Springer Nature is making SARS-CoV-2 and COVID-19 research free. View research | View latest news | Sign up for updates

SecIVo: a quantitative security evaluation framework for internet voting schemes

  • 270 Accesses

  • 1 Citations


Voting over the Internet is subject to a number of security requirements. Each voting scheme has its own bespoke set of assumptions to ensure these security requirements. The criticality of these assumptions depends on the election setting (e.g., how trustworthy the voting servers or the voting devices are). The consequence of this is that the security of different Internet voting schemes cannot easily be compared. We have addressed this shortcoming by developing SecIVo, a quantitative security evaluation framework for Internet voting schemes. On the basis of uniform adversarial capabilities, the framework provides two specification languages, namely qualitative security models and election settings. Upon system analysis, system analysts feed the framework with qualitative security models composed of adversarial capabilities. On the other side, election officials specify their election setting in terms of—among others—expected adversarial capabilities. The framework evaluates the qualitative security models within the given election setting and returns satisfaction degrees for a set of security requirements. We apply SecIVo to quantitatively evaluate Helios and Remotegrity within three election settings. It turns out that there is no scheme which outperforms the other scheme in all settings. Consequently, selecting the most appropriate scheme from a security perspective depends on the environment into which the scheme is to be embedded.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2
Fig. 3


  1. 1.

    Knowing in advance to the election which voters will cast identical votes is at least very hard.

  2. 2.

    The IACR deploys an n-out-of-n secret sharing scheme [24].


  1. 1.

    Adida B (2008) Helios: web-based open-audit voting. In: USENIX security symposium, pp 335–348

  2. 2.

    Allan R, Billinton R, de Oliveira MF (1976) An efficient algorithm for deducing the minimal cuts and reliability indices of a general network configuration. IEEE Trans Reliab 25(4):226–233

  3. 3.

    Almasizadeh J, Azgomi MA (2009) Intrusion process modeling for security quantification. In: 2009 Fourth international conference on availability, reliability and security (ARES). IEEE, pp 114–121

  4. 4.

    Armando A, Compagna L (2004) Satmc: a sat-based model checker for security protocols. In: Logics in artificial intelligence. Springer, pp 730–733

  5. 5.

    Aven T (1985) Reliability/availability evaluations of coherent systems based on minimal cut sets. Reliab Eng 13(2):93–104

  6. 6.

    Bannister F, Connolly R (2007) A risk assessment framework for electronic voting. Int J Technol Policy Manag 7(2):190–208

  7. 7.

    Basin D, Mödersheim S, Vigano L (2005) Ofmc: a symbolic model checker for security protocols. Int J Inf Secur 4(3):181–208

  8. 8.

    Bella G, Paulson LC, Massacci F (2002) The verification of an industrial payment protocol: the set purchase phase. In: Proceedings of the 9th ACM conference on computer and communications security. ACM, pp 12–20

  9. 9.

    Benaloh J, Quisquater JJ, Vaudenay S (2010) IACR 2010 election report

  10. 10.

    Binder K (1986) Introduction: theory and technical aspects of Monte Carlo simulations. Springer

  11. 11.

    Biondi F, Legay A (2015) Quantitative anonymity evaluation of voting protocols. In: Software engineering and formal methods, lecture notes in computer science. Springer International Publishing, pp 335–349

  12. 12.

    Budurushi J, Neumann S, Olembo MM, Volkamer M (2013) Pretty understandable democracy-a secure and understandable internet voting scheme. In: 2013 Eighth international conference on availability, reliability and security (ARES). IEEE, pp 198– 207

  13. 13.

    Buldas A, Mägi T (2007) Practical security analysis of e-voting systems. In: Advances in information and computer security. Springer, pp 320–335

  14. 14.

    Canetti R, Halevi S, Katz J (2003) A forward-secure public-key encryption scheme. In; Advances in cryptologyeurocrypt 2003. Springer, pp 255–271

  15. 15.

    Carlos MC, Martina JE, Price G, Custódio RF (2013) An updated threat model for security ceremonies. In: Proceedings of the 28th Annual ACM symposium on applied computing. ACM, pp 1836–1843

  16. 16.

    Cetinkaya O (2008) Analysis of security requirements for cryptographic voting protocols. In: 2008 Third international conference on availability, reliability and security (ARES). IEEE, pp 1451–1456

  17. 17.

    Chaum D, Carback R, Clark J, Essex A, Popoveniuc S, Rivest RL, Ryan PY, Shen E, Sherman AT (2008) Scantegrity ii: end-to-end verifiability for optical scan election systems using invisible ink confirmation codes. EVT 8:1–13

  18. 18.

    Chaum DL (1981) Untraceable electronic mail, return addresses, and digital pseudonyms. Commun ACM 24(2):84–90

  19. 19.

    Clarkson MR, Chong S, Myers AC (2007) Civitas: a secure voting system. Tech. rep., Cornell University

  20. 20.

    Coney L, Hall JL, Vora PL, Wagner D (2005) Towards a privacy measurement criterion for voting systems. In: Proceedings of the 2005 national conference on Digital government research. Digital Government Society of North America, pp 287–288

  21. 21.

