Verifying anonymity in voting systems using CSP

We present formal definitions of anonymity properties for voting protocols using the process algebra CSP. We analyse a number of anonymity definitions, and give formal definitions for strong and weak anonymity, highlighting the difference between these definitions. We show that the strong anonymity definition is too strong for practical purposes; the weak anonymity definition, however, turns out to be ideal for analysing voting systems. Two case studies are presented to demonstrate the usefulness of the formal definitions: a conventional voting system, and Prêt à Voter, a paper-based, voter-verifiable scheme. In each case, we give a CSP model of the system, and analyse it against our anonymity definitions by specification checks using the Failures-Divergences Refinement (FDR2) model checker. We give a detailed discussion on the results from the analysis, emphasizing the assumptions that we made in our model as well as the challenges in modelling electronic voting systems using CSP.     

基于FOO投票协议的无收据电子投票方案

安全且实用的电子投票协议是信息安全领域的热点问题之一。引入了盲签名、投票编号、申诉标识等工具,提出了一种新的无收据的电子投票方案,该方案进一步完善了FOO投票协议,可保证选票的匿名性、可验证性和无收据性,并且允许投票者中途弃权。该方案不仅保持了原方案的各种优点,而且增强了系统的安全性和灵活性。因此,与其他类似方案相比较,该方案具有更好的通用性和实用性。     

A collision-free secret ballot protocol for computerized general elections

In secret ballot protocols, the unique voting property is crucial since without it a voter may vote more than once or his ballot may collide with others and be discarded by the authority. In this paper we present a collision-free secret ballot protocol based on the uniquely blind signature technique. Our proposed scheme can be used to hold large-scale general elections because it ensures independence among voters without the need for any global computation. This scheme preserves the privacy of a voter against the authority and other voters. Robustness is ensured in that no subset of voters can corrupt or disrupt the election. The verifiability of this protocol ensures that the authority cannot present a false tally without being caught.     

基于同态门限密码体制的投票协议

针对当前存在的投票协议普遍要求一个可信赖的管理机构的问题,提出一种新的投票协议。该协议综合运用同态加密、门限密码体制、盲签名、环签名、零知识证明等密码技术,在假设无人弃权或虽有人弃权但管理者不与其他投票人合谋作弊的情况下,消除了无可信第三方和健壮性共存的矛盾,同时满足了匿名性、合法性、健壮性、可验证性和无可信第三方等安全属性。     

一种嵌入证书的移动投票方法研究

本文提出一种新方法：事先获得颁发无线证书的选民可以使用自己的手机或PDA投票。这种方法允许选民用简单、方便而且保密和匿名的方式表决,不受时间和地点限制,从而增加投票率。     

Remote electronic voting systems: an exploration of voters' perceptions and intention to use

Coupling telephone and web interfaces with computers for balloting outside the polling place, remote electronic voting systems (REVS) give the voter a choice: polling booth, absentee ballot, or remote voting. Not only does this e-Government technology raises issues such as security, voter participation, and accessibility, REVS technologies themselves differ in features and enabling conditions. How users (voters) perceive REVS's availability, mobility, accuracy, privacy protection, and ease of use, is likely to affect their use intention. Intention to use or not to use a voting technology can translate into a decision to vote or not – and there are no ‘do-overs’. We develop a model and report on a survey of potential voters – people waiting to be impaneled on a jury – in regard to the impact of REVS characteristics on voting intentions and how the two most discussed REVS technologies of telephone- and web-based interfaces are perceived.     

基于区块链的安全电子选举方案

当前电子选举方案主要存在两个矛盾点：一是既要保证选举行为的合法合规性,又要保证选举过程的匿名性;二是既要保证选票信息的隐私保密要求,又要保证选举结果的公众可验证性。针对这些矛盾,提出一种基于以太坊区块链和零知识证明的去中心化的安全电子选举方案。在该方案中,利用非交互式零知识证明算法和区块链去中心化架构设计了选民身份合法性零知识证明和选票合法性零知识证明;利用智能合约和Paillier密码体制实现无需可信第三方计票机构的自动计票。理论分析和模拟实验结果表明,在没有中心信任机构的条件下,该方案满足电子选举安全性要求,可应用于小型社区选举。     

Scantegrity: End-to-End Voter-Verifiable Optical- Scan Voting

Scantegrity is a security enhancement for optical scan voting systems. It's part of an emerging class of "end-to-end" independent election verification systems that permit each voter to verify that his or her ballot was correctly recorded and counted. On the Scantegrity ballot, each candidate position is paired with a random letter. Election officials confirm receipt of the ballot by posting the letter that is adjacent to the marked position. Scantegrity is the first voting system to offer strong independent verification without changing the way voters mark optical scan ballots, and it complies with legislative proposals requiring "unencrypted" paper audit records.     

