voters over a private and anonymous network and voters need to receive this data using more than one terminal. The “Permutation Voting” protocol, though, is more user friendly, as no explicit mathematical operations need to be carried out by voters. Instead, all voters have to do is follow a path traced by joined lines over some figures, as detailed in the text below.

[Figure 5 residue: the handout shows a column of "Secret Bullets" numbered 0 to 9 and two warnings, "Do not accept a value without Sheet 1 covering this area" and "Do not accept a value without Sheet 2 covering this area".]

4.1 Permutation Voting Scheme

We now present the more user friendly Internet voting scheme for an election with c candidates c_1, c_2, ..., c_c, considering a t-threshold bounded passive adversary. In the background the scheme uses permutations, but users just have to execute the simple task of tracing a line amongst other lines in a diagram. We first explain how the voter votes. We assume the ith voter in the pre-voting step received π_{i,j} ∈_R S_c in a similar way to the “Mod 10 Voting” protocol. However, this time π_{i,j} is a permutation, so instead of receiving shares of c codes, the voter receives shares of one permutation. As before, each share is received on a different computer.

Voter Voting. Denote the set of candidates by C. When the voter selects candidate cand ∈ C, the ith voter will “compute”:

    rad_{i,b} := π_{i,l}( ... π_{i,2}(π_{i,1}(cand)) ... ),    (1)

where l ≥ t+1. rad_{i,b} is then sent in a private and anonymous manner to the CGE. We note that the “computation” in Eq. 1 can easily be achieved by the voter, as we now briefly explain. The printing of the permutations could be carried out using software which transforms a permutation represented in mathematical format into a diagrammatic figure, in a manner similar to that shown in Figure 4.

Figure 5: Initial view of voters.

Voters receive the first permutation share on one of the two terminals they have access to; running the software there, they see the permutation in figure form. This is printed out and placed in the position indicated by the handout, as shown in Figure 6.

[Figure 4 input: the permutation in two-line notation, 1 2 3 4 5 6 on the top row and 3 1 4 6 5 2 on the bottom row, i.e. 1→3, 2→1, 3→4, 4→6, 5→5, 6→2.]

[Figure 6 (diagram): Sheet 1 placed against the candidate list, Candidate A to Candidate E on the left and positions 1 to 5 on the right, with the alignment labels "Put this edge against 'Candidate list edge'", "Put this edge against Arrow Sheet 2" and "Do not vote without Sheet 2 covering this area".]

Figure 6: Voters print the first permutation and place it in the appropriate position. In a similar manner, voters will receive the second permutation from a different terminal, and place it in the position indicated by the handout as shown in Figure 7.

Figure 4: Software transformation of permutations to diagrammatic format (labels in the figure: List of Candidates, Software, Processing).

4.2 Permutation Voting Example

[Sheet residue: the sheets carry the labels "Trace the Line", "Start here" and decoy lines marked Dummy 1 to Dummy 9.]

We now explain the permutation Internet voting scheme through the use of diagrams. We assume the value of t = 1 which means the voter gets two shares.

[Figure 7 (diagram): Sheet 1 and Sheet 2 side by side against the candidate list (Candidate A to Candidate E); the right-hand edge is numbered 1 to 5 and the sheets carry the alignment labels "Put this edge against 'Candidate list edge'", "Put this edge against Arrow Sheet 2", "Put against Sheet 1" and "Put against 'Voting Bullets'".]

Figure 7: Voters print the second permutation and place in the appropriate position.


Voters then identify the candidate of their choice by tracing the line across the two permutation sheets and identifying the radio button they need to select in the Internet voting system. This is shown in Figure 8.

[Figure 8 (diagram): the two sheets in place; the line from Candidate D is followed across Sheet 1 and Sheet 2 to the numbered radio buttons 1 to 5.]

Figure 8: Voters trace the line to the radio button corresponding to the candidate of their choice, in this case Candidate D, to cast their vote; in the example, the second radio button is clicked.

Once voters have identified the radio button which corresponds to the candidate of their choice, they cast their vote on an online system (see Section 4.3). The vote is sent through a MIX network to ensure anonymity of the votes cast. This is the whole of the voter-facing procedure; as the description shows, the scheme seems very easy for a human voter to use without errors. In Section 5 we assess how human participants used this voting protocol through the results of the experimental evaluation that was carried out.

4.3 Internet Permutation Vote Casting

[Figure 9 residue: bar values as extracted, 9, 15, 12, 21, 8, 6, 4, 5, 13 and 7, for participants without and with a university degree across the age groups 17-24 to 55-65; they sum to the 100 participants.]

The earlier subsections described how voters use the overall permutation they receive to identify the radio button index which corresponds to the candidate of their choice. What remains is how voters cast their votes. When the CGE creates permutations in the pre-voting stage, it creates a number code for each one. When the CGE transmits a share of a permutation over the private and anonymous network, the associated unique code is transmitted with it. In the voting stage, voters use an online form to enter the code corresponding to the permutation they received and then select the radio button corresponding to the candidate of their choice. In the counting stage, the CGE receives a code and the index of the selected radio button. The code identifies the permutation the CGE constructed, so the candidate for whom the vote was cast can be identified by inverting that permutation on the index, and the vote counted. It is easy to see that for passive malware the final version of the permutation Internet voting scheme achieves the required properties of an election. As voters receive the permutation shares from at least t+1 terminals and the adversary is t-bounded, even if voters cast their vote on an infected terminal the adversary cannot identify the candidate for whom the vote was cast: it does not know the complete permutation, and without the missing share the radio button index is consistent with every candidate.
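Sections 4.1 to 4.3 in code, as an added example that is not code from the paper: it composes the permutation shares as in Eq. (1), inverts the composition on the CGE side to turn (code, radio button index) into a candidate, and checks the claim of the previous paragraph constructively, namely that an adversary holding all but one of the shares plus the radio index cannot rule out any candidate. Permutations are stored as Python lists; the 6-digit size of the code that accompanies the shares, the candidate names, the class and function names and the rejection of reused codes are assumptions of the example. Figure 4's permutation (1 2 3 4 5 6 → 3 1 4 6 5 2) is used in the stand-alone run.

```python
# Added example, not code from the paper: the permutation voting scheme of
# Section 4. A permutation on c positions is a list p with p[k] the position
# that k is sent to. Candidate names, 6-digit codes accompanying the shares,
# the class/function names and the rejection of reused codes are assumptions.
import secrets


def random_permutation(c, rng):
    """Uniformly random element of S_c: one share of the voter's permutation."""
    p = list(range(c))
    rng.shuffle(p)
    return p


def trace(shares, start):
    """Voter side, Eq. (1): follow the line from candidate position `start`
    across the sheets in order (Sheet 1 first); the result is the radio
    button index rad = pi_l(... pi_2(pi_1(start)) ...)."""
    pos = start
    for p in shares:
        pos = p[pos]
    return pos


def untrace(shares, radio_index):
    """CGE side: apply the inverse permutations in reverse order to recover
    the candidate position from the radio button index."""
    pos = radio_index
    for p in reversed(shares):
        pos = p.index(pos)          # inverse of p evaluated at pos
    return pos


def positions_consistent_with(known, missing_at, radio_index, c):
    """What a t-bounded passive adversary learns. It holds every share except
    the one at index `missing_at` and sees the radio index on the casting
    terminal. For every candidate position x this builds a concrete missing
    share that sends x to radio_index, so the returned set is all of range(c):
    the observation is consistent with every candidate."""
    consistent = set()
    for x in range(c):
        a = trace(known[:missing_at], x)              # where x enters the missing sheet
        b = untrace(known[missing_at:], radio_index)  # where it must leave it
        q = list(range(c))
        q[a], q[b] = b, a                             # a permutation with q[a] == b
        if trace(known[:missing_at] + [q] + known[missing_at:], x) == radio_index:
            consistent.add(x)
    return consistent


class PermutationVotingCGE:
    """Pre-voting: per voter, t+1 random permutation shares and one unique code
    identifying the permutation; each (code, share) pair goes out on its own
    disjoint path. Counting: (code, radio index) is inverted to a candidate."""

    def __init__(self, candidates, n_voters, t, rng=None):
        self.rng = rng or secrets.SystemRandom()
        self.candidates = list(candidates)
        c = len(self.candidates)
        self.code_of_voter = self.rng.sample(range(10 ** 6), n_voters)
        self.shares_by_code = {code: [random_permutation(c, self.rng) for _ in range(t + 1)]
                               for code in self.code_of_voter}
        self.used = set()
        self.tally = {name: 0 for name in self.candidates}

    def pre_voting_messages(self, voter):
        """The t+1 messages for one voter, one per disjoint path."""
        code = self.code_of_voter[voter]
        return [(code, share) for share in self.shares_by_code[code]]

    def cast(self, code, radio_index):
        """Counting stage: reject unknown or reused codes and out-of-range indices."""
        shares = self.shares_by_code.get(code)
        if shares is None or code in self.used or not 0 <= radio_index < len(self.candidates):
            return False
        self.used.add(code)
        self.tally[self.candidates[untrace(shares, radio_index)]] += 1
        return True


if __name__ == "__main__":
    fig4 = [2, 0, 3, 5, 4, 1]   # Figure 4's permutation, 0-based: 1->3, 2->1, 3->4, 4->6, 5->5, 6->2
    print(trace([fig4], 3), untrace([fig4], 5))   # 5 3
    cge = PermutationVotingCGE(["A", "B", "C", "D", "E"], n_voters=3, t=1)
    msgs = cge.pre_voting_messages(0)
    code, shares = msgs[0][0], [s for _, s in msgs]
    idx = trace(shares, 3)      # the voter chooses Candidate D and traces the line
    print(cge.cast(code, idx), cge.tally)
    print(positions_consistent_with(shares[:1], 1, idx, 5))   # {0, 1, 2, 3, 4}
```

Note that the code is sent alongside every share, so a passive adversary on one path does learn the code; the example reflects the paper's design in which the code only identifies the permutation and carries no information about the candidate chosen.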

5. EXPERIMENTAL EVALUATION

5.1 Demographics of Participants

One hundred different people participated in the experimental evaluation of the proposed voting protocols. We tried to target adults across various age groups and of different educational backgrounds. Participants were classified by age group and by whether they held a university degree. More specifically, people with a university degree were those who either were currently attending university (3rd year or beyond) or had completed a university degree (in various subjects, not confined to scientific ones). People without a university degree included people who left school at the age of fifteen, people who did not proceed with further education beyond high school, and people who attended a college (at most two years of further education) (footnote 5). The combined demographics (age group and level of education) of the participants can be seen in Figure 9 below.


In order to assess the usability of the proposed voting protocols by human voters we carried out experiments with participants.

Figure 9: Demographics of participants (bar chart by age group, 17-24, 25-34, 35-44, 45-54 and 55-65, and by university degree).

5.2 Experimental Procedure

Before we describe the experimental procedure we first must thank the participants who took part in the experiments and gave us their consent to use the results of their participation for this research paper. The participants cannot be named (not only because there were many of them) as their results were anonymized to maintain participant privacy. This was done to conform to UCL ethics rules on aptitude tests, which state that: "The following types of human participant research DO NOT require ethics approval . . . : Research involving the use of educational tests (cognitive, diagnostic, aptitude, achievement), survey procedures, interview procedures or observation of public behaviour UNLESS information obtained is recorded in such a manner that human participants can be identified . . ."

Footnote 5: It should be noted that none of our participants who attended a college followed a science-based education.


For this reason, experimental results were not marked in any way which could identify the person who produced them. Furthermore, the results were placed in an envelope which contained all result sheets (complete or not) and these were mixed to prevent identification. Once all the experiments were finished, the results were taken out of the envelope to be analyzed. The experiments were paper based. Participants were given the same experimental sheets as those found in Appendix A for the mod 10 voting experiments and in Appendix B for the permutation voting experiments. The permutation vote experiments were carried out first; when participants had finished them, they progressed to the mod 10 voting experiments. For the permutation vote experiments, the two sets of sheets corresponding to Sheet 1, Sheet 2 and Sheet 3 were handed to participants by the person conducting the experiment in a randomly shuffled order. The sheets for the first method were provided first and, once participants had completed the required tasks, the sheets for the second method were given to them. Participants were not given any instructions beyond those found on the experiment sheets in the appendices. The only interaction participants had with the person conducting the experiment was the exchange of sheets for the two versions of the permutation vote experiments. Furthermore, before they began, participants only knew that the experiment was to test "the way people use two voting protocols". Further details about the experiments and the scope of the research were given to them once they had completed all the required tasks.

5.3 Experimental Results

The following figures present the experimental results of the mod 10 and permutation voting schemes.

[Figure 11 (bar chart): 99 participants identified all four radio buttons correctly; 1 participant identified at least one radio button wrong.]
Figure 11: Experimental results of the permutation voting scheme.

Based on the above results, the mod 10 voting system has a 95% success rate and the permutation voting system a 99% success rate. We believe it is important to realize that even though there were 100 participants, the number of experiment instances was far greater. For the mod 10 voting scheme, each participant was asked to create the code of two different candidates, so there were 200 test instances, although not independent ones. Similarly, for the permutation based scheme, each participant was asked to identify the radio button corresponding to a candidate in four different cases, so overall there were 400 test instances for the two versions of this scheme, again not independent. This should be taken into account because there is a distinction between the different types of errors made. Some participants, especially in the mod 10 voting scheme, made only one error when asked to find two codes. Counting per instance, the success rate of the mod 10 voting system is close to 96.5% (193 of 200 instances) and that of the permutation voting system close to 99.75% (399 of 400 instances).

5.4 Experimental Results Discussion

[Figure 10 (bar chart): 95 participants created both codes correctly; 3 created one code correctly; 2 created both codes wrong.]
Figure 10: Experimental results of the mod 10 voting scheme.

In this section we discuss the results of our experiments. Both voting schemes performed extremely well, as seen by the very high percentage of people who used them correctly to find the correct answer. This was especially the case for the permutation voting protocol, for which only a single error (out of 400 experiment instances) was made. This error came about because the participant made a slip and not because they did not understand how to use the protocol, as the same participant was correct for the other three experiment instances. During discussion with participants after the experiments, many commented that they found the permutation voting experiment extremely easy. Some participants also said that they found the second version of the experiment (using the second set of sheets) slightly easier than the first, as there was less clutter between the lines, which made the required tracing easier. For the mod 10 voting experiments only five people (out of one hundred) made errors. Two of these people got both

experimental instances (calculation of the code for candidate A and for candidate D) wrong. One of these participants had a university degree and appears to have over-thought the experiment: instead of following the instructions they devised their own alternative version of the task. The other participant who made errors in both instances clearly did not understand the instructions. Three further participants made an error on just one of the instances. One copied the given example exactly for the first instance (the code for candidate A) but did everything correctly for the second. Another evaluated the code for candidate B instead of candidate D (and did so correctly). The third got the summations for candidate D wrong, apparently a simple arithmetic slip. Different people interacted with the mod 10 voting experiments in different ways. Some found it extremely easy and did not even need to look at or use the code generation form example to complete the experiment correctly; this was observed both for people with and people without a university degree. In general, people found this experiment more challenging than the permutation based scheme. One comment that came up several times in discussion after the experiments was that the initial instructions for code generation were slightly confusing, but once participants saw the filled-in code generation example things were easier to understand. Furthermore, some participants stated that if the forms had not been provided (the example form and the forms used to create the codes), they would most likely have got things wrong. This highlights the importance of clear and concise instructions when dealing with people, usability and security.
Despite the errors that occurred, it should be taken into account that if the voting schemes presented in this paper were to be used in a real election, then education of voters on how to use the schemes would occur before voters cast their vote. This would include television adverts/programs, fliers and newspaper articles which would clearly explain to people all the necessary steps they will need to carry out to cast their votes correctly. Even though errors would most likely still occur, they may (but not necessarily) occur at a lower rate.

6. CONCLUSIONS AND FUTURE WORK

In this paper we have explored the concept of usable and secure Internet voting protocols. We have proposed two protocols which could be used in such a setting and have argued that they are secure against passive malware on voters' computers. Furthermore, the permutation based protocol appears to be user friendly and easily usable by voters. This was identified through experiments which evaluated how human participants, from different demographics, used these protocols. Even though the work on the proposed protocols and experiments is at an initial stage, the experimental results seem very encouraging. As mentioned in the text, much work still needs to be done to achieve secure Internet voting that could be used in practice.

More work could also be done on the work presented in this paper. One thing that could be done would be to carry out further testing that includes a greater proportion of the voting population. For example, even though we had 100 participants, their ages did not exceed 65, so further experiments should include older participants to assess accurately how older voters use the proposed protocols. Further work could be to deploy and assess the correctness and usability of the proposed protocols on a network (an internal network or the Internet) using a number of terminals, so as to simulate the use of the voting schemes as presented in Section 3 and Section 4.

ACKNOWLEDGEMENTS: The authors would like to thank the 100 anonymous participants for their contribution, who also gave us their consent to use the results of their participation. Without their help we could not have experimentally evaluated the proposed protocols, and for this we thank them. The authors would also like to thank the six people who acted as test participants before any formal experimentation took place. These participants carried out an initial form of the experiments and provided very good suggestions and comments which were taken into account so as to improve the correctness and usability of the experiments. It should be noted that their results were not included in the 100 participant sample presented in the paper.




Appendix A: Mod 10 voting experiments

You will be given five 4-digit numbers. From these, you will create the code with which to vote. You can do this by adding each of the digits of the five numbers mod 10 (there is no need to know what this is, as it is explained here). This means that you will add together all the digits corresponding to units and note down the number of units in the sum. Similarly, you will add together all the digits corresponding to the number of tens and note down the number of units in the sum. You will do the same for the digits which correspond to the number of hundreds and to the number of thousands. We explain the above process through an example. Suppose the five 4-digit numbers are the following:

• 7291
• 1658
• 9202
• 7484
• 8172

To create your code you have to:

• Add all digits corresponding to units for the five numbers. In the example, these are all green highlighted digits. Please note down the digit which corresponds to the number of units of the sum.
  1 + 8 + 2 + 4 + 2 = 17 → Here we note down 7
• Add all digits corresponding to tens for the five numbers. In the example, these are all blue highlighted digits. Please note down the digit which corresponds to the number of units of the sum.
  9 + 5 + 0 + 8 + 7 = 29 → Here we note down 9
• Add all digits corresponding to hundreds for the five numbers. In the example, these are all orange highlighted digits. Please note down the digit which corresponds to the number of units of the sum.
  2 + 6 + 2 + 4 + 1 = 15 → Here we note down 5
• Add all digits corresponding to thousands for the five numbers. In the example, these are all pink highlighted digits. Please note down the digit which corresponds to the number of units of the sum.
  7 + 1 + 9 + 7 + 8 = 32 → Here we note down 2

We then create a four digit code by putting the numbers we noted down in their correct order (the first digit written down becomes the units of the four digit code, the second the number of tens, the third the number of hundreds and the fourth the number of thousands). For the example we would get the code 2597. On the next page we also present this example in the code generation form supplied.
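As an added example (not code from the paper), the column-wise mod 10 computation above in Python, together with an assumed dealer-side routine that picks the last of the five numbers so that they combine to a chosen code, and a check that any four of the five numbers are consistent with every possible code; the five example numbers are those from the text.

```python
import secrets

DIGITS = 4   # each number (share) and the resulting code are 4-digit strings
SHARES = 5   # the voter is given five 4-digit numbers


def combine(shares):
    """The voter's step: add each column of digits and keep only the units digit
    of the sum. Position 0 is the thousands column and position 3 the units
    column, so the result reads as the 4-digit code in the usual order."""
    if any(len(s) != DIGITS or not s.isdigit() for s in shares):
        raise ValueError("every share must be a %d-digit string" % DIGITS)
    code = ""
    for pos in range(DIGITS):
        column_sum = sum(int(s[pos]) for s in shares)  # e.g. units: 1+8+2+4+2 = 17
        code += str(column_sum % 10)                   # note down 7
    return code


def split(code, n=SHARES):
    """Assumed dealer side (not from the paper): n-1 uniformly random shares,
    plus a last share chosen digit by digit so that combine() equals code."""
    if len(code) != DIGITS or not code.isdigit():
        raise ValueError("code must be a %d-digit string" % DIGITS)
    shares = ["".join(str(secrets.randbelow(10)) for _ in range(DIGITS))
              for _ in range(n - 1)]
    partial = combine(shares)
    last = "".join(str((int(c) - int(p)) % 10) for c, p in zip(code, partial))
    return shares + [last]


def codes_consistent_with(known_shares):
    """Every code that some value of one missing share would yield. Because the
    missing share can be any 4-digit number, this is all 10**DIGITS codes, so
    n-1 shares reveal nothing about the code."""
    partial = combine(known_shares)
    return {combine([partial, f"{x:0{DIGITS}d}"]) for x in range(10 ** DIGITS)}


# The five numbers from the worked example in the text; they combine to 2597.
EXAMPLE_SHARES = ["7291", "1658", "9202", "7484", "8172"]

if __name__ == "__main__":
    print(combine(EXAMPLE_SHARES))                          # 2597
    fresh = split("2597")
    print(fresh, combine(fresh))                            # five shares, 2597
    print(len(codes_consistent_with(EXAMPLE_SHARES[:4])))   # 10000
```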

EXAMPLE – How to use the code generation form

Based on the example given above and the code generation form example, create your own code from the five 4-digit numbers below for Candidates A and D. You can either calculate the code yourself (as in the above example given) or use the empty code generation form supplied on pages 4 and 5.

Number 1
  Candidate A  6 6 4 4
  Candidate B  0 9 7 3
  Candidate C  1 4 2 2
  Candidate D  5 8 8 7
  Candidate E  8 7 8 9

Number 2
  Candidate A  7 0 4 2
  Candidate B  7 4 6 5
  Candidate C  2 2 4 2
  Candidate D  5 8 9 1
  Candidate E  5 4 6 5

Number 3
  Candidate A  0 6 7 4
  Candidate B  6 7 6 7
  Candidate C  5 9 6 9
  Candidate D  5 3 8 4
  Candidate E  4 5 3 8

Number 4
  Candidate A  5 8 7 0
  Candidate B  1 3 2 8
  Candidate C  5 7 2 3
  Candidate D  0 7 3 6
  Candidate E  3 9 2 2

Number 5
  Candidate A  1 4 9 1
  Candidate B  9 8 0 2
  Candidate C  8 7 9 8
  Candidate D  1 7 0 9
  Candidate E  2 8 7 4

Please create your own code for Candidate A: …………

Please create your own code for Candidate D: …………

Do you have a university degree? …………... Please state your age: …………….

Appendix B: Permutation voting experiments

You will be given two sets of three sheets that contain various lines. For each of the sets please place them in the right location relative to the diagram below:

[Diagram: from left to right, the "List of Candidates" (x A, x B, x C, x D, x E), then Sheet 1, Sheet 2 and Sheet 3, then the "Voting Bullets" (1, 2, 3, 4, 5). Sheet 1 is labelled 'Put this edge against "Candidate list edge"' on one side and 'Put this edge against Arrow Sheet 2' on the other; Sheet 2 is labelled 'Put against Sheet 1' and 'Put this edge against Arrow Sheet 3'; Sheet 3 is labelled 'Put against Sheet 2' and 'Put against "Voting Bullets"'.]

For each of the sets, by following the lines identify the voting bullet number which corresponds to candidates A and D.

First Method
  Candidate A voting bullet number: …………
  Candidate D voting bullet number: …………

Second Method
  Candidate A voting bullet number: …………
  Candidate D voting bullet number: …………

Do you have a university degree? …………...

Please state your age: …………….
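As an added example (not code from the paper), the line-following step above modelled in Python under the assumption that each sheet's lines realise a permutation of the five rows and that placing the sheets edge to edge composes those permutations; the dealer-side construction of the sheets and the target mapping are constructed for illustration, and a final check shows that with one sheet missing every bullet number remains possible for a candidate.

```python
import random
from itertools import permutations

CANDIDATES = ["A", "B", "C", "D", "E"]
N = len(CANDIDATES)


def follow_lines(sheets, candidate):
    """The participant's step: start at the candidate's row on the candidate
    list, follow the line across each sheet in turn, and read off the row
    reached on the last sheet as the voting bullet number (numbered 1 to N)."""
    pos = CANDIDATES.index(candidate)
    for sheet in sheets:
        pos = sheet[pos]   # sheet[i]: row where the line entering at row i leaves
    return pos + 1


def make_sheets(target, n_sheets=3, rng=random):
    """Assumed dealer side (not from the paper): n_sheets-1 uniformly random
    permutations, plus a last sheet chosen so that following all the sheets
    sends candidate i to bullet target[i] + 1."""
    sheets = []
    for _ in range(n_sheets - 1):
        p = list(range(N))
        rng.shuffle(p)
        sheets.append(p)
    last = [None] * N
    for i in range(N):
        entry_row = follow_lines(sheets, CANDIDATES[i]) - 1  # row after earlier sheets
        last[entry_row] = target[i]
    return sheets + [last]


def reachable_bullets(known_sheets, candidate):
    """Bullet numbers a candidate could still map to when the final sheet is
    missing: every permutation remains possible for it, so all N bullets."""
    return {follow_lines(known_sheets + [list(p)], candidate)
            for p in permutations(range(N))}


# Constructed target mapping (0-based bullet index): A->4, B->1, C->5, D->2, E->3.
TARGET = [3, 0, 4, 1, 2]

if __name__ == "__main__":
    sheets = make_sheets(TARGET, rng=random.Random(2024))
    print(sheets)
    print(follow_lines(sheets, "A"), follow_lines(sheets, "D"))   # 4 2
    print(sorted(reachable_bullets(sheets[:2], "A")))            # [1, 2, 3, 4, 5]
```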

[Figure: First set of sheets given to participants (given as three small pieces of paper): Sheet 1 ('Put this edge against "Candidate list edge"' / 'Put this edge against Arrow Sheet 2'), Sheet 2 ('Put against Sheet 1' / 'Put this edge against Arrow Sheet 3'), Sheet 3 ('Put against Sheet 2' / 'Put against "Voting Bullets"').]

[Figure: Second set of sheets given to participants (given as three small pieces of paper), with the same three sheets and edge labels.]

[Figure: Participant view when sheets were placed correctly for first set of sheets: the "List of Candidates" (x A, x B, x C, x D, x E) on the left, Sheet 1, Sheet 2 and Sheet 3 in order, and the "Voting Bullets" (1 to 5) on the right.]

[Figure: Participant view when sheets were placed correctly for second set of sheets, laid out in the same way.]