Bingsheng Zhang,Hong-Sheng Zhou

DOI: https://doi.org/10.1007/978-3-030-32101-7_38

2019-01-01

Abstract:The conventional (election) voting systems, e.g., representative democracy, have many limitations and often fail to serve the best interest of the people in a collective decision-making process. To address this issue, the concept of liquid democracy has been emerging as an alternative decision-making model to make better use of "the wisdom of crowds". However, there is no known cryptographically secure e-voting implementation that supports liquid democracy. In this work, we propose a new voting concept called statement voting, which can be viewed as a natural extension of the conventional voting approaches. In the statement voting, instead of defining a concrete election candidate, each voter can define a statement in his/her ballot but leave the vote "undefined" during the voting phase. During the tally phase, the (conditional) actions expressed in the statement will be carried out to determine the final vote. We initiate the study of statement voting under the Universal Composability (UC) framework, and propose several construction frameworks together with their instantiations. As an application, we show how statement voting can be used to realize a UC-secure liquid democracy voting system. We remark that our statement voting can be extended to enable more complex voting and generic ledger-based non-interactive multi-party computation. We believe that the statement voting concept opens a door for constructing a new class of e-voting schemes.

Aida Manzano Kharman,Ben Smyth,Freddie Page

2023-11-22

Abstract:We formalise definitions of ballot secrecy and ballot independence by Smyth, JCS'21 as indistinguishability games in the computational model of security. These definitions improve upon Smyth, draft '21 to consider a wider class of voting systems. Both Smyth, JCS'21 and Smyth, draft '21 improve on earlier works by considering a more realistic adversary model wherein they have access to the ballot collection. We prove that ballot secrecy implies ballot independence. We say ballot independence holds if a system has non-malleable ballots. We construct games for ballot secrecy and non-malleability and show that voting schemes with malleable ballots do not preserve ballot secrecy. We demonstrate that Helios does not satisfy our definition of ballot secrecy. Furthermore, the Python framework we constructed for our case study shows that if an attack exists against non-malleability, this attack can be used to break ballot secrecy.

Cryptography and Security

Bingsheng Zhang,Hong-Sheng Zhou

DOI: https://doi.org/10.1145/3087801.3087868

2017-01-01

Abstract:The existing (election) voting systems, e.g., representative democracy, have many limitations and often fail to serve the best interest of the people in collective decision making. To address this issue, the concept of liquid democracy has been emerging as an alternative decision-making model to make better use of \"the wisdom of crowds\". Very recently, a few liquid democracy implementations, e.g. Google Votes and Decentralized Autonomous Organization (DAO), are released; however, those systems only focus on the functionality aspect, as no privacy/anonymity is considered. In this work, we, for the first time, provide a rigorous study of liquid democracy under the Universal Composability (UC) frame- work. In the literature, liquid democracy was achieved via two separate stages -- delegation and voting. We propose an efficient liquid democracy e-voting scheme that uni es these two stages. At the core of our design is a new voting concept called statement voting, which can be viewed as a natural extension of the conventional voting approaches. We remark that our statement voting can be extended to enable more complex voting and generic ledger-based non-interactive multi-party computation. We believe that the statement voting concept opens a door for constructing a new class of e-voting schemes.

Reshef Meir,Gal Shahaf,Ehud Shapiro,Nimrod Talmon

DOI: https://doi.org/10.1007/978-3-031-20614-6_15

2024-04-07

Abstract:Voting rules may implement the will of the society when all eligible voters vote, and only them. However, they may fail to do so when sybil (fake or duplicate) votes are present and when only some honest (non sybil) voters actively participate. As, unfortunately, sometimes this is the case, our aim here is to address social choice in the presence of sybils and voter abstention. To do so we build upon the framework of Reality-aware Social Choice: we assume the status-quo as an ever-present distinguished alternative, and study Status-Quo Enforcing voting rules, which add virtual votes in support of the status-quo. We characterize the tradeoff between safety and liveness (the ability of active honest voters to maintain/change the status-quo, respectively) in several domains, and show that the Status-Quo Enforcing voting rules are often optimal. We comment on the applicability of our methods and analyses to the governance of digital communities.

