In recent decades, a number of electronic voting protocols have been introduced in order to provide secure elections. The Prêt à Voter system (Chaum, Ryan, Schneider 2005) is an example which provides voters with receipts of their votes, yet protects them from coercion and vote selling. Furthermore, the ballot tallying phase is transparent and can be publicly verified. In this paper, we examine the Prêt à Voter system with respect to particular security properties and some known attacks on e-voting systems. We assume the reader is familiar with the Prêt à Voter system.
Security Properties
Identifying security properties is necessary to analyse e-voting systems in a fundamental and abstract way. They are also useful when designing and modelling e-voting prototypes. The literature contains a number of definitions of e-voting security properties; we summarise them as follows:
- Integrity: only eligible voters are accepted by the election authorities, and each eligible voter can cast one and only one ballot. Only valid ballots are included in the tally.
- Privacy: a voter's choice is kept secret unless the voter chooses to reveal it.
- Receipt-freeness and coercion-resistance: these are similar to privacy but much stronger. They require that even if the voter wants to, she has no way to prove to others how she has voted, or that the voter is able to deceive a coercer about how she has voted. Receipt-freeness and coercion-resistance let voters hide how they voted even from a powerful adversary who is trying to coerce them, and therefore prevent voter coercion, intimidation and vote selling.
- Individual verifiability: voters are able to verify that their votes are properly recorded by the election system, and to accuse the election authorities if cheating happens. This is achieved by using receipts.
- Public verifiability: any interested party (including voters) is able to verify that the final result is correctly tallied from the received votes.
- Robustness: the election system can tolerate some participants cheating during the election processes, and is able to recover from the cheating.
- Fairness: tallying information remains secret until the publication phase, so no partial tally is available to voters before they cast their votes.
- Other properties: there are also properties such as convenience, adaptability, mobility, scalability and trust. Convenience requires the system to be user friendly and easy to use without special knowledge, for example click-and-go. Adaptability ensures that no special or expensive equipment is needed for the election. Mobility means that voters are not restricted by physical location when casting their votes. Scalability requires that the size of the election and the number of candidates do not affect performance too much. Trust can be increased by providing better verifiability, which makes the public more confident in the election system.
Our Trust Model
In analysing cryptographic voting protocols, we typically consider two kinds of adversaries: passive adversaries and active adversaries. Passive adversaries only violate the anonymity of the election by finding out the links between voters and their votes. Active adversaries may try to add, delete or alter votes in order to affect the result. Both ordinary voters and election authorities might be adversaries. In the Prêt à Voter system there are three kinds of election authority: ballot generation authorities, registration authorities and ballot tallying authorities (tellers). We suppose there are N voters and that the adversary can control at most N-2 voters, all ballot generation authorities, all registration authorities and fewer than half of the tellers. Voters cast their votes in a secure place and all received votes are published on the bulletin board. The bulletin board is append-only with authenticated writes: nobody can change or remove information once it has been posted. The adversary can read anything published on the bulletin board, but cannot observe the communication between honest voters and the voting booth.
Known Attacks
A number of attacks on e-voting systems have been identified recently (KSW05, RP05, RP06b). Here we group them into three categories: attacks against anonymity, attacks against correctness and attacks against reliability.
Attacks against anonymity:
- Subliminal channel: adversaries agree on some rule in advance in order to extract non-trivial information from apparently trivial information transmitted over a public channel. A subliminal channel can be built whenever an adversary is allowed to choose the random values used to generate that trivial information: the output looks random but is deliberately chosen so that it carries secret information. Subliminal channels can be embedded in digital signatures, for example in the DSA algorithm.
- Ballot duplication: dishonest voters cast copies of some honest voters' ballots, so that the resulting shift in the tally reveals how those honest voters have voted.
- Change the sequence of cryptographic protocols: in some e-voting protocols, voters need to communicate with the election authorities over several rounds in order to cast a vote. The order of these protocol steps is crucial, and failure to follow it can violate the voter's privacy.
- Voters generate ballots by themselves: in some e-voting protocols, voters are required to generate encrypted votes by themselves. However, if voters are coerced to reveal the random values used during the vote generation, their privacy can be violated.
- Chain voting: chain voting attacks can be applied when ballots are generated by election authorities in advance. If adversaries successfully get one blank ballot out of the voting booth, they can use it to coerce many voters. The adversaries can force a certain voter to use this blank ballot to cast her vote and bring out another blank ballot. This attack can be continued until the end of the election.
- Authority knowledge: if ballots are generated by election authorities not in threshold fashion, those election authorities may be able to use that information to read voter's choices.
- Voting booth monitored: if the voting booth is monitored by adversaries using some hidden cameras, voter's privacy can be violated. A similar attack is that if dishonest voters take pictures of their votes, they can prove to adversaries how they have voted.
- Voter's choice leaks out: in some voting protocols, voters have to cast their votes through some equipment. If the equipment is badly designed or has malicious code buried inside it, the voter's choice can be leaked.
- Italian attack: this attack applies only to ranked voting methods, because the number of possible distinct rankings is far larger than the number of voters. A coercer can therefore prescribe a specific, unusual ranking (with the coercer's candidate first) and check whether exactly that ranking appears among the published votes.
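To make the Italian attack concrete, the following Python code is an added illustration and not part of the original analysis. It assumes, as the attack does, that the decrypted rankings are published in full; the candidate names, voter identifiers and published ballots are constructed for the example.

```python
# Added example, not code from the paper: the Italian attack on ranked ballots.
# Candidate names, voter identifiers and the published ballots below are constructed.
from itertools import permutations
from math import factorial

CANDIDATES = ("A", "B", "C", "D", "E", "F", "G", "H")   # constructed 8-candidate race


def ranking_space(n_candidates):
    """Number of distinct complete rankings of n candidates (n!)."""
    return factorial(n_candidates)


def assign_signatures(coerced_voters, candidates, favoured):
    """Give each coerced voter a unique ranking: the coercer's candidate first,
    then one distinct ordering of the remaining candidates (the 'signature')."""
    rest = [c for c in candidates if c != favoured]
    tails = permutations(rest)                  # (n-1)! distinct tails, enumerated lazily
    return {voter: (favoured,) + next(tails) for voter in coerced_voters}


def check_compliance(published_ballots, assignments):
    """Once the decrypted ballots are public, the coercer looks for each assigned
    ranking. Returns the voters whose signature ranking never appeared."""
    seen = {tuple(ballot) for ballot in published_ballots}
    return {voter for voter, ranking in assignments.items() if ranking not in seen}


def demo():
    """Constructed scenario: three coerced voters, two of whom comply."""
    assignments = assign_signatures(["v1", "v2", "v3"], CANDIDATES, "C")
    published = [
        assignments["v1"],                                  # v1 complied
        ("A", "B", "C", "D", "E", "F", "G", "H"),           # other voters' ballots
        ("H", "G", "F", "E", "D", "C", "B", "A"),
        assignments["v2"],                                  # v2 complied
        ("C", "H", "G", "F", "E", "D", "B", "A"),           # v3 put C first but ignored the signature
    ]
    return check_compliance(published, assignments)        # returns {"v3"}
```

With eight candidates there are 40320 complete rankings, so in an election of a few thousand voters most rankings are never cast and a prescribed one acts as a watermark. The attack needs nothing more than the full rankings being public, which a publicly verifiable tally normally requires.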
Attacks against correctness:
- Unreliability of the bulletin board: if the bulletin board is not robust, adversaries can change the information recorded on it in order to alter, add or delete ballots.
- Discarded receipts: voters can verify whether their votes have been correctly recorded by the election system. The receipts are the proof for accusation. However, if some receipts have been discarded, adversaries will know that these votes cannot be audited. Therefore they can change these votes from the bulletin board without being detected.
- Faulty ballot form: in some election systems, if the ballot is not properly constructed, a vote for Alice will be tallied as a vote for Bob. Therefore, the final result will be inaccurate.
- Remove valid ballot: when all received votes are collected, invalid votes should be removed from the final tally. However, if some valid votes have been removed in this process, the final result will be incorrect.
- Faulty ballot recording: the voter's vote has not been properly recorded.
- Faulty ballot tallying: the received votes have not been correctly tallied.
- Faulty authorisation: if some eligible voters are refused the right to cast their votes or some ineligible voters are allowed, the integrity property will be violated.
Attacks against reliability:
- Invalid signature: if the signature on a receipt is not valid, the voter cannot prove that her vote has not been properly recorded, because the receipt is not a valid proof.
- Invalid ballot used: if invalid ballots are used in the election and some of these invalid ballots are discovered in the voting stage (enough to affect the result), the trust by public will be destroyed.
- Denial of service: if some election authorities refuse to perform their tasks during the election phases, the election system might suffer denial of service.
- Early publishing: some faulty election authorities publish the final result in advance. The partial result might affect voters before they cast their votes.
System Perspectives of the Prêt à Voter
In this section we analyse the security of the Prêt à Voter system against each of the attacks introduced above.
Passive attacks:
- Subliminal channel: adversaries may apply the subliminal channel attack to the Prêt à Voter system at two stages. One is the ballot generation stage: the ballot generation authorities can carefully choose the random values so that the encrypted Onion reveals the order of the candidate list without being decrypted. The other is when the registration authorities sign a voter's receipt: they can embed a subliminal channel in the digital signature. The first attack is a threat to the Prêt à Voter system because ballots are not generated in threshold fashion. As for the second attack, if the registration authorities collude with the ballot generation authorities or with more than half of the tellers, they can learn the order of the candidate list simply from the receipt, so this attack might succeed as well.
- Ballot duplication: this attack cannot be applied to the Prêt à Voter system, because each ballot should be unique, there will not be two valid ballots which are identical. Therefore, if there are two identical votes on the bulletin board, the cheating participants will be identified and removed.
- Change the sequence of cryptographic protocols: this is not a problem in the Prêt à Voter system because the voter's task has been reduced to a minimum; voters cast their votes in a single step.
- Voters generate ballots by themselves: this is not a problem because all ballots are generated by the election authorities in advance.
- Chain voting: the chain voting attack will be a problem in the Prêt à Voter system because all ballot forms are generated and printed in advance. An adversary can get an empty ballot out of the voting booth. They can coerce a certain voter to use this ballot to cast her vote and bring out another blank ballot.
- Authority knowledge: in the Prêt à Voter system, ballots are not generated in a threshold fashion, therefore the ballot generation authorities can record all relationships between Onions and the order of the candidate list. Therefore, they are able to read the content of each vote from the receipt or the bulletin board.
- Voting booth monitored: this might be a problem in Prêt à Voter and it cannot be solved by technical means alone. To prevent this attack, it is suggested that the voting booth be examined by trusted third parties and that no voter be allowed to bring digital equipment or cameras into the voting booth.
- Voter's choice leak out: this is not a problem because when casting votes, voters do not need to use any equipment.
- Italian attack: the Prêt à Voter system suffers the Italian attack if it is used in ranked voting methods.
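The first subliminal channel above, in the ballot generation stage, is easy to misjudge as exotic; the following Python code is an added example (not the paper's or the Prêt à Voter project's code) showing how little it takes. A toy single-layer ElGamal encryption with toy parameters stands in for the real multi-layer Onion, and the rule "c1 mod 24 equals the index of the candidate order" is the assumed secret shared between the ballot generation authority and its colluder. The authority simply re-draws the encryption randomness until the ciphertext satisfies the rule; the ciphertext remains a valid encryption, but the colluder reads the candidate order from it without any decryption key.

```python
# Added example, not from the paper: a subliminal channel in the randomness of a toy
# "Onion". Toy ElGamal parameters and a single encryption layer stand in for the real
# multi-layer Onion; the rule "c1 mod 24 = candidate-order index" is the colluders' secret.
import random
from itertools import permutations

P = 2**61 - 1                                   # toy prime modulus (a Mersenne prime)
G = 5                                           # toy base element
CANDIDATES = ("A", "B", "C", "D")
ORDERS = list(permutations(CANDIDATES))         # the 24 possible candidate orders


def keygen(rng):
    """Toy ElGamal key pair (private x, public y = G^x mod P)."""
    x = rng.randrange(2, P - 1)
    return x, pow(G, x, P)


def encrypt(y, m, r):
    """ElGamal ciphertext (G^r, m * y^r) for 1 <= m < P."""
    return pow(G, r, P), (m * pow(y, r, P)) % P


def decrypt(x, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - x, P)) % P      # c1^(-x) via Fermat's little theorem


def honest_onion(y, order_index, rng):
    """Fresh, unconstrained randomness: the ciphertext carries no side information."""
    return encrypt(y, order_index + 1, rng.randrange(1, P - 1))   # +1 keeps m nonzero


def subliminal_onion(y, order_index, rng):
    """Re-draw r until c1 mod 24 equals the candidate-order index. The result is
    still a correct encryption of the same plaintext and looks like any other
    ciphertext, but anyone who knows the rule reads the order off c1."""
    while True:
        ct = encrypt(y, order_index + 1, rng.randrange(1, P - 1))
        if ct[0] % len(ORDERS) == order_index:
            return ct


def leak(ct):
    """The colluder's read-out: no key needed."""
    return ORDERS[ct[0] % len(ORDERS)]


def leak_rate(y, order_index, rng, trials):
    """How often the rule happens to hold for honest onions (about 1 in 24)."""
    hits = sum(leak(honest_onion(y, order_index, rng)) == ORDERS[order_index]
               for _ in range(trials))
    return hits / trials


def demo(seed=7):
    """Deterministic run: one subliminal onion for candidate order 17."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    idx = 17                                    # the order the authority chose for this ballot
    ct = subliminal_onion(y, idx, rng)
    return {
        "decrypts_correctly": decrypt(x, ct) == idx + 1,
        "leaked_order": leak(ct),
        "honest_rate": leak_rate(y, idx, rng, 240),
    }
```

The channel costs the authority about 24 encryption attempts per ballot and costs the colluder nothing. No inspection of the ciphertext alone can tell a subliminal onion from an honest one, which is why the remedy is to take the choice of randomness away from any single authority, as the threshold generation suggested in the conclusion does.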
Active attacks:
- Unreliability of the bulletin board: if the bulletin board is not reliable, many attacks become possible. How to implement a secure and reliable bulletin board is an interesting research topic, but according to our trust model we simply assume that the bulletin board is robust.
- Discarded receipts: some voters might throw away their receipts, or adversaries might force honest voters to surrender them; the adversaries could then replace those valid votes on the bulletin board with other votes. However, the Voter Verifiable Paper Audit Trail (VVPAT) helps prevent this attack: an independent record of all votes is available to the public, so the substitution can be discovered. The Prêt à Voter system is therefore resistant to this attack.
- Faulty ballot form: in the Prêt à Voter system, it is suggested that before the election, sufficient ballots are randomly challenged. The remaining ballots can be used only if no cheating is detected. This method can detect cheating with any required degree of probability. Therefore, the faulty ballot form attack will not be a problem.
- Remove valid ballot: the Prêt à Voter system requires that for any ballot removed from the final tally, the ballot and the reason for spoiling it are recorded on the bulletin board. Therefore, if valid ballots are removed from the final tally, it can be detected.
- Faulty ballot recording: one interesting property of the Prêt à Voter system is that each voter is provided with a receipt. Voters can use their receipts to check whether their votes have been correctly recorded, and accuse the authorities if they cannot find their receipts on the bulletin board. Besides, the VVPAT is another independent record which makes the ballot recording phase publicly verifiable.
- Faulty ballot tallying: the ballot tallying stage is audited and publicly verifiable. Any cheating within this stage will be detected.
- Faulty authorisation: if eligible voters are refused registration, they can accuse the registration authorities to some trusted parties using their proof of identity. The trusted parties can make the judgement according to the election parameters published in the set-up stage. Besides, because a list of all eligible voters will be published, if ineligible voters are allowed to cast votes, it can be detected by public.
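The random challenge described under "Faulty ballot form" is a statistical guarantee, and it is worth seeing what "any required degree of probability" costs. The following Python code is an added example, not from the paper: it computes the probability that an audit of m forms drawn without replacement from M forms catches at least one of k faulty ones (a hypergeometric calculation), and the smallest audit that reaches a required confidence. The numbers used below are constructed.

```python
# Added example, not from the paper: how much random pre-election auditing is needed
# to detect faulty ballot forms. Sampling is without replacement (hypergeometric).
from math import comb


def detection_probability(total, faulty, audited):
    """P(at least one faulty form among `audited` forms drawn uniformly, without
    replacement, from `total` forms of which `faulty` are badly constructed)."""
    if faulty <= 0 or audited <= 0:
        return 0.0
    if audited > total - faulty:
        return 1.0                      # pigeonhole: the sample must contain a faulty form
    return 1.0 - comb(total - faulty, audited) / comb(total, audited)


def audits_needed(total, faulty, confidence):
    """Smallest audit size that detects `faulty` bad forms with probability >= confidence."""
    for m in range(0, total + 1):
        if detection_probability(total, faulty, m) >= confidence:
            return m
    return total


def audit_table(total, faulty_counts, confidence):
    """Audit size required for each assumed number of faulty forms (constructed input)."""
    return {k: audits_needed(total, k, confidence) for k in faulty_counts}
```

For 1000 forms of which 10 are faulty, roughly 370 must be audited for 99% confidence; if only one form is faulty, 990 of the 1000 must be audited. Random pre-election auditing therefore defends against large-scale mis-construction of ballots, not against a single bad form, which is why the receipt check and the bulletin board records above remain necessary alongside it.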
Attacks against reliability:
- Invalid signature: if the registration authorities put an invalid signature on some receipts without the voters noticing immediately, those voters will not have a valid receipt with which to accuse the authorities of incorrect vote recording. Therefore, voters have to check that the signature on their receipt is valid before leaving the voting booth.
- Invalid ballots used: this will be a problem if invalid ballots are used and discovered during the election process. Therefore, we have to assume that all ballots are checked in advance and the ballots used are correctly constructed.
- Denial of service: all election authorities and the bulletin board might deny service. If the ballot generation authorities or the registration authorities refuse to perform their tasks, they can simply be replaced. If some tellers deny service, however, the whole system would stop working. Therefore the Prêt à Voter system requires that the secret key of each teller be distributed among all the other tellers in threshold fashion, so that the election still works unless more than half of the tellers deny service. If the bulletin board breaks down, the VVPAT can be used to recover all the data. The Prêt à Voter system is therefore very robust against denial of service attacks.
- Early publishing: in order to prevent partial result from affecting voters before they cast their votes, we require the ballot tallying stage to start after all voters finish casting their votes. Therefore, if there is at least one honest teller, the early publishing attack can not be applied.
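The threshold distribution of teller keys mentioned under "Denial of service" can be realised with Shamir secret sharing. The following Python code is an added example (not the paper's or the Prêt à Voter project's code) with a toy field size and toy teller identifiers: a teller's secret key is split into one share per other teller with a majority threshold, so any majority of the remaining tellers can reconstruct the key of one that has gone missing, while fewer shares yield nothing about it.

```python
# Added example, not from the paper: Shamir secret sharing of a teller's secret key
# among the other tellers with a majority threshold. The field size, teller ids and
# the key value are toy values chosen for illustration.
import random

PRIME = 2**127 - 1                  # toy prime field (a Mersenne prime)


def majority_threshold(n_tellers):
    """Smallest strict majority of n tellers (for even n, one more than half)."""
    return n_tellers // 2 + 1


def split_secret(secret, holder_ids, threshold, rng=None):
    """Shares (id, f(id)) of a random polynomial f of degree threshold-1 with
    f(0) = secret, one share per holder id (nonzero, distinct integers).
    The leading coefficient is kept nonzero so that too few shares never
    reconstruct the secret by accident."""
    rng = rng or random.SystemRandom()
    coeffs = [secret % PRIME] + [rng.randrange(1, PRIME) for _ in range(threshold - 1)]
    shares = []
    for holder in holder_ids:
        value = 0
        for c in reversed(coeffs):          # Horner evaluation of f(holder)
            value = (value * holder + c) % PRIME
        shares.append((holder, value))
    return shares


def reconstruct(shares):
    """Lagrange interpolation of f(0). With at least `threshold` shares this is
    the secret; with fewer it is a value unrelated to the secret, not an error."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def recoverable(n_tellers, owner, failed_ids, shares):
    """Can the tellers still in service recover `owner`'s key from their shares?"""
    available = [s for s in shares if s[0] not in failed_ids and s[0] != owner]
    return len(available) >= majority_threshold(n_tellers)
```

With five tellers, teller 1's key is shared among tellers 2 to 5 with threshold 3: if tellers 1 and 2 both stop responding, tellers 3, 4 and 5 still hold three shares and can recover it, whereas three failures leave only two shares. The same threshold bounds the adversary, since any majority of tellers can reconstruct a key and decrypt, which is exactly why the trust model requires fewer than half of the tellers to be corrupt.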
Conclusion
According to the analysis above, the Prêt à Voter system is robust against the majority of the attacks considered, but it still has three weak points. The first is in the ballot generation stage: because all ballots are generated and printed in advance and not in threshold fashion, the authority knowledge, subliminal channel and chain voting attacks are possible. A suggested solution is that all ballots be generated in threshold fashion and printed only on demand. The second weak point is that the registration authorities may produce invalid signatures, and it is not realistic to assume that all ordinary voters are able to audit the signature by themselves. One suggestion is that a trusted party be available at the voting booth to help voters check the signature; voter education might be a long-term solution. The third weak point is that if the Prêt à Voter system is used with ranked voting methods, the Italian attack can be applied.
Besides, the security of the Prêt à Voter system depends on four assumptions. The first is that the bulletin board is secure and reliable: if adversaries can change information recorded on the bulletin board, many security properties are violated. The second is that voters cast their votes in a secure place: if the voting booth is monitored by a hidden camera, or voters are allowed to take cameras into the booth, voter privacy is violated and adversaries can coerce voters to vote in a particular way. The third is that more than half of the tellers are honest; otherwise the whole election is under threat of denial of service and, since a majority of tellers can decrypt, of loss of privacy. Last but not least, enough ballots have to be checked by trusted third parties before the election to ensure that the ballots used are correctly generated.