Abstract
Voting over the Internet is subject to a number of security requirements. Each voting scheme relies on its own bespoke set of assumptions to meet these requirements, and how critical an assumption is depends on the election setting (e.g., how trustworthy the voting servers or the voting devices are). As a consequence, the security of different Internet voting schemes cannot easily be compared. We address this shortcoming with SecIVo, a quantitative security evaluation framework for Internet voting schemes. Built on a uniform set of adversarial capabilities, the framework provides two specification languages: qualitative security models and election settings. During system analysis, system analysts feed the framework with qualitative security models composed of adversarial capabilities. On the other side, election officials specify their election setting in terms of, among other things, the adversarial capabilities they expect. The framework evaluates the qualitative security models within the given election setting and returns satisfaction degrees for a set of security requirements. We apply SecIVo to quantitatively evaluate Helios and Remotegrity within three election settings. It turns out that neither scheme outperforms the other in all settings. Consequently, selecting the most appropriate scheme from a security perspective depends on the environment into which the scheme is to be embedded.
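To make the abstract's pipeline concrete (a security model composed of adversarial capabilities, an election setting that assigns those capabilities, and a satisfaction degree per requirement), here is an added illustration. It is not code from the paper and not SecIVo's actual algorithm; it assumes one common reading of such models, namely that each requirement has a list of capability "cut sets" that suffice to violate it and that the setting gives an independent probability for the adversary holding each capability. The schemes `SCHEME_X`/`SCHEME_Y`, the settings, and the capability names are constructed for the illustration and are not the paper's Helios or Remotegrity models. It computes the satisfaction degree both exactly (enumeration) and by a Monte Carlo estimate, and shows the abstract's point that which scheme scores better can flip between settings.

```python
import itertools
import random
from typing import Dict, FrozenSet, Iterable, List

# Assumed semantics for this illustration (not the paper's definitions):
# a qualitative security model lists, per security requirement, the sets of
# adversarial capabilities that together suffice to violate it ("cut sets");
# an election setting gives, per capability, the probability that the
# adversary holds it, with capabilities assumed independent.
CutSets = List[FrozenSet[str]]
Model = Dict[str, CutSets]      # requirement -> cut sets
Setting = Dict[str, float]      # capability -> probability adversary holds it


def minimize(cut_sets: Iterable[FrozenSet[str]]) -> CutSets:
    """Drop cut sets that contain another cut set; only minimal ones matter."""
    minimal: CutSets = []
    for s in sorted(set(cut_sets), key=len):
        if not any(m <= s for m in minimal):
            minimal.append(s)
    return minimal


def _capabilities(cut_sets: CutSets) -> List[str]:
    return sorted({c for s in cut_sets for c in s})


def _violated(cut_sets: CutSets, held: set) -> bool:
    return any(s <= held for s in cut_sets)


def satisfaction_exact(cut_sets: CutSets, setting: Setting) -> float:
    """Exact satisfaction degree: probability that no cut set is fully held.

    Enumerates every subset of the capabilities named by the model; fine for
    the handful of capabilities a model names, exponential beyond that.
    """
    caps = _capabilities(cut_sets)
    total = 0.0
    for bits in itertools.product((False, True), repeat=len(caps)):
        held = {c for c, b in zip(caps, bits) if b}
        if _violated(cut_sets, held):
            continue
        p = 1.0
        for c, b in zip(caps, bits):
            p *= setting[c] if b else 1.0 - setting[c]
        total += p
    return total


def satisfaction_monte_carlo(cut_sets: CutSets, setting: Setting,
                             runs: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of the same quantity, usable when enumeration is not."""
    rng = random.Random(seed)
    caps = _capabilities(cut_sets)
    satisfied = 0
    for _ in range(runs):
        held = {c for c in caps if rng.random() < setting[c]}
        if not _violated(cut_sets, held):
            satisfied += 1
    return satisfied / runs


def evaluate(model: Model, setting: Setting) -> Dict[str, float]:
    """Satisfaction degree for every requirement of a model in a setting."""
    return {req: satisfaction_exact(minimize(cs), setting) for req, cs in model.items()}


def better_scheme(models: Dict[str, Model], setting: Setting, requirement: str) -> str:
    """Name of the scheme with the highest satisfaction degree for one requirement."""
    scores = {name: evaluate(m, setting)[requirement] for name, m in models.items()}
    return max(scores, key=scores.get)


# Constructed toy models: X trusts the server for secrecy and needs server plus
# device collusion for manipulation; Y trusts the voter's device and has a
# postal channel as a second way to manipulate.
SCHEME_X: Model = {
    "secrecy": [frozenset({"server"})],
    "integrity": [frozenset({"server", "device"})],
}
SCHEME_Y: Model = {
    "secrecy": [frozenset({"device"})],
    "integrity": [frozenset({"device"}), frozenset({"server", "postal"})],
}
# Constructed settings: probability that the adversary holds each capability.
UNTRUSTED_SERVER: Setting = {"server": 0.5, "device": 0.05, "postal": 0.1}
UNTRUSTED_DEVICES: Setting = {"server": 0.05, "device": 0.5, "postal": 0.1}

if __name__ == "__main__":
    schemes = {"X": SCHEME_X, "Y": SCHEME_Y}
    for label, setting in (("untrusted server", UNTRUSTED_SERVER),
                           ("untrusted devices", UNTRUSTED_DEVICES)):
        for name, model in schemes.items():
            print(label, name, evaluate(model, setting))
        print(label, "best for secrecy:", better_scheme(schemes, setting, "secrecy"))
```

With these constructed inputs scheme Y wins on secrecy when the server is the weak point and scheme X wins when the devices are, which is the kind of setting-dependent ranking the abstract reports; the Monte Carlo estimate is there for models with more capabilities than exhaustive enumeration can handle, and its replication count should be chosen against the precision actually needed.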
Notes
Knowing in advance of the election which voters will cast identical votes is at least very hard.
The IACR deploys an n-out-of-n secret sharing scheme [24].
References
Adida B (2008) Helios: web-based open-audit voting. In: USENIX security symposium, pp 335–348
Allan R, Billinton R, de Oliveira MF (1976) An efficient algorithm for deducing the minimal cuts and reliability indices of a general network configuration. IEEE Trans Reliab 25(4):226–233
Almasizadeh J, Azgomi MA (2009) Intrusion process modeling for security quantification. In: 2009 Fourth international conference on availability, reliability and security (ARES). IEEE, pp 114–121
Armando A, Compagna L (2004) Satmc: a sat-based model checker for security protocols. In: Logics in artificial intelligence. Springer, pp 730–733
Aven T (1985) Reliability/availability evaluations of coherent systems based on minimal cut sets. Reliab Eng 13(2):93–104
Bannister F, Connolly R (2007) A risk assessment framework for electronic voting. Int J Technol Policy Manag 7(2):190–208
Basin D, Mödersheim S, Vigano L (2005) Ofmc: a symbolic model checker for security protocols. Int J Inf Secur 4(3):181–208
Bella G, Paulson LC, Massacci F (2002) The verification of an industrial payment protocol: the set purchase phase. In: Proceedings of the 9th ACM conference on computer and communications security. ACM, pp 12–20
Benaloh J, Quisquater JJ, Vaudenay S (2010) IACR 2010 election report
Binder K (1986) Introduction: theory and technical aspects of Monte Carlo simulations. Springer
Biondi F, Legay A (2015) Quantitative anonymity evaluation of voting protocols. In: Software engineering and formal methods, lecture notes in computer science. Springer International Publishing, pp 335–349
Budurushi J, Neumann S, Olembo MM, Volkamer M (2013) Pretty understandable democracy: a secure and understandable internet voting scheme. In: 2013 Eighth international conference on availability, reliability and security (ARES). IEEE, pp 198–207
Buldas A, Mägi T (2007) Practical security analysis of e-voting systems. In: Advances in information and computer security. Springer, pp 320–335
Canetti R, Halevi S, Katz J (2003) A forward-secure public-key encryption scheme. In: Advances in cryptology - EUROCRYPT 2003. Springer, pp 255–271
Carlos MC, Martina JE, Price G, Custódio RF (2013) An updated threat model for security ceremonies. In: Proceedings of the 28th Annual ACM symposium on applied computing. ACM, pp 1836–1843
Cetinkaya O (2008) Analysis of security requirements for cryptographic voting protocols. In: 2008 Third international conference on availability, reliability and security (ARES). IEEE, pp 1451–1456
Chaum D, Carback R, Clark J, Essex A, Popoveniuc S, Rivest RL, Ryan PY, Shen E, Sherman AT (2008) Scantegrity II: end-to-end verifiability for optical scan election systems using invisible ink confirmation codes. EVT 8:1–13
Chaum DL (1981) Untraceable electronic mail, return addresses, and digital pseudonyms. Commun ACM 24(2):84–90
Clarkson MR, Chong S, Myers AC (2007) Civitas: a secure voting system. Tech. rep., Cornell University
Coney L, Hall JL, Vora PL, Wagner D (2005) Towards a privacy measurement criterion for voting systems. In: Proceedings of the 2005 national conference on Digital government research. Digital Government Society of North America, pp 287–288
Cortier V, Galindo D, Glondu S, Izabachène M (2014) Election verifiability for helios under weaker trust assumptions. In: Computer security-ESORICS 2014. Springer, pp 327–344
Cortier V, Galindo D, Glondu S, Izabachène M (2013) A generic construction for voting correctness at minimum cost: application to Helios. IACR Cryptology ePrint Archive 2013:177
Cortier V, Smyth B (2013) Attacking and fixing helios: an analysis of ballot secrecy. J Comput Secur 21(1):89–148
Cuvelier E, Pereira O, Peters T (2013) Election verifiability or ballot privacy: Do we need to choose?. In: Computer Security–ESORICS 2013. Springer, pp 481–498
Delaune S, Kremer S, Ryan M (2006) Coercion-resistance and receipt-freeness in electronic voting. In: 19th IEEE computer security foundations workshop (CSFW 2006). IEEE, 12 pp
Delaune S, Kremer S, Ryan M (2009) Verifying privacy-type properties of electronic voting protocols. J Comput Secur 17:435–487. doi:10.3233/JCS-2009-0340
Dolev D, Yao AC (1983) On the security of public key protocols. IEEE Trans Inf Theory 29(2):198–208
Driels MR, Shin YS (2004) Determining the number of iterations for monte carlo simulations of weapon effectiveness. Tech. rep., DTIC Document
EAC Advisory Board and Standards Board (2009) Threat trees and matrices and threat instance risk analyzer (tira)
Fujioka A, Okamoto T, Ohta K (1993) A practical secret voting scheme for large scale elections. In: Advances in cryptology - AUSCRYPT '92. Springer, pp 244–251
Fuqua N (1987) Reliability engineering for electronic design, vol 34. CRC Press
Haber S, Benaloh J, Halevi S (2010) The helios e-voting demo for the IACR. International Association for Cryptologic Research. http://www.iacr.org/elections/eVoting/heliosDemo.pdf
IACR (2010) IACR 2010 election. https://vote.heliosvoting.org/helios/elections/85db4808-cc46-11df-a972-12313f025959/view
IACR (2010) A short explanation of Helios for cryptographers. http://www.iacr.org/elections/2010/HeliosForCryptographers.html
IACR (2016) About the Helios system. http://www.iacr.org/elections/eVoting/about-helios.html
Iida Y, Wakabayashi H (1989) An approximation method of terminal reliability of road network using partial minimal path and cut sets. In: Transport policy, management & technology towards 2001: selected proceedings of the fifth world conference on transport research, vol 4
Juels A, Catalano D, Jakobsson M (2005) Coercion-resistant electronic elections. In: Proceedings of the 2005 ACM workshop on privacy in the electronic society. ACM, pp 61–70
Kahn J, Linial N, Samorodnitsky A (1996) Inclusion-exclusion: exact and approximate. Combinatorica 16(4):465–477
Kim HM, Nevo S (2008) Development and application of a framework for evaluating multi-mode voting risks. Internet Research 18(1):121–135
Kremer S, Ryan M, Smyth B (2010) Election verifiability in electronic voting protocols. In: ESORICS, lecture notes in computer science, vol 6345. Springer, pp 389–404
Küsters R, Truderung T (2009) An epistemic approach to coercion-resistance for electronic voting protocols. In: 30th IEEE symposium on Security and privacy (SP), 2009. IEEE, pp 251–266
Küsters R, Truderung T, Vogt A (2010) Accountability: definition and relationship to verifiability. In: Proceedings of the 17th ACM conference on computer and communications security. ACM, pp 526–535
Küsters R, Truderung T, Vogt A (2011) Verifiability, privacy, and coercion-resistance: new insights from a case study. In: IEEE symposium on security and privacy (SP), 2011. IEEE, pp 538–553
Küsters R, Truderung T, Vogt A (2012) Clash attacks on the verifiability of e-voting systems. In: 33rd IEEE symposium on security and privacy (SP), 2012. IEEE, pp 395–409
Landau DP, Binder K (2014) A guide to Monte Carlo simulations in statistical physics. Cambridge University Press
Langer L (2010) Privacy and verifiability in electronic voting. Ph.D. thesis, TU Darmstadt
Lauer TW (2004) The risk of e-voting. Electronic Journal of e-Government 2:177–186
Lee WS, Grosh DL, Tillman FA, Lie CH (1985) Fault tree analysis, methods, and applications: a review. IEEE Trans Reliab 34(3):194–203
Luna J, Suri N, Krontiris I (2012) Privacy-by-design based on quantitative threat modeling. In: Seventh international conference on risk and security of internet and systems (CRiSIS), 2012. IEEE, pp 1–8
Madan BB, Goševa-Popstojanova K, Vaidyanathan K, Trivedi KS (2004) A method for modeling and quantifying the security attributes of intrusion tolerant systems. Perform Eval 56(1):167–186
Moran T, Naor M (2006) Receipt-free universally-verifiable voting with everlasting privacy. In: Advances in cryptology - CRYPTO 2006. Springer, pp 373–392
Mundform DJ, Schaffer J, Kim MJ, Shaw D, Thongteeraparp A, Supawan P (2011) Number of replications required in monte carlo simulation studies: a synthesis of four studies. Journal of Modern Applied Statistical Methods 10(1):4
Neumann S, Budurushi J, Volkamer M (2014) Analysis of security and cryptographic approaches to provide secret and verifiable electronic voting, chap 2, pp 27–61. Design, development, and use of secure electronic voting systems. IGI Global
Neumann S, Olembo MM, Renaud K, Volkamer M (2014) Helios verification: to alleviate, or to nominate: is that the question, or shall we have both? In: Electronic government and the information systems perspective. Springer, pp 246–260
Nevo S, Kim H (2006) How to compare and analyse risks of internet voting versus other modes of voting. Electronic Government, an International Journal 3(1):105–112
Ouchani S, Jarraya Y, Mohamed OA (2011) Model-based systems security quantification. In: Ninth annual international conference on privacy, security and trust (PST), 2011. IEEE, pp 142–149
Pardue H, Landry J, Yasinsac A (2010) A risk assessment model for voting systems using threat trees and monte carlo simulation. In: First international workshop on requirements engineering for e-voting systems (RE-VOTE), 2009. IEEE, pp 55–60
Pardue H, Landry JP, Yasinsac A (2011) E-voting risk assessment: a threat tree for direct recording electronic systems. Int J Inf Secur Priv (IJISP) 5(3):19–35
Pardue H, Yasinsac A, Landry J (2010) Towards internet voting security: a threat tree for risk assessment. In: Fifth international conference on risks and security of internet and systems (CRiSIS), 2010. IEEE, pp 1–7
Paulson LC (1997) Proving properties of security protocols by induction. In: Computer security foundations workshop, 1997. Proceedings, 10th. IEEE, pp 70–83
Pereira O (2014) Personal communication
Rubinstein RY, Kroese DP (2011) Simulation and the Monte Carlo method, vol 707. Wiley
Ryan PY, Teague V (2013) Pretty good democracy. In: Security protocols XVII. Springer, pp 111–130
Sampigethaya K, Poovendran R (2006) A framework and taxonomy for comparison of electronic voting schemes. Computers & Security 25(2):137–153
Schryen G, Volkamer M, Ries S, Habib SM (2011) A formal approach towards measuring trust in distributed systems. In: Proceedings of the 2011 ACM symposium on applied computing. ACM, pp 1739–1745
Smyth B (2012) Replay attacks that violate ballot secrecy in Helios. Tech. rep., Cryptology ePrint Archive
Stoneburner G, Goguen A, Feringa A (2002) Risk management guide for information technology systems. Tech. rep., National Institute of Standards and Technology Special Publication 800–30
Vaurio JK (1998) An implicit method for incorporating common-cause failures in system analysis. IEEE Trans Reliab 47(2):173–180
Waters B (2009) Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Advances in cryptology - CRYPTO 2009. Springer, pp 619–636
Zagórski F, Carback RT, Chaum D, Clark J, Essex A, Vora PL (2013) Remotegrity: Design and use of an end-to-end verifiable remote voting system. In: Applied cryptography and network security. Springer Berlin Heidelberg, pp 441–457
Acknowledgments
The authors would like to thank the reviewers for their constructive recommendations, which helped to improve this work significantly.
Additional information
This project (HA project no. 435/14-25) is funded in the framework of Hessen ModellProjekte, financed with funds of LOEWE Landes-Offensive zur Entwicklung Wissenschaftlich-ökonomischer Exzellenz, Förderlinie 3: KMU-Verbundvorhaben (State Offensive for the Development of Scientific and Economic Excellence). Furthermore, the first author is partially funded by CASED project ComVote.
Cite this article
Neumann, S., Volkamer, M., Budurushi, J. et al. SecIVo: a quantitative security evaluation framework for internet voting schemes. Ann. Telecommun. 71, 337–352 (2016). https://doi.org/10.1007/s12243-016-0520-0