Multiagent Systems,Social and Information Networks

Nikos Chondros,Bingsheng Zhang,Thomas Zacharias,Panos Diamantopoulos,Stathis Maneas,Christos Patsonakis,Alex Delis,Aggelos Kiayias,Mema Roussopoulos

DOI: https://doi.org/10.1016/j.cose.2019.03.001

IF: 5.105

2019-01-01

Computers & Security

Abstract:We present the D-DEMOS suite of distributed, privacy-preserving, and end-to-end verifiable e-voting systems; one completely asynchronous and one with minimal timing assumptions but better performance. Their distributed voting operation is human verifiable; a voter can vote over the web, using an unsafe web client stack, without sacrificing her privacy, and get recorded-as-cast assurance. Additionally, a voter can outsource election auditing to third parties, still without sacrificing privacy. We provide a model and security analysis of the systems, implement prototypes of the complete systems, measure their performance experimentally, demonstrate their ability to handle large-scale elections, and demonstrate the performance trade-offs between the two versions.

Nikos Chondros,Bingsheng Zhang,Thomas Zacharias,Panos Diamantopoulos,Stathis Maneas,Christos Patsonakis,Alex Delis,Aggelos Kiayias,Mema Roussopoulos

DOI: https://doi.org/10.1109/icdcs.2016.56

2015-01-01

Abstract:E-voting systems have emerged as a powerful technology for improving democracy by reducing election cost, increasing voter participation, and even allowing voters to directly verify the entire election procedure. Prior internet voting systems have single points of failure, which may result in the compromise of availability, voter secrecy, or integrity of the election results. In this paper, we present the design, implementation, security analysis, and evaluation of D-DEMOS, a complete e-voting system that is distributed, privacy-preserving and end-to-end verifiable. Our system includes a fully asynchronous vote collection subsystem that provides immediate assurance to the voter her vote was recorded as cast, without requiring cryptographic operations on behalf of the voter. We also include a distributed, replicated and fault-tolerant Bulletin Board component, that stores all necessary election-related information, and allows any party to read and verify the complete election process. Finally, we also incorporate trustees, i.e., individuals who control election result production while guaranteeing privacy and end-to-end-verifiability as long as their strong majority is honest. Our system is the first e-voting system whose voting operation is human verifiable, i.e., a voter can vote over the web, even when her web client stack is potentially unsafe, without sacrificing her privacy, and still be assured her vote was recorded as cast. Additionally, a voter can outsource election auditing to third parties, still without sacrificing privacy. Finally, as the number of auditors increases, the probability of election fraud going undetected is diminished exponentially. We provide a model and security analysis of the system. We implement a prototype of the complete system, we measure its performance experimentally, and we demonstrate its ability to handle large-scale elections.

David Basin,Saša Radomirović,Lara Schmid,Sasa Radomirovic

DOI: https://doi.org/10.1109/csf49147.2020.00009

2020-06-01

Abstract:In voting, disputes arise when a voter claims that the voting authority is dishonest and did not correctly process his ballot while the authority claims to have followed the protocol. A dispute can be resolved if any third party can unambiguously determine who is right. We systematically characterize all relevant disputes for a generic, practically relevant, class of voting protocols. Based on our characterization, we propose a new definition of dispute resolution for voting that accounts for the possibility that both voters and the voting authority can make false claims and that voters may abstain from voting. A central aspect of our work is timeliness: a voter should possess the evidence required to resolve disputes no later than the election’s end. We characterize what assumptions are necessary and sufficient for timeliness in terms of a communication topology for our voting protocol class. We formalize the dispute resolution properties and communication topologies symbolically. This provides the basis for verification of dispute resolution for a broad class of protocols. To demonstrate the utility of our model, we analyze a mixnet-based voting protocol and prove that it satisfies dispute resolution as well as verifiability and receipt-freeness. To prove our claims, we combine machine-checked proofs with traditional pen-and-paper proofs.

