Lecture Notes in Computer Science 5767 CommencedPublicationin1973 FoundingandFormerSeriesEditors: GerhardGoos,JurisHartmanis,andJanvanLeeuwen EditorialBoard DavidHutchison LancasterUniversity,UK TakeoKanade CarnegieMellonUniversity,Pittsburgh,PA,USA JosefKittler UniversityofSurrey,Guildford,UK JonM.Kleinberg CornellUniversity,Ithaca,NY,USA AlfredKobsa UniversityofCalifornia,Irvine,CA,USA FriedemannMattern ETHZurich,Switzerland JohnC.Mitchell StanfordUniversity,CA,USA MoniNaor WeizmannInstituteofScience,Rehovot,Israel OscarNierstrasz UniversityofBern,Switzerland C.PanduRangan IndianInstituteofTechnology,Madras,India BernhardSteffen UniversityofDortmund,Germany MadhuSudan MicrosoftResearch,Cambridge,MA,USA DemetriTerzopoulos UniversityofCalifornia,LosAngeles,CA,USA DougTygar UniversityofCalifornia,Berkeley,CA,USA GerhardWeikum Max-PlanckInstituteofComputerScience,Saarbruecken,Germany PeterY.A. Ryan Berry Schoenmakers (Eds.) E-Voting and Identity Second International Conference,VOTE-ID 2009 Luxembourg, September 7-8, 2009 Proceedings 1 3 VolumeEditors PeterY.A.Ryan UniversityofLuxembourg Luxembourg E-mail:[email protected] BerrySchoenmakers TechnicalUniversityofEindhoven Eindhoven,TheNetherlands E-mail:[email protected] LibraryofCongressControlNumber:Appliedfor CRSubjectClassification(1998):E.3,D.4.6,K.6.5,C.2,J.1,K.4.4 LNCSSublibrary:SL4–SecurityandCryptology ISSN 0302-9743 ISBN-10 3-642-04134-5SpringerBerlinHeidelbergNewYork ISBN-13 978-3-642-04134-1SpringerBerlinHeidelbergNewYork Thisworkissubjecttocopyright.Allrightsarereserved,whetherthewholeorpartofthematerialis concerned,specificallytherightsoftranslation,reprinting,re-useofillustrations,recitation,broadcasting, reproductiononmicrofilmsorinanyotherway,andstorageindatabanks.Duplicationofthispublication orpartsthereofispermittedonlyundertheprovisionsoftheGermanCopyrightLawofSeptember9,1965, initscurrentversion,andpermissionforusemustalwaysbeobtainedfromSpringer.Violationsareliable toprosecutionundertheGermanCopyrightLaw. springer.com ©Springer-VerlagBerlinHeidelberg2009 PrintedinGermany Typesetting:Camera-readybyauthor,dataconversionbyScientificPublishingServices,Chennai,India Printedonacid-freepaper SPIN:12748914 06/3180 543210 Preface These proceedings containthe papers presented at VoteID 2009,the Second In- ternationalConferenceonE-votingandIdentity.TheconferencewasheldinLux- embourgduringSeptember7–8,2009,hostedbytheUniversityofLuxembourg. VoteID 2009built onthe successofthe 2007edition heldinBochum.Events havemovedondramaticallyinthe interveningtwoyears:atthe time ofwriting, people are in the streets of Tehran protesting against the claimed outcome of theJune12thpresidentialelectioninIran.Bannersbearingthewords“Whereis myvote?”beartestimonytothe strengthoffeelingandtheneedforelectionsto be trusted. These events showthat the searchfor high-assurancevotingis nota purely academic pursuit but one of very real importance. We hope that VoteID 2009willhelp contributeto ourunderstanding ofthe foundations ofdemocracy. TheProgramCommitteeselected11papersforpresentationattheconference out of a total of 24 submissions. Each submission was reviewed by at least four Program Committee members. The EasyChair conference management system proved instrumental in the reviewing process as well as in the preparation of these proceedings. The selected papers cover a wide range of aspects of voting: proposals for high-assurancevotingsystems,evaluationofexistingsystems,assessmentofpub- lic response to electronic voting and legal aspects. The programalso included a keynote by Mark Ryan. We would like to thank everyonewho helped in making this conference hap- pen. First of all thanks to the authors for submitting their work and thanks to the members of the Program Committee and the external reviewers for their efforts. Many thanks as well to the local organizers for hosting the conference, with special thanks to Hugo Jonker who served both as General Chair of the conferenceandas a member ofthe ProgramCommittee. Finally,we shouldalso like to thank the FNR in Luxembourg for their generous sponsorship of the workshop that allowed us to extend invites to the two speakers as well as fund a number of student stipends. July 2009 Peter Ryan