
Enhancing Ballot Privacy in Estonian Internet Voting System
Explore the research on improving ballot privacy in Estonia's internet voting system. The study focuses on re-architecting the signature coupling of votes and signatures to protect electronic voter identities. Proposed changes include introducing a new service for verifying translated signatures, implementing a CRL-type approach for ballot revocation, and suggesting organizational changes for voter pseudonymisation, all while maintaining aspects of the current system.
Presentation Transcript
IMPROVING BALLOT PRIVACY IN THE ESTONIAN INTERNET VOTING SYSTEM
Taaniel Kraavi, 192926IVSB, Cyber Security Engineering
Supervised by Prof. Ahto Buldas (PhD)
IT College, Tallinn University of Technology
DD.MM.YYYY

BACKGROUND AND EXISTING RESEARCH
Current system:
- IVXV in use since 2017
- Double envelope scheme
A lot of research on the previous system, much less on the new one. Regarding the new system:
a. Security analyses (Zhang et al. 2021)
b. Attacks on security (Pereira 2019, Heiberg et al. 2020)
c. Attacks on privacy by abusing the cryptosystem (Müller 2021)
d. General caveats (Ministry ordered report 2019)
Problems are being worked on, or have counterarguments.
Little research on improving privacy by solving organisational concerns.
TALLINN UNIVERSITY OF TECHNOLOGY
GOAL AND CONTRIBUTIONS
Research question: Can the signature coupling of votes and signatures be re-architected to protect electronic voter identities?
Contributions:
- Introduce a new service for verifying translated signatures
- Propose a CRL-type approach for ballot revocation
- Suggest organizational changes that allow for voter pseudonymisation
METHODOLOGY
A qualitative and observational approach in two parts:
1. a descriptive analysis of the current system,
2. an exploratory study of alternatives.
Restrictions:
- Maintain as much as possible of the current system
- Avoid introducing new problems
Data sources:
- Technical documentation
- Scientific and popular research
- Statements from parties involved with i-voting
RESULTING CHANGES
1. A ballot revocation service is charged with invalidating votes in case of re-voting, double voting, or foul play.
2. Ballot revocation certificates are used to revoke ballots.
3. Voter signatures are replaced to protect their identity.
4. A re-signing verification service validates the signature replacement.
RE-SIGNING VERIFICATION SERVICE (RVS)
BALLOT REVOCATION SERVICE (BRS)
CASTING A VOTE
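A toy model of the flow on the preceding slides (resulting changes, RVS, BRS, casting a vote), added here as an illustration; it is not code from the thesis or from IVXV. It assumes HMAC-SHA256 as a stand-in for digital signatures, a keyed hash as the pseudonymisation function and a constructed ID code; the service boundaries and message layout are simplifications drawn from the slide titles, not the thesis' specification.

```python
import hmac
import hashlib
import secrets

def sign(key: bytes, *parts: bytes) -> str:
    # Assumption: HMAC-SHA256 stands in for a digital signature in this toy model.
    return hmac.new(key, b"|".join(parts), hashlib.sha256).hexdigest()

class IVotingModel:
    """Collector replaces the voter signature with a pseudonymous one, the RVS
    validates that replacement, and the BRS revokes superseded ballots (CRL-type)."""

    def __init__(self):
        self.voter_keys = {}                        # ID code -> signing key (ID-card stand-in)
        self.resign_key = secrets.token_bytes(32)   # key behind the replacement signature
        self.pseudo_key = secrets.token_bytes(32)   # secret of the keyed pseudonymisation function
        self.ballot_box = {}                        # ballot id -> (pseudonym, encrypted ballot, re-signature)
        self.latest = {}                            # pseudonym -> ballot id of the current vote
        self.revocation_list = set()                # CRL-type list of revoked ballot ids

    def register_voter(self, id_code: str) -> bytes:
        self.voter_keys[id_code] = secrets.token_bytes(32)
        return self.voter_keys[id_code]

    def pseudonym(self, id_code: str) -> str:
        # Keyed hash: distinct ID codes collide only with negligible probability,
        # and pseudonyms are unlinkable to ID codes without pseudo_key.
        return sign(self.pseudo_key, id_code.encode())

    def cast(self, id_code: str, enc_ballot: bytes, voter_sig: str) -> str:
        """Collector: verify the voter's signature, then store the ballot re-signed under a pseudonym."""
        if not hmac.compare_digest(voter_sig, sign(self.voter_keys[id_code], enc_ballot)):
            raise ValueError("invalid voter signature")
        pseud = self.pseudonym(id_code)
        ballot_id = secrets.token_hex(8)
        self.ballot_box[ballot_id] = (pseud, enc_ballot, sign(self.resign_key, pseud.encode(), enc_ballot))
        if pseud in self.latest:                    # re-vote: BRS revokes the earlier ballot
            self.revocation_list.add(self.latest[pseud])
        self.latest[pseud] = ballot_id
        return ballot_id

    def rvs_validate(self, ballot_id: str) -> bool:
        """RVS: check that the replacement signature binds this pseudonym to this ballot."""
        pseud, enc_ballot, re_sig = self.ballot_box[ballot_id]
        return hmac.compare_digest(re_sig, sign(self.resign_key, pseud.encode(), enc_ballot))

    def countable_ballots(self) -> list:
        """Anonymised box minus the revocation list, each entry RVS-validated; no ID code appears."""
        return [bid for bid in self.ballot_box
                if bid not in self.revocation_list and self.rvs_validate(bid)]
```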
DISCUSSION
- Cryptographic approaches to re-signing
- Viability of the re-signing verification service: financial and trust concerns
- Choosing a pseudonymisation function
- Post-voting auditability of voter eligibility
- Publication of the anonymised ballot box

IDEAS FOR FUTURE WORK
- Reverse proxy re-encryption and other trapdoor signature schemes
- Multi-certificate signatures
- Protocol specifications
- On-the-fly mix-net for votes in a public ballot box
- Portability in case of architecture changes
- Formal security assessment

THANK YOU
taltech.ee/en
Can the Ballot Revocation Service be somehow implemented as a distributed service in order to increase its security (confidentiality)?
What would happen if an obfuscation centre with certain de-obfuscation rights was created to replace voter ID codes in the Annulment List with anonymised (obfuscated) codes? Would this approach further increase voter privacy?
Pseudonymisation functions must also be collision free: how easy or difficult is it in practice to violate this rule, and what risks and ways of mitigating it may be involved in the light of e-elections?
Could the implementation of anonymous and pseudonymous signatures make use of decentralised technologies in the future, similar to the concept of mix-net based techniques but of higher level?