0

Consider an electronic voting system with two goals: (1) ensure that the vote of each voter is correctly counted, and (2) ensure that no voter can create a proof of his/her/their vote. The reasoning for (1) is to ensure that the intent of majority is respected, and the reasoning for (2) is to curb the selling of votes.

The voting system is based on voting machines. In the election day, each voting machine stays offline (disconnected from any network) while collecting votes from multiple human electors, one after another in a closed booth. After the voting session ends, the machine prints multiple copies of a paper report that contains the sum of all collected votes for each candidate, without revealing the order of votes, of course. The reports are signed with a key that is verifiable to be emitted exclusively to that voting machine, using a standard PKI solution.

All reports from a given machine can be easily verified to be identical by party fiscals, which must be present at all voting sites. If the reports are identical, then the fiscals authorize to connect the machine to the automated counting server. The voting session is deemed "valid" and each party fiscal grabs a copy of the report and use it to count total votes (i.e. from all other machines) at some party-designated location, using only paper reports. The automated count, performed by the electoral authority, and the manual sums performed by each party, must yield the same outcome. If they don't, then each party must present their paper reports and the automated count must be audited to determine where is the error, but that's not relevant for this question.

With the above voting system, then if there is a voting fraud perpetrated by a single party, it must happen before the machines print their reports! An example of such fraud is an infrastructure attack that causes all voting machines to contain a software that ignores the real votes and instead prints a paper report with a result that favors the attacker's candidate.

One way of curbing such attacks is to provide N extra voting machines that can be used for auditing purposes. If there are M voting sessions, then there will be K=M+N voting machines, where M>0 and N>0. These N extra machines are not special in any way. In fact, each voting site receives a random unit from the K machines, and after the distribution, N random voting machines will be left without being assigned to any voting site. Assume the random distribution is safe, because it's not relevant for this question.

Each of the N extra machines can be given to some party or a group citizens interested in auditing the election. The receiver of each extra machine knows that the votes collected and reports emitted by such machine will not be official in any way, because the machine identifier was marked as "invalid" in the automated counting server (or was not officially assigned to any voting site, etc).

One way of checking that the voting machines are not lying in the printed reports (i.e. the software is counting votes from actual input), is to enter a known count of votes for each candidate into the machine that is used for auditing purposes. In the end, the known count can be compared to the printed reports, and if they match, we can say that the voting machine respected the collected inputs.

The problem of such audit procedure is that if a machine "knows" that it is being audited, it can simply print the result of real inputs, and thus evade fraud detection.

Hence my question: Is there some attack that a sophisticated attacker can employ to make each voting machine capable of "knowing" that it is being audited while offline? If yes, is there something that the election authority (or the voting machine provider) can do to curb such attacks?

fernacolo
  • 234
  • 1
  • 6
  • 3
    Who knows what side channel attacks are possible here? A sophisticated attacker might figure out (possibly obscure) behavioral differences between actual voters and auditors. Just as an example, they might notice that when actual voters are using the machine, there is a certain delay between votes as one voter leaves the room and another enters, but when being audited, the auditor naturally just goes on entering votes one after another to save time. This would probably have to be the subject of serious research, we can't just answer it in one question, without even knowing all the variables. – nobody Jul 03 '21 at 08:18
  • 1
    You are assuming here that all machines are identical in the sense where if an attack occurs, all machines will be attacked the same way. IMHO one single machine being compromised is a much more realistic scenario, because what matters most is that the attack remains undetected... – Serge Ballesta Jul 03 '21 at 10:19
  • @SergeBallesta Attacking a single machine (or a small subset of machines) has low chance of success for the attacker. I want to defend against infrastructure attacks which would compromise all machines, because they all run the same software. This is mentioned. – fernacolo Jul 03 '21 at 20:04
  • IMHO, attacking the whole set of machines is a reasonable scenario in only 2 use cases: a group trying to prove that voting machines are unsecure - and they want the attack to be easily identifiable - or a resource rich organization that want to tweak the result - and they do not want the attack to be identifiable. In the former scenario your proposed test will succeed. In the latter, the attacker is likely to know in advance the mitigation measures. Remember the Volkswagen *Dieselgate*. If a motor could guess when it was actively audited, I would not bet much that a voting machine could not.. – Serge Ballesta Jul 04 '21 at 08:22
  • @SergeBallesta, yes. That's what I mean. – fernacolo Jul 04 '21 at 20:37
  • Related: https://security.stackexchange.com/questions/116058/what-if-the-voting-machine-is-the-adversary-distributed-knowledge-trust – fernacolo Jul 14 '22 at 23:29

0 Answers0