E-voting
Electronic voting is called e-voting and it includes both electronic voting systems as well as electronic systems to verify one's vote.
Such systems can be divided into two categories: supervised systems at polling stations and independent systems. An example for the first category are for example electronic voting machines used in USA, India and Brazil.
The second category consists of independent systems that allow user to vote outside the polling station, for example via a mobile phone or a computer. Estonian e-voting is an example of such system.
E-voting in Estonia
In Estonia e-voting means that a citizen can vote over the internet. Hence, it may be also called i-voting. E-voting has been available in Estonia since 2005.
What is the advantage of i-voting?
- allows to vote from outside the polling station, e.g. at home or from abroad
- increases turnout (convenience: no need to go somewhere)
- decreases the amount of foul play (in case of a perfectly secure system)
- tallying is faster
As statistics shows, e-voting has become more popular year after year:
Elections | Year | Number of e-voters | Percentage of e-voters |
---|---|---|---|
Local government elections | 2005 | 9317 | 1.9% |
Parliamentary elections | 2007 | 30275 | 5.5% |
European Parliament elections | 2009 | 58669 | 14.7% |
Local government elections | 2009 | 104413 | 15.8% |
Parliamentary elections | 2011 | 140846 | 24.3% |
Local government elections | 2013 | 133808 | 21.2% |
European Parliament elections | 2014 | 103151 | 31.3% |
Parliamentary elections | 2015 | 176329 | 30.5% |
Local government elections | 2017 | 186034 | 31,7% |
What is needed for successful e-voting (in Estonia)?
- ID-card or mobile-ID for user authentication and digital signing
- E-voting legislation
- E-voting software
- E-voting support infrastructure (hardware, information security, network communications)
- Organizers
- Informed voters
In Estonia, ID-card is a compulsory document, so all voters are able to electronically authenticate themselves and issue digital signatures. Moreover, e-voting is recognized by legislation. Voting, including e-voting is overseen by the National Electoral Committee (Vabariigi Valimiskomisjon).
Architecture of Estonian e-voting
How does the Estonian e-voting system work? First, we will describe the scope and the parties involved in the process:
We could say that e-voting system contains four main parties: voters, vote collecting servers, vote processing servers, vote tallying server.
Estonian e-voting system uses a so-called double envelope scheme. First, the voter encrypts his vote with the public key of the elections that comes from the election organizer, National Electoral Committee (NEC). This encryption forms the first layer ("envelope") around the vote. Secondly, the encrypted vote is signed using voter's private key, constituting the second layer. The signed and encrypted vote is sent to election server.
In the server, the voter's ID is first checked by verifying the signature on the encrypted vote. The signature is then removed from the vote and the encrypted vote is sent to another server, where the votes are decrypted using the private key of elections and then tallied. It is important to understand that the first server does not have access to the election's private key and hence cannot decrypt the vote. Only anonymous encrypted votes are sent to the second server where they can be decrypted.
Updated version of the Estonian i-voting system (IVXV)
The e-voting system was upgraded in 2017 to increase the security level and overall trustworthiness. Now it is possible to use cryptographic measures to anonymise the votes before they are sent to the tally server. It used to be that the anonymization was provided by server software which removed signatures from the encrypted votes. Previous solution worked but left a possibility to attack the system by malicious insiders who have access to the servers.
Now the voting servers are using mixnets. By using a mixnet it is possible to anonymize the votes. After the signatures are removed from the encrypted votes, they are mixed such that it would not be possible to match the votes and signatures. In addition a mathematical proof is generated that allows to verify that mixing was done correctly. Thus, an insider can not find out how the voters voted. In addition, external auditors can use the proof to check that the mixing did not modify the result and that all encrypted votes were included in the result.
IVXV is using ElGamal instead of RSA. This is needed in order to apply the mixnet as mixing requires that encryption of the votes was done with a cryptosystem that is homomorphic. ElGamal is homomorphic when considering the multiplication operation. This means that by multiplying two encrypted ElGamal ciphertexts we get a ciphertext that is the multiplication of the corresponding plaintexts. I.e., ElGamal encryption has the following property: Enc(m1) * Enc(m2) = Enc(m1 * m2).
The new system provides integrity for the votes, which guarantees that the voting servers are not able to add or remove votes. The integrity is provided by a registration service, which gets a commitment for each cast vote. The registration service could be seen as a bulletin board but it is not public to prevent coercion. However, external auditors can come and audit the commitments of the registration service to make sure that votes from all e-voters are included and that no votes were added.
In addition, the vote verification application also verifies the digital signature of the encrypted and signed vote that is sent by the voting system.
More information about the updated voting system can be found from: General Framework of Electronic Voting and Implementation thereof at National Elections in Estonia (2017)
Vote verification
Vote verification should answer voter's question What happens to my vote after it is cast? Among other, the following questions should be answered:
- Was the vote encrypted and signed correctly?
- Was the vote sent to the server correctly?
- Was the vote correctly received at the server?
- Was the vote correctly counted when tallying?
- Are all the valid votes taken into account in the tally?
- Are there any invalid (fake) votes included in the tally?
The vote verification application, used since 2011, helps to answer the first three questions from this list. The rest of the properties are provided by organizational means not verifiable by each individual voter (see also the list of known problems below). The property of a voting system that allows the individual voter to verify that his or her vote was correctly counted and also allows to verify that the voting system functioned as it was intended (e.g., did not add/remove votes) is called end-to-end verifiability.
