Apollo - End-to-end Verifiable Internet Voting with Recovery from Vote Manipulation
End-to-end verifiable (E2E-V) voting protocols enable voters to check that their ballots have been correctly cast and recorded, and also enable anyone to check that the tally was correctly computed from the recorded votes. E2E-V voting protocols have been successfully designed for precinct-based voting. The problem of designing an electronic E2E-V voting protocol for remote voting is more challenging because one may not rely on polling place supervision and procedures for the security properties. This dissertation focuses on an E2E-V Internet voting protocol.

Apollo, a modified version of the popular remote voting protocol Helios, is proposed to address some of the vulnerabilities of Helios, improving on the feasibility of Internet voting. In particular, Apollo does not possess Helios’ major known vulnerability, where a dishonest voting terminal can change the vote after it obtains the voter’s credential. A proof of the security properties of Apollo is presented.

Unfortunately, neither Helios nor Apollo provides ballot secrecy, because the voting terminal knows the vote. PrivApollo, a protocol that improves Apollo by providing ballot secrecy even if the voting terminal is dishonest, is proposed.

A voting system with low usability will typically not achieve its security goals because users will tend not to use it correctly. Users might not even complete all steps, in which case they might end up not voting without realizing it. A usability experiment is presented, which explores whether adding an educational session before voting on Apollo changed the time taken by voters to successfully cast a ballot and whether it changed how often they completed optional tasks that would enhance the security of the protocol.