
Journal of Cases on Information Technology, 15(2), 1-33, April-June 2013

A Framework for Protecting Voters’ Privacy In Electronic Voting Procedures
C. Manolopoulos, Computer Technology Institute and Press “DIOPHANTUS”, University of
Patras, Patras, Greece
D. Sofotassios, Computer Technology Institute and Press “DIOPHANTUS”, University of
Patras, Patras, Greece
P. Spirakis, Computer Technology Institute and Press “DIOPHANTUS”, Computer
Engineering and Informatics Department, University of Patras, Patras, Greece
Y.C. Stamatiou, Computer Technology Institute and Press “DIOPHANTUS”, Business
Administration Department, University of Patras, Patras, Greece

EXECUTIVE SUMMARY
eVoting is considered to be one of the most challenging domains of modern eGovernment and one of the main vehicles for increasing eParticipation among citizens. One of the main obstacles for its wide adoption is the reluctance of citizens to participate in electronic voting procedures. This reluctance can be partially attributed to the low penetration of technology among citizens. However, the main reason behind this reluctance is the lack of trust which stems from the belief of citizens that systems implementing an eVoting process will violate their privacy. The departure point of this approach is that the emergence of such a belief can be considerably facilitated by designing and building systems in a way that evidence about the system’s properties is produced during the design process. In this way, the designers can demonstrate respect for privacy using this evidence, which can be understood and checked by the specialist and the informed layman. These tools and models should provide sufficient evidence that the target system handles privacy concerns and requirements that can remove enough of the fears towards eVoting. This paper presents the efforts of the authors’ organization, the Computer Technology Institute and Press “Diophantus” (CTI), towards the design and implementation of an eVoting system, called PNYKA, with demonstrable security properties. This system was based on a trust-centered engineering approach for building general security critical systems. The authors’ approach is pragmatic rather than theoretical in that it sidesteps the controversy that besets the nature of trust in information systems and starts with a working definition of trust as people’s positive attitude towards a system that transparently and demonstrably performs its operations, respecting their privacy. The authors also discuss the social side of eVoting, i.e. how one can help boost its acceptance by large social groups targeting the whole population of the country. The authors view eVoting as an innovation that must be diffused to a population and then employ a theoretical model that studies diffusion of innovation in social networks, delineating structural properties of the network that help diffuse the innovation fast. Furthermore, the authors explain how CTI’s current situation empowers CTI to realize its vision to implement a privacy preserving discussion and public consultation forum in Greece. This forum will link, together, all Greek educational institutes in order to provide a privacy preserving discussion and opinion gathering tool useful in decision making within the Greek educational system.

Keywords: Cryptographic Protocol, eVoting, Privacy, Risk Assessment, Security Architecture, Trust

DOI: 10.4018/jcit.2013040101

Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

1. ORGANIZATION BACKGROUND

The Computer Technology Institute and Press “Diophantus” is a research and technology organization focusing on research and development in Information and Communication Technologies (ICT). Particular emphasis is placed on education, by developing and deploying conventional and digital media in education and lifelong learning; publishing printed and electronic educational materials; administrating and managing the Greek School Network; and supporting the organization and operation of the electronic infrastructure of the Greek Ministry of Education, Lifelong Learning and Religious Affairs and all educational units. Since its establishment in 1985, and in the past decades of rapid technological development, CTI has actively contributed to many of the advances that today are taken for granted.

The Information Society Sectors are the organization’s conveying mechanisms of know-how, in turn supporting the Hellenic State’s devolvement into the Information Society. The Sectors, which are currently the following, are coordinated by the Board of Executives:

• Educational Technology Sector;
• Networking Technologies Sector;
• E-Government Sector;
• Center of Telematics & Applications for regional development;
• Further Education & Training Sector;
• Strategic & Development Policy Sector;
• Computing & Networking Systems Security Sector.

The work that resulted in the PNYKA system was done in collaboration between CTI and EXPERTNET Advanced Applications S.A. The work was partially supported by the General Secretariat of Research and Technology of Greece, under the project PNYKA (project code DEL_2, decision 8948/04.05.06, project site http://pnyka.cti.gr/), Operational Program of Western Greece, 3rd Community Support Framework.

With respect to the acceptance of the project’s results, on June 13th 2008, CTI submitted the PNYKA system at the “eVoting Competition 2008” organized by the Competence Center for Electronic Voting and Participation sponsored by Internet Foundation Austria (IFA). The Competition targeted non-commercial, internet eVoting systems fully developed using open source tools and took place for the first time in Europe. The PNYKA system was awarded the first prize from among numerous submissions from all over Europe.

2. SETTING THE STAGE

During the last decades, we have witnessed a rapid growth of Information and Communication Technologies (ICTs) as well as the diffusion of Internet in people’s lives. These facts, in conjunction with the need for more efficient and economical government services have led to an increase of eGovernment services in many countries. In this context, democratic societies face the challenge to improve public participation in political debate and policy formation processes, realizing the concept of eParticipation. One of the most important and critical facets of eParticipation is Electronic Voting or eVoting. eVoting has attracted lately the attention of many governments as an alternative to conventional voting with the hope to increase citizens’ participation and reduce the costs. While eParticipation initiatives have been deployed across the EU with mixed results so far, some encouraging signs come from few but important eVoting initiatives (see, also, Susha & Grönlund, 2012, for an interesting recent effort to systematize the study of the eParticipation domain as well as Sæbø et al. (2008), who attempt to provide a formal model for defining and studying eParticipation). In Switzerland, eVoting and especially Internet voting, was
recently introduced as a complementary channel for elections and referenda, with great success. One of the reasons might be that remote voting was largely practiced through postal voting for many years. The introduction of Internet voting came as an alternative and easier way to vote remotely and thus was rapidly accepted. In 2005, Estonia carried out the first Nation Wide online elections in the EU. It was the result of a bold political decision rather than a natural evolution as it came to be in Switzerland, but it placed Estonia on the forefront of the eVoting efforts in Europe. This, perhaps, would not have been possible if the government had not already implemented an advanced IT Strategy and a Nation Wide Digital ID scheme. In both cases, some basic conditions were met to allow for the fruitful deployment of such initiatives, both in terms of the necessary infrastructures, institutional measures and government policies employed to support large scale deployment of eVoting projects. Recent efforts to implement eVoting solutions in Greece face, in that respect, many challenges, such as the lack of a specific institutional framework that supports the deployment of eVote applications at large scale (e.g. a national PKI Infrastructure) or the low ICT and Internet penetration rates (around 25%) and the resulting digital divide and “digital culture gap”. On top of these, the general lack of trust in ICTs and the Internet as a safe medium to conduct secure transactions further hinders these efforts. This lack of trust is clearly identified as a cause for the lack of take-up of online purchases and online banking.

It is apparent that voting is a fundamental process in any democratic system. Any effort to migrate from the conventional and long established voting procedures to an electronic voting system is thus very seriously affected by this lack of trust in ICTs and the Internet. Moreover, the abundance of cases of misconduct in electronic voting has resulted in severe decrease of trust among citizens (Gritzalis, 2003, Mason, 2004, and The problems and potentials of voting systems, Communications of the ACM, Special Issue on eVoting, Vol. 47, Iss. 10, October 2004.). However, eVoting, despite the critique it has attracted, seems to be, still, a hot discussion issue and, possibly, a worldwide reality in the future. Thus, any successful eVoting system should aim at increasing citizens’ trust. Trust, however, is difficult to establish in the eVoting domain since eVoting is necessarily based on complex distributed information systems, involving complicated interactions between computers, between humans, and between humans and computers. A very interesting recent survey was conducted by Beldad et al. (2010), in relation to trust in e-services in several domains (eCommerce, eHealth, and eGovernment) in order to discover what online elements increase the trust of people towards these services. Many of their observations apply also to the eVoting domain.

In view of the considerations discussed above, our institute undertook the development of an eVoting system based on formal methods of risk assessment and management so as to handle systematically, from the initial system design phases, all the critical and sensitive requirements of such a system. Such requirements include user confidence, system security, efficiency, extensibility and the ability of re-using its components in other similar applications. This framework would focus on boosting potential users’ confidence towards the system and would cover the whole range of applications within the eVoting domain. Another successful effort taken previously by members of our institute is described in Bouras et al. (2003) which, however, was not accompanied by a publicly available formal risk and security analysis and relied on different cryptographic primitives.

More specifically, our goals were the following: (a) the design and implementation of an electronic voting information system that would be capable of supporting simple opinion polling procedures as well as national elections, (b) the application of formal design methods so that assurance would be, dynamically, built with respect to keeping all important system requirements, (c) the design of the system components in such a way that they would be reusable, as
a set of libraries, in other systems with similar requirements, and (d) the integration of the required elements that would increase users’ trust in the final system at the phase of its design as well as during its development and operation.

During project implementation we paid particular attention to having the following: (a) a full documentation of evidence supporting the correctness and security of the system based on the application of formal methods, (b) a trust model of the system based on a layered architecture as it has been proposed and applied by CTI in earlier projects, (c) a theoretical (mathematic) model for the evaluation of the system performance in a large scale, distributed operation and verification of the model through simulation methods, and (d) a library of the basic system components (library of reusable components) that could be incorporated in other similar systems.

To reach our goals (see Antoniou, et al., 2007[1] and Manolopoulos, et al., 2008) our team relied on two general methodologies and one strong cryptographic eVoting protocol. The two methodologies are the layers of trust decomposition of a system described in Konstantinou et al. (2004) and Konstantinou et al. (2005) as well as the CORAS (Consultative Objective Risk Analysis System) risk assessment framework for security critical systems (Stolen et al., 2003). The eVoting specific protocol is the protocol described by Warren Smith (Smith, 2005) which is based on the homomorphic properties of the ElGamal encryption function and the hardness of computing the discrete logarithm (see Lenstra & Lenstra 1990 for complexity theoretical issues pertaining to the discrete logarithm problem). The adopted approach targets all the phases of system design, implementation and testing, using trust modeling and risk assessment methodologies in conjunction with strong cryptographic protocols. This approach was successfully applied for the design, implementation, and testing of an Internet-based eVoting system that was initially deployed in an actual voting process by engineers who are members of the Technical Chamber of Greece, Western Sector.

3. CASE DESCRIPTION

3.1. Trust in the eVoting Domain

Since trust, as people’s attitude, plays a major role in the way people view and use information systems, lack of trust renders even expensive and sophisticated information systems completely useless. In most of the information systems that deliver e-services, trust is based not on some publicly available systematic design process, but rather it is based on the reputation of the system’s implementer (e.g. a well-known company) and operator (e.g. the government).

On the other hand, trust is a hard to formalize concept that also raises philosophical and social (i.e. non-engineering) concerns. For instance, Luhmann (2000) considers trust as a mechanism which causes the reduction of complexity. Coleman (1990) distinguishes certain elements that define a trust situation between a trustor and a trustee. By definition a voting procedure is a trust situation, and in this case trust properties have to be reflected both on individual and system level, independently of the voluntary, custom/norm based, institutional or obtruded nature of the procedure. Trust is an emergent social property based on interactions between actors and for this reason, an eVoting procedure could, in principle, be established if and only if actors certainly believe that it complies with certain properties of trust.

Given the multifaceted nature of trust, in our approach the concept of trust is pragmatic. It is pragmatic in the sense that we rely on a plausible working definition and proceed in order to satisfy the definition’s prerequisites for trust. One possible definition of trust is the following.

Trust of a party A in a party B for a service X is the measurable belief of A in that B will behave dependably for a specified period within a specified context.

In the eVoting domain, A is the voter, B is the eVoting system and X is the eVoting service. Most importantly, by dependably we will imply ensuring the following basic voting requirements (which apply to both eVoting and
conventional voting): democracy (only voters who have the right to vote can vote and one vote per voter is included in the election outcome), accuracy (the election outcome is correct and includes all valid votes), secrecy (a voter’s vote cannot be seen by any other voter), receipt-freeness (no evidence is given to the voter that can be used in order to disclose the contents of his/her vote to another party), uncoercibility (protection from outside enforcement of opinion), fairness (the outcome of the election will be made public only after all votes have been received and tallied), verifiability (all critical stages of the election process are logged for later auditing and the election outcome can be verified by the voters), verifiable participation (the participation of a voter can be checked by the election authority, in cases where voting is compulsory), and robustness (the election process cannot be hindered either accidentally or on purpose by outside intervention).

Given the above definitions, we can define the means by which the trust prerequisites, i.e. the word “dependably” above, can be satisfied. Trust management/engineering is a unified approach to interpreting, specifying and incorporating security requirements in a transparent way that allows direct authorization of security-critical actions on behalf of the user.

Thus, this applied view of trust, as pertaining to the eVoting domain, is a property of an eVoting system that can emerge in citizens’ minds as a result of a systematic system design process that produces, along the way, verifiable (at least by technical people, appointed and trusted by the voters) certificates of system security and correctness. This trust manifests itself, in practice, in their will to use the system in order to participate in an election. This emergence is made possible through a proper trust engineering approach. This approach has been applied to the design and development of the eVoting system described in this paper.

Our viewpoint is that, although a layman may not be in a position to judge the trustworthiness of an eVoting system based on the output produced by such systematic design and implementation processes (many of which we demonstrate in the sections that follow) the systems designers should try to produce ample evidence (formal and semiformal) of their design and implementation of the system which may, at any time, be subjected to the scrutiny of experts which may, then, “certify” to the public that the system can be trusted. Assembling a group of experts should not be too difficult and actually resembles the various consumer bodies which protect consumers against dangerous or “bogus” products. If, on the contrary, no inspectable or openly available evidence exists which could aid experts in assessing a system (e.g. only source code is available which may be hard to understand directly, even when properly documented, without other descriptions available), then there is no possibility to effectively convince the average voter to trust and use the system.

3.2. A Layered Approach to Trust

In this section, we will provide a brief account of these three elements of the approach, which is depicted in Figure 1.

Figure 1. The trust-centered approach

The layers of trust view of the eVoting system is a view complementary to the other formal views and models of ordinary IT systems (e.g. business view, technical view etc.) and is employed in order to handle the complexity of the security issues pertaining to eVoting, as defined by its security requirements. This complexity can be as high as the complexities that arise in other architectural views of such systems and the layers of trust approach can be used as a tool for managing these issues successfully.

The role of the layers, and the correspondence to the e-voting system, is as follows:

• Scientific soundness: All the components of the system should possess some type of security justification and be widely accepted within the scientific community. This layer corresponds to the selection of a cryptographically strong eVoting protocol,
based on provably secure cryptographic primitives, such as the ElGamal encryption scheme and zero knowledge proofs;
• Implementation soundness: A methodology should be adopted that will lead to the verification of the implementation of the separate system components as well as the system as a whole. In addition, such a verification methodology should be applied periodically to the system. This layer corresponds to the adoption of the CORAS methodology (see Section 4.5) for designing and building the eVoting system;
• Internal operation soundness: The design and implementation should offer high availability and fault tolerance and should support system self-auditing, self-checking, and self-recovery from malfunction. Interference from the inside with the normal operation of the system should be, ideally, impossible to accomplish and, if ever accomplished, it should be readily detectable. The employment of the cryptographically secure eVoting protocol involves the use of proofs of correctness for all the executed steps;
• Externally visible operational soundness: It should be possible for everyone to check log and audit information at some level. The employed cryptographic protocol employs a number of publicly accessible bulletin boards where information is appended concerning the votes cast as well as the proof that the votes were taken into consideration for the computation of the vote outcome;
• Convincing the public (social side of security): It is crucial for the wide acceptance of the eVoting system that the public will trust it when it is in operation. This trust can be, in general, amplified if the eVoting authority publicizes the details of the design and operation of the eVoting system to the public. There is provision for publicizing all the details of the system architecture and implementation as well as provide the software source code for scrutiny. In addition, in order to facilitate the system’s wide acceptance, the first trials will be conducted on a voluntary basis with closed groups or local associations, whose opinions can be easily gathered and analyzed.
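
The scientific soundness layer rests on ElGamal encryption, which the protocol uses homomorphically so that the encrypted votes posted on the bulletin board can be tallied without opening any single ballot. The Python sketch below is an added example, not code from PNYKA or from Smith (2005); it assumes a constructed toy group (p = 2039) and, as a simplification, additive key shares that need every keyholder to cooperate, in place of the protocol's threshold scheme and zero-knowledge proofs.

```python
"""Homomorphic tally with exponential ElGamal (added example, toy parameters)."""
import secrets

# Constructed toy group: P = 2*Q + 1 with P and Q prime; G generates the
# subgroup of order Q. Far too small for real use.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1


def keygen_shared(n_keyholders):
    """Simulate n keyholders: each holds a secret share s_i, and only the
    joint public key h = g^(s_1 + ... + s_n) is published.
    Simplification: every keyholder is needed to decrypt."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n_keyholders)]
    h = 1
    for s in shares:
        h = h * pow(G, s, P) % P
    return shares, h


def encrypt(h, vote):
    """E(x) = (g^r, g^x * h^r): the vote x is carried in the exponent."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(h, r, P) % P


def combine(ciphertexts):
    """Multiply ciphertexts component-wise; the result encrypts the sum."""
    c1, c2 = 1, 1
    for a, b in ciphertexts:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2


def partial_decrypt(share, c1):
    """One keyholder's contribution c1^s_i; the share itself is not revealed."""
    return pow(c1, share, P)


def open_tally(ciphertext, partials, max_tally):
    """Remove the mask h^r using all partial decryptions, then recover the
    tally from g^tally by trying 0..max_tally (a small discrete log)."""
    c1, c2 = ciphertext
    mask = 1
    for d in partials:
        mask = mask * d % P
    g_tally = c2 * pow(mask, -1, P) % P
    candidate = 1
    for tally in range(max_tally + 1):
        if candidate == g_tally:
            return tally
        candidate = candidate * G % P
    return None  # no match in range, e.g. a partial decryption is missing


def tally_election(votes, n_keyholders=3):
    """Encrypt each 0/1 vote, publish the ciphertexts, open only their product."""
    if len(votes) >= Q:
        raise ValueError("toy group too small for this many votes")
    shares, h = keygen_shared(n_keyholders)
    bulletin_board = [encrypt(h, v) for v in votes]  # public, individually sealed
    total = combine(bulletin_board)
    partials = [partial_decrypt(s, total[0]) for s in shares]
    return open_tally(total, partials, len(votes))


if __name__ == "__main__":
    constructed_votes = [1, 0, 1, 1, 0, 1, 0, 1]  # constructed sample ballots
    print("tally:", tally_election(constructed_votes))
```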


3.3. System Architecture and Components

In this section we will provide a high level view of the architecture of the eVoting system that is based on the approach outlined in Section 4.2.

In Figure 2(a) we see the overall system’s architecture. It consists of a number of local Election Authorities (local EAs), which control the election process at a local (e.g. municipality) level, a central Election Authority, which controls all the local EAs and verifies their operation, a VPN over the Internet that handles the communication among the EAs and the clients, which are the computers accepting the votes. In the same figure, there also appear the entities that may attempt interference with the system since, by taking the worst case scenario, we assume their existence and their will to attempt disruption of normal operation.

In Figure 2(b) the components of an EA are shown. Each EA implements, at its core, the eVoting protocol described by Smith (2005), which has guaranteed strong cryptographic properties. The components of an EA are the following (most of which are directly dictated by the protocol): the registrar, which is responsible for checking the voter’s eligibility through a connection to a database server containing the ids of eligible voters, the voting server, which accumulates and verifies the votes sent by the clients over the VPN, the key holders, which cooperatively provide the critical vote encryption key, the tallier, which sums the votes and provides the election total, the bulletin board manager, which makes publicly available proofs that all votes are taken into account unchanged, the loggers, which store critical information about the election process, and the auditors which use the information stored by the loggers in order to provide publicly verifiable proof of correctness of the election process. Finally, there is the system administration block that is responsible for the configuration, initialization and