
Technical Report

Nr. TUD-CS-2011-0193

July 15th, 2011

Authors Denise Demirel, Richard Frankland and Melanie Volkamer

Readiness of various eVoting systems for complex elections

Abstract

Electronic voting, or eVoting, systems in polling stations are becoming more and more widely implemented. However, they face several challenges when dealing with legally binding election systems. The purpose of this paper is to analyse the readiness of various eVoting systems for possible implementation in a highly complex election. As a representative for a complex election we look at the local election in Germany, because this one allows cumulative voting, vote splitting, crossing out of candidates, as well as vote casting for parties and candidates. We deduce how various systems perform and analyse them with respect to these requirements, and also against equally important criteria: usability, privacy and verifiability. The eVoting systems we evaluate in this paper reflect the wide variety of technologies currently available. They are: electronic tallying tools, scan based systems, DREs with VVPATs, and two cryptographic eVoting systems, Prêt à Voter and Scantegrity II. As a result we found out that none of these systems fully meet the criteria and, for the purpose of possible implementation for the local election in Germany, need to be improved. Based on this we provide some suggestions for improvements and recommendations for future work.

1 Introduction

There exist many different types of eVoting systems. Some are for use in polling stations and still paper-based, such as punch card [29] and optical scan systems [38]. Other systems use voting machines such as mechanical lever machines or DREs in the polling booth [27]. Furthermore, there is the development of remote eVoting systems like Polyas [33], Helios [13], and of mobile voting systems such as SMS voting [10].

Several polling station eVoting systems have already been used in jurisdictions around the world. In the USA voting machines were first used in 1892 in the state of New York in the form of mechanical lever machines [9]. Various election authorities around the country continue to use several eVoting systems such as DRE and optical scan systems [7, 6]. In Europe, Belgium was one of the first countries to introduce eVoting in 1991 with the first trials of DRE machines [23]. Preliminary projects with DREs in Germany failed because of security vulnerabilities and the issue of legality for use in legally binding elections [8]. Nevertheless, eVoting systems can have several advantages compared to traditional voting systems. Digital ballots can be tallied faster and with less administrative effort and the use of eVoting machines provides better support for disabled voters. Furthermore, there are proposed eVoting systems which offer methods to increase election verifiability.

The main goal of this paper is to assess the readiness of various eVoting systems for possible implementation in a highly complex legally binding election. We are doing this based on the local election in Hesse, Germany, because for this election there are more than 100,000 eligible voters, more than 500 candidates, more than 70 votes and the system allows voters to perform cumulative voting, vote splitting and crossing out of candidates [12]. To evaluate and tally such an election by hand is very time intensive and fault prone, which is why the use of electronic support could be a big improvement.

We concentrate on eVoting systems implemented for polling stations. These systems do not force a radical departure from the vote casting process that the voter would be used to, and they do not require the ownership of a specific device like a personal computer or mobile phone. Another requirement for the selection of eVoting systems for analysis, is whether their versatility allows their use for the local election in Germany, as defined later. During the evaluation step the context of the whole ballot paper has to be evaluated, so we can exclude all systems which, in the current version, only offer homomorphic tallying, such as ThreeBallot [34], Scratch and Vote [14] and Bingo Voting [16]. Furthermore, we do not consider systems which are already improved like lever machines or punch card systems, and proposed systems from conferences which are not yet well established. We also shall not consider similar systems to those discussed in the paper, such as Punchscan [26] which is a precursor to Scantegrity II [18] and Prêt à Voter [36], and Marksense [1] which is another system using an optical scanner. Our approach is first to analyse the requirements, for example the scale and vote casting process, of the local election and to define criteria. Using these requirements and criteria, we analyse each system and identify their suitability for use in the local election by evaluating them in the context of improvement or deficiency compared to the traditional paper-based system.

The structure of this paper is as follows. We first explain the local election in Hesse, Germany, showing its scale based on data from the 2006 election. We then describe the eVoting systems which are analysed and also the chosen criteria. The analysis follows in the next sections, and we provide a table to compare the readiness of each system. Finally, we conclude with suggestions for future work in eVoting systems, and for their possible future use in legally binding elections in Germany.

2 Related work

There are a few examples of previously published work evaluating eVoting systems against selected criteria and a wide variety of systems have been critiqued in this manner. [32] analysed Helios versions 1.0 and 2.0 and Prêt à Voter by an (un)linkability model for voter anonymity in voting systems, covering different levels of privacy and verifiability. With the exception of an older version of Prêt à Voter, this study only looked at internet voting systems. Furthermore, usability was not considered for any of the systems. [31] looked at early eVoting protocols, mainly using homomorphic encryption, such as examining them against criteria to determine their feasibility for use in internet voting. The authors defined their own criteria, and concentrated on security properties. Furthermore, the restriction of scope to internet voting reduces the relevance of this work for implementations in local elections. [28] evaluated the following systems: Digital Voting Pen, NEDAP DREs, scan based voting systems, Punchscan, Bingo Voting, ThreeBallot and scan based counting systems. The criteria election transparency, result verifiability, and risk of manipulation were all considered for each system. However, the authors did not examine systems that provided end-to-end verifiability. They also mainly concentrate on a decision made by the German Federal Constitutional Court in 2009. [23] evaluated different voting systems against selected criteria for their possible use in election requirements in Belgium. The evaluated systems were: a voting machine to generate paper ballots, optical scan based systems, as a whole, internet voting, and networked voting machines in a polling station. These were analysed in the context of election integrity, transparency, privacy and usability. However, no specific system was analysed, with the authors only looking at each system in a general manner, nor was end-to-end verifiability taken into account. Our paper makes a unique contribution through the evaluation of specific eVoting systems for possible future use in local elections in Germany, taking into account important criteria for implementation. Additionally, we show the improvements and deficiencies of each analysed eVoting system, compared to the traditional system, and offer suggestions for improvement and future work.

3 Local election

The local election combines the elections for the administrative body of towns, municipalities and districts and is held for all citizens of one district at the same time. The ballot paper consists of several parties, identifiable by their name, abbreviation and number [12]. Each party consists of several candidates, listed by their full name and an individual number in their election area. The candidates’ names are ranked in a particular order specified by their party. The number of available seats determines the maximum number of candidates each party can nominate. Next to each party and candidate name is a ballot checkbox to record the voter’s preference (compare to Figure 1). Before the poll station opens for vote casting, the ballot box is opened and the election authority and every voter can check that it is empty. Afterwards, the box is locked and is not permitted to be opened before the polling station closes [11].

Figure 1: Ballot paper used in German local election

Voters can cast as many votes as the number of available seats. During this process vote splitting, cumulative voting and crossing out of candidates is allowed. To do so voters have three options.

1. They select several candidates. The voters can split their vote by casting votes for candidates of several parties on one ballot sheet. Cumulative voting is provided such that a voter can cast up to three votes for one candidate.

2. They select one party. In this case, the maximum number of votes is distributed to all candidates of this party during the counting process, as described below.

3. They select several candidates and one party. In this case, all remaining votes (the maximum number of votes minus number of votes cast for several candidates) will be distributed to all candidates of the party.

After all eligible voters cast their vote, the ballot boxes are kept locked in a secure place and are opened on the next day, when the official tallying begins. The order of the candidates on the ballot paper is very important for counting. In this sequence, skipping those that are crossed out, the candidates each get a vote until the maximum number of votes is used or every candidate has three votes. For example, imagine that there are fourteen candidates and the voter has fifteen votes. The first candidate will then receive two votes while the others will remain with one. The tallying takes place in public, with every citizen having the right to observe the process. Because ballot papers are counted and tallied manually, the definitive result is usually not known until after four days. This occurs because of the large number of cast votes, candidates and parties (compare to Table 1).

Table 1: Local election of Darmstadt, Hesse, in 2006 [4]

Type of voting system          Party proportional
Frequency                      Every five years
Central / decentral election   Decentral election
Central / decentral tallying   Decentral tallying
Number of cast votes           2,898,159
Number of invalid votes        1,383
Number of voters cast a vote   44,385
Number of eligible voters      101,666
Size of the ballot paper       90 cm x 70 cm / 35" x 27 1/2"
Number of candidates           502 in 13 lists
Number of votes to cast        71
Specified candidate order      Yes
Cumulative voting              Yes
Vote splitting                 Yes
Crossing out of candidates     Yes
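The counting rule from this section, written out as an added example (not code from the report or from any election authority). The function name `interpret_ballot`, the party and candidate labels, and the choice to count a candidate's own marked votes toward the three-vote cap during distribution are assumptions of this sketch.

```python
from collections import Counter

MAX_PER_CANDIDATE = 3  # cumulative voting limit stated in the text


def interpret_ballot(lists, seats, candidate_votes=None, party=None, crossed_out=()):
    """Turn the marks on one ballot into votes per candidate.

    lists           -- dict: party -> candidates in the party's printed order
    seats           -- number of votes a voter may cast (= available seats)
    candidate_votes -- dict: candidate -> votes marked directly (options 1, 3)
    party           -- the one party the voter marked, or None (options 2, 3)
    crossed_out     -- candidates struck from the marked party's list
    Raises ValueError when the marks break the rules described above.
    """
    candidate_votes = dict(candidate_votes or {})
    known = {c for members in lists.values() for c in members}
    for cand, n in candidate_votes.items():
        if cand not in known:
            raise ValueError(f"unknown candidate {cand!r}")
        if not 1 <= n <= MAX_PER_CANDIDATE:
            raise ValueError(f"{cand!r}: {n} votes, limit is {MAX_PER_CANDIDATE}")
    used = sum(candidate_votes.values())
    if used > seats:
        raise ValueError(f"{used} votes cast, only {seats} allowed")
    if party is not None and party not in lists:
        raise ValueError(f"unknown party {party!r}")

    tally = Counter(candidate_votes)
    if party is None:
        return dict(tally)  # option 1: only the directly marked votes count

    # Options 2 and 3: hand out the remaining votes one at a time in list
    # order, skipping crossed-out names, until the votes are used up or
    # every remaining candidate holds three votes.
    # Assumption: crossing out only affects this distribution step.
    remaining = seats - used
    eligible = [c for c in lists[party] if c not in crossed_out]
    while remaining > 0:
        progressed = False
        for cand in eligible:
            if remaining == 0:
                break
            if tally[cand] < MAX_PER_CANDIDATE:
                tally[cand] += 1
                remaining -= 1
                progressed = True
        if not progressed:  # everyone is capped; leftover votes lapse
            break
    return {c: v for c, v in tally.items() if v > 0}


if __name__ == "__main__":
    # Constructed data matching the report's example: 14 candidates, 15 votes.
    demo = {"A": [f"A{i}" for i in range(1, 15)]}
    print(interpret_ballot(demo, seats=15, party="A"))
```

A second, independently written implementation of the same rule is the kind of self-written software a recount or observer can use to cross-check an electronic tally.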

4 Voting systems

In the following sections we provide a summary of the functionality of each chosen eVoting system. We give an overview of the system itself, and the three main phases of an election: pre-election, election, and post-election.

4.1 Tallying tools

In Germany, tallying software has occasionally been used. The voters cast their votes as usual. In the post-election phase the ballot papers are apportioned to several groups of three poll workers. One poll worker reads the markings of the ballot paper aloud while another enters them using the software. The entered data are shown on the screen, with the third poll worker observing and controlling the whole process. After the ballot paper has been entered into the system it is marked with the number of the associated digital ballot. This offers the possibility to audit the correct transfer of the cast votes of several ballot papers afterwards. After all votes have been processed, the election result is tallied automatically by the software.

4.2 Scan based voting systems

Scan based systems can be broadly classified into three different methods. The first method implements a scanning device which is used by voters during vote casting. So far, the only known system using this method is the Digital Voting Pen system (compare to Section 4.2.1). In the second method, voters have to scan their ballot paper after they vote, such as with an optical scanner (compare to Section 4.2.2), and alternatively the third method, where the ballot papers are scanned by the election authority during the tallying process, which can also be done by an optical scanner or with a barcode scanner (compare to Section 4.2.3). In all these approaches the cast ballot is also available as a completed ballot paper. These can be recounted in random polling stations to check whether the election result tallied by the software matches the result given by manual tallying.

4.2.1 Digital Voting Pen / DotVote

This eVoting system was first introduced in 2005, and was used for the purpose of evaluation in a shadow election of the Hamburg City elections of the same year [41]. This eVoting system makes use of a combination of physical marks and optical recognition made during the election process. Faintly printed in the voting selection checkboxes are unique patterns of dots, called Anoto patterns. During the vote casting process the positions of these dots are scanned by a camera in the digital pen device, which determines where on the ballot paper a mark is being made (compare to Figure 2). This provides a paper copy of a cast vote and electronic ballot information which can be tallied electronically afterwards.

Figure 2: The Digital Voting Pen / DotVote system [2]

The voter starts the voting process by taking a digital pen from an Initialisation docking station. The voter can mark as many candidates on the ballot paper as allowed. After this stage the voter then places the pen into a Transfer docking station, which transmits the data to a laptop and also wipes the pen of all voting data. When corrections need to be made to a cast vote, a third docking station can be used to wipe all stored vote data without transferring data and a new ballot paper can be requested. The vote counting process is initialised by election officials after the polls have been closed. The actual tallying of the vote data is performed automatically by the voting system software. Any irregular cast votes, such as marks that are made close to the checkbox margin or drawings, are displayed to election officials for manual categorisation.

4.2.2 Optical Scanner

Optical scan based systems have already been used in legally binding political elections. Smartmatic [38] developed an optical scan system called P.C.O.S. (Precinct Count Optical Scan) which is used by the voter. Using this system, the Philippines underwent its local and national elections in May 2010 and in September 2010 Venezuela used it for its parliamentary elections. One example for an optical scanner used by the election authority is the system provided by DRS [24], which was used in 2007 for the Scottish elections.

Optical scanners in eVoting systems are used to scan completed ballot papers. Therefore the ballot paper looks the same and the vote casting process stays unchanged for the voter. After the scanning process the votes are tallied automatically.

4.2.3 Barcode scanner

An eVoting system based on a barcode scanner has been introduced in Germany, and was used in 2008 sporadically for the local election in Bavaria, Germany [5]. The ballot papers are scanned during the tallying process, so the vote casting process stays the same for the voter. The cast votes are scanned through the use of a barcode printed next to the name of a candidate or party on the ballot paper (compare to Figure 3).

Figure 3: Ballot paper used in 2006 [5]

In the post-election phase every ballot paper receives an individual barcode [21]. This allows the election authority to compare the original ballot paper with the stored digital ballot later on. During the tallying process the poll worker first scans the barcode of the current ballot paper, and afterwards the barcode next to the chosen candidates. If the voter used cumulative voting the same barcode would be scanned several times. Additionally the poll workers get a sheet of special barcodes which offers the possibility, for example, to cross out candidates. Concurrently, the software displays the recorded vote on an electronic version of the ballot on the screen so that other poll workers and interested parties can verify the correctness of the scanning process.

4.3 DRE voting machine with VVPAT

A DRE (Direct Recording Electronic) voting machine can be defined as any device designed to provide an electronic means of recording cast votes from voters. VVPAT stands for Voter Verified Paper Audit Trail, where a paper record is generated. This can be checked at the moment of casting a vote, or audited later to verify the correctness of the digital tally.

For the purpose of implementing a VVPAT, the practice of using DRE machines with printers is starting to gain popularity. Examples of systems used in legally binding elections include the Accuvote systems widely used throughout the United States of America [3, 6, 7], the Smartmatic SAES system used in Venezuela [25] and ProVotE in Italy [42]. DRE systems replace manually completed paper ballots with an interactive display of possible candidate selections. In some cases this can mean simple buttons integrated into a fixed candidate list, or a touch screen display. The printout resulting from a cast vote acts as a paper ballot. Election officials and poll workers organise the setting up of the system and all constituent devices, checking the integrity of the DRE to detect tampering or interference with the election.

Compared to older DRE systems, such as Diebold and Nedap DREs, the voting process is similar. Voters make their selection from a provided list of candidates at the DRE itself. The paper ballot can then be generated by the attached printer, and does not require any extra action from the voter. Voters check that the paper ballot matches their voting intentions, and the ballot is then deposited into a ballot box. The electronic vote is not cast until the voters have verified that both paper and electronic vote match. If voters notice a discrepancy in the display or printout then they must alert a poll worker. It has been recommended that if this occurs, all necessary steps to ensure voter privacy are taken, and that the machine be withdrawn from use [39].

4.4 Cryptographic voting systems

There exist several systems designed for the implementation of end-to-end verifiable election systems. Here, we provide an overview of two examples, Prêt à Voter and Scantegrity II.

4.4.1 Prêt à Voter

This system was first introduced in 2005 [20], and has undergone several revisions and enhancements. After the discovery of some security vulnerabilities in 2006 [35] an improved version of the system has been proposed [37], on which we concentrate in this paper.

The ballot paper used by Prêt à Voter consists of two halves which can be separated. One side contains a list of candidate names in a random order, determined by the default candidate order and a random seed value. The other side contains the corresponding ballot checkboxes to record voter preferences. The side where votes are cast, which is usually the right-hand side, also contains encrypted information. This is to enable the system to reconstruct the corresponding candidate order (compare to Figure 4).

Figure 4: Prêt à Voter ballot paper [44]

The involved parties of this voting system are

• Registrars, who hold the private key, in a threshold fashion, for decrypting the candidate order and printing the ballot paper,

• Clerks, who create the encrypted seed values of the permutated candidate list,

• a sequence of mix servers (re-encryption mixnet) which shuffle and re-encrypt the ballots to hide the link between an encrypted and unencrypted ballot, and

• a set of Tellers, who hold the private key, in a threshold fashion, for decrypting the cast and re-encrypted votes.

In the pre-election phase the Tellers and Registrars both generate and offer a public key. The Clerks then create cryptographic code pairs in a way that each contributes to the entropy of the cryptographic seed, and encrypts them with the public key offered by the Registrars and Tellers. A set of Registrars can therefore decrypt and reconstruct the candidate order, which allows the printing of the list together with the remaining cryptographic code. This code corresponds to the seed that was encrypted by the public key of the Tellers. Several papers [20, 36, 37, 44] propose auditing processes which take place before, during and after the election. In most of these proposals, the Tellers have to decrypt the code and reveal the seed information, so this has to be done at a central location. Before the election, all subpairs of the cryptographic code pairs are published on the Bulletin Board. Some of the code pairs are then selected for auditing and deleted afterwards. Because they are chosen randomly the probability is high that coercion can be detected. The percentage of checked pairs can be chosen depending on the desired level of security. Additionally, some ballot papers can be audited by revealing their secret seed value, generating the assigned candidate order and then comparing this with the printed candidate order. Furthermore, in some papers [20, 37, 43], methods are proposed to give the voter the possibility to perform an audit on a ballot paper in the polling station, for example the cut and choose approach. After the voters cast their vote they detach the candidate list and, for security reasons, destroy it. The other side is scanned, signed, and kept by the voter as a receipt.
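The seed-reveal audit described above, as an added example that is not part of the report or of any Prêt à Voter implementation. It assumes a simplified derivation of the candidate order (sorting by SHA-256 of seed and name) in place of the real construction, uses constructed candidate names and seeds, and also computes how the audited share translates into the chance of catching misprinted ballots.

```python
import hashlib
from math import comb


def candidate_order(default_order, seed):
    """Derive a ballot's candidate order from its seed.

    Assumption: candidates are sorted by SHA-256(seed || name). This stands
    in for the scheme's real derivation; what matters for the audit is that
    the order is a deterministic function of the default order and the seed.
    """
    return sorted(default_order,
                  key=lambda name: hashlib.sha256(seed + name.encode()).digest())


def audit_ballot(printed_order, revealed_seed, default_order):
    """Regenerate the order from the revealed seed and compare with the print."""
    return list(printed_order) == candidate_order(default_order, revealed_seed)


def audit_batch(ballots, default_order, sample):
    """Audit the ballots at the sampled positions; return those that fail.

    ballots -- list of (printed_order, seed) pairs
    sample  -- indices chosen at random by the auditors
    Audited ballots have their seed revealed and must not be used for voting.
    """
    return [i for i in sample
            if not audit_ballot(ballots[i][0], ballots[i][1], default_order)]


def decode_mark(row_index, seed, default_order):
    """Candidate behind a mark in a given row, once the seed is decrypted."""
    return candidate_order(default_order, seed)[row_index]


def detection_probability(total, bad, audited):
    """Chance that a random audit of `audited` out of `total` ballots
    includes at least one of `bad` incorrectly printed ballots."""
    return 1 - comb(total - bad, audited) / comb(total, audited)


if __name__ == "__main__":
    # Constructed sample data.
    default = ["Alice", "Bob", "Carol", "Dave"]
    seeds = [b"constructed-seed-0", b"constructed-seed-1", b"constructed-seed-2"]
    ballots = [(candidate_order(default, s), s) for s in seeds]
    # Simulate a printing fault on ballot 1: first two names swapped.
    order = ballots[1][0]
    ballots[1] = ([order[1], order[0]] + order[2:], seeds[1])
    print("failed audits:", audit_batch(ballots, default, [0, 1, 2]))
    for share in (0.01, 0.05, 0.25):
        k = int(10_000 * share)
        p = detection_probability(10_000, 20, k)
        print(f"audit {share:.0%} of 10,000 ballots, 20 bad: detect with p={p:.4f}")
```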

In the post-election phase all ballot papers are published on a secure Bulletin Board, where the voters can use their receipt to check if their vote has been entered into the system unaltered. Following that, all ballots are collected from the Bulletin Board and the voters’ choice index is absorbed into the cryptographic information [36]. The ballots are then shuffled and re-encrypted by the mixnet and are posted in a random order. The Tellers then decrypt the output of the mixnet and add the result to the Bulletin Board, where the cast votes will be tallied by software. Individual voters can check their receipts, which contain their vote in encrypted form, and everyone can check the decryption and tallying of the votes because all intermediate results are published on the Bulletin Board. It has also been proposed [36] that the mixnet can be verified by using the Partial Random Checking (PRC) approach as described in [30]. It should be noted that the PRC needs to be run several times to provide proof of correct operation instead of just strong evidence. The correct encryption of the ballot papers by the Tellers can be checked by re-encrypting the result [37]. The correctness of the tallying process can be checked by tallying with other, for example self-written, software. Furthermore, the left-over forms could be audited [20].

4.4.2 Scantegrity II

Scantegrity II is a voter verifiable voting system and an enhancement for optical scan voting systems [18]. It can be considered the latest iteration of a system with similar core functionality which has been proposed as part of the systems Punchscan [26] and Scantegrity [19]. Scantegrity II has recently been used in a legally binding election in the USA [17].

The ballot paper (compare to Figure 5) is made up of two main pieces [18]. The first is the actual ballot itself, where it is possible to select candidates, and the other is a detachable receipt which can be used for voter verifiability. Each candidate of the fixed candidate list has a corresponding bubble which contains a hidden Confirmation Code, unique within the ballot, and printed with Invisible Ink. The special ink is designed so that the information is not human-readable while hidden, with a special Decoder Pen being needed to make the codes visible. Additionally, the ballot contains a serial number which is machine-readable. The receipt is a detachable Chit which offers two further serial numbers, left and right, which are printed with Invisible Ink, and an area to write down Confirmation Codes.

Figure 5: Scantegrity II ballot paper [18]

The pre-election phase consists of setting up the tables required for generation of the ballots and vote verification. This requires a secret-sharing scheme to be implemented, which shares a secret master key, in a threshold fashion, for the whole election, for use by entities known as Trustees. The scheme allows the pre-computation of the Confirmation Codes, the link to their respective candidates, and the ballot serial number and receipt serial number to which they belong. These pre-computed associations are cryptographically protected as part of the implemented commitment scheme. The data are maintained as tables, which are in turn utilised from a Trusted Computing Device. From this device, information can be sent for ballot paper printing and for use with the secure Bulletin Board. After this occurs, the Trusted Device is wiped of all data, with the required data for tallying being regenerated in the post-election phase.

Voters cast their vote from polling stations in the following process. Firstly, they are handed a ballot paper, which is inside a privacy sleeve, from a pile. After receiving a ballot paper and a Decoder Pen, the voter can take the ballot paper to a voting booth. Here, the voter marks the bubble next to the chosen candidate, which reveals a confirmation code. The voter has the option of writing it onto the attached receipt for later verification. Due to the security properties of the Invisible Ink, Confirmation Codes disappear after a few minutes. The voter separates the ballot from the receipt and proceeds to place the ballot in a scanner, which scans the ballot ID and the position of the marked bubbles. The voter also has the option of auditing a ballot. On this ballot the voter marks all available candidates and records the Confirmation Codes, keeping the receipt to check later. If the cast ballot paper is improperly marked or intentionally spoiled, the voter must bring it back to a poll worker. The right side of the Chit is then detached and kept as a record, with the ballot paper then being destroyed in view of the voter. This is done to ensure that the sum of issued ballots is the same as the sum of all ballots cast, audited and spoiled.

In the post-election phase, the results are determined by electronic tally through the position of the scanned marked bubbles. The scanner generates an Electronic Ballot Image, from which the recorded marks are taken. The Trustees reconstruct the master election key, in a threshold fashion and regenerate the tables with the Trusted Device. Vote data, in the form of data from the Electronic Ballot Images, are then added to the tables, allowing the tallying of the election results. For verifiability, the Confirmation Codes for each ballot paper can be reconstructed by the election authority and published on the Bulletin Board, without displaying the candidate selected. To do this, the ballot serial number is used to find the pre-computed Confirmation Codes in the tables. In the case of a voter who chose to audit a ballot paper, the Confirmation Codes and the associated candidates are displayed. The Trusted Device is then wiped of all data again. In addition to the ballot audit, any member of the public can perform an audit against the tally computation, using software provided by a trusted source or that they have written themselves. This process involves the random comparison of the recorded ballot marks, saved in one table, to either the publicly announced tally, or the list of voted Confirmation Codes. This is achieved by opening some of the commitments used to protect the pre-computed associations.

5 Criteria

In this section we define several criteria to be used for the analysis. They are divided into three different groups: usability, privacy and verifiability. The list of criteria used in this paper is not exhaustive but we have chosen, in our opinion, the most important ones. However, before implementing eVoting systems for local elections, other criteria need to be taken into account as well. These would include costs, reliability, scalability, timely tallying, performance, robustness, unconditional privacy of the ballot and the handling of complaints.

5.1 Usability

An eVoting system which is used by the average voter needs to be usable. We define usability as comprising ease of use, ease of understanding and accessibility. The criterion ease of use measures the facility with which voters can accurately cast their vote. Ideally, the process of casting a ballot should not take any significantly long period of time, so as to avoid queues building up at polling stations or voters being put off voting altogether. Regarding the criterion ease of understanding it is necessary that a voter should fully understand how to fill out a ballot and cast it. In this respect, voters must understand how their vote is interpreted by the system and know if the vote is valid or not. Concerning accessibility, a voting system must be able to be used by all eligible voters [36]. This includes voters with disabilities, who may face difficulties with conventional paper ballots.

5.2 Privacy

Our definition of privacy includes voter privacy and receipt-freeness as defined below. Voter privacy is an important criterion, ensuring that voters’ ballots remain secret, and that they remain anonymous. An eVoting system is receipt-free if voters cannot create any physical proof of the content of their cast vote, or can use a fake receipt, indistinguishable from a real one, to provide proof of a false vote [15].

5.3 Verifiability

Verifiability can be split into two distinct types: individual and public verifiability. Our definition of individual verifiability includes cast as intended and recorded as cast [44] and our definition of public verifiability includes tallied as recorded [36]. A voter’s marked ballot should reflect the voter’s choice. Therefore they should be able to verify if their vote is cast as intended. Furthermore, voters should have the possibility to verify that their vote is recorded as cast. There must be no difference between the cast ballot and the resulting vote data. This can also require that the receipt must accurately encode the voter’s choice. There should be no discrepancy between the result of the tallying process and the actual election result given by all of the stored votes. Therefore, voters should be able to verify that their vote is tallied as recorded. When looking at the verifiability of an eVoting system it is necessary to consider that not every voter is likely to have the specialist knowledge to understand the used cryptographic tools and auditing processes. To take this into account, we extend the criterion verifiability with the requirement of technical understanding, which examines the understandability of the provided verification methods. This criterion examines the level of specialist knowledge necessary for voters to be able to follow the verification process.

6 Analysis

In this section we analyse the eVoting systems proposed in section 4 by the criteria defined in section 5. We first look at the traditional paper based election, as it is the current voting system and already conforms with the local election system and relevant legal requirements. In the following subsections, all chosen eVoting systems are analysed according to how they differ in functionality from the traditional system. Therefore we first look at the tallying tool, since it is merely an extension of the traditional system through the use of automatic tallying. This is followed by the scan based systems which also use a tallying tool and additionally a scanning device to scan the cast votes. After this, we look at DREs that use VVPATs, which aim to replicate the traditional election in an electronic manner with an additional paper audit trail. Finally, we analyse two cryptographic eVoting systems, Pret a Voter and Scantegrity II, because they are used in conjunction with other eVoting systems such as optical scanners or DREs.

6.1 Traditional voting system

In our analysis, the traditional paper based voting system is the standard against which each eVoting system is measured by the defined criteria. Therefore, the current voting system is analysed.

Usability: Regarding the ease of use in the traditional voting system, the vote casting can be done intuitively. All candidates are sorted by associated party and ranked by the order defined by their party. The voter marks a chosen candidate or party by an "x" and crosses out candidates by crossing out their name. One difficulty in the current voting system is that the voters have to find their favorite candidates among up to 71 proposals (compare to Table 1) if they do not know their rank. Another challenge for the voter lies in counting the number of already cast votes and calculating the number remaining. Therefore it is quite possible that a voter can cast an invalid vote by accident, such as by casting more votes than allowed. Regarding the ease of understanding, the legal regulation for casting a valid vote is complicated. Therefore every German citizen gets an example of the current ballot paper two weeks before the election, and an introduction of how to cast a vote, to allow voters a chance to get prepared. Furthermore, the state provides election information on a webpage. The accessibility of the current voting system can be improved. Currently, the legal regulations allow disabled people to take a trusted person with them to the polling station, after giving advance notice, to support them during the vote casting process [11].

Privacy: Voters cast their vote in a secret polling booth and every ballot paper looks the same. Therefore it is not possible to assign a specific ballot paper, and cast vote, to a specific person. This gives the system good voter privacy. The voter does not receive any receipt, so receipt-freeness is not an issue for the traditional paper based election.

Verifiability: The voters cast their vote in an intuitive way on a ballot paper, so in general the votes are cast as intended. Furthermore, everyone can verify that the votes are recorded as cast. The cast votes are recorded by putting them into a ballot box. Every German citizen can check whether the ballot box is empty prior to the election and remains locked. No one can remove and change cast votes or add some which are not cast by eligible voters. The tallying process is also public, which is why every voter can verify if the cast votes are tallied as recorded. Every German citizen can also observe how the ballot box is opened and how the ballot papers are sorted and tallied. However, the tallying process for the local election can take up to four days and occur in several offices at the same time, so a voter can only verify the tallying process in one polling station at a time. Regarding the technical understanding, the traditional voting system does not use any technical devices, and specialist knowledge is not necessary to follow the election process.

6.2 Tallying tools

Because the tallying tool leaves the vote casting process unchanged, we only look at the verifiability criteria tallied as recorded and technical understanding, which are met by the system in the following ways.

Verifiability: After the election the ballot information is entered into the system where the software has been installed. The tallying is public, so every voter can participate during this process. They can verify if the entered information matches the digital ballot shown on the screen. Even in doing so, it is not possible to verify that the votes are tallied as recorded because the tallying process is supported by software. One possibility is to analyse the used software tool, but this requires high technical understanding and possibly some specialist knowledge.

6.3 Scan based voting systems

The scan based voting systems we are looking at minimally change the process of vote casting because the voters still cast their vote on a regular paper ballot. Therefore, when evaluating the usability we just discuss the use of the pen device in the Digital Voting Pen system, and for optical scanner systems, the scanning process performed by the voter. For all scan based voting systems we do not consider the privacy criterion receipt-freeness and the verifiability criterion cast as intended, as there are no changes when compared to the traditional system. Additionally, we do not look at the voter privacy criterion for the barcode scanner because the scanning takes place during the tallying phase. All scan based systems use a tallying tool to calculate the election result. Because this has already been analysed in section 6.2 we do not repeat the analysis for tallied as recorded and technical understanding.

6.3.1 Digital Voting Pen / DotVote

The Digital Voting Pen system stacks up against the criteria in the following ways.

Usability: Concerning the ease of understanding, the concept of filling in the ballot paper is very similar to the traditional system. To amend their vote, voters would dispose of their ballot paper as normal, and additionally wipe the pen of data. However, because of the time taken when uploading the voting data to the laptop, and the subsequent data wiping of the pen, the complete voting process may take longer than the traditional system.

Privacy: With regards to voter privacy, voters can mark and scan their ballot papers in the privacy of the polling booth. However, voters interact directly with the digital pen when casting their vote and there is the potential for the pen to leak information about the voter’s intentions. The voter has to trust that the device is functioning correctly, and that it has not been tampered with.

Verifiability: There is difficulty when voters wish to check that their vote has been recorded as cast. The pen automatically recognises the special Anoto pattern of dots printed on the ballot paper checkboxes. Because voters have no way of checking if the system has recognised these dots correctly, and therefore recorded their desired selections, they must trust that their vote is correctly interpreted by the system. Voters must also trust that these dots, and correspondingly the ballot paper, have been generated correctly too. The verifiability in this system is fairly simple to comprehend, being essentially the same as the traditional system, and does not require much technical understanding.

6.3.2 Optical Scanner

eVoting systems based on optical scanners measure up against the defined criteria in the following ways.

Usability: Regarding the ease of use, the ballot paper for the local election in 2006 has a size of around 90 cm x 70 cm, about 35" x 27 1/2" (compare to Table 1). A special scanner would be necessary to use this ballot paper and, depending on the system used, the scanning process would become difficult.

Privacy: eVoting systems where ballot papers are scanned during the tallying process do not present any differences in voter privacy, but systems where the voter is seen by other people during the scanning process can cause some problems. During the scanning process it is possible that the scanner saves ballot information and the time of scanning, so a coercer could assign this information to the observed order of voters casting their vote. Furthermore, it could become difficult for voters to scan a large ballot paper without revealing some of their vote preferences by accident.

Verifiability: Some optical scanners save an image of the whole ballot paper and use software for evaluation, while others only save the completed region, or respectively the interpretation of the scanned ballot paper. Therefore it is possible that the original ballot paper filled in by the voter may differ from the electronic ballot. It must be possible for the voters to verify that their ballot paper is recorded as cast, for example by showing the result on a screen during the scanning process, which is not provided in all systems. However, even in doing so it is not guaranteed that the cast votes are saved as displayed.

6.3.3 Barcode scanner

This eVoting system only differs from the tallying tool in the method of ballot information entry, performed with the use of a barcode scanner. Correspondingly, there are no changes regarding the selected criteria, so the analysis for the barcode scanner is covered by the tallying tool analysis (compare to Section 6.2).

6.4 DRE voting machine with VVPAT

These systems replace pen and paper interaction with a human-computer interface and machine functionality. In this way some problems present in the traditional system are solved but new ones are introduced.

Usability: The ease of use of a DRE offers an improvement over the traditional system. A complex ballot sheet can be displayed clearly on a screen, with further user interface capabilities for a voter to navigate the ballot. Regarding ease of understanding, the display of instructions during the voting process and provision of user feedback, especially to voters who attempt to cast too many votes or an invalid vote, allows voters a greater facility in completing the ballot. The accessibility of the system is increased by adaptations to DRE selection mechanisms, which are commonly implemented in many jurisdictions to improve access for disabled voters. It has been proposed to make DREs with VVPATs completely accessible to all possible voters, regardless of disability [22].

Privacy: Current implementations of DREs fail on the issue of voter privacy. There are no adequate assurances for voters to know whether a voting machine is corrupt or not, and whether the computer could store additional information linking voters to their vote. The possibility of the machine leaking vote information is also a factor. Additionally, implementations of the printing system may leak information. For instance, a paper roll that does not detach the ballot paper after printing allows an attacker to recover the order of cast votes. Observing the order of voters then allows voter privacy to be broken. These systems possess receipt-freeness because voters receive no receipt.

Verifiability: It is possible to check that a vote has been cast as intended because voters can both check their selection on the voting machine and on the generated paper ballot. A voter cannot check that their vote has been recorded as cast, however, as it is not possible to verify the electronic vote recorded on the machine. Furthermore, it is only possible to verify whether votes have been tallied as recorded with a manual count of the paper ballots. Therefore the verification of election correctness can only be offered with the VVPAT. The level of technical understanding required to check the paper ballot is very low. However, to analyse the software used to record the vote and tally the result requires expertise that is not likely to be possessed by the average voter.

6.5 Cryptographic voting systems

One of the difficulties in using eVoting systems for the local election is the large and complex ballot paper consisting of 502 candidates and 13 parties (compare to Table 1) and the legal regulation which includes cumulative voting, vote splitting and crossing out of candidates. There is nothing in the available literature on Pret a Voter or Scantegrity II which deals with these three options, but we assume that it is possible to alter the system to support these functions. In this paper we have a look at the usability of a ballot paper which fulfils the requirements of the local election in Hesse, Germany. It should be noted that the usability aspect depends on the ballot paper implemented, which is why only general assumptions are possible at this point.

6.5.1 Pret a Voter

Some papers have already analysed some threats against Pret a Voter [37, 20, 43, 40, 45] or evaluated the system by several criteria [44, 36].

Usability: Regarding the ease of use, the basic principle of Pret a Voter enforces that all parties and candidates are printed in random order, which leads to a very complex and confusing ballot paper. Based on the election data from 2006¹, during the vote casting process, the voter has to find the right checkboxes among more than 500 possibilities up to 71 times. This becomes even more work intensive when they want to cross out candidates. The order in the lists of candidates differs from the original one, which is important for vote casting (compare to Section 3), and voters have to reconstruct this based on the field information of the candidates. If the originally proposed ballot layout of Pret a Voter is used, which requires that the right side of the ballot paper is detached, it will become considerably larger, around 5 metres, or 16 feet, long (related to the font size and design of the ballot paper of 2006), which would probably make it difficult to detach and scan the choices. Regarding the ease of understanding, the vote casting process of Pret a Voter is very similar to the traditional system [36]. The only difference lies in the random candidate order, which has to be explained to the voter prior to the election. Concerning the accessibility of Pret a Voter, the random order of candidates could become a problem for disabled people, who would probably need longer to fill in the ballot paper. Further, they have to deal with a large ballot paper, and detaching the perforated right side could become a critical issue [43].

Privacy: In terms of voter privacy, after the voters mark their candidates the right side is detached and destroyed before leaving the secure polling booth. Therefore, just the voters know the original order of the candidates and how they voted. Some vulnerabilities have been discussed, such as the chain voting attack [36], where a coercer manages to get a ballot paper in advance and therefore knows both where the voter has to set a mark, and how the receipt will look. There is also the possibility of taking a picture of the completed ballot paper in the voting booth. One proposal on how to avoid such attacks is to cover the cryptographic code by a scratch field which is removed immediately before the scanning process [36, 45], with the poll worker checking that the scratch field is still intact. Further, this approach ensures that all ballot papers which have been audited by revealing the candidate order are not admitted for voting. Regarding the receipt-freeness, the receipt does not show for which candidates the voters cast a vote but on which position they made an "x". One possible attack is to force voters to cast a vote on a specific position, for example always marking the first choice. This is known as the randomisation attack [36, 43]. A possible countermeasure in this situation would be for voters to choose a ballot paper which has their preferred candidate as the first choice [43]. However, to find the desired ballot paper in a local election with 502 candidates would be a difficult task.

Verifiability: To convince voters that their vote is cast as intended, it is necessary to show that the printed candidate order on the ballot paper matches the candidate order reconstructed by the cryptographic codes. Therefore, all voters should get the possibility to join the auditing processes which take place before and after the election. It is possible that not all voters are convinced that the checked ballot papers were created in the same way as the ones used in polling stations, and not all voters can take part during the auditing process. Therefore, an auditing process like the cut and choose approach should be offered during the election. But this requires that the ballot papers can be threshold decrypted by the Tellers, which would have to be available over the internet or intranet in every polling station. In local elections this is an organisational problem and in addition could bring some security vulnerabilities. At this point some further research to close this gap is necessary. To verify that the votes have been recorded as cast, voters can check whether the receipt on the Bulletin Board matches the receipt they received from the polling station. As mentioned in [36], a voter verifiable paper audit trail (compare to Section 4.3) used as a paper copy of the ballot receipt can give additional assurance. The receipt offers voters the possibility to verify that their vote has been recorded as cast without being present during the whole tallying phase, such as in the traditional voting system. However, if voters have to check up to 71 votes, this step would be very work intensive. Regarding the criterion tallied as recorded, during all election phases enough information is published to offer the possibility to verify the whole election process. Concerning the technical understanding, voters who want to verify the whole process need some specialist knowledge to judge the election correctness. People who are not used to technical devices, for example computers, would also probably have problems with checking their receipt online. Further, the system assumes that the voter has enough mathematical and technical knowledge to understand the auditing process of the mixnet, the security of the Bulletin Board, and to understand why their vote is secure and cannot be decrypted. It would be necessary that all these auditing steps are justified by an expert the voter has confidence in. Furthermore, it is not possible to tally the completed ballot paper manually, so technical understanding is necessary for verification.

6.5.2 Scantegrity II

While threat analyses of Scantegrity II have been included within the latest paper [18], and reflections on the usability of the system have been discussed [17], there do not yet exist any evaluations of the system against criteria such as defined in this paper.

Usability: Regarding the ease of use of the system, the action of casting a vote with Scantegrity II has been designed to be as similar to established optical scan vote casting processes as possible, with the verification functions essentially acting as an optional add-on for the voter [18]. However, the Confirmation Codes disappear after a short period of time, meaning a voter must be quick in writing them down. With the possibility of up to 71 individual votes, a voter would have to interrupt candidate selection every so often to note down Confirmation Codes before they disappear. Additionally, the receipt would have to be large enough to accommodate 71 Codes. Furthermore, cumulative voting requires three Codes for each candidate, meaning that there may be up to 1600 Confirmation Codes on the ballot paper. For the local election in Hesse, Germany, with such a large ballot and number of possible selections, vote casting times are likely to be long. Similarly, with ease of understanding, voters have to comprehend that they must fill out their ballot and receive Confirmation Codes, which need to be written down and checked on the Bulletin Board to be verified. However, voters would be able to prepare for this with a template ballot paper they can obtain in advance. The accessibility of the system is another important issue. With regards to the verification process, the requirement for checking Confirmation Codes on a Bulletin Board may continue to cause certain types of disabled voters problems. So while the act of casting a vote would be the same as in the traditional system, the act of verification may not be.

Privacy: Voter privacy is handled in a variety of ways. The ballot is covered in a privacy sleeve when transported to and from the voting booth, preventing eavesdropping of ballot serial numbers and candidate selection. Additionally, due to the use of special ink, Confirmation Codes disappear shortly after being revealed, disrupting the physical link between the voter’s preference and paper receipt. However, collusion between poll workers and election officials who record serial numbers of voters, or a compromised Trusted Computation Device, could allow for the breaking of voter privacy. Additionally, the printing of the ballot papers must also be secured, since ballot information can also be leaked here. Receipt-freeness is tackled in the following manner. The recorded Confirmation Codes indicate that the voter has cast votes, but this receipt is designed to not reveal confidential voting information to any third party. However, the complexity of the local election system may lead to the receipt leaking information about how voters cast their vote, such as number of votes cast. Additionally, since all cast Confirmation Codes are published on the Bulletin Board, knowledge of the receipt serial number allows a coercer to check for this leakage without the receipt having to contain any information.

Verifiability: Voters can check that their paper vote has been cast as intended because their ballot paper will contain their candidate selections as machine and, crucially, human readable marked selection bubbles. The property of the vote being recorded as cast can be inferred by auditing another ballot paper for correctness. The act of auditing the ballot paper gives voters extra assurance that their own ballot paper was printed correctly as well. Voters who wish to directly check that their own vote has been interpreted correctly by the system can use the recorded Confirmation Codes on their receipt to verify that they match with what has been recorded on the Bulletin Board. With regards to the vote being tallied as recorded, it is possible to recompute the election outcome using published commitment information and table associations, allowing voters to check their computed tally against the voted tally. To perform this, voters can write their own software, or use some from a trusted source. Additionally, completed paper ballots can also be used to perform a manual tally, which can be triggered by large amounts of genuine election discrepancies and challenges [17]. As far as technical understanding goes, the concept of cryptographic commitments providing verifiability may be difficult for the average voter to understand. While the requirement for Confirmation Codes to be written on receipts not explicitly referring to selected candidates is simple to grasp, the method of table generation, tallying and auditing may not be understandable for a voter.

Table 2: Results of eVoting system evaluation

(DigPen, OptiScan and BarScan are the scan based systems; PaV and Scanteg are the cryptographic systems.)

| Criterion | TalTool | DigPen | OptiScan | BarScan | DRE | PaV | Scanteg |
|---|---|---|---|---|---|---|---|
| Use | 0 | 0 | - | 0 | + | - | - |
| Understanding | 0 | - | 0 | 0 | + | 0 | 0 |
| Accessibility | 0 | 0 | 0 | 0 | + | - | 0 |
| Voter privacy | 0 | - | - | 0 | - | 0 | - |
| Receipt-freeness | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Cast as intended | 0 | 0 | 0 | 0 | 0 | - | + |
| Recorded as cast | - | - | - | - | - | + | + |
| Tallied as stored | - | - | - | - | - | + | + |
| Technical understanding | - | - | - | - | - | - | - |

7 Future Work and Conclusion

In this paper we describe the German local election and various eVoting systems, and evaluate them against several defined criteria and the requirements of the local election. As a result the analysis shows that none of the systems are ready for use in the local election in Hesse, Germany. The tallying tool, for example, just slightly changes the traditional voting process but does not allow the voter to verify the tallying process. Regarding the scan based systems, the Digital Voting Pen and optical scanner also show a great similarity to the traditional system, but can break voter privacy and have some disadvantages regarding usability. DREs with VVPATs have some usability advantages compared to the traditional voting system but also do not guarantee voter privacy, nor do they offer verifiability of the tallying process. The cryptographic systems Pret a Voter and Scantegrity II provide advanced verifiability options but have some disadvantages regarding usability and receipt-freeness. Further, the voter needs high technical understanding to verify election correctness and comprehend both systems. In general the analysis shows that at least for the verifiability of all systems the voter needs some specialist knowledge and technical understanding. Table 2 summarises the improvements and deficiencies of each system compared to the traditional system.

The analysis shows that before using one of these systems for a local election further improvement is necessary. Possible future work for specific systems could include: Firstly, verifiability of the tallying tool and scan based systems can be improved by showing intermediate results on a separate screen during the tallying process. Secondly, the security of DREs with VVPATs and Scantegrity II could be optimised through the development of comprehensive and mandatory security standards that would drastically reduce the chance of vote secrecy being compromised through device leakage or attack. Thirdly, the usability of Pret a Voter can be improved through the use of a look up table or machine interface that sorts and then reassembles the random order. Finally, many of the analysed eVoting systems generate a ballot paper which can be manually tallied. Therefore, the development of an algorithm which determines the proportion of ballot papers that have to be recounted to uncover, with a high probability, an error in the system, would improve verifiability of election results.
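The recount proportion mentioned in the last suggestion can be illustrated under a simple detection model. The following is an added example, not part of the report: it assumes ballots are drawn uniformly at random without replacement and that the recount always notices a sampled paper ballot whose electronic record differs; the function names, the per-ballot shift parameter and all figures are assumptions.

```python
"""Recount sample size under a simple detection model (added example)."""


def miss_probability(total: int, bad: int, sample: int) -> float:
    """Probability that a uniform random sample drawn without replacement
    contains none of the `bad` ballots (hypergeometric, zero hits)."""
    if not 0 <= bad <= total or not 0 <= sample <= total:
        raise ValueError("need 0 <= bad <= total and 0 <= sample <= total")
    if sample > total - bad:
        return 0.0  # more ballots sampled than good ballots exist
    p = 1.0
    for i in range(sample):
        p *= (total - bad - i) / (total - i)
    return p


def min_sample_size(total: int, bad: int, confidence: float) -> int:
    """Smallest sample size that finds at least one bad ballot with
    probability >= confidence."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    if not 1 <= bad <= total:
        raise ValueError("need 1 <= bad <= total")
    p = 1.0  # miss probability for a sample of size n, updated per step
    for n in range(total - bad + 1):
        if 1.0 - p >= confidence:
            return n
        p *= (total - bad - n) / (total - n)
    return total - bad + 1  # beyond this point detection is certain


def min_altered_ballots(margin: int, max_shift_per_ballot: int) -> int:
    """Fewest ballots that must be wrong to erase a lead of `margin` votes
    when one ballot can move the lead by at most `max_shift_per_ballot`."""
    if margin < 1 or max_shift_per_ballot < 1:
        raise ValueError("margin and max_shift_per_ballot must be positive")
    return -(-margin // max_shift_per_ballot)  # ceiling division


def recount_plan(total: int, margin: int, max_shift_per_ballot: int,
                 confidence: float) -> dict:
    """Recount size needed to catch the smallest outcome-changing error."""
    bad = min_altered_ballots(margin, max_shift_per_ballot)
    if bad > total:
        raise ValueError("margin cannot be erased by the ballots cast")
    n = min_sample_size(total, bad, confidence)
    return {
        "bad": bad,
        "sample": n,
        "proportion": n / total,
        "detection": 1.0 - miss_probability(total, bad, n),
    }


if __name__ == "__main__":
    # Constructed figures: 20,000 ballots, 99% detection target.
    # Assumption: with at most three votes per candidate, one altered
    # ballot moves the gap between two candidates by at most six votes.
    for margin in (60, 300, 1500):
        plan = recount_plan(20000, margin, 6, 0.99)
        print(f"margin {margin:5d}: recount {plan['sample']:5d} ballots "
              f"({plan['proportion']:.1%}), detection {plan['detection']:.4f}")
```

The narrower the lead, the fewer wrong ballots suffice to change the outcome and the larger the proportion that has to be recounted.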

Regarding the further analysis of eVoting systems, more criteria, mentioned in Section 5, could be used to comprehensively assess the feasibility of systems for implementation. Before using eVoting systems in legally binding elections in Germany it would be necessary to analyse whether the system meets the five basic legal principles for German elections; universal, equal, free, secret and direct. As soon as eVoting systems meet the requirements of local elections this could be considered as the next step for the investigation into their future implementation. There are also some factors of legally binding elections not considered here, such as how these systems might deal with irregular, invalid, or defaced ballot papers, or how postal voting might be integrated. However, while some systems show deficiencies that preclude their suitability for these particular elections, they also demonstrate improvements over the traditional system in certain criteria. Pret a Voter and Scantegrity II provide end-to-end verifiability and DREs offer increased usability. It should be noted that our study does not completely dismiss the idea of using eVoting systems for elections in Germany. We hope that our findings spur on the continued development of new systems and the improvement of established ones.


References

[1] Counting mark-sense ballots, http://www.cs.uiowa.edu/~jones/voting/optical/, retrieved 20/4/2011.

[2] Cropped and simplified picture from: http://www.heise.de/ct/06/06/090 [german], retrieved 20/04/2011.

[3] Federal efforts to improve security and reliability of electronic voting systems are under way, but key activities need to be completed, government accountability office, 2005, http://www.gao.gov/new.items/d05956.pdf, retrieved 20/4/2011.

[4] Homepage publishing statistics, http://www.statistik-hessen.de/subweb/k2006/EG411000.htm [german], retrieved 20/4/2011.

[5] Sondala, http://www.sondala.de/wp/?tag=it [german], retrieved 20/4/2011.

[6] State of colorado certified voting equipment, department of state, state of colorado, 2010, http://www.elections.colorado.gov/WWW/default/Voting%2520Systems/Voting%2520Equipment%2520used%2520in%2520Nov%25202005%2520election-final-public-01-17-06.pdf, retrieved 20/4/2011.

[7] Voting systems certified by the state of new jersey, department of state, state of new jersey, 2008, http://www.njelections.org/voting-equipment/voting-systems-certified-nj-111909.pdf, retrieved 20/4/2011.

[8] Webpage detailing withdrawal of dre machines from use following constitutional court decision verfassungsgericht stoppt einsatz von wahlcomputern, http://www.spiegel.de/netzwelt/tech/0,1518,610962,00.html [german], retrieved 12/04/2011.

[9] Webpage explaining historical use of mechanical lever machines, http://www.fec.gov/pages/lever.htm, retrieved 20/04/2011.

[10] Webpage of ivote, http://www.ivotemobile.com/, retrieved 20/4/2011.

[11] Kommunalwahlordnung (kwo), March 2000.

[12] Hessisches kommunalwahlgesetz (kwg), April 2005.

[13] ADIDA, B. Helios: Web-based open-audit voting. In Proceedings of the 17th Symposium on Security (Berkeley, CA, USA, 2008), Usenix Association, pp. 335 – 348.

[14] ADIDA, B., AND RIVEST, R. L. Scratch & vote: self-contained paper-based cryptographic voting. In Proceedings of the 5th ACM workshop on Privacy in electronic society (New York, NY, USA, 2006), WPES ’06, ACM, pp. 29–40.

[15] BENALOH, J., AND TUINSTRA, D. Receipt-free secret-ballot elections (extended abstract). In Proceedings of the twenty-sixth annual ACM symposium on Theory of computing (New York, NY, USA, 1994), STOC ’94, ACM, pp. 544–553.

[16] BOHLI, J., MULLER-QUADE, J., AND ROHRICH, S. Bingo voting: Secure and coercion-free voting using a trusted random number generator. In E-Voting and Identity, A. Alkassar and M. Volkamer, Eds., vol. 4896 of Lecture Notes in Computer Science. Springer Berlin / Heidelberg, 2007, pp. 111–124.

[17] CARBACK, R., CHAUM, D., CLARK, J., CONWAY, J., ESSEX, A., HERRNSON, P. S., MAYBERRY, T., POPOVENIUC, S., RIVEST, R. L., SHEN, E., SHERMAN, A. T., AND VORA, P. L. Scantegrity II municipal election at takoma park: the first E2E binding governmental election with ballot privacy. In USENIX Security’10 Proceedings of the 19th USENIX conference on Security (2010), USENIX Security’10, p. 19–19. ACM ID: 1929846.

[18] CHAUM, D., CARBACK, R. T., CLARK, J., ESSEX, A., POPOVENIUC, S., RIVEST, R. L., RYAN, P. Y. A., SHEN, E., SHERMAN, A. T., AND VORA, P. L. Scantegrity II: end-to-end verifiability by voters of optical scan elections through confirmation codes. IEEE Transactions on Information Forensics and Security 4 (Dec. 2009), 611–627. ACM ID: 1720423.

[19] CHAUM, D., ESSEX, A., CARBACK, R., CLARK, J., POPOVENIUC, S., SHERMAN, A., AND VORA, P. Scantegrity: End-to-End Voter-Verifiable optical-scan voting. IEEE Security and Privacy 6 (May 2008), 40–46. ACM ID: 1383188.

[20] CHAUM, D., RYAN, P. Y. A., AND SCHNEIDER, S. A. A practical, voter-verifiable election scheme. In European Symposium on Research in Computer Security, number 3679 in Lecture Notes in Computer Science (2005), Springer-Verlag.

[21] CLUB, C. C. Article about the local election in bavaria, http://www.ccc.de/updates/2008/kommunalwahlen-bayern-2008 [german], retrieved 20/4/2011.

[22] DAWKINS, S., SULLIVAN, T., ROGERS, G., CROSS, II, E. V., HAMILTON, L., AND GILBERT, J. E. Prime iii: an innovative electronic voting interface. In Proceedings of the 14th international conference on Intelligent user interfaces (New York, NY, USA, 2009), IUI ’09, ACM, pp. 485–486.

[23] DE COCK, D., AND PRENEEL, B. Electronic voting in belgium: Past and future. In E-Voting and Identity, A. Alkassar and M. Volkamer, Eds., vol. 4896 of Lecture Notes in Computer Science. Springer Berlin / Heidelberg, 2007, pp. 76–87. 10.1007/978-3-540-77493-8 7.

[24] DRS. Webpage, http://www.drs.co.uk, retrieved20/4/2011.

[25] EUEOM. Final report - presidential elections venezuela 2006.Tech. rep., European Union Election Observation Mission, 2006.

[26] FISHER, K., CARBACK, R., AND SHERMAN, A. T. Punch-scan: Introduction and system definition of a high-integrity elec-tion system. In Proceedings of the 2006 IAVoSS Workshop onTrustworthy Elections (2006).

[27] GAO. Federal efforts to improve security and reliability of elec-tronic voting systems are under way, but key activities need to becompleted. Tech. Rep. GAO-05-956, Government AccountabilityOffice, 2005.

[28] GREIF, N., HARTMANN, V., AND RICHTER, D. Analyse vonwahlgertekonzepten in bezug auf das bundesverfassungsgericht-surteil. PTB- Mitteilungen 120, 2 (2010), 133 – 147.

[29] IBM. Article about punch card, http://www-03.ibm.com/ibm/history/exhibits/supplies/supplies_5404PH12.html, retrieved 20/4/2011.

[30] JAKOBSSON, M., JUELS, A., AND RIVEST, R. L. Making mixnets robust for electronic voting by randomized partial checking.In USENIX Security ’02 (2002).

[31] LAMBRINOUDAKIS, C., GRITZALIS, D., TSOUMAS, V.,KARYDA, M., AND IKONOMOPOULOS, S. Secure ElectronicVoting: The Current Landscape, vol. 7 of Advances in Informa-tion Security. Kluwer Academic Publishers, 2003, ch. 7, pp. 101–122.

[32] LANGER, B. L. Privacy and Verifiability in Electronic Voting.PhD thesis, Technische Universitt Darmstadt, 2010.

[33] MICROMATA. Webpage http://www.micromata.de/micromata [german], retrieved 20/42011.

[34] RIVEST, R. L. The threeballot voting system. Tech. rep.,Computer Science and Artificial Intelligence Laboratory, Mas-sachusetts Institute of Technology, Oct 2006.

13

Page 15: Readiness of various eVoting systems for complex elections

[35] RYAN, P. A., AND PEACOCK, T. Pret a voter: a system perspec-tive. Tech. Rep. CS-TR-929, University of Newcastle upon Tyne,2005.

[36] RYAN, P. Y., BISMARK, D., HEATHER, J., SCHNEIDER, S.,AND XIA, Z. Pret a voter: a voter-verifiable voting system. Uni-versity of Luxembourg, University of Surrey.

[37] RYAN, P. Y., AND SCHNEIDER, S. A. Pret a voter with re-encryption mixes. In Proceedings of the 11th European Sym-posium on Research in Computer Science (ESORIC’06) (2006),LNCS 4189, pp. 313 – 326.

[38] SMARTMATIC. Webpage, http://www.smartmatic.com/, retrieved 20/4/2011.

[39] USEAC. Voluntary voting system guidelines, vol. 1,2005, http://www.eac.gov/assets/1/workflow_staging/Page/124.PDF, retrieved 20/4/2011.

[40] VAN DE GRAAF, J. Voting with unconditional privacy by merg-ing pret a voter and punchscan. IEEE Transactions on Informa-tion Forensics and Security - Special issue on electronic voting 4(December 2009). IEEE Press Piscataway, NY, USA.

[41] VOLKAMER, M., AND VOGT, R. New generation of voting ma-chines in germany - the hamburg way to verify correctness. InProceedings of the Frontiers in Electronic Elections Workshop -FEE ’06 (2006).

[42] WELDEMARIAM, K., AND VILLAFIORITA, A. Modeling andanalysis of procedural security in (e)voting: the trentino’s ap-proach and experiences. p. 10:1–10:10. ACM ID: 1496749.

[43] XIA, Z., CULNANE, C., HEATHER, J., JONKER, H., RYAN, P.Y. A., SCHNEIDER, S. A., AND SRINIVASAN, S. Versatile preta voter: Handling multiple election methods with a unified inter-face. In Progress in Cryptology - INDOCRYPT 2010 - 11th In-ternational Conference on Cryptology in India (December 2010),K. C. Gong, Guang & Gupta, Ed., vol. 6498 of Lecture Notes inComputer Science, Springer, pp. 98–114. Hyderabad, India, De-cember 12-15.

[44] XIA, Z., SCHNEIDER, S. A., HEATHER, J., RYAN, P. Y.,LUNDIN, D., PEEL, R., AND HOWARD, P. Pret a voter: All-in-one. In Proceedings of IAVoSS Workshop on Trustworthy Elec-tions (WOTE 2007) (2007), pp. 47 – 56. Ottawa, Canada.

[45] XIA, Z., SCHNEIDER, S. A., HEATHER, J., AND TRAOR,J. Analysis, improvement and simplification of the pret avoter with pailier encryption. In Proceedings of the 3rdUSENIX/ACCURATE Electronic Voting Technology Workshop(EVT’08) (2008). San Jose, California.

14