USENIX Workshop on Accurate Electronic Voting Technology 

About: USENIX Workshop on Accurate Electronic Voting Technology is an academic conference. The conference publishes majorly in the area(s): Voting & Ballot. Over the lifetime, 16 publications have been published by the conference receiving 870 citations.

Security analysis of the diebold AccuVote-TS voting machine

Abstract: This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities--a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine's hardware and software and the adoption of more rigorous election procedures.

Three voting protocols: ThreeBallot, VAV, and twin

Abstract: We present three new paper-based voting methods with interesting security properties. Our goal is to achieve the same security properties as recently proposed cryptographic voting protocols, but using only paper ballots and no cryptography. From a security viewpoint we get reasonably close, particularly for short ballots. However, our proposals should probably be considered as more "academic" than "practical." In these proposals, not only can each voter verify that her vote is recorded as intended, but she gets a "receipt" she can take home that can be used later to verify that her vote is actually included in the final tally. But her receipt does not allow her to prove to anyone else how she voted. All ballots cast are scanned and published in plaintext on a "public bulletin board" (web site), so anyone may correctly compute the election result. In ThreeBallot, each voter casts three paper ballots, with certain restrictions on how they may be filled out. These paper ballots are of course "voter-verifiable." A voter receives a copy of one of her ballots as her "receipt", which she may take home. Only the voter knows which ballot she copied for her receipt. The voter is unable to use her receipt to prove how she voted or to sell her vote, as the receipt doesn't reveal how she voted. A voter can check that the web site contains a ballot matching her receipt. Deletion or modification of ballots is thus detectable; so the integrity of the election is verifiable. VAV is like ThreeBallot, except that the ballot-marking rules are different: one ballot may "cancel" another (VAV = Vote/Anti-Vote/Vote). VAV is better suited to - i.e. yields better security properties for - Plurality and preference (Borda, Condorcet, IRV) voting, while ThreeBallot is better suited for Approval and Range voting. Finally, we introduce "Floating Receipts," wherein voters may take home a copy of another voter's ballot. (She doesn't know whose ballot, though.) Floating Receipts are well-tuned to the security requirements of ThreeBallot-like schemes, and we examine protocols for achieving them. Our final voting system, Twin, is based almost entirely on Floating Receipts. Each voter casts a single ballot and takes home a single receipt. Twin is quite simple and close to being practical.

Ballot casting assurance via voter-initiated poll station auditing

Abstract: The technology for verifiable, open-audit elections has advanced substantially since research on this topic began a quarter century ago. Many of the problems are well-understood and have solid solutions. Ballot casting assurance -- the problem of ensuring that a programmatically encrypted ballot matches the intentions of an individual human voter -- has recently been recognized as perhaps the last substantial obstacle to making this technology fully viable. Several clever schemes have been developed to engage humans in interactive proofs to challenge and check validity of each ballot cast, but such a high standard may be neither practical nor necessary. If done properly, substantial integrity can be obtained by giving voters and observers the option to challenge ballot validity without requiring all voters to do so. This option can be made unobtrusive so as to not interfere with the normal process for most voters, but there are numerous risks and subtleties that necessitate a careful examination of the process. This paper identifies some heretofore unobserved issues with this "simple" method of casting ballots and describes a detailed process that mitigates all known threats. In doing so, it provides a blueprint for how verifiable, open-audit elections can reasonably be conducted in practice.

On estimating the size and confidence of a statistical audit

Abstract: We consider the problem of statistical sampling for auditing elections, and we develop a remarkably simple and easily-calculated upper bound for the sample size necessary for determining with probability at least c if a given set of n objects contains fewer than b "bad" objects. While the size of the optimal sample drawn without replacement can be determined with a computer program, our goal is to derive a highly accurate and simple formula that can be used by election officials equipped with only a hand-held calculator. We actually develop several formulae, but the one we recommend for use in practice is: U3(n, b, c) = ⌈(n - (b - 1)/2) ċ (1 - (1 - c)1/b)⌉ = ⌈(n - (b - 1)/2) ċ (1 - exp(ln(1 - c)/b))⌉ As a practical matter, this formula is essentially exact: we prove that it is never too small, and empirical testing for many representative values of n ≤ 10,000, and b ≤ n/2, and c ≤ 0.99 never finds it more than one too large. Theoretically, we show that for all n and b this formula never exceeds the optimal sample size by more than 3 for c ≤ 0.9975, and by more than (-ln(1 - c))/2 for general c.

Studying the Nedap/Groenendaal ES3B voting computer: a computer security perspective

Abstract: The Nedap/Groenendaal ES3B voting computer is being used by 90% of the Dutch voters. With very minor modifications, the same computer is also being used in parts of Germany and France. In Ireland the use of this machine is currently on hold after significant doubts were raised concerning its suitability for elections. This paper details how we installed new software in Nedap ES3B voting computers. It details how anyone, when given brief access to the devices at any time before the election, can gain complete and virtually undetectable control over the election results. It also shows how radio emanations from an unmodified ES3B can be received at several meters distance and used to tell what is being voted. We conclude that the Nedap ES3B is unsuitable for use in elections, that the Dutch regulatory framework surrounding e-voting currently insufficiently addresses security, and we pose that not enough thought has been given to the trust relationships and verifiability issues inherent to DRE class voting machines.