Workshop Program

All sessions will be held in Regency D unless otherwise noted.

The accepted refereed articles listed below appear in Volume 3, Numbers 1–2, of the The USENIX Journal of Election Technology and Systems (JETS).

Downloads for Registered Attendees

Attendee Files 
JETS '15 Attendee List (PDF)

 

Tuesday, August 11, 2015

8:15 am–9:15 am Tuesday

Continental Breakfast
9:15 am–9:30 am Tuesday

Welcome

Editors-in-Chief: Dan Wallach, Rice University, and Walter Mebane, University of Michigan
9:30 am–11:00 am Tuesday

JETS Article Presentations: New Schemes and Techniques

New Techniques for Electronic Voting

Alan Szepieniec and Bart Preneel, KU Leuven and iMinds

This paper presents a novel unifying framework for electronic voting in the universal composability model that includes a property which is new to universal composability but well-known to voting systems: universal verifiability. Additionally, we propose three new techniques for secure electronic voting and prove their security and universal verifiability in the universal composability framework. 1. A tally-hiding voting system, in which the tally that is released consists of only the winner without the vote count. Our proposal builds on a novel solution to the millionaire problem which is of independent interest. 2. A self-tallying vote, in which the tally can be calculated by any observer as soon as the last vote has been cast — but before this happens, no information about the tally is leaked. 3. Authentication of voting credentials, which is a new approach for electronic voting systems based on anonymous credentials.

This paper presents a novel unifying framework for electronic voting in the universal composability model that includes a property which is new to universal composability but well-known to voting systems: universal verifiability. Additionally, we propose three new techniques for secure electronic voting and prove their security and universal verifiability in the universal composability framework. 1. A tally-hiding voting system, in which the tally that is released consists of only the winner without the vote count. Our proposal builds on a novel solution to the millionaire problem which is of independent interest. 2. A self-tallying vote, in which the tally can be calculated by any observer as soon as the last vote has been cast — but before this happens, no information about the tally is leaked. 3. Authentication of voting credentials, which is a new approach for electronic voting systems based on anonymous credentials. In this approach, the vote authenticates the credential so that it cannot afterwards be used for any other purpose but to cast that vote. We propose a practical voting system that instantiates this high-level concept.

Available Media

Improved Coercion-Resistant Electronic Elections through Deniable Re-Voting

Dirk Achenbach, Karlsruhe Institute of Technology; Carmen Kempka, NTT Secure Platform Laboratories; Bernhard Löwe and Jörn Müller-Quade, Karlsruhe Institute of Technology

In a democracy, it is essential that voters cast their votes independently and freely, without any improper influence. Particularly, mechanisms must be put into place that prevent—or at least severely impede—the coercion of voters. One possible counter- measure to coercion is revoting: after casting a vote under coercion, the voter can re-cast and overwrite her choice. However, revoting is only meaningful as a strategy to evade coercion if the adversary cannot infer whether the voter has modified her choice—revoting needs to be deniable, while still being publicly verifiable. We define the notions of correctness, verifiability, and deniability for a tallying protocol which allows for revoting. We also present a protocol realizing these notions. To the best of our knowledge, our solution is the first to achieve both deniability and public verifiability without asking information about the voter’s previously-cast ballots for revoting.

In a democracy, it is essential that voters cast their votes independently and freely, without any improper influence. Particularly, mechanisms must be put into place that prevent—or at least severely impede—the coercion of voters. One possible counter- measure to coercion is revoting: after casting a vote under coercion, the voter can re-cast and overwrite her choice. However, revoting is only meaningful as a strategy to evade coercion if the adversary cannot infer whether the voter has modified her choice—revoting needs to be deniable, while still being publicly verifiable. We define the notions of correctness, verifiability, and deniability for a tallying protocol which allows for revoting. We also present a protocol realizing these notions. To the best of our knowledge, our solution is the first to achieve both deniability and public verifiability without asking information about the voter’s previously-cast ballots for revoting. A seemingly competitive line of work, started by the well-known work of Juels, Catalano, and Jakobsson, uses fake credentials as a strategy to evade coercion: the voter presents to the adversary a fake secret for voting. In this work, we extend Juels et al.’s work to achieve deniable revoting. Their solution also allows for revoting, however not deniably. Our solution supports fake credentials as an opt-in property, providing the advantages of both worlds.

