Study on poll-site voting and verification systems
Introduction
From the birth of democracy in Athens in 6th Century BC and the first form of electoral laws, electoral systems have been designed and developed according to variations in practice of democratic governments worldwide.
The elections process consists in choosing a person or party, a candidate, to represent all the members of a community (e.g., a company, a state or a country). For a candidate, winning the elections carries a big responsibility in terms of representation, but it is also very attractive for some other reasons (e.g., funds, ability of changing existing rules and laws). Therefore, there might be some individuals interested in diverting elections' results and easing the victory of a certain candidate.
However, it is a difficult task to check whether the elections' results correspond to the voters' preferences while ensuring voter secrecy and anonymity. In other words, elections must be verifiable and, the vote must be secret and not linked to the voter. For instance, if voter Alice votes for candidate Bob, any another person must not be able to deduce Alice's preferences from the elections process and results, but instead, anyone must be able to verify the correctness of the whole voting process. Therefore, verifiability becomes one of the most important elections' attribute to provide trustworthiness in the elections' results to both candidates and voters.
Verifying that elections' results correspond to voters' preferences depends on the voting system. From the location point of view, most of the existing systems are based on poll sites, where voters attend specific places in order to vote. Remote voting systems (such as mail or Internet voting systems) are also an alternative.
From the ballot perspective, traditional voting systems use ballots in paper format with standardized list of candidates. They were first introduced in the state of Victoria, Australia, in 1856 (Bellis, 2009). Paper ballots contain all the necessary information to vote for a specific candidate, in a human-readable format. Thus, in the vote counting or tally, any person can verify whether the ballot is correct and, if so, to which candidate it relates. However, the main drawbacks of traditional voting systems are that all operations are manual and their economic and logistic costs are elevated. Moreover, the tally process where votes are counted can turn in a long procedure susceptible to human errors, especially when the voting system is complex.
More modern voting solutions incorporate electronic devices to mainly accelerate the tally process and overcome the problems introduced by human errors (Barrat Esteve, 2006), and also improve accessibility for disabled and illiterate voters. First initiatives appeared in 1964 in some states of the USA, which used punchcards and computer tally machines (Bellis, 2009). Broadly speaking, this kind of solutions can use different technologies, ranging from punchcards, optical scanners (to scan ballots), cryptographic techniques and direct-recording electronic (DRE) voting terminals.
Electronic voting (e-voting) systems effectively reduce the cost of traditional approaches, nevertheless, they also pose other kinds of challenges to elections verifiability. In this way, the work presented in Kohno and Stubblefield (2004) analyzes some relevant attacks which can be applied to e-voting infrastructures and also who could perform them. That information is summarized in Table 1.
These attacks may compromise the verifiability of a system For example, let us assume that Alice scans her ballot in an optical-scanner-based (opscan) voting system. Let us also consider that a poll worker with enough access rights discards Alice's scanned ballot without informing her. After elections, if no proof of that scanning was provided to Alice, she or any other independent observer, could not be sure whether her electronic ballot has been eliminated or modified after her ballot casting.
In addition to verifiability issues, security holes in the technology used to implement an e-voting infrastructure may also jeopardize the voter anonymity. Note that, a system that allows a certain individual to link a vote with the voter opens the door to coercibility attacks (i.e., a voter might be coerced into voting for a particular candidate). As a conclusion, ideal e-voting schemes should consider these issues in order to provide proper verifiability, ensure voter anonymity and reduce the costs in comparison with the traditional voting approaches.
Despite these additional challenges and problems, the trend is clear and firm toward using electronic voting means (E-Voting.CC and Competence Center for Electronic Voting and Participation, 2009), in particular, not only electronic tally, but also electronic vote casting (Barrat Esteve, 2006). On the one hand, this fact means that there are more verification challenges as the voting system becomes more computationally complex. On the other hand, this kind of e-voting system may be significantly helpful for disabled and illiterate citizens. At the same time, the use of electronic voting technologies may reduce the economic and logistic costs of elections and consultations, while enabling geographically distributed citizens to vote.
