Civitas is the first electronic voting system that is coercion-resistant, universally and voter verifiable, and suitable for remote voting. This paper describes the design and implementation of Civitas. Assurance is established in the design through security proofs, and in the implementation through information-flow security analysis. Experimental results give a quantitative evaluation of the tradeoffs between time, cost, and security. 1.

Voting with cryptographic auditing, sometimes called open-audit voting, has remained, for the most part, a theoretical endeavor. In spite of dozens of fascinating protocols and recent ground-breaking advances in the field, there exist only a handful of specialized implementations that few people have experienced directly. As a result, the benefits of cryptographically audited elections have remained elusive. We present Helios, the first web-based, open-audit voting system. Helios is publicly accessible today: anyone can create and run an election, and any willing observer can audit the entire process. Helios is ideal for online software communities, local clubs, student government, and other environments where trustworthy, secretballot elections are required but coercion is not a serious concern. With Helios, we hope to expose many to the power of open-audit elections. 1

We present three new paper-based voting methods with interesting security properties. Our goal is to achieve the same security properties as recently proposed cryptographic voting protocols, but using only paper ballots and no cryptography. From a security viewpoint we get reasonably close, particularly for short ballots. However, our proposals should probably be considered as more “academic ” than “practical.” In these proposals, not only can each voter verify that her vote is recorded as intended, but she gets a “receipt ” she can take home that can be used later to verify that her vote is actually included in the final tally. But her receipt does not allow her to prove to anyone else how she voted. All ballots cast are scanned and published in plaintext on a “public bulletin board ” (web site), so anyone may correctly compute the election result. In ThreeBallot, each voter casts three paper ballots, with certain restrictions on how they may be filled out. These paper ballots are of course “voterverifiable.” A voter receives a copy of one of her ballots as her “receipt”, which she may take home. Only the voter knows which ballot she copied for her receipt. The voter is unable to use her receipt to prove how she voted or to sell her vote, as the receipt doesn’t reveal how she voted. A voter can check that the web site contains a ballot matching her receipt. Deletion or modification of ballots is thus detectable; so the integrity of the election is verifiable. VAV is like ThreeBallot, except that the ballotmarking rules are different: one ballot may “cancel” another (VAV = Vote/Anti-Vote/Vote). VAV is better suited to – i.e. yields better security properties ∗ The latest version of this paper is always at

Abstract. A system that protects the unlinkability of certain data items (e. g. identifiers of communication partners, messages, pseudonyms, transactions, votes) does not leak information that would enable an adversary to link these items. The adversary could, however, take advantage of hints from the context in which the system operates. In this paper, we introduce a new metric that enables one to quantify the (un)linkability of the data items and, based on this, we consider the effect of some simple contextual hints. 1

We present a symbolic definition of election verifiability for electronic voting protocols in the context of the applied pi calculus. Our definition is given in terms of boolean tests which can be performed on the data produced by an election. The definition distinguishes three aspects of verifiability, which we call individual verifiability, universal verifiability, and eligibility verifiability. It also allows us to determine precisely which aspects of the system’s hardware and software must be trusted for the purpose of election verifiability. In contrast with earlier work our definition is compatible with a large class of electronic voting schemes, including those based on blind signatures, homomorphic encryption and mixnets. We demonstrate the applicability of our formalism by analysing two protocols which have been deployed; namely Helios 2.0, which is based on homomorphic encryption, and Civitas, which uses mixnets. In addition we consider the FOO protocol which is based on blind signatures.

Helios 2.0 is an open-source web-based end-toend verifiable electronic voting system, suitable for use in lowcoercion environments. In this paper, we analyse ballot secrecy and discover a vulnerability which allows an adversary to compromise the privacy of voters. This vulnerability has been successfully exploited to break privacy in a mock election using the current Helios implementation. Moreover, the feasibility of an attack is considered in the context of French legislative elections and, based upon our findings, we believe it constitutes a real threat to ballot secrecy in such settings. Finally, we present a fix and show that our solution satisfies a formal definition of ballot secrecy using the applied pi calculus.

