
To test and refine our Taxonomy, we have analyzed several different voting schemes known to us, presential as well as internet voting schemes, paper-based as well as electronic voting schemes. Among them are the traditional German paper election, Prêt à Voter [CRS05], Bingo Voting [BMQR07], and Scantegrity II [CCC+08]. We summarize the analysis of two of these voting schemes here as examples. The full analysis can be found in the appendix.

3.2.6.1. German Paper Election

The German governmental election is usually implemented as a traditional paper election, which takes place in designated polling stations. The election can be observed from beginning to end by everyone who is interested. Eligible voters are informed of the upcoming election several weeks before the election day(s) and get an invitation together with a personalized voting card with which they can prove eligibility at the polling station. Before the voting phase starts, the poll workers show the observers that the ballot box is empty. Then the ballot box is closed and its opening stays covered except when voters put in their ballots. Poll workers maintain a list of eligible voters, the voter roll, in which they record which voters have already cast a vote. To cast their vote, voters go to the polling station assigned to them, where they show their identity card and their voting card, are ticked off in the voter roll as present and obtain a ballot. With the ballot, the voter enters a voting booth and marks her choice in private on her ballot, which she then folds to hide her marks. The voter puts her filled-out ballot into the ballot box and is again ticked off in the voter roll to mark that she has cast her ballot. Several elections run in parallel in different polling stations. At the end of election day, before counting starts, it is made sure that all voters in all other polling stations have finished casting their ballots, to avoid the leaking of intermediate results before the poll is closed. To count the ballots, they are taken out of the ballot box one at a time and shown to the observers. The content of each ballot box is counted by more than one person, and the counting process is repeated until there is a consensus.

The German paper election scheme is rather strong concerning privacy, fairness and verifiable correctness. Provability of a fraud strongly depends on the availability of voluntary election observers. A weak point of the scheme is its lack of redundancy and the fact that the voting processes within one polling station can hardly be parallelized.

The full analysis of this election can be found in Appendix A.

Election type

The voting scheme is paper-based and designed for governmental elections which take place distributed over several polling stations.

Preliminaries and Assumptions

• The poll workers as a group are neutral and trusted and do not mark ballots in an inconspicuous way.

• The ballot box is big enough that the ballots inside are sufficiently shuffled.

• The voter marks her choice in a voting booth which does not contain a camera.

• The election and counting process is observed by sufficiently many witnesses.

What makes this scheme secure?

The main security feature of the scheme is that the whole election and counting process is observable from beginning to end. The observability is supported by the fact that the votes are recorded on physical objects that can not be tampered with without physical access.

Category 1: Privacy and Coercion-Resistance

Voter privacy is ensured by the voting booth. The leakage of intermediate results is prevented as long as the counting procedures of the different polling stations are sufficiently synchronized. The scheme is not coercion-resistant, since the voter can be forced to mark her ballot so as to make it invalid, or not to participate in the election at all. If the voter can mark more than one choice per ballot, the voting scheme is vulnerable to pattern voting attacks.

Category 2: Correctness and Verifiability

Verifiable correctness is ensured by the possibility of observation. A downside of the scheme is that each voter can only observe one polling station, so the election is not exactly universally verifiable. The observation is also very time-consuming.

Category 3: Fairness

The ballot layout is auditable, and the leakage of intermediate results is prevented by observation.

Category 4: Provability of a fraud

Since everything except for the ballot marking process is done in the open, everything can be observed. So provability of a fraud depends on the presence of witnesses.

Category 5: Robustness and Scalability

The limiting factor of the paper election is that voters can only vote sequentially and the ballots are counted by hand, so the whole process takes a lot of time. Since choices are recorded on paper ballots, recounts can be done as often as wished. On the other hand, there is no redundancy in the recording of votes: lost ballots cannot be recovered.

3.2.6.2. Prêt à Voter

This analysis refers to the original scheme Prêt à Voter as introduced in [CRS05], and is done with the purpose of demonstrating and testing the taxonomy, not as an evaluation of Prêt à Voter. The original scheme has some drawbacks which become obvious in the taxonomy. However, it shall be mentioned here that Prêt à Voter has been further developed and improved in both privacy and robustness aspects [RS06, DHvdG+13].

The full analysis is in Appendix D. Prêt à Voter is a paper-based election scheme for presential elections. The voter gets a ballot which has two parts: a right-hand side which displays the candidates in random order, and a left-hand side where the voter can mark her choice. To cast her ballot, the voter makes a mark next to the candidate of her choice, separates the two ballot halves and destroys the part which contains the candidate names. The remaining half also carries an encryption of the permutation. This part is scanned and recorded and later published on a public bulletin board for verification. The voter can take this part home as a receipt and check that it is published correctly.

The permutation of each ballot has been created prior to the voting phase by a set of tellers, each teller using its own randomness, called a germ, to create its permutation. The permutations are applied one after another, and ballots are later decrypted by the tellers by sequentially decrypting and applying the inverse permutation to the marked position on the ballot.

This procedure is called an onion mix. In newer versions [RS06], a more robust re-encryption mix is used.
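The onion construction just described, as an added toy model that is not part of the thesis or of Prêt à Voter's own implementation: the EA derives one germ per ballot and teller, every teller turns its germ into a permutation, the ballot order is the composition of those permutations, and the scanner records only the marked position. Decryption peels the layers in reverse teller order, so a teller withholding its germ blocks the tally (the Category 5 point below). The candidates, the three tellers, the EA seed and the HMAC-based germ derivation are constructed stand-ins; the real scheme encrypts the germs in onion layers rather than deriving them by key derivation.

```python
import hashlib
import hmac
import random

# Constructed example data: 4 candidates, 3 tellers, one fixed EA seed.
CANDIDATES = ["Alice", "Bob", "Carol", "Dave"]
N_TELLERS = 3
EA_SEED = b"constructed-ea-seed"


def germ(seed: bytes, ballot_id: int, teller: int) -> bytes:
    # Per-ballot, per-teller randomness ("germ") derived from the EA seed.
    # Stand-in for the real scheme's encrypted germs (key derivation, not encryption).
    return hmac.new(seed, f"{ballot_id}:{teller}".encode(), hashlib.sha256).digest()


def permutation(g: bytes) -> list[int]:
    # A teller turns its germ into a permutation of the candidate positions.
    rng = random.Random(int.from_bytes(g, "big"))
    perm = list(range(len(CANDIDATES)))
    rng.shuffle(perm)
    return perm


def ballot_order(ballot_id: int) -> list[str]:
    # Onion construction: each teller's permutation is applied on top of the previous one.
    order = list(CANDIDATES)
    for t in range(N_TELLERS):
        perm = permutation(germ(EA_SEED, ballot_id, t))
        order = [order[perm[i]] for i in range(len(order))]
    return order


def cast(ballot_id: int, choice: str) -> int:
    # The voter marks the position next to her candidate; only that position
    # (plus the encrypted permutation) reaches the scanner and the receipt.
    return ballot_order(ballot_id).index(choice)


def tally_position(ballot_id: int, mark: int, germs: dict[int, bytes]) -> str:
    # Decryption peels the onion in reverse teller order: each teller maps the
    # position through its own permutation. One missing teller stops the tally.
    for t in reversed(range(N_TELLERS)):
        if t not in germs:
            raise RuntimeError(f"teller {t} refused to decrypt ballot {ballot_id}")
        mark = permutation(germs[t])[mark]
    return CANDIDATES[mark]


def receipt_leaks_nothing(choice: str, n_ballots: int = 200) -> bool:
    # Across ballots the same choice lands on every position, so the mark alone
    # (what the scanner and a receipt reader see) does not identify the candidate.
    return {cast(b, choice) for b in range(n_ballots)} == set(range(len(CANDIDATES)))
```

Note that the mark is still visible on the receipt, which is exactly why a coercer can demand a particular position (Category 1 below) even though the receipt reveals no candidate.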

Election type

Prêt à Voter is a paper and optical scanner based cryptographic voting scheme designed for presential elections.

Preliminaries and Requirements

• Tallying is performed by a set of tellers which are realized as several hardware devices. Each teller has two key pairs, and creates a permutation of the candidate order for each ballot.

• There is a trusted election authority (EA) which generates a random seed from which the tellers calculate their permutations. The EA generates the ballots depending on these permutations.

• The EA generates a random seed from which random values, called germs, are created for the tellers. The germs are encrypted and hashed to obtain each teller’s permutation.

What makes this scheme secure?

• Each ballot has a random candidate order which is invisible but present as an encryption on the voter’s receipt.

• The recording device only reads the mark but not the candidate order (only its encryption), so it does not see the voter’s choice in plaintext.

• Voters can check their receipts on a public bulletin board.

Trusted Instances/cryptographic assumptions:

• Trusted ballot creators/printers (they see the permutation of each ballot)

• IND-CPA-secure encryption for the permutations

• Encryption acts as a binding commitment; encrypted permutations should not be decryptable to other permutations with some trapdoor.

Category 1: Privacy and Coercion-Resistance

Privacy and receipt-freeness depend strongly on the underlying assumptions, especially the assumption of trusted authorities: each entity which sees the full ballots, i.e. the parties who create them, print them, hand them out to voters etc., sees the permutation, and each ballot has a unique identification number which identifies the ballot. Privacy is ensured as long as these parties are trusted. Privacy is not unconditional; it depends on the encryption scheme used for the encrypted permutations that are printed on the ballots. However, Demirel et al. [DHvdG+13] introduced a technique to provide Prêt à Voter with everlasting privacy. Receipt-freeness holds under the given assumptions, but coercion-resistance does not, since the voter can be forced to mark a certain position, which can be seen on her receipt. A big advantage of Prêt à Voter is that the device which records the ballots does not learn the voter's choice.

Category 2: Correctness and Verifiability

For individual verifiability, the voter can see on her paper ballot that it is correctly marked and that it is published on the bulletin board correctly. The counting process is publicly verifiable by anyone who is interested, but requires some mathematical background. Verifiable correctness strongly depends on enough voters checking that their ballots are on the bulletin board, or at least on the EA not knowing who is going to check their ballot, since unchecked ballots can be modified unnoticed.

Category 3: Fairness

Fairness holds under the assumption that the checking of eligibility is performed properly, that it is checked that each voter takes part in the voting process only once, and that sufficiently many ballots are audited to ensure layout neutrality. For intermediate results to leak, the scanner and either all tellers or the voting authority would have to be corrupted.

Category 4: Provability of a fraud

If a ballot is missing on the bulletin board, the voter can prove this with her receipt. Her ballot can then be included in the tally. It is then unclear, though, whether her ballot is just missing or was substituted by another one. Since the ballots are not signed by the voters, ballot stuffing is only prevented if additional measures are taken, like observability as in the German paper election.

Category 5: Robustness and Scalability

Due to the onion mixing technique, each teller can perform a denial-of-service attack by refusing to decrypt ballots. Apart from that, similar scalability issues hold as with the paper election: the voting process requires physical presence in a voting booth in a polling station, therefore voters mostly vote sequentially. An advantage of Prêt à Voter is that ballots can be tallied electronically.

3.3. A Review of Definitions of Coercion