基于列表签名的安全电子投票方案

列表签名是群签名的一个推广,对用户签名的次数作了有效限制并增加了公开检测和公开身份验证。本文基于列表签名提出可用于大规模选举的电子投票方案,任何人都可以对不诚实投票行为进行验证;若不诚实投票者投出超过一张的选票,则任何人都可以通过选票中的签名进行检测并确定不诚实签名者的身份。该方案同时保证了选票的唯一性
性、秘密性、可验证性和公平性,具有较高的通信效率和安全性。     

基于投票的P2P文件真实性认证协议

提出了一种基于电子投票的文件真实性认证协议。需要验证文件真实性的发起者将投票请求发送给多个代理节点,由代理节点泛洪（Flood）投票并收集结果返回给发起者。发起者根据各选区的非重复选票确定文件的真实性。交互过程中使用洋葱路由和路由交换表,实现了发起者匿名、投票者匿名和文件提供者匿名。理论分析和实验表明,用该协议进行文件真实性认证,成功率在95％以上。与已有文件真实性认证协议比较,交互次数大大减少,并提供了参与者匿名。     

ESIV: an end-to-end secure internet voting system

Nowadays, with the growing popularity of e-Government services, security of client platforms and violation of citizen e-rights are of great concerns. Since Internet-voting protocols have no control over voter-side platforms, bribery/coercion and breaching vote’s privacy and voter’s anonymity are feasible. In fact, the voter-side platform (voter’s PC) is easily vulnerable to malicious software (cyber-attacks) and can totally breach security of the entire voting protocol. We have proposed ESIV: an end-to-end secure internet-voting system that highly guarantees: voter and server-side platform’s security, verifiability, fairness, resistance to bribery/coercion and voting authorities collusion besides simultaneous election support while preserving eligibility, anonymity, privacy and trust. In addition, we utilize Java Card 3 technology as an independent secure web-server which is connected directly to network in order to send/receive HTTP(S) requests using high-speed interfaces. This technology brings about independence from utilizing any trusted device at voter-side and provides end-to-end security. Finally, an implementation of ESIV is presented and ESIV security features are evaluated.     

一种Internet上的匿名电子投票协议的研究与设计

文章讨论了一种适合在Internet上进行大范围投票的电子投票协议,这个协议通过传送不可追踪的授权消息允许投票者进行匿名投票。协议保证了以下几点:(1)只有符合条件的投票者可以投票;(2)每个投票者只能投票一次;(3)投票者可以查询他的投票是否生效;(4)除了投票者本人,任何人都不能根据投票找到投票者;(5)如果某个投票者弃权,任何人都不能以他的名义进行投票。     

Voting security and technology

Voting seems like the perfect application for technology, but actually applying it is harder than it first appears. To ensure that voters can vote honestly, they need anonymity, which requires a secret ballot. Through the centuries, different civilizations have done their best with the available technologies. Stones and pottery shards dropped in Greek vases led to paper ballots dropped in sealed boxes. Mechanical voting booths and punch cards replaced paper ballots for faster counting. Now, new computerized voting machines promise even more efficiency, and remote Internet voting promises even more convenience.     

无可信中心的电子投票方案*

给出一个无可信中心的电子投票方案,即使在管理机构和计票机构都不可信的情况下仍能够保证投票的安全性。该方案能够始终保证投票者的匿名性,即使选票公开,任何人都不能确定投票者的身份;解决了选票碰撞的问题,即不同的投票人必定产生不同的选票。     

Practical Internet voting system

Recently, Internet voting systems have gained popularity and have been used for government elections and referendums in the United Kingdom, Estonia and Switzerland as well as municipal elections in Canada and party primary elections in the United States and France. Current Internet voting systems assume either the voter's personal computer is trusted or the voter is not physically coerced. In this paper, we present an Internet voting system, in which the voter's choice remains secret even if the voter's personal computer is infected by malware or the voter is physically controlled by the adversary. In order to analyze security of our system, we give a formal definition of coercion-resistance, and provide security proof that our system is coercion-resistant. In particular, our system can achieve absolute verifiability even if all election authorities are corrupt. Based on homomorphic encryption, the overhead for tallying in our system is linear in the number of voters. Thus, our system is practical for elections at a large scale, such as general elections.     