In this paper, we analyse information leakage in Ryan’s Prêt à Voter with Paillier encryption scheme (PAV-Paillier). Our analysis shows that although PAV-Paillier seems to achieve a high level of voter privacy at first glance, it might still leak voter’s choice information in some circumstances. Some threats are trivial and have appeared in the literature, but others are more complicated because colluding adversaries may apply combined attacks. Several strategies have been suggested to mitigate these threats, but we have not resolved all the threats. We leave those unsolved threats as open questions. In order to describe our analysis in a logical manner, we will introduce an information leakage model to aid our analysis. We suggest that this model can be applied to analyse information leakage in other complex mixnet based e-voting schemes as well. Furthermore, we introduce a simplification of PAV-Paillier. In our proposal, without degrading security properties such as voter privacy, verifiability and reliability, we no longer need to apply the homomorphic property to absorb the voter’s choice index into the onion, thus we step back to employ the ElGamal encryption. This results in a simpler and more straightforward threshold cryptosystem. Some other attractive properties of our proposal scheme are: unlike traditional Prêt à Voter schemes, the candidate list in our scheme can be in alphabetical order. Our scheme not only handles approval elections, but also it handles ranked elections (e.g. Single Transferable Voting). Furthermore, our scheme mitigates the randomisation attack. 1

Users often wish to participate in online groups anonymously, but misbehaving users may abuse this anonymity to disrupt the group’s communication. Existing messaging protocols such as DC-nets leave groups vulnerable to denial-of-service and Sybil attacks, Mixnets are difficult to protect against traffic analysis, and accountable voting protocols are unsuited to general anonymous messaging. We present the first general messaging protocol that offers provable anonymity with accountability for moderate-size groups, and efficiently handles unbalanced loads where few members wish to transmit in a given round. The N group members first cooperatively shuffle an N × N matrix of pseudorandom seeds, then use these seeds in N “pre-planned ” DC-nets protocol runs. Each DCnets run transmits the variable-length bulk data comprising one member’s message, using the minimum number of bits required for anonymity under our attack model. The protocol preserves message integrity and one-to-one correspondence between members and messages, makes denial-of-service attacks by members traceable to the culprit, and efficiently handles large, unbalanced message loads. A working prototype demonstrates the protocol’s practicality for anonymous messaging in groups of40+ members.

In a previous paper, a version of the Pret a Voter verifiable election scheme using ElGamal encryption and enabling the use of re-encryption mixes was presented. In order to ensure that the construction of the ballot forms mesh with the re-encryption mixes, it was necessary to draw the seed values from a statistical distribution, e.g., a binomial. In this paper we present a similar construction of the ballot forms but using Paillier encryption in place of ElGamal. The advantage of this is that the homomorphic properties of Paillier are ideally suited to our construction and removes the need to constrain the distribution of seed values. As with the scheme using ElGamal, we have a distributed construction of encrypted ballot forms. This enables on-demand decryption and printing of the ballot forms and so eliminates the need to trust a single authority to keep this information secret. It also avoids chain of custody issues as well as chain voting style attacks.

End-to-end verifiable voting systems allow voters to verify that their votes are cast as intended, collected as cast, and counted as collected. Essentially, end-to-end voting systems provide voters assurance that each step of the election worked correctly. At the same time, voting systems must protect voter privacy and prevent the possibility of improper voter influence and voter coercion. Several end-to-end voting systems have been proposed, varying in usability and practicality. In this thesis we describe and analyze Scantegrity II, a novel end-to-end verification mechanism for optical scan voting which uses confirmation codes printed on the ballot in invisible ink. The confirmation codes allow voters to create privacy-preserving receipts which voters can check against the bulletin board after the close of the election to ensure that their votes have been collected as cast. Anyone can check that votes have been counted as collected and that the tally is correct. We describe the Scantegrity II system and