Therefore, the verifiability of the voting system becomes essential for trustworthy elections. This capability is commonly considered under three different points of view, which lead to individual, universal and end-to-end types of verifications. Briefly speaking, individual verification allows voters to check that their individual ballots are correctly cast and counted. From the system point of view, universal verification allows voters, electoral and third parties to inspect that the elections' results correspond to cast ballots. The aim is to ensure that the whole voting process is performed correctly, which, in turn, leads to trustworthy elections' results. In traditional voting systems, both verifications can be achieved by a set of procedures (i.e., manual operations addressed by elections officials, or also by independent entities and observers from candidates). On the other hand, in e-voting systems this is achieved by a mix of procedures and mainly, technologies. A later enhanced property is the end-to-end (E2E) verifiability. From the voter point of view, in an E2E verifiable voting system, a voter can check that her ballot is correctly cast and counted in the final tally. The goal is to increase the voters' confidence in the elections' results. Note that this property was hardly supportable in traditional voting systems, since the voter Alice concluded her interaction with the voting system when casting the ballot in the ballot box. However, new designs of voting systems and modern technologies facilitate an E2E voter verifiable voting process.
This survey presents a fair comparison of the verifiability of 16 complete voting systems and 2 partial solutions which can be divided into two main categories: paper-based and electronic-based. They are also named as voting verification systems (VVSs). The motivation behind this decision is that, nowadays, poll-site-based voting systems are the most common ones.
In this paper, the U.S. HAVA guidelines are used to perform a preliminary classification of all the analyzed VVSs. This step groups the different schemes according to similar fundamental features and allows their fair comparison. HAVA (Help America Vote Act) is a United States federal law (U.S. Congress, 2002) that pursues three main goals: (i) replace punchcard and lever-based voting systems; (ii) create the Election Assistance Commission to assist in the administration of Federal elections; and (iii) establish minimum elections administration standards. The HAVA classification requires VVSs to provide proofs that allow voters and other observers to verify that the voting process has not been tampered with. Therefore, e-voting schemes not providing this kind of proofs are discarded and not addressed in this paper.
Certain voting schemes used in some emerging countries (Monteiro et al., 2001) are examples of this last situation. These approaches are based on the use of DREs and the integrity and confidentiality of their voting processes uniquely depend on the security of the electronic voting terminals themselves and the trustworthiness of the elections officers. This also includes the trustworthiness of the certifications applied on the DREs.
These measures are insufficient to comply with the U.S. HAVA guidelines and, hence, they are not considered in this survey. Nevertheless, due to its scale and impact, it is worth to mention the e-voting scheme used in Brazil. In 2000, this country completed the first completely automated elections using DREs (electronic voting terminals) (Riebeek, 2002). As explained above, the integrity and security of the whole voting process depend on the integrity of the DREs and the electoral officers who manage them. Even though the provision of printed receipts to the voters was initially considered to be used in elections scheduled after 2003, it was finally discarded in favor of digitally recording the votes and storing them in the DREs (being only accessible to the electoral officials). Other security measures provided by the electoral authorities focuses on showing that the DREs count the votes properly. Nevertheless, these measures are based on monitoring a subset of DREs leaving the rest of voting terminals unsupervised (Brunazzo and Rezende, 2010) and, hence, susceptible of being tampered with. In addition to that, external observers are not allowed to check the integrity of the software used in the DREs (Rezende, 2010). As a result, some experts have expressed their concerns about the security properties provided by this particular e-voting scheme (Rezende, 2010; Camargo, 2005).
The contribution of this work is threefold:
- 1.
Definition of a common evaluation framework (including 15 VVS characteristics) to fairly compare all systems.
- 2.
Study and comparison of 18 notable voting systems.
- 3.
Analysis of current and future trends in voting schemes and technology.
Document structure. The next section introduces the necessary background for the present work. Section 3 presents the evaluation framework. We then present a selection of notable paper-based voting verification systems (VVSs) (Section. 4) and their analysis (Section 6.1). In the same way, highlighting electronic VVSs are introduced (Section 5) and analyzed (Section 6.2). The following main point presented in Section 6.3 is the analysis of observed trends. Finally, Section 7 presents the concluding remarks of this work.
