Chris Culnane

A Peered Bulletin Board for Robust Use in Verifiable Voting Systems

The Secure Web Bulletin Board (WBB) is a key component of verifiable election systems. However, there is very little in the literature on their specification, design and implementation, and there are no formally analysed designs. The WBB is used in the context of election verification to publish evidence of voting and tallying that voters and officials can check, and where challenges can be launched in the event of malfeasance. In practice, the election authority has responsibility for implementing the web bulletin board correctly and reliably, and will wish to ensure that it behaves correctly even in the presence of failures and attacks. To ensure robustness, an implementation will typically use a number of peers to be able to provide a correct service even when some peers go down or behave dishonestly. In this paper we propose a new protocol to implement such a Web Bulletin Board, motivated by the needs of the vVote verifiable voting system. Using a distributed algorithm increases the complexity of the protocol and requires careful reasoning in order to establish correctness. Here we use the Event-B modelling and refinement approach to establish correctness of the peered design against an idealised specification of the bulletin board behaviour. In particular we have shown that for n peers, a threshold of t > 2n/3 peers behaving correctly is sufficient to ensure correct behaviour of the bulletin board distributed design. The algorithm also behaves correctly even if honest or dishonest peers temporarily drop out of the protocol and then return. The verification approach also establishes that the protocols used within the bulletin board do not interfere with each other. This is the first time a peered secure web bulletin board suite of protocols has been formally verified.

vVote: A Verifiable Voting System

The Prêt à Voter cryptographic voting system was designed to be flexible and to offer voters a familiar and easy voting experience. In this article, we present our development of the Prêt à Voter design to a practical implementation used in a real state election in November 2014, called vVote. As well as solving practical engineering challenges, we have also had to tailor the system to the idiosyncrasies of elections in the Australian state of Victoria and the requirements of the Victorian Electoral Commission. This article includes general background, user experience, and details of the cryptographic protocols and human processes. We explain the problems, present solutions, then analyze their security properties and explain how they tie in to other design decisions.

A Novel Semi-Fragile Image Watermarking, Authentication and Self-Restoration Technique Using the Slant Transform

A novel semi-fragile digital watermarking method based on the slant transform (SLT) for image authentication and self-restoration is introduced in this paper. The watermark bits are embedded into the middle frequency region of each block after applying SLT of the original image. The original image is further compressed and then embedded into the least significant bits (LSBs) of the watermarked image for subsequent self-restoration. The tampered regions of the watermarked image can be detected and localised by extracting the embedded watermark to compare with the original watermark for authentication. Localised tampered regions are self-recovered by extracting the LSBs of the watermarked image. Results achieved show that the SLT algorithm is more robust, faster and accurate than other transform methods based on the DCT and pinned sine transform. It could survive cut-and-paste attacks with robustness to JPEG attacks up to QF=75 compression prior to image authentication. The tampered regions can be detected with an average 91% detection rate after surviving the compression attack.

Versatile Pret a Voter: Handling Multiple Election Methods with a Unified Interface

A number of end-to-end verifiable voting schemes have been introduced recently. These schemes aim to allow voters to verify that their votes have contributed in the way they intended to the tally and in addition allow anyone to verify that the tally has been generated correctly. These goals must be achieved while maintaining voter privacy and providing receipt-freeness. However, most of these end-to-end voting schemes are only designed to handle a single election method and the voter interface varies greatly between different schemes. In this paper, we introduce a scheme which handles many of the popular election methods that are currently used around the world. Our scheme not only ensures privacy, receipt-freeness and end-to-end verifiability, but also keeps the voter interface simple and consistent between various election methods.

Using a formal analysis technique to identify an unbinding attack on a buyer-seller watermarking protocol

In this paper we provide a novel approach to the analysis of buyer-seller watermarking protocols by tailoring an existing formal technique that has not previously been used in this context. We accurately represent a buyer-seller watermarking protocol as proposed by Ibrahim et al. [6] by constructing a model using the process algebra CSP. By describing our model in this manner and utilising the tool support associated with CSP we are able to conduct a thorough analysis of all the possible behaviour in the protocol. Through formal analysis we have discovered an unbinding attack on the protocol. In this paper we also highlight other weaknesses that exist in the protocol and propose verifiable solutions to correct these weaknesses.