Quantum anonymous voting with unweighted continuous-variable graph states

Motivated by the revealing topological structures of continuous-variable graph state (CVGS), we investigate the design of quantum voting scheme, which has serious advantages over the conventional ones in terms of efficiency and graphicness. Three phases are included, i.e., the preparing phase, the voting phase and the counting phase, together with three parties, i.e., the voters, the tallyman and the ballot agency. Two major voting operations are performed on the yielded CVGS in the voting process, namely the local rotation transformation and the displacement operation. The voting information is carried by the CVGS established before hand, whose persistent entanglement is deployed to keep the privacy of votes and the anonymity of legal voters. For practical applications, two CVGS-based quantum ballots, i.e., comparative ballot and anonymous survey, are specially designed, followed by the extended ballot schemes for the binary-valued and multi-valued ballots under some constraints for the voting design. Security is ensured by entanglement of the CVGS, the voting operations and the laws of quantum mechanics. The proposed schemes can be implemented using the standard off-the-shelf components when compared to discrete-variable quantum voting schemes attributing to the characteristics of the CV-based quantum cryptography.     

Public opinion's influence on voting system technology

The US general election in 2000 represents a turning point in elections history. A laborious count and analysis of what was statistically a tie vote in Florida decided the highly scrutinized contest for US president. Simultaneously, voting system standards continued evolving, spurred in part by the introduction of new, high-power technologies. These factors, coupled with an unprecedented level of public scrutiny, changed nearly all aspects of the election process. With its recounts, interpretation of voter intent, and presumed problems related to punch-card voting, the 2000 presidential vote triggered the passage of the Help America Vote Act (HAVA) and the massive trend toward direct recording electronic voting systems (DREs). The election process, which had always been taken for granted, now faced intense scrutiny from the media, computer scientists, conspiracy theorists, advocacy groups, and the general public. The US Federal Election Commission approved new voting system standards designed to ensure that election equipment certified for purchase by participating states would be accurate, reliable, and dependable.     

基于一次性环签名的区块链电子投票方案

针对当前电子投票系统在匿名性、透明性、公开计票等方面存在的问题,提出了一种基于一次性环签名和区块链的电子投票方案。通过引入一次性环签名解决了投票者匿名、重复投票、公开验证等问题,通过区块链技术解决了投票过程的公开透明问题,为保证任何人或机构无法在投票结束前获得投票中间结果,引入了匿名地址技术。为提高计票效率,采用密钥共享的方法,对计票算法进行了改进。通过安全和性能分析,该方案符合电子投票系统的基本安全标准。     

Designing Usable Voting Systems for Voters With Hidden Barriers: A Pilot Study

Little research has been conducted considering how to improve the usability of voting systems for people with hidden barriers, including voters with dyslexia, non-native English voters, and voters with arthritis. This article explores usability issues for people with hidden barriers through a series of interviews and usability tests of a web-based Voting Application. First, voters with and without dyslexia preferred using a Helvetica font over custom-designed dyslexia fonts called Lexia Readable and Open Dyslexic. Second, voters whose native language was English, Spanish, or Chinese preferred ballots in their native languages that were written in Plain Language style over ballots written in Traditional Language style. Third, voters with arthritis preferred a multicolumn ballot layout over a scroll ballot layout or multipage ballot layout because voters were able to see all candidates at a glance. Last, voters with arthritis preferred simpler user input devices, and therefore preferred a 2-button or 3-button input device over a 5-button input device. These results serve to inform designers on how to improve voting systems so that they are usable for voters with hidden barriers.     

Computational aspects of strategic behaviour in elections with top-truncated ballots

Understanding when and how computational complexity can be used to protect elections against different manipulative actions has been a highly active research area over the past two decades. Much of this literature, however, makes the assumption that the voters or agents specify a complete preference ordering over the set of candidates. There are many multiagent systems applications, and even real-world elections, where this assumption is not warranted, and this in turn raises a series of questions on the impact of partial voting on the complexity of manipulative actions. In this paper, we focus on two of these questions. First, we address the question of how hard it is to manipulate elections when the agents specify only top-truncated ballots. Here, in particular, we look at the weighted manipulation problem—both constructive and destructive manipulation—when the voters are allowed to specify top-truncated ballots, and we provide general results for all scoring rules, for elimination versions of all scoring rules, for the plurality with runoff rule, for a family of election systems known as Copeland\(^{\alpha }\), and for the maximin protocol. The second question we address is the impact of top-truncated voting on the complexity of manipulative actions in electorates with structured preference profiles. In particular, we consider electorates that are single-peaked and we show how, for many voting protocols, allowing top-truncated voting reimposes the \(\mathcal {NP}\)-hardness shields that normally vanish in such electorates.