
Individual Verifiability and Revoting in the Estonian Internet Voting System

  • Conference paper
Financial Cryptography and Data Security. FC 2022 International Workshops (FC 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13412)

Abstract

Individual verifiability remains one of the main practical challenges in e-voting systems and, despite the central importance of this property, countries that sought to offer it to their voters faced repeated security problems.

In this note, we revisit this property in the context of the IVXV version of the Estonian Internet voting system, which has been deployed for the Estonian municipal elections of 2017 and for the Estonian and European parliamentary elections of 2019.

We show that a compromised voter device can defeat the individual verifiability mechanism of the current Estonian voting system. Our attack takes advantage of the revoting option that is available in the Estonian voting system, and only requires compromising the voting client application: it does not require compromising the mobile device verification app or any server-side component.

This issue, which has been confirmed by the IVXV system designers, adds to an increasingly long list of failures to offer genuine individual verifiability in Internet voting systems deployed for government elections. It calls for reinforced caution regarding the evidence that is offered for the verifiability of voting systems, especially when verifiability is a property on which the decision to deploy a voting system in government elections is based.

Notes

  1. This is slightly more challenging in the case of the 2013 protocol which uses RSA-OAEP for encryption, compared to the ElGamal encryption used in the IVXV protocol. Indeed, the server would need to obtain the randomness used for encryption in order to produce a different ciphertext encrypted with the same randomness, while ElGamal encryption is just malleable.
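
The malleability this note refers to, shown as an added example (not taken from the paper or from the IVXV code base) using textbook ElGamal over a toy group. The group parameters, message encodings and function names are constructed for illustration.

```python
import secrets

# Toy parameters, constructed for illustration only (far too small for real use):
# P = 2*Q + 1 is a safe prime and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1           # private key in [1, Q-1]
    return x, pow(G, x, P)                     # (private x, public h = g^x)

def encrypt(h, m, r):
    """Textbook ElGamal: (g^r, m * h^r) for a message m in the subgroup."""
    return pow(G, r, P), (m * pow(h, r, P)) % P

def decrypt(x, ct):
    c1, c2 = ct
    # c1 has order Q, so c1^(Q-x) equals c1^(-x)
    return (c2 * pow(c1, Q - x, P)) % P

def maul(ct, t):
    """Turn an encryption of m into an encryption of t*m under the same
    randomness. Only c2 is touched: neither the private key nor r is needed."""
    c1, c2 = ct
    return c1, (c2 * t) % P

def demo():
    x, h = keygen()
    m_a, m_b = pow(G, 5, P), pow(G, 9, P)      # two hypothetical plaintext encodings
    r = secrets.randbelow(Q - 1) + 1
    ct_a = encrypt(h, m_a, r)
    t = (m_b * pow(m_a, -1, P)) % P            # factor m_b / m_a
    ct_b = maul(ct_a, t)                       # computed without using r
    return {
        "differs_from_original": ct_b != ct_a,
        "same_c1": ct_b[0] == ct_a[0],
        "decrypts_to_m_b": decrypt(x, ct_b) == m_b,
        "equals_encryption_of_m_b_with_r": ct_b == encrypt(h, m_b, r),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The last check is the one that matters for the note: the mauled ciphertext is bit-for-bit what an honest encryption of the other message with the original randomness would have produced. RSA-OAEP has no such multiplicative shortcut, which is why the note says the randomness itself would have to be obtained.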

Acknowledgement

We would like to thank Sven Heiberg for confirming that the attack scenario described in this paper would succeed on the current implementation of the IVXV protocol and for his helpful and constructive comments. We would also like to thank Vanessa Teague for so many interesting discussions on the security of voting systems and for her review of a previous version of this document. Finally, we would like to thank the Voting’22 reviewers for their interesting and helpful suggestions. The author was supported by the F.R.S.-FNRS project SeVoTe and by the FEDER-Cryptomedia Project.

Author information

Correspondence to Olivier Pereira.

Copyright information

© 2023 International Financial Cryptography Association

About this paper

Cite this paper

Pereira, O. (2023). Individual Verifiability and Revoting in the Estonian Internet Voting System. In: Matsuo, S., et al. Financial Cryptography and Data Security. FC 2022 International Workshops. FC 2022. Lecture Notes in Computer Science, vol 13412. Springer, Cham. https://doi.org/10.1007/978-3-031-32415-4_21

  • DOI: https://doi.org/10.1007/978-3-031-32415-4_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-32414-7

  • Online ISBN: 978-3-031-32415-4

  • eBook Packages: Computer Science, Computer Science (R0)
