Transitioning to a Javascript Voting Client for Remote Online Voting

Jordi Cucurull, Sandra Guasch, David Galindo


Voters in remote electronic voting systems typically cast their votes from their own devices, such as PCs and smartphones. The software that runs on these devices and performs the ballot presentation, navigation and most of the cryptographic operations required to protect the integrity and privacy of the ballot is referred to as the voting client. The first voting clients were developed as Java applets. However, this technology has been displaced by web technologies such as JavaScript, which provide a better multi-platform user experience. This is the reason why in 2013 Scytl decided it was imperative to develop a voting client purely based on JavaScript. This industrial paper presents the implementation experiences and lessons learned during the development and deployment of JavaScript voting clients for our remote electronic voting systems. The paper is complemented with a performance study of 1) the main cryptographic primitives used in voting clients and 2) the vote casting process of one of the voting clients used in a real election.



Paper Citation

in Harvard Style

Cucurull J., Guasch S. and Galindo D. (2016). Transitioning to a Javascript Voting Client for Remote Online Voting . In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016) ISBN 978-989-758-196-0, pages 121-132. DOI: 10.5220/0005967301210132