Starting from the local government elections in 2017 all the previously mentioned properties should hold. The new system provides a higher security level but some properties are verified by auditors. E.g., voters themselves are not able to verify that their votes were included in the final result. Thus, Estonian i-voting system does not provide end-to-end verifiability.
Potential problems and solutions in Estonian e-voting process
- Voting on someone's behalf
- Solution: it is possible to recast one's vote several times
- Solution: voting by traditional means (on paper) overrides the electronic vote
- A malware changes the vote or does not cast the vote at all
- Solution: a voter can verify if his vote reached the server
- Solution: a massive attack would probably be detected and voting result is cancelled
- Sabotage of e-voting: diminishing the reputation of e-voting by spreading false information. This could result in cancelling the voting result.
- Solution: e-voting process is transparent and verifiable
- It is not possible to verify if all votes are correctly included in the tally
- Partial solution: it is possible to observe the tallying process.
- Solution: in 2017 the voting system was upgraded such that a proof is generated that shows if the votes that were cast were also counted. In case multiple votes were cast by the same voter then the only the last vote will be valid. The proof can only be verified by an auditor and thus the end user can not check if his/her choice was tallied.
Security analysis of the old version of the Estonian e-voting system
In spring 2014, a group of recognized e-voting researchers published a report on Estonian e-voting. The report showed that election organizers have problems with organizational security. Researchers noticed that many procedural rules were not followed correctly or they were lacking altogether. Following such rules is very important to avoid creating any weaknesses in the system. For example, the voting software was developed using developers' personal computers rather than special computers meant for just this task. The most important failure to follow procedural rules took place in 2013 when the vote counting server was unable to write the result to a DVD. As a quick alternative someone's personal USB stick was used to transport the votes. Using a personal USB stick for this purpose makes it theoretically possible to alter the tally by infecting the server with malware.
Secondly, the reporters demonstrated an attack that allows to change the voting outcome by infecting one of the organizers computers with malware. The attack was carried out by infecting the DVD that were to be used to install the operating system on the election servers. It was possible to infect the DVD so that the modification went undetected. The researches disclosed the vulnerability before the elections and this attack is no longer possible. The attack was based on the idea that you always have to trust something and it is almost impossible to create a system that is not based on trusting some components. For example, people have to trust that the software is built correctly, i.e., that the compilers that compile code are not under the control of an attacker. Also, one has to trust the operating system and that the hardware of the computer is not backdoored. An overview of the trust issue is given by Ken Thompson in his famous speech: Reflections on Trusting Trust.
Finally, the researchers pointed out a known problem that user's computers cannot be trusted as they can be infected by malware. For example, it is possible to infect user's computer with a malware that saves the ID-card PIN codes and uses these later to recast the vote. It is difficult for an end user to detect such malware, especially if the attacker is a large nation state with advanced cyber offense capabilities. The vote verification application does not provide protection against this attack as the malware can easily recast the vote after the allowed verification period (provided that the ID-card is in the card reader). Estonian e-voting system allows to recast one's vote infinite number of times and does not notify the voter about the vote being cast again. If the system would notify the voter then it would be easier to buy and sell votes as the notification could be a proof of revoting & changing the sold vote. However, this attack is only possible when the voter is using a regular ID-card reader. If the voter uses a pin-pad based ID-card reader then the attacker is not able to access the PIN codes as the PIN codes do not go though the operating system. This attack also does not work when the voter uses Mobile-ID for vote casting.
Documents
- Press release of the security researcher, May 12, 2014
- Reply by the NAtional Electoral Committee, May 13, 2014
- E-voting is (too) secure, Anto Veldre, CERT-EE (in Estonian)
- Researcher's reply to NEC
- Published research paper, November 2014
E-voting software
The e-voting server-side software is open sourced with the source code available on GitHub: https://github.com/vvk-ehk/ivxv. E-voting client application is downloadable from the elections web site during the pre-election phase. The voting application lets the voter to browse the candidate list and cast a vote.
How to check the authenticity of the voting application?
- Before downloading, verify that you are really on the official web site of the elections. Check that the web site uses HTTPS and study its certificate.
- Check if the downloaded applications hash coincides with the one published in media.
Voting instructions
Specific usage instructions for the voting application are published before the elections.
However, these are four main steps:
- user authentication (ID-card / mobile-ID)
- browsing candidate list and choosing a candidate
- confirming the vote by signing it (ID-card / mobile-ID)
- verifying if the vote reached the server (optional)
Vote verification system
The vote verification system allows the voter to verify if his vote reached the election organizers correctly. Such verification helps against attacks where a malware in the voter's computer changes the vote before sending it to the server. The general idea of the verification system is archived here:
The vote verification application work on iOS, Android and Windows Phone devices that have a camera and internet connection. The verification must be carried out on a separate device independent from the voting device as the latter may be compromised.
Vote verification:
- After a successful voting, a QR-code is shown on the computer screen
- Voter installs the verification app in his smart phone or tablet
- The smart device is used to read the QR-code, after which the device contacts the election server
- The cast vote is shown on the smart device screen
If the vote shown on the screen does not match the cast vote, the election organizers should be contacted. More information can be found from the archived instructions.
Can the vote verification increase vote selling?
Isn't it discriminating if vote verification requires a smart device?
Starting from 2015, the vote verification system is also approved by legislation and now it is possible to use it as an input to apply for revoking the voting results.
Extra reading
- Description of Estonian e-voting system
- Estonian e-voting
- Other info