Available Media

Verifiable European Elections: Risk-limiting Audits and Universally Verifiable Tallies for D'Hondt and Its Relatives

Philip B. Stark, University of California, Berkeley; Vanessa Teague, University of Melbourne

We provide Risk Limiting Audits for proportional representation election systems such as D'Hondt and Sainte-Laguë. These techniques could be used to produce evidence of correct (electronic) election outcomes in Denmark, Luxembourg, Estonia, Norway, and many other countries.

We provide Risk Limiting Audits for proportional representation election systems such as D'Hondt and Sainte-Laguë. These techniques could be used to produce evidence of correct (electronic) election outcomes in Denmark, Luxembourg, Estonia, Norway, and many other countries.

Available Media
11:00 am–11:30 am Tuesday

Break with Refreshments
11:30 am–12:30 pm Tuesday
12:30 pm–2:00 pm Tuesday

Luncheon for Workshop Attendees
2:00 pm–3:00 pm Tuesday
3:00 pm–3:30 pm Tuesday

Break with Refreshments
3:30 pm–4:30 pm Tuesday

JETS Article Presentations: Usability of Verification

From Error to Error: Why Voters Could not Cast a Ballot and Verify Their Vote with Helios, Prêt à Voter, and Scantegrity II

Claudia Z. Acemyan, Philip Kortum, Michael D. Byrne, and Dan S. Wallach, Rice University

The aim of this paper is to identify user errors, and the related potential design deficiencies, that contributed to participants failing to vote cast and vote verify across three end-to-end voting systems: Helios, Prêt à Voter, and Scantegrity II. To understand why voters could not cast a vote 42% of the time and verify that their ballots were cast and counted with the tested e2e systems 53% of the time, we reviewed data collected during a system usability study. An analysis of the findings revealed subjects were most often not able to vote with Helios because they did not log in after encrypting their ballot but before casting it. For both Prêt à Voter and Scantegrity II, failing to vote was most frequently attributed to not scanning the completed ballot. Across all three systems, the most common reason participants did not verify their vote was due to not casting a ballot in the first place.

The aim of this paper is to identify user errors, and the related potential design deficiencies, that contributed to participants failing to vote cast and vote verify across three end-to-end voting systems: Helios, Prêt à Voter, and Scantegrity II. To understand why voters could not cast a vote 42% of the time and verify that their ballots were cast and counted with the tested e2e systems 53% of the time, we reviewed data collected during a system usability study. An analysis of the findings revealed subjects were most often not able to vote with Helios because they did not log in after encrypting their ballot but before casting it. For both Prêt à Voter and Scantegrity II, failing to vote was most frequently attributed to not scanning the completed ballot. Across all three systems, the most common reason participants did not verify their vote was due to not casting a ballot in the first place. While there were numerous usability failures identified in the study, these errors can likely be designed out of the systems. This formative information can be used to avoid making the same types of mistakes in the next generation of voting systems—ultimately resulting in more usable e2e methods.

Available Media

Diffusion of Voter Responsibility: Potential Failings in E2E Voter Receipt Checking

Ester Moher, Children's Hospital of Eastern Ontario Research Institute; Jeremy Clark, Concordia University; Aleksander Essex, Western University

End-to-end verifiable (E2E) voting systems provide voters with (privacy preserving) receipts of their ballots allowing them to check that their votes were correctly included in the final tally. A number of recent studies and field tests have examined the usability of ballot casting and receipt checking. Simply checking receipts, however, is not enough to provide strong assurance that the election outcome is correct; voters must also be counted on to report any discrepancies between their receipts and the official record when they occur. In this paper we designed and ran a study examining the frequency and conditions under which voters (a) check their receipts, and (b) report discrepancies when they occur. Participants were recruited online and were asked to vote in a survey on charitable giving. Similar to previous work, we found that the proportion of voters performing a receipt check was low.

