The End-to-End Verifiable Internet Voting Project

Abstract:

Voting systems have strict security and privacy requirements, which are different from those in many other domains. They must not expose information that connects voters and their votes; moreover, to prevent voter coercion, individual voters must not themselves be able to expose information that proves how they voted. These requirements are fundamentally in tension with exposing enough information to determine that the counted votes match the cast votes, and are difficult to fulfill even in purely physical voting systems.

Over the past two decades, various forms of Internet-based voting have been proposed and carried out in the United States and other countries. A primary motivation for Internet voting is accessibility, both for voters with disabilities and for voters who cannot easily visit polling places or submit absentee ballots in a timely fashion (e.g., expatriates, those serving abroad in the military, etc.).

Unfortunately, though well-intentioned, these Internet voting systems have generally been fraught with security and privacy issues. Some systems used in national-level elections have been subsequently found to leak voter and vote information and to be susceptible to various forms of manipulation that can untraceably alter election results. This has led many activists and technologists to write off Internet voting as inherently insecure and unsuitable for use in real elections.

In December 2013 the Overseas Vote Foundation (OVF) announced the End-to-End Verifiable Internet Voting Project (E2E VIV). Its goal is to study the feasibility of developing an Internet-based system that fulfills the security and privacy requirements associated with voting while providing transparent, trustworthy, auditable elections. Galois has been managing the technical aspects of the E2E VIV project. In this role we have developed a comprehensive set of requirements that an E2E VIV system must satisfy, a high-level architecture for such a system, and demonstration implementations of some of its components.

Currently, the cryptography, security, auditing, and elections experts involved in the project (including the likes of Josh Beneloh, David Wagner, Dan Wallach, David Jefferson, Philip Stark, and the elections officials responsible for Los Angeles, Austin, Tallahassee, and Albuquerque) are reflecting upon these artifacts and attempting to design a new generation of E2E VIV system that can satisfy the needs of overseas, military, and disabled voters.

In this talk we will reflect upon the background and state of the E2E VIV project, focusing on the novel privacy-preserving and high-assurance aspects of the system from both algorithmic and systems points-of-view.

Biography:

Dr. Joseph Kiniry, a new Principal Investigator at Galois, was most recently a Full Professor at the Technical University of Denmark (DTU). There, he was the Head of DTU's Software Engineering section. He also held a guest appointment at the IT University of Copenhagen. Over the past decade he has held permanent positions at four universities in Denmark, Ireland, and The Netherlands.

Joe has extensive experience in formal methods, high-assurance software engineering, foundations of computer science and mathematics, and information security. Specific areas that he has worked in include software verification foundations and tools, digital election systems and democracies, smart-cards, smart-phones, critical systems for nation states, and CAD systems for asynchronous hardware.

He has over ten years experience in the design, development, support, and auditing of supervised and internet/remote electronic voting systems while he was a professor at various universities in Europe. He co-led the DemTech research group at the IT University of Copenhagen and has served as an adviser to the Dutch, Irish, and Danish governments in matters relating to electronic voting.