Towards Trustworthy Elections: New Directions in Electronic Voting, by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida
J.A. Goler and E.J. Selker
of the user interface is an important one because user interfaces can be very
complicated to build and maintain. The amount of code needed to write them is
far larger than that required to perform cryptography or aggregation. However
the user interface is implemented, that piece of software must communicate with
the rest of the SAVE architecture in the same manner.
Once the user has filled out the ballot, the next step is to authenticate the voter.
A back-end system checks the person’s name against a database of registered
voters. The registration server signs the vote, along with multiple electronic
witnesses as described above. The witnesses sign the vote to indicate that a valid
voter, as assessed by the registration server, cast it. At this point the signed,
blinded ballots are then sent to a variety of aggregation servers to be counted.
Clearly one of the most serious concerns raised about n-versioning is the
ability to truly diversify code. For simple operations there is a limited number
of options a developer might choose. Developers may take similar overall
approaches; they may use different languages, break their code into different
functional blocks and write code in a particular style. Certainly a programmer
introducing secret functionality would be diverse from others. Differences in the
way code is written, just as with genetic diversity, leave some modules vulnerable
to attacks that others are safe from, and vice versa.
5 Security Analysis of SAVE
The SAVE architecture assumes that all modules are using the best available
standard encryption algorithms. The main security and reliability advantages
of SAVE come from its redundancy and overall modular structure. One of the
primary assumptions of SAVE is the independence of the code itself and the
reliability of the platform in general.
Consider n modules at each of m stages, $M_{n,m}$, each with an internal
failure rate $F_{n,m}$ and attack susceptibility $A_{n,m}$. In addition, we must
include inter-module communication channels between two modules a and b in
different stages, $C_{a_m, b_{m+1}}$, for all a and b in different stages. To begin,
we exclude the communication channel here, but include it below.

$$F_M = 1 - \prod_{m_1, m_2, \ldots, m_n} (1 - F_{n,m})(1 - A_{n,m}) \tag{1}$$
Thus, for the SAVE system, the total possible rate of failure in any module
(considering independence) follows directly, as shown in Equation 1.
However, SAVE implements an internal voting system which, for each stage,
requires a threshold t of agreed results to have a valid result. Each module
determines from the previous stage whether it has a valid input based on this
threshold. Including the threshold voting factor, the failure rate can be described
in equation 2.
$$F_M = 1 - \sum_{u=t}^{n} \binom{n}{u} \prod_{u} (1 - F_{n,m})(1 - A_{n,m}) \prod_{\forall U} (F_{n,m} A_{n,m}) \tag{2}$$
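The effect of the threshold can be checked numerically. The Python below is an added example, not code from the chapter or from SAVE: it computes the exact probability that fewer than t modules of a stage are correct, allowing each module its own rates, which goes beyond the identical-module case. It assumes a module is correct with probability (1 - F)(1 - A); the `common` parameter (a shared defect that breaks every module at once) and the rates in `STAGE` are hypothetical, constructed values.

```python
# Added example (not from the chapter): threshold voting over independent modules.
# Assumption: a module gives a correct result with probability (1 - F)(1 - A).

def p_ok(f, a):
    """Probability a module neither fails internally (f) nor is successfully attacked (a)."""
    return (1 - f) * (1 - a)

def series_failure(modules):
    """No voting: the result is bad if any module is bad (the Equation 1 situation)."""
    ok = 1.0
    for f, a in modules:
        ok *= p_ok(f, a)
    return 1 - ok

def stage_failure(modules, t, common=0.0):
    """P(fewer than t modules in one stage are correct).

    dist[k] is P(exactly k correct), built up one module at a time so the
    modules may have different rates. `common` is a hypothetical probability
    of a shared defect that breaks every module at once, i.e. lost diversity.
    """
    dist = [1.0]
    for f, a in modules:
        good = p_ok(f, a)
        nxt = [0.0] * (len(dist) + 1)
        for k, p in enumerate(dist):
            nxt[k] += p * (1 - good)      # this module is wrong
            nxt[k + 1] += p * good        # this module is right
        dist = nxt
    independent = sum(dist[:t])
    return common + (1 - common) * independent

def pipeline_failure(stages, t, common=0.0):
    """Failure across all stages: every stage must reach its threshold."""
    ok = 1.0
    for modules in stages:
        ok *= 1 - stage_failure(modules, t, common)
    return 1 - ok

# Constructed sample rates (F, A) for three diverse implementations of one stage.
STAGE = [(0.01, 0.02), (0.02, 0.05), (0.05, 0.01)]

if __name__ == "__main__":
    print(f"any-module failure (no voting): {series_failure(STAGE):.4f}")
    print(f"2-of-3 stage failure:           {stage_failure(STAGE, 2):.4f}")
    print(f"2-of-3 with 1% shared defect:   {stage_failure(STAGE, 2, 0.01):.4f}")
    print(f"three such stages in sequence:  {pipeline_failure([STAGE] * 3, 2):.4f}")
```

With these rates a 1% shared defect more than doubles the 2-of-3 stage failure probability, which is why the independence assumption carries so much of the argument.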

