ABSTRACT
CONTENTS 12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
12.1.1 End-to-End Verifiability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 12.2 Outline of Prêt à Voter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
12.2.1 The Voting Ceremony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 12.2.2 Vote Counting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314 12.2.3 Advantages of Prêt à Voter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
12.3 Auditing the Election . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317 12.3.1 Auditing the Ballot Generation Authority . . . . . . . . . . . . . . . . . . 317
. . . . . . . . . . . . . . . . . 12.3.2.1 Auditing the Mixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 12.3.2.2 Auditing the Decryption Tellers . . . . . . . . . . . . . . . . . 318
12.4 Cryptographic Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 12.4.1 Decryption Mixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 12.4.2 Re-encryption Mix-nets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
12.4.2.1 Re-encryption Mixes with Cyclic Shifts . . . . . . . . . 320 12.4.2.2 Re-encryption Mixes with Affine
Transformations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321 12.4.2.3 Re-encryption Mixes with Full Permutations . . . . 321
12.4.3 Distributed Generation of Ballots . . . . . . . . . . . . . . . . . . . . . . . . . . 322 12.4.4 The Bulletin Board . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
12.5 Facilitating Verification and Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 12.5.1 Encouraging Cast-as-Intended Verification (Ballot Auditing) 323
12.6 Enhancing Robustness Using Parallel Verification Mechanisms . . . . . . 324 12.6.1 Verified Encrypted Paper Audit Trails . . . . . . . . . . . . . . . . . . . . . . 325 12.6.2 Human Readable Paper Audit Trails . . . . . . . . . . . . . . . . . . . . . . . 325 12.6.3 Confirmation Codes and Signatures . . . . . . . . . . . . . . . . . . . . . . . . 326
12.7 Accountability, Dispute Resolution and Resilience . . . . . . . . . . . . . . . . . . 327 12.7.1 Cast-as-Intended Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327 12.7.2 Authenticity of Receipts (Included-as-Cast Verification) . . . . 328 12.7.3 Tally Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
12.8 Vulnerabilities and Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329 12.8.1 Ballot Stuffing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329 12.8.2 Information Leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330 12.8.3 Retention of the Candidate List . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330 12.8.4 Forced/Coerced Randomization . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331 12.8.5 Chain Voting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331 12.8.6 Trash Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 12.8.7 Clash Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 12.8.8 Psychological Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
12.9 Prêt à Voter Goes Down-Under . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 12.9.1 Significance of the VEC Election . . . . . . . . . . . . . . . . . . . . . . . . . . 333 12.9.2 Challenges of Combining End-to-End Verifiability with
Traditional Victorian Paper Voting . . . . . . . . . . . . . . . . . . . . . . . . . 334 12.9.3 Specific Design Choices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
12.9.3.1 Computer-Assisted Voting . . . . . . . . . . . . . . . . . . . . . . 335 12.9.3.2 Unified Scanner and EBM . . . . . . . . . . . . . . . . . . . . . . 335
12.9.4 Handling Complex Ballots and Printing Them on Demand . . 336 12.9.5 The Web Bulletin Board . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 12.9.6 vVote-Specific Vulnerabilities and Countermeasures . . . . . . . . 338 12.9.7 Practical Experiences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
12.10 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Prêt à Voter provides a practical and highly usable approach to end-to-end verifiable elections with a simple, familiar voter-experience. It assures a high degree of transparency while preserving secrecy of the ballot. Assurance arises from the auditability of an evidence trail created by the execution of the election, rather than the need to place trust in the system components. The original idea has undergone numerous enhancements since its inception in 2004, driven by the identification of threats, the availability of improved cryptographic primitives and the desire to make the scheme as flexible as possible. This evolution culminated in the development and deployment of the system for use in the State of Victoria in Australia for the state election in November 2014. This chapter presents the key elements of the approach and describes the evolution of the design up to that deployment. We also describe the voter experience, and the security properties that the schemes provide.