Berry Schoenmakers VOTE ID 2009 September 7–8, 2009,Luxembourg General Chair Hugo Jonker University of Luxembourg, Luxembourg Local Organization Baptiste Alcalde University of Luxembourg, Luxembourg Ragga Eyjolfsdottir University of Luxembourg, Luxembourg Program Chairs Peter Ryan University of Luxembourg, Luxembourg Berry Schoenmakers Technical University of Eindhoven, The Netherlands Program Committee Mike Alvarez Caltech, USA Josh Benaloh Microsoft Research, USA Ian Brown University of Oxford, UK David Chaum USA Michael Clarkson Cornell University, USA Lorrie Faith Cranor Carnegie Mellon University, USA Peter Emerson de Borda Institute, Ireland Jeroen van de Graaf Universidade Federal de Ouro Preto, Brazil Dimitris Gritzalis University of the Aegean, Greece Bart Jacobs Radboud University, The Netherlands Hugo Jonker University of Luxembourg, Luxembourg Steve Kremer LSV ENS Cachan, France Robert Krimmer evoting.cc, Austria Olivier Pereira Universite Catholique de Louvain, Belgium Andreas Pfitzmann Technical University of Dresden, Germany Josef Pieprzyk Macquarie University, Australia Bart Preneel Katholieke Universiteit Leuven, Belgium Mark Ryan University of Birmingham, UK Ahmad-Reza Sadeghi Ruhr University Bochum, Germany Ronald Rivest MIT, USA VIII Organization Kazue Sako NEC, Japan Ted Selker MIT, USA Jacques Traor´e France Telecom, France Melanie Volkamer Technical University of Darmstadt, Germany Dan Wallach Rice University, USA External Reviewers Roberto Araujo Rainer Boehme Benjamin Kellermann Stefan Ko¨psell Lucie Langer Dimitrios Lekkas Hans L¨ohr Olivier de Marneffe Lilian Mitrou Axel Schmidt Matt Smart Ben Smyth Marianthi Theoharidou Joe-Kai Tsay Bill Tsoumas Table of Contents Not-So Hidden Information: Optimal Contracts for Undue Influence in E2E Voting Systems.............................................. 1 Jeremy Clark, Urs Hengartner, and Kate Larson Masked Ballot Voting for Receipt-Free Online Elections............... 18 Roland Wen and Richard Buckland Improving and Simplifying a Variant of Prˆet `a Voter ................. 37 Ralf Ku¨sters, Tomasz Truderung, and Andreas Vogt Implications of Graphics on Usability and Accessibility for the Voter ... 54 Benjamin Smith, Sharon Laskowski, and Svetlana Lowry Assessing Voters’ Attitudes towards Electronic Voting in Latin America: Evidence from Colombia’s 2007 E-Voting Pilot .............. 75 R. Michael Alvarez, Gabriel Katz, Ricardo Llamosa, and Hugo E. Martinez Developing a Legal Framework for Remote Electronic Voting .......... 92 Axel Schmidt, Dennis Heinson, Lucie Langer, Zoi Opitz-Talidou, Philipp Richter, Melanie Volkamer, and Johannes Buchmann VeryVote: A Voter Verifiable Code Voting System.................... 106 Rui Joaquim, Carlos Ribeiro, and Paulo Ferreira Minimum Disclosure Counting for the Alternative Vote ............... 122 Roland Wen and Richard Buckland A Design of Secure Preferential E-Voting............................ 141 Kun Peng and Feng Bao RIES - Rijnland Internet Election System: A Cursory Study of Published Source Code ........................................... 157 Rop Gonggrijp, Willem-Jan Hengeveld, Eelco Hotting, Sebastian Schmidt, and Frederik Weidemann Combatting Electoral Traces: The Dutch Tempest Discussion and beyond ......................................................... 172 Wolter Pieters Author Index.................................................. 191 Not-So Hidden Information: Optimal Contracts for Undue Influence in E2E Voting Systems Jeremy Clark, Urs Hengartner, and Kate Larson Cheriton School of Computer Science Universityof Waterloo Waterloo, ON,Canada, N2L 3G1 {j5clark,uhengart,klarson}@cs.uwaterloo.ca Abstract. This paper considers coercion contracts in voting systems with end-to-end (E2E) verifiability. Contracts are a set of instructions that an adversary can dictate to a voter, either through duress or by offeringpayment,thatincreasetheprobabilityofacompliantvotercon- structing a vote for the adversary’s preferred candidate. Using a repre- sentativeE2E system,weplacetheattacksin game-theoretictermsand study the effectiveness of three proposed contracts from the literature. We offer a definition of optimality for contracts, provide an algorithm forgeneratingoptimalcontracts,andshowthatasthenumberofcandi- dates increases, the adversary’s advantage through the use of contracts decreases. Wealsoconsidertheuseofcontractsinaheterogeneouspop- ulation of voters and for financially constrained adversaries. 