Annals of Telecommunications, Volume 71, Issue 7–8, pp 337–352

SecIVo: a quantitative security evaluation framework for internet voting schemes

  • Stephan Neumann
  • Melanie Volkamer
  • Jurlind Budurushi
  • Marco Prandini


Voting over the Internet is subject to a number of security requirements. Each voting scheme has its own bespoke set of assumptions to ensure these security requirements. The criticality of these assumptions depends on the election setting (e.g., how trustworthy the voting servers or the voting devices are). The consequence of this is that the security of different Internet voting schemes cannot easily be compared. We have addressed this shortcoming by developing SecIVo, a quantitative security evaluation framework for Internet voting schemes. On the basis of uniform adversarial capabilities, the framework provides two specification languages, namely qualitative security models and election settings. Upon system analysis, system analysts feed the framework with qualitative security models composed of adversarial capabilities. On the other side, election officials specify their election setting in terms of—among others—expected adversarial capabilities. The framework evaluates the qualitative security models within the given election setting and returns satisfaction degrees for a set of security requirements. We apply SecIVo to quantitatively evaluate Helios and Remotegrity within three election settings. It turns out that there is no scheme which outperforms the other scheme in all settings. Consequently, selecting the most appropriate scheme from a security perspective depends on the environment into which the scheme is to be embedded.


Keywords: Internet voting, Security evaluation, Security requirements



The authors would like to thank the reviewers for their constructive recommendations, which helped to improve this work significantly.



Copyright information

© Institut Mines-Télécom and Springer-Verlag France 2016

Authors and Affiliations

  • Stephan Neumann (1)
  • Melanie Volkamer (1, 2)
  • Jurlind Budurushi (1)
  • Marco Prandini (3)

  1. Technische Universität Darmstadt, Darmstadt, Germany
  2. Karlstad University, Karlstad, Sweden
  3. Università di Bologna, Bologna, Italy
