Aggelos Kiayias
University of Connecticut
Publication
Featured research published by Aggelos Kiayias.
annual computer security applications conference | 2006
Aggelos Kiayias; Michael Korman; David Walluck
This work introduces the Adder system, an Internet-based, free and open source electronic voting system which employs strong cryptography. Our system is a fully functional e-voting platform and enjoys a number of security properties, such as robustness, trust distribution, ballot privacy, auditability and verifiability. It can readily implement and carry out various voting procedures in parallel and can be used for small scale boardroom/department-wide voting as well as large-scale elections. In addition, Adder employs a flexible voting scheme which allows the system to carry out procedures such as surveys or other data collection activities. Adder offers a unique opportunity to study cryptographic voting protocols from a systems perspective and to explore the security and usability of electronic voting systems.
acm symposium on applied computing | 2013
Russell J. Jancewicz; Aggelos Kiayias; Laurent Michel; Alexander Russell; Alexander A. Shvartsman
This work focuses on the AccuVote Optical Scan voting terminal (AV-OS) that is widely used in US elections. We present a new attack that can be delivered without opening the system enclosure, and without changing a single bit of the system's firmware. The attack is launched by inserting a maliciously programmed AV-OS memory card into the terminal. The card contains binary code that exploits careless runtime memory management in the system's firmware to transfer control to alternate routines stored in the memory card. Once the control is taken by the injected code, the voting system is forced to operate according to the wishes of the attacker. In particular, given that the attack results in the execution of the arbitrary code, an attacker can completely take over AV-OS operation and compromise the results of an election. It is also noteworthy that once a memory card is compromised it can be duplicated using the native function of the voting terminal. In some past elections it was observed that up to 6% of all memory cards were involved in card duplication. There exists a non-trivial possibility that the infection on one memory card can propagate virally to other cards in a given election. This development was performed without access to the source code of the AV-OS system and without access to any internal vendor documentation. We note that this work is performed solely with the purpose of security analysis of AV-OS.
annual computer security applications conference | 2007
Aggelos Kiayias; Laurent Michel; Alexander Russell; Narasimha Shashidhar; Andrew See; Alexander A. Shvartsman; Seda Davtyan
Special purpose trusted computing devices are currently being deployed to offer many services for which the general purpose computing paradigm is unsuitable. The nature of the services offered by many of these devices demands high security and reliability, as well as low cost and low power consumption. Electronic voting machines are a canonical example of this phenomenon. With electronic voting machines currently being used in much of the United States and several other countries, there is a strong need for thorough security evaluation of these devices and the procedures in place for their use. In this work, we first put forth a general framework for special purpose trusted computing devices. We then focus on Optical Scan (OS) electronic voting technology as a specific instance of this framework. OS terminals are a popular e-voting technology with the decided advantage of a user-verified paper trail: the ballot sheets themselves. Still, election results are based on machine-generated totals as well as machine-generated audit reports to validate the voting process. In this paper we present a security assessment of the Diebold AccuVote Optical Scan voting terminal (AV-OS), a popular OS terminal currently in wide deployment anticipating the 2008 Presidential elections. The assessment is developed using exclusively reverse-engineering, without any technical specifications provided by the machine suppliers. We demonstrate a number of security issues that relate to the machine's proprietary language, called AccuBasic, that is used for reporting election results. While this language is thought to be benign, especially given that it is essentially sandboxed by the firmware to have only read access, we demonstrate that it is powerful enough to (i) strengthen known attacks against the AV-OS so that they become undetectable prior to elections (and thus significantly increasing their magnitude) or, (ii) to conditionally bias the election results to reach a desired outcome.
Given the discovered vulnerabilities and attacks we proceed to discuss how random audits can be used to validate with high confidence that a procedure carried out by special purpose devices such as the AV-OS has not been manipulated. We end with a set of recommendations for the design and safe-use of OS voting systems.
IEEE Transactions on Information Forensics and Security | 2009
Tigran Antonyan; Seda Davtyan; Sotiris Kentros; Aggelos Kiayias; Laurent Michel; Nicolas C. Nicolaou; Alexander Russell; Alexander A. Shvartsman
In recent years, two distinct electronic voting technologies have been introduced and extensively utilized in election procedures: direct recording electronic systems and optical scan (OS) systems. The latter are typically deemed safer, as they inherently provide a voter-verifiable paper trail that enables hand-counted audits and recounts that rely on direct voter input. For this reason, OS machines have been widely deployed in the United States. Despite the growing popularity of these machines, they are known to suffer from various security vulnerabilities that, if left unchecked, can compromise the integrity of elections in which the machines are used. This article studies general auditing procedures designed to enhance the integrity of elections conducted with optical scan equipment and, additionally, describes the specific auditing procedures currently in place in the State of Connecticut. We present an abstract view of a typical OS voting technology and its relationship to the general election process. With this in place, we lay down a “temporal-resource” adversarial model, providing a simple language for describing the disruptive power of a potential adversary. Finally, we identify how audit procedures, injected at various critical stages before, during, and after an election, can frustrate such adversarial interference and so contribute to election integrity. We present the implementation of such auditing procedures for elections in the State of Connecticut utilizing the Premiere (Diebold) AccuVote OS; these audits were conducted by the UConn VoTeR Center, at the University of Connecticut, on request of the Office of the Secretary of the State. We discuss the effectiveness of such procedures in every stage of the process and we present results and observations gathered from the analysis of past election data.