End-to-end verifiable (E2E) voting systems provide voters with (privacy preserving) receipts of their ballots allowing them to check that their votes were correctly included in the final tally. A number of recent studies and field tests have examined the usability of ballot casting and receipt checking. Simply checking receipts, however, is not enough to provide strong assurance that the election outcome is correct; voters must also be counted on to report any discrepancies between their receipts and the official record when they occur. In this paper we designed and ran a study examining the frequency and conditions under which voters (a) check their receipts, and (b) report discrepancies when they occur. Participants were recruited online and were asked to vote in a survey on charitable giving. Similar to previous work, we found that the proportion of voters performing a receipt check was low. More importantly, within this group, we found that the proportion of voters reporting discrepancies was also low. We did however observe that the incidence of receipt checking was significantly higher when the election outcome was unanticipated or unexpected by voters. In the condition with an adverse election result we observed that, while 7.5% of voters checked receipts, only 0.5% filed a dispute when shown an incorrect receipt. With such low reporting rates, E2E voting systems will struggle to detect fraud with high confidence, especially in elections with narrow margins of victory. We posit, therefore, that improving the usability of the receipt check component in E2E systems is an important open problem.

Available Media
4:30 pm–5:00 pm Tuesday

Invited Talk

TBA

Matt Masterson, U.S. Elections Assistance Commission

Matthew Masterson was nominated by President Barack H. Obama and confirmed by unanimous consent of the United States Senate on December 16, 2014 to serve on the U.S. Election Assistance Commission (EAC). His term of service extends through December 12, 2017.

Matthew Masterson was nominated by President Barack H. Obama and confirmed by unanimous consent of the United States Senate on December 16, 2014 to serve on the U.S. Election Assistance Commission (EAC). His term of service extends through December 12, 2017.

Prior to his appointment with EAC, Commissioner Masterson served as Interim Chief of Staff for the Ohio Secretary of State, a position he held since November 2014, he previously served as Deputy Chief of Staff and Chief Information Officer from 2013 to 2014, as well as Deputy Director of Elections from 2011 to 2013. In these roles Mr. Masterson was responsible for voting system certification efforts by the Secretary of State’s office including being the liaison to the Ohio Board of Voting Machine Examiners. Additionally, Mr. Masterson was in charge of Ohio’s effort to develop an online voter registration database and online ballot delivery for military and overseas voters. He is widely regarded as an expert on elections administration throughout Ohio and the country.

Prior to joining the Ohio Secretary of State’s Office, Mr. Masterson held multiple roles at the Election Assistance Commission from 2006 to 2011. Mr. Masterson was Deputy Director for the EAC’s Voting System Testing and Certification Program. In this role Mr. Masterson’s primary responsibility was the creation of the next iteration of the Voluntary Voting System Guidelines (VVSG). Mr. Masterson worked with the EAC’s Technical Guidelines Development Committee (TGDC) and the National Institute of Standards and Technology (NIST) in the creation of the TGDC’s recommended Voluntary Voting System Guidelines. In addition to these responsibilities, Mr. Masterson managed the day to day business of the EAC’s laboratory accreditation program including the creation of the EAC’s Voting System Test Laboratory Program Manual. Prior to this position Mr. Masterson joined the EAC in 2006 as a Special Assistant/Counsel to Chairman Paul DeGregorio.

Mr. Masterson was admitted to practice law in the State of Ohio in November of 2006. Mr. Masterson graduated from The University of Dayton School of Law in May 2006. At the University of Dayton Mr. Masterson served as the Chief Justice of the Moot Court program and Student Bar Association Vice President. Prior to law school Mr. Masterson received BS and BA degrees from Miami University in Oxford, OH.