    Cortier V, Galindo D, Glondu S, Izabachène M (2014) Election verifiability for helios under weaker trust assumptions. In: Computer security-ESORICS 2014. Springer, pp 327–344

  22. 22.

    Cortier V, Galindo D, Glondu S, Izabachne M (2013) A generic construction for voting correctness at minimum cost—application to helios. IACR Cryptology ePrint Archive 2013:177

  23. 23.

    Cortier V, Smyth B (2013) Attacking and fixing helios: an analysis of ballot secrecy. J Comput Secur 21(1):89–148

  24. 24.

    Cuvelier E, Pereira O, Peters T (2013) Election verifiability or ballot privacy: Do we need to choose?. In: Computer Security–ESORICS 2013. Springer, pp 481–498

  25. 25.

    Delaune S, Kremer S, Ryan M (2006) Coercion-resistance and receipt-freeness in electronic voting. In: Computer Security Foundations Workshop, 2006. 19th IEEE. IEEE, pp 12–pp

  26. 26.

    Delaune S, Kremer S, Ryan M (2009) Verifying privacy-type properties of electronic voting protocols. J Comput Secur 17:435–487. doi:http://dx.doi.org/10.3233/JCS-2009-0340

  27. 27.

    Dolev D, Yao AC (1983) On the security of public key protocols. IEEE Trans Inf Theory 29(2):198–208

  28. 28.

    Driels MR, Shin YS (2004) Determining the number of iterations for monte carlo simulations of weapon effectiveness. Tech. rep., DTIC Document

  29. 29.

    EAC Advisory Board and Standards Board (2009) Threat trees and matrices and threat instance risk analyzer (tira)

  30. 30.

    Fujioka A, Okamoto T, Ohta K (1993) A practical secret voting scheme for large scale elections. In: Advances in CryptologyAUSCRYPT’92. Springer, pp 244–251

  31. 31.

    Fuqua N (1987) Reliability engineering for electronic design, vol 34. CRC Press

  32. 32.

    Haber S, Benaloh J, Halevi S (2010) The helios e-voting demo for the IACR. International Association for Cryptologic Research. http://www.iacr.org/elections/eVoting/heliosDemo.pdf

  33. 33.

    IACR: IACR 2010 Election (2010). https://vote.heliosvoting.org/helios/elections/85db4808-cc46-11df-a972-12313f025959/view

  34. 34.

    IACR: A short explanation of helios for cryptographers (2010). http://www.iacr.org/elections/2010/HeliosForCryptographers.html

  35. 35.

    IACR: About the Helios System (2016). http://www.iacr.org/elections/eVoting/about-helios.html

  36. 36.

    Iida Y, Wakabayashi H (1989) An approximation method of terminal reliability of road network using partial minimal path and cut sets. In: Transport policy, management & technology towards 2001: selected proceedings of the fifth world conference on transport research, vol 4

  37. 37.

    Juels A, Catalano D, Jakobsson M (2005) Coercion-resistant electronic elections. In: Proceedings of the 2005 ACM workshop on privacy in the electronic society. ACM, pp 61–70

  38. 38.

    Kahn J, Linial N, Samorodnitsky A (1996) Inclusion-exclusion: exact and approximate. Combinatorica 16(4):465–477

  39. 39.

    Kim HM, Nevo S (2008) Development and application of a framework for evaluating multi-mode voting risks. Internet Research 18(1):121–135

  40. 40.

    Kremer S, Ryan M, Smyth B (2010) Election verifiability in electronic voting protocols. In: ESORICS, lecture notes in computer science, vol 6345. Springer, pp 389–404

  41. 41.

    Küsters R, Truderung T (2009) An epistemic approach to coercion-resistance for electronic voting protocols. In: 30th IEEE symposium on Security and privacy (SP), 2009. IEEE, pp 251–266

  42. 42.

    Küsters R, Truderung T, Vogt A (2010) Accountability: definition and relationship to verifiability. In: Proceedings of the 17th ACM conference on computer and communications security. ACM, pp 526–535

  43. 43.

    Küsters R, Truderung T, Vogt A (2011) Verifiability, privacy, and coercion-resistance: new insights from a case study. In: IEEE symposium on security and privacy (SP), 2011. IEEE, pp 538–553

  44. 44.

    Küsters R, Truderung T, Vogt A (2012) Clash attacks on the verifiability of e-voting systems. In: 33rd IEEE symposium on security and privacy (SP), 2012. IEEE, pp 395–409

  45. 45.

    Landau DP, Binder K (2014) A guide to Monte Carlo simulations in statistical physics. Cambridge University Press

  46. 46.

    Langer L (2010) Privacy and verifiability in electronic voting. Ph.D. thesis, TU Darmstadt

  47. 47.

    Lauer TW (2004) The risk of e-voting. Electronic Journal of e-Government 2:177–186

  48. 48.

    Lee WS, Grosh DL, Tillman FA, Lie CH (1985) Fault tree analysis, methods, and applications: a review. IEEE Trans Reliab 34(3):194–203

  49. 49.