Josh Benaloh,Mike Byrne,Philip Kortum,Neal McBurnett,Olivier Pereira,Philip B. Stark,Dan S. Wallach

DOI: https://doi.org/10.48550/arXiv.1211.1904

2012-11-08

Cryptography and Security

Abstract:In her 2011 EVT/WOTE keynote, Travis County, Texas County Clerk Dana DeBeauvoir described the qualities she wanted in her ideal election system to replace their existing DREs. In response, in April of 2012, the authors, working with DeBeauvoir and her staff, jointly architected STAR-Vote, a voting system with a DRE-style human interface and a "belt and suspenders" approach to verifiability. It provides both a paper trail and end-to-end cryptography using COTS hardware. It is designed to support both ballot-level risk-limiting audits, and auditing by individual voters and observers. The human interface and process flow is based on modern usability research. This paper describes the STAR-Vote architecture, which could well be the next-generation voting system for Travis County and perhaps elsewhere.

Tzer-Long Chen,Chia-Hui Liu,Ya-Hui Ou,Yao-Min Huang,Zhen-Yu Wu

DOI: https://doi.org/10.1007/s10207-024-00852-w

2024-05-08

International Journal of Information Security

Abstract:The integrity of electronic voting systems is critical in safeguarding the democratic process worldwide. This study addresses the twin challenges of bribery and coercion that undermine most existing electronic voting systems. Recognizing the limitations of current security measures, which fail to protect voter autonomy even after the disclosure of voting secrets, we propose an innovative level-five secure e-voting system. By integrating an additional setup phase, our system maintains voter volition, ensuring security even when key secrets are compromised. Utilizing cryptographic techniques, blind signatures, and subliminal channels in conjunction with smart card PIN mechanisms, our approach not only bolsters system security but also enhances its potential for widespread adoption. This work underscores the importance of advanced cryptographic methods in developing coercion-resistant electronic voting systems that prioritize voter privacy and choice.

computer science, information systems, theory & methods, software engineering

Denis Mollison

2023-02-10

Abstract:Criteria for a good voting system have been given particularly careful scrutiny in recent years, with general agreement that the core values are fair results, voter power and choice, and local representation. This paper reexamines the basic ideas of three widely used voting systems, the Single Transferable Vote, List-PR, and Mixed Member Proportional (MMP); and evaluates their performance in terms of both principles and practice. It looks particularly closely at proportionality, examining three aspects:n linearity, the threshold for representation and the threshold for gaining a majority. As regards local representation, an important question is how to design multi-member constituencies. It will be argued that using constituencies based on natural demographic boundaries (such as local government areas) can combine better local representation with stability over time and better proportionality. STV is unsurprisingly best for voter empowerment and choice, as those are parts of its basic idea. Broad conclusions are summarised within the Summary on page 1 of the paper. The paper makes use of recent public availability of large preferential voting data sets for STV elections, making possible new analyses of how STV functions in practice, and of voter behaviour, particularly examining how voters' second preferences relate to their first preferences.

Physics and Society,Applications

Odell Hegna

DOI: https://doi.org/10.48550/arXiv.1501.00820

2019-03-11

Abstract:Computers may control safety-critical operations in machines having embedded software. This memoir proposes a regimen to verify such algorithms at prescribed levels of statistical confidence. The United States Department of Defense standard for system safety engineering (MIL-STD-882E) defines development procedures for safety-critical systems. However, a problem exists: the Standard fails to distinguish quantitative product assurance technique from categorical process assurance method for software development. Resulting is conflict in the technical definition of the term risk. The primary goal here is to show that a quantitative risk-based product assurance method exists and is consistent with hardware practice. Discussion appears in two major parts: theory, which shows the relationship between automata and software; and application, which covers demonstration and indemnification. Demonstration is a technique for generating random tests; indemnification converts pass/fail test results to compound Poisson parameters (severity and intensity). Together, demonstration and indemnification yield statistical confidence that safety-critical code meets design intent. Statistical confidence is the keystone of quantitative product assurance. A secondary goal is resolving the conflict over the term risk. The first meaning is an accident model known in mathematics as the compound Poisson stochastic process, and so is called statistical risk. Various of its versions underlie the theories of safety and reliability. The second is called developmental risk. It considers software autonomy, which considers time until manual recovery of control. Once these meanings are separated, MIL-STD-882 can properly support either formal quantitative safety assurance or empirical process robustness, which differ in impact.