A new multi-set modulation technique for increasing hiding capacity of binary watermark for print and scan processes

In this paper we propose a multi-set modulation technique to increase the hiding capacity within a binary document image. As part of this technique we propose an Automatic Threshold Calculation and Threshold Buffering, Shifted Space Distribution and Letter Space Compensation technique. The Automatic Threshold Calculation is used to distinguish word spaces from letter spaces. The Threshold Buffering is used to reduce the chance of misinterpretation of spaces during the detection phase, following printing and scanning. The Shifted Space Distribution and Letter Space Compensation techniques robustly embed a watermark into the binary document image. The Automatic Threshold Calculation has been shown to be successful in identifying word spaces for different types of fonts and font sizes. The combination of the Shifted Space Distribution, Letter Space Compensation and Threshold Buffering techniques have been shown to create a watermark that is robust to printing and scanning.

Imperceptible printer dot watermarking for binary documents

In this paper we propose a new imperceptible yellow printer dot watermarking scheme for documents printed on a colour printer. The scheme takes advantage of the imperfections of the human visual system to hide thousands of yellow dots over the entire page. It takes inspiration from the methods used by laser printer manufacturers for printer identification. The novelty of our approach is in providing an automatic embedding and detection method that can survive the distortions of printing and scanning. In order to achieve this a new moving window detection method is proposed. An error correction code is employed to handle the errors that could be present following detection. The scheme is evaluated through embedding and detection experiments on different types of documents; including text, architectural drawings and a cartoon. Our scheme offers an embedding capacity of 26,190 bits per page. Experiments were conducted using error correction codes with rates of 1/2, 1/3 and 1/5, given payloads of 13,095, 8,730, and 5,238 bits per A4 page respectively. We are able to successfully recover the watermark in all documents at a rate of 1/2 and 1/5, and in all document except one at 1/3. Further experiments were conducted with a smaller dot size to evaluate the impact it has on our results. With the smaller dot size we were still able to recover the watermarks from all documents when using an error correction code with rate 1/5. The capacity offered by this approach far exceeds the capacity offered by existing binary watermarking schemes, which are robust to printing and scanning. The substantially larger capacity opens up a wider range of possible applications as well as the possibility of using more robust cryptographic techniques for authentication.

Authenticating Binary Text Documents Using a Localising OMAC Watermark Robust to Printing and Scanning

In this paper we propose a new authentication and localisation scheme to produce a watermark which can be embedded in a limited capacity binary text document and that will work in a print and scan environment. The scheme utilises Message Authentication Codes (MAC), specifically OMACs, which create a cryptographic fixed-length summary of a document. An OMAC must be truncated to a form part of our watermark and is used during authentication. The remainder of the watermark is used during localisation. We have created over 2,000,000 watermarks in controlled experiments to evaluate their ability to authenticate a document and localise any changes. In addition, we have embedded an authenticating watermark into seven different documents and authenticated them after printing and scanning.

Trust Implications of DDoS Protection in Online Elections

Online elections make a natural target for distributed denial of service attacks. Election agencies wary of disruptions to voting may procure DDoS protection services from a cloud provider. However, current DDoS detection and mitigation methods come at the cost of significantly increased trust in the cloud provider. In this paper we examine the security implications of denial-of-service prevention in the context of the 2017 state election in Western Australia, revealing a complex interaction between actors and infrastructure extending far beyond its borders.

vVote: Verifiable Electronic Voting in Practice

In Victoria, Australia, the vVote verifiable voting system allowed blind voters and voters in remote locations to cast fully secret ballots in a verifiable way. The new verifiability checks did not impede function or satisfaction in the voting experience.