    Luna J, Suri N, Krontiris I (2012) Privacy-by-design based on quantitative threat modeling. In: Seventh international conference on risk and security of internet and systems (CRiSIS), 2012. IEEE, pp 1–8

  50. 50.

    Madan BB, Goševa-Popstojanova K, Vaidyanathan K, Trivedi KS (2004) A method for modeling and quantifying the security attributes of intrusion tolerant systems. Perform Eval 56(1):167–186

  51. 51.

    Moran T, Naor M (2006) Receipt-free universally-verifiable voting with everlasting privacy. In: Advances in cryptology-CRYPTO 2006. Springer, pp 373–392

  52. 52.

    Mundform DJ, Schaffer J, Kim MJ, Shaw D, Thongteeraparp A, Supawan P (2011) Number of replications required in monte carlo simulation studies: a synthesis of four studies. Journal of Modern Applied Statistical Methods 10(1):4

  53. 53.

    Neumann S, Budurushi J, Volkamer M (2014) Analysis of security and cryptographic approaches to provide secret and verifiable electronic voting, chap 2, pp 27–61. Design, development, and use of secure electronic voting systems. IGI Global

  54. 54.

    Neumann S, Olembo MM, Renaud K, Volkamer M (2014) Helios verification: to alleviate, or to nominate: is that the question, or shall we have both?. In: Electronic government and the information systems perspective. Springer, pp 246– 260

  55. 55.

    Nevo S, Kim H (2006) How to compare and analyse risks of internet voting versus other modes of voting. Electronic Government, an International Journal 3(1):105–112

  56. 56.

    Ouchani S, Jarraya Y, Mohamed OA (2011) Model-based systems security quantification. In: Ninth annual international conference on privacy, security and trust (PST), 2011. IEEE, pp 142–149

  57. 57.

    Pardue H, Landry J, Yasinsac A (2010) A risk assessment model for voting systems using threat trees and monte carlo simulation. In: First international workshop on requirements engineering for e-voting systems (RE-VOTE), 2009. IEEE, pp 55–60

  58. 58.

    Pardue H, Landry JP, Yasinsac A (2011) E-voting risk assessment: a threat tree for direct recording electronic systems. Int J Inf Secur Priv (IJISP) 5(3):19–35

  59. 59.

    Pardue H, Yasinsac A, Landry J (2010) Towards internet voting security: a threat tree for risk assessment. In: Fifth international conference on risks and security of internet and systems (CRiSIS), 2010. IEEE, pp 1–7

  60. 60.

    Paulson LC (1997) Proving properties of security protocols by induction. In: Computer security foundations workshop, 1997. Proceedings, 10th. IEEE, pp 70–83

  61. 61.

    Pereira O (2014) Personal communication

  62. 62.

    Rubinstein RY, Kroese DP (2011) Simulation and the Monte Carlo method, vol 707. Wiley

  63. 63.

    Ryan PY, Teague V (2013) Pretty good democracy. In: Security protocols XVII. Springer, pp 111–130

  64. 64.

    Sampigethaya K, Poovendran R (2006) A framework and taxonomy for comparison of electronic voting schemes. Computers & Security 25(2):137–153

  65. 65.

    Schryen G, Volkamer M, Ries S, Habib SM (2011) A formal approach towards measuring trust in distributed systems. In: Proceedings of the 2011 ACM symposium on applied computing. ACM, pp 1739–1745

  66. 66.

    Smyth B (2012) Replay attacks that violate ballot secrecy in Helios. Tech. rep., Cryptology ePrint Archive

  67. 67.

    Stoneburner G, Goguen A, Feringa A (2002) Risk management guide for information technology systems. Tech. rep., National Institute of Standards and Technology Special Publication 800–30

  68. 68.

    Vaurio JK (1998) An implicit method for incorporating common-cause failures in system analysis. IEEE Trans Reliab 47(2):173–180

  69. 69.

    Waters B (2009) Dual system encryption: realizing fully secure ibe and hibe under simple assumptions. In: Advances in Cryptology-CRYPTO 2009. Springer, pp 619–636

  70. 70.

    Zagórski F, Carback RT, Chaum D, Clark J, Essex A, Vora PL (2013) Remotegrity: Design and use of an end-to-end verifiable remote voting system. In: Applied cryptography and network security. Springer Berlin Heidelberg, pp 441–457

Download references


The authors would like to thank the reviewers for their constructive recommendations, which helped to improve this work significantly.

Author information

Correspondence to Stephan Neumann.

Additional information

This project (HA project no. 435/14-25) is funded in the framework of Hessen ModellProjekte, financed with funds of LOEWE Landes-Offensive zur Entwicklung Wissenschaftlich-ökonomischer Exzellenz, Förderlinie 3: KMU-Verbundvorhaben (State Offensive for the Development of Scientific and Economic Excellence). Furthermore, the first author is partially funded by CASED project ComVote.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Neumann, S., Volkamer, M., Budurushi, J. et al. SecIVo: a quantitative security evaluation framework for internet voting schemes. Ann. Telecommun. 71, 337–352 (2016). https://doi.org/10.1007/s12243-016-0520-0

Download citation


  • Internet voting
  • Security evaluation
  • Security requirements