1 Introduction End-to-end verifiable voting systems (E2E systems) allow voters to indepen- dently verify the correctness of the final tally, without needing to trust the chain-of-custody over the ballots after the election in paper voting settings, nor anysoftwareorhardwareusedforvotecaptureandtallyinginelectronicandre- motevotingsettings.E2Esystemsoftenusecryptographicprimitivestoachieve these properties while maintaining the secrecy of every cast ballot. A sample of recently proposed E2E systems include VoteHere [20], “Votegrity” [12], Prˆet `a Voter[14],“Benaloh-06”[7],ScratchandVote[3],Punchscan[15,23],ThreeBal- lot[24],Scantegrity[10,11],Civitas[19],VoteBox[25]andHelios[1].Acommon element of these systems is the production of some kind of obfuscation of each vote, which voters can retain, digitally or physically, as a privacy-preservingre- ceipt of their vote. Since the receipt does not reveal which candidate the voter selected, it ostensibly cannot be used effectively in a scheme to buy votes or coercevotersintovotingforaparticularcandidate.Howeverthisisnotthecase: evenif votes are correctly obfuscated,undue influence can still be accomplished by paying or forcing voters to follow certain procedures in the construction of their receipts, such that the receipts become probabilistically biased toward a chosen candidate. We call these procedures, and consequences for not following P.Y.A.RyanandB.Schoenmakers(Eds.):VOTE-ID2009,LNCS5767,pp.1–17,2009. (cid:2)c Springer-VerlagBerlinHeidelberg2009 2 J. Clark, U. Hengartner, and K. Larson them,acontract.Inthispaper,wearguethatcontractsarepersistentenoughin E2E systems to warrant further study and, in response, we conduct a detailed analysis in a representative E2E system—Punchscan. Our contributions can be summarized as • a new analysis of the effectiveness of three existing attacks [9,17,18] using coercion contracts in Punchscan with two candidates, • a definition of optimality for contracts and a linear-time algorithm for gen- erating optimal contracts, • an analysis of multiple-candidate contracts showing that their effectiveness decreases with the number of candidates, • an analysis of contracts in the setting where some voters have intentions other than accepting the highest payment available to them and hide their real intentions from the adversary,and • ananalysisofcontractsinthesettingwheretheadversaryisfinanciallycon- strained showing that the adversarymust value the vote by, approximately, an order of magnitude more than the voter selling the vote. 2 Preliminaries 2.1 End-to-End Verifiability Voting systems that offer end-to-end verifiability often use a variety of crypto- graphictechniquestosimultaneouslyachieveballotsecrecyandtallycorrectness. One common construction includes, abstractly, these three critical steps: i. The voter produces and retains an obfuscation of her vote, such that given only the obfuscated vote, it is not possible to determine the vote. ii. Obfuscated votes are collected by the election authority,published publicly, and voters check that the obfuscation of their vote is included and correct in this collection. iii. Obfuscated votes are collectively deobfuscated to produce a tally in a way thatisverifiablycorrectanddoesnotrevealthelinkbetweenanyobfuscated and deobfuscated votes. While there is little roomfor variationwithin (ii), a variety of approachesto (i) and (iii) have been presented in the literature. The integrity of (i) is sometimes referred to as ballot casting assurance [2] or voter initiated auditing [5], while privacy is called coercion resistance [16] or receipt freeness [8]. The dominant mechanism for achieving obfuscation in (i) is encryption, but more recent lit- erature includes use of permutations, code substitutions, information splitting, and vote swapping. When the obfuscation technique is encryption, the deobfus- cation in (iii) is typically achieved through a mix network [13,22] or additive homomorphic encryption [6].