Logic in Computer Science

Marie-Laure Zollinger,Peter B. Rønne,Steve Schneider,Peter Y. A. Ryan,Wojtek Jamroga

2024-07-18

Abstract:Voting protocols seek to provide integrity and vote privacy in elections. To achieve integrity, procedures have been proposed allowing voters to verify their vote - however this impacts both the user experience and privacy. Especially, vote verification can lead to vote-buying or coercion, if an attacker can obtain documentation, i.e. a receipt, of the cast vote. Thus, some voting protocols go further and provide mechanisms to prevent such receipts. To be effective, this so-called receipt-freeness depends on voters being able to understand and use these mechanisms. In this paper, we present a study with 300 participants which aims to evaluate the voters' experience of the receipt-freeness procedures in the e-voting protocol Selene in the context of vote-buying. This actually constitutes the first user study dealing with vote-buying in e-voting. While the usability and trust factors were rated low in the experiments, we found a positive correlation between trust and understanding.

Cryptography and Security,Human-Computer Interaction

Kristjan Krips,Nikita Snetkov,Jelizaveta Vakarjuk,Jan Willemson

2023-09-19

Abstract:Assessing and comparing the security level of different voting systems is non-trivial as the technical means provided for and societal assumptions made about various systems differ significantly. However, trust assumptions concerning the involved parties are present for all voting systems and can be used as a basis for comparison. This paper discusses eight concrete voting systems with different properties, 12 types of parties involved, and seven general security goals set for voting. The emerging trust relations are assessed for their criticality, and the result is used for comparison of the considered systems.

Cryptography and Security

Steven Kivinen

DOI: https://doi.org/10.1016/j.jmateco.2024.103061

IF: 0.747

2024-10-01

Journal of Mathematical Economics

Abstract:In the context of voting, Moulin (1980) establishes that anonymity, neutrality, and efficiency are often incompatible unless one accepts indecision (i.e. ties). We show that versions of this incompatibility continue to hold for a natural weakening of anonymity proposed by Bartholdi et al. (2021) called equity . As equity is a relatively weak fairness requirement, the tension between fairness and efficiency in voting is deeper than previously established.

economics,social sciences, mathematical methods,mathematics, interdisciplinary applications

Rowdy Chotkan,Jérémie Decouchant,Johan Pouwelse

DOI: https://doi.org/10.48550/arXiv.2208.05339

2022-08-10

Distributed, Parallel, and Cluster Computing

Abstract:Self-Sovereign Identity (SSI) aspires to create a standardised identity layer for the Internet by placing citizens at the centre of their data, thereby weakening the grip of big tech on current digital identities. However, as millions of both physical and digital identities are lost annually, it is also necessary for SSIs to possibly be revoked to prevent misuse. Previous attempts at designing a revocation mechanism typically violate the principles of SSI by relying on central trusted components. This lack of a distributed revocation mechanism hampers the development of SSI. In this paper, we address this limitation and present the first fully distributed SSI revocation mechanism that does not rely on specialised trusted nodes. Our novel gossip-based propagation algorithm disseminates revocations throughout the network and provides nodes with a proof of revocation that enables offline verification of revocations. We demonstrate through simulations that our protocol adequately scales to national levels.

Alexander Ek,Philip B. Stark,Peter J. Stuckey,Damjan Vukcevic

DOI: https://doi.org/10.1007/978-3-031-43756-4_3

2023-10-05

Abstract:An election audit is risk-limiting if the audit limits (to a pre-specified threshold) the chance that an erroneous electoral outcome will be certified. Extant methods for auditing instant-runoff voting (IRV) elections are either not risk-limiting or require cast vote records (CVRs), the voting system's electronic record of the votes on each ballot. CVRs are not always available, for instance, in jurisdictions that tabulate IRV contests manually. We develop an RLA method (AWAIRE) that uses adaptively weighted averages of test supermartingales to efficiently audit IRV elections when CVRs are not available. The adaptive weighting 'learns' an efficient set of hypotheses to test to confirm the election outcome. When accurate CVRs are available, AWAIRE can use them to increase the efficiency to match the performance of existing methods that require CVRs. We provide an open-source prototype implementation that can handle elections with up to six candidates. Simulations using data from real elections show that AWAIRE is likely to be efficient in practice. We discuss how to extend the computational approach to handle elections with more candidates. Adaptively weighted averages of test supermartingales are a general tool, useful beyond election audits to test collections of hypotheses sequentially while rigorously controlling the familywise error rate.