Section snippets
Background
In this study, we consider the standard voting process composed of the following phases: (i) voter registration and identification, (ii) vote casting using ballots and (iii) vote tally, where all ballots are securely tabulated and unbiased results are made publicly available. The voting process also includes all procedures and technologies to reliably address the consultations or elections. Fig. 1 shows a diagram of this standard process which includes some internal procedures.
In the following
Common evaluation framework
In this section, we introduce the classification of the properties that we extract from the set of systems under consideration. All of them constitute the single, structured evaluation framework that we use to ease their comparison and analysis.
Paper-based VVSs: presentation and classification
In this section, we collect the most notable voting solutions based on paper in Fig. 5. The idea behind these VVSs is that they require paper ballots for voting and/or verification purposes. From the HAVA classification, we present two kinds of VVSs: direct and E2E.
Electronic-based VVSs: presentation and classification
We present the evaluated electronic based VVSs in Fig. 6. The idea behind them is that they depend primarily on e-voting procedures, even though some of them may have paper receipts to provide E2E verifiability, in order to offer higher confidence to voters. From the HAVA classification, we present solutions on three out of the four types: process separation-, evidence- and end-to-end cryptography-based.
Study and comparison of VVSs
In this section, we introduce the analysis of the considered VVSs by type (Section 6.1 for paper-based and Section 6.2 for electronic-based ones) and the study of the synergies of voting systems and cryptographic technologies (Section 6.3).
Conclusions
In this paper, we have presented an evaluation framework, common for all systems, in order to conduct a fair study among paper- and electronic-based voting verification systems (VVSs). To do so, we have proceeded as follows: (i) we have defined a classification of VVSs, (ii) we have specified an evaluation framework (combining 15 characteristics from VVSs), (iii) we have selected and analyzed a notable set of 18 VSSs (from both commercial and academic worlds), and (iv) we have extracted
Acknowledgments
Authors thanks to Ronald L. Rivest for his comments and suggestions. Authors are solely responsible for the views expressed in this paper, which do not necessarily reflect the position of UNESCO nor commit that organization. This work was partly supported by the Spanish Ministry of Science and Innovation (through projects eAEGIS TSI2007-65406-C03-01, CO-PRIVACY TIN2011-27076-C03-01, ARES-CONSOLIDER INGENIO 2010 CSD2007-00004 and Audit Transparency Voting Process IPT-430000-2010-31), by the
Roger Jardí-Cedó (Tivissa, Catalonia, 1985) is part of the research support staff at the Rovira i Virgili University, in particular, of the eVerification research project, which focuses on putting e-voting verifiability. He is member of the UNESCO Chair in Data Privacy. He obtained his titles in Computer Systems Engineering in 2007 and in Computer Science Engineering in 2009, both at the Rovira i Virgili University. Currently, he is a Ph.D. student in Computer Science since 2009. His research
References (86)
- et al.
Minimum disclosure proofs of knowledge
J Comput Syst Sci
(1988) - et al.
Ballot casting assurance
- et al.
Scratch & vote: self-contained paper-based cryptographic voting
- et al.
State-wide elections, optical scan voting systems, and the pursuit of integrity
Trans Inf Forensic Secur
(2009) - et al.
Everlasting security in the bounded storage model
Inf Theory IEEE Trans
(jun 2002) VoteHere VHTi: a verifiable e-voting protocol
(2004)- Barrat Esteve J. A preliminary question: is e-voting actually useful for our democratic institutions? What do we need...
The history of voting machines
(November 2009)Ballot casting assurance via voter-initiated poll station auditing
- et al.