financial cryptography | 2010
Aggelos Kiayias; Moti Yung
In this work we present a new paradigm for trust and work distribution in a hierarchy of servers that aims to achieve scalability of work and trust simultaneously. The paradigm is implemented with a decryption capability which is distributed and forces a workflow along a tree structure, enforcing distribution of the workload as well as fairness and partial disclosure (privacy) properties. We call the method “tree-homomorphic” since it extends traditional homomorphic encryption and we exemplify its usage within a large scale election scheme, showing how it contributes to the properties that such a scheme needs. We note that existing design models over which e-voting schemes have been designed for, do not adapt to scale with respect to a combination of privacy and trust (fairness); thus we present a model emphasizing the scaling of privacy and fairness in parallel to the growth and distribution of the election structure. We present two instantiations of e-voting schemes that are robust, publicly verifiable, and support multiple candidate ballot casting employing tree-homomorphic encryption schemes. We extend the scheme to allow the voters in a smallest administrated election unit to employ a security mechanism that protects their privacy even if all authorities are corrupt.
acm symposium on applied computing | 2012
Seda Davtyan; Aggelos Kiayias; Laurent Michel; Alexander Russell; Alexander A. Shvartsman
In recent years, electronic voting systems have been deployed in all U.S. elections. Despite the fact that cryptographic integrity checks are used in most such systems, several reports have documented serious security vulnerabilities of electronic voting terminals. We present an overview of the typical security and election vulnerabilities found in most, if not all, electronic election systems, and present a case study that illustrates such vulnerabilities. Our hands-on security analysis of the AccuVote TSx voting terminal --- used by more than 12 million voters in over 350 jurisdictions in the U.S. --- demonstrates certain new integrity vulnerabilities that are present in the system. We present two attacks based on these vulnerabilities: one attack swaps the votes of two candidates and another erases the name of one candidate from the slate. These attacks do not require modification of the operating system of the voting terminal (as was the case in a number of previous attacks) and are able to circumvent the cryptographic integrity checks implemented in the terminal. The attacks can be launched in a matter of minutes and require only a computer with the capability to mount a PCMCIA card file system (a default capability in most current operating systems). The attacks presented here were discovered through direct experimentation with the voting terminal and without access to any internal documentation or the source code from the manufacturer.
Towards Trustworthy Elections | 2010
Aggelos Kiayias; Moti Yung
Looking at current cryptographic-based e-voting protocols, one can distinguish three basic design paradigms (or approaches): (a) Mix-Networks based, (b) Homomorphic Encryption based, and (c) Blind Signatures based. Each of the three possesses different advantages and disadvantages w.r.t. the basic properties of (i) efficient tallying, (ii) universal verifiability, and (iii) allowing write-in ballot capability (in addition to predetermined candidates). In fact, none of the approaches results in a scheme that simultaneously achieves all three. This is unfortunate, since the three basic properties are crucial for efficiency, integrity and versatility (flexibility), respectively. Further, one can argue that a serious business offering of voting technology should offer a flexible technology that achieves various election goals with a single user interface. This motivates our goal, which is to suggest a new “vector-ballot” based approach for secret-ballot e-voting that is based on three new notions: Provably Consistent Vector Ballot Encodings, Shrink-and-Mix Networks and Punch-Hole-Vector-Ballots. At the heart of our approach is the combination of mix networks and homomorphic encryption under a single user interface; given this, it is rather surprising that it achieves much more than any of the previous approaches for e-voting achieved in terms of the basic properties. Our approach is presented in two generic designs called “homomorphic vector-ballots with write-in votes” and “multi-candidate punch-hole vector-ballots”; both of our designs can be instantiated over any homomorphic encryption function.
usenix workshop on accurate electronic voting technology | 2007
Aggelos Kiayias; Laurent Michel; Alexander Russell; Narasimha Shashidhar; Andrew See; Alexander A. Shvartsman
acm symposium on applied computing | 2009
Seda Davtyan; Sotiris Kentros; Aggelos Kiayias; Laurent Michel; Nicolas C. Nicolaou; Alexander Russell; Andrew See; Narasimha Shashidhar; Alexander A. Shvartsman
conference on electronic voting technology workshop on trustworthy elections | 2009
Tigran Antonyan; Seda Davtyan; Sotiris Kentros; Aggelos Kiayias; Laurent Michel; Nicolas C. Nicolaou; Alexander Russell; Alexander A. Shvartsman