Applications,Cryptography and Security,Computers and Society,Methodology

Ivana Stančíková,Ivan Homoliak

DOI: https://doi.org/10.48550/arXiv.2206.06019

2022-06-13

Abstract:Decentralized electronic voting solutions represent a promising advancement in electronic voting. One of the e-voting paradigms, the self-tallying scheme, offers strong protection of the voters' privacy while making the whole voting process verifiable. Decentralized smart contract platforms became interesting practical instantiation of the immutable bulletin board that this scheme requires to preserve its properties. Existing smart contract-based approaches employing the self-tallying scheme (such as OVN or BBB-Voting) are only suitable for a boardroom voting scenario due to their scalability limitation. The goal of our work is to build on existing solutions to achieve scalability without losing privacy guarantees and verifiability. We present SBvote, a blockchain-based self-tallying voting protocol that is scalable in the number of voters and therefore suitable for large-scale elections. The evaluation of our proof-of-concept implementation shows that the protocol's scalability is limited only by the underlying blockchain platform. We evaluated the scalability of SBvote on two public smart contract platforms -- Gnosis and Harmony. Despite the limitations imposed by the throughput of the blockchain platform, SBvote can accommodate elections with millions of voters.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Bingsheng Zhang,Zengpeng Li,Jan Willemson

DOI: https://doi.org/10.48550/arXiv.2109.01994

2021-09-05

Abstract:Estonian Internet voting has been used in national-wide elections since 2005. However, the system was initially designed in a heuristic manner, with very few proven security guarantees. The Estonian Internet voting system has constantly been evolving throughout the years, with the latest version (code-named IVXV) implemented in 2018. Nevertheless, to date, no formal security analysis of the system has been given. In this work, for the first time, we provide a rigorous security modeling for the Estonian IVXV system as a ceremony, attempting to capture the effect of actual human behavior on election verifiability in the universal composability (UC) framework. Based on the voter behavior statistics collected from three actual election events in Estonia, we show that IVXV achieves end-to-end verifiability in practice despite the fact that only $4\%$ (on average) of the Estonian voters audit their ballots.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Formal Languages and Automata Theory

Anne Broadbent,Alain Tapp

DOI: https://doi.org/10.48550/arXiv.0806.1931

2008-06-12

Abstract:We present three voting protocols with unconditional privacy and information-theoretic correctness, without assuming any bound on the number of corrupt voters or voting authorities. All protocols have polynomial complexity and require private channels and a simultaneous broadcast channel. Our first protocol is a basic voting scheme which allows voters to interact in order to compute the tally. Privacy of the ballot is unconditional, but any voter can cause the protocol to fail, in which case information about the tally may nevertheless transpire. Our second protocol introduces voting authorities which allow the implementation of the first protocol, while reducing the interaction and limiting it to be only between voters and authorities and among the authorities themselves. The simultaneous broadcast is also limited to the authorities. As long as a single authority is honest, the privacy is unconditional, however, a single corrupt authority or a single corrupt voter can cause the protocol to fail. Our final protocol provides a safeguard against corrupt voters by enabling a verification technique to allow the authorities to revoke incorrect votes. We also discuss the implementation of a simultaneous broadcast channel with the use of temporary computational assumptions, yielding versions of our protocols achieving everlasting security.

Cryptography and Security

Sebastian Müller,Andreas Penzkofer,Darcy Camargo,Olivia Saa

DOI: https://doi.org/10.48550/arXiv.2012.08313

2020-12-15

Abstract:Voting algorithms have been widely used as consensus protocols in the realization of fault-tolerant systems. These algorithms are best suited for distributed systems of nodes with low computational power or heterogeneous networks, where different nodes may have different levels of reputation or weight. Our main contribution is the construction of a fair voting protocol in the sense that the influence of the eventual outcome of a given participant is linear in its weight. Specifically, the fairness property guarantees that any node can actively participate in the consensus finding even with low resources or weight. We investigate effects that may arise from weighted voting, such as loss of anonymity, centralization, scalability, and discuss their relevance to protocol design and implementation.

Distributed, Parallel, and Cluster Computing,Probability