Shuffle-sum: coercion-resistant verifiable tallying for stv voting
Trans Inf Forensic Secur
(2009)
Enhancing electronic voting machines on the example of bingo voting
Trans Inf Forensic Secur
Bingo voting: secure and coercion-free voting using a trusted random number generator
Security measures for Brazil's e-vote – act two: parallel testing
Scantegrity: end-to-end voter-verifiable optical-scan voting
IEEE Secur Priv
Accessible voter-verifiability
Cryptologia
Scantegrity II: end-to-end verifiability by voters of optical scan elections through confirmation codes
IEEE Trans Inf Forensics Secur
Untraceable electronic mail, return addresses, and digital pseudonyms
Commun ACM
Secret-ballot receipts: true voter-verifiable elections
IEEE Secur Priv
A robust and verifiable cryptographically secure election scheme
Vote by mail: voting historical background
Map of electronic democracy
Mod Democr
A public key cryptosystem and a signature scheme based on discrete logarithms
Voluntary voting system guidelines
iVote
Three case studies from Switzerland: e-voting
How to prove all np-statements in zero-knowledge, and a methodology of cryptographic protocol design
The effectiveness of receipt-based attacks on ThreeBallot
Trans Inf Forensic Secur
Analysis of an electronic voting system
Proc IEEE Symp Secur Priv
Internet voting at the election of local government councils on October 2005
Split-ballot voting: everlasting privacy with distributed trust
ACM Trans Inf Syst Secur
Receipt-free universally-verifiable voting with everlasting privacy
Cited by (6)
Leveraging Secured E-Voting Using Decentralized Blockchain Technology
2023, Internet of ThingsBlockchain for Fool-Proof E-Voting Systems
2022, Lecture Notes in Networks and SystemsRVBT: A Remote Voting Scheme Based on Three-Ballot
2020, Proceedings - 2020 16th International Conference on Computational Intelligence and Security, CIS 2020Exploring the use of biometric smart cards for voters' accreditation: A case study of Nigeria electoral process
2020, International Journal on Advanced Science, Engineering and Information TechnologyApplication of Secret Sharing Based on Random Linear Block Code in Electronic Voting
2019, Gongcheng Kexue Yu Jishu/Advanced Engineering Sciences
Roger Jardí-Cedó (Tivissa, Catalonia, 1985) is part of the research support staff at the Rovira i Virgili University, in particular, of the eVerification research project, which focuses on putting e-voting verifiability. He is member of the UNESCO Chair in Data Privacy. He obtained his titles in Computer Systems Engineering in 2007 and in Computer Science Engineering in 2009, both at the Rovira i Virgili University. Currently, he is a Ph.D. student in Computer Science since 2009. His research focuses on cryptography and e-voting security. He has published 3 works and has taken part in 4 research projects.
Jordi Pujol-Ahulló obtained on September 2002 his B.S. degree in Computer Science Engineering (Software speciality). On June 2005 he obtained his M.S. degree in Computer Science Engineering. Both degrees were attained at Universitat Rovira i Virgili. He obtained his PhD in January 2010 in the University of Murcia. During his PhD he also an invited researcher at the University of Trento (Italy) with Alberto Montresor. His current research topics are cryptography and security.
Jordi Castellà-Roca (Menàrguens, Catalonia, 1975) is tenured assistant professor at Rovira i Virgili University, he is member of the UNESCO Chair in Data Privacy. He got his title of Engineer in Computer Systems from University of Lleida in 1998, the title of Engineer in Computer Science from Rovira i Virgili University in 2000 and Ph.D. in Computer Science from the Autonomous University of Barcelona in 2005. His research focuses on the fields of cryptography and privacy. He has published over 35 works, is co-author of six patents, and has participated in 24 research projects (main researcher in six of them).
Alexandre Viejo is a tenure-track lecturer at Rovira i Virgili University (Tarragona, Spain). He received his Ph.D. in Computer Science from Rovira i Virgili University in 2008. He received a Master in Telematics Engineering from the Technical University of Catalonia (Barcelona, Spain) in 2007. He got his M.Sc. in Computer Engineering from Rovira i Virgili University in 2005. In 2009, he was a researcher at Humboldt-Universität zu Berlin (Berlin, Germany). His fields of activity are data privacy, data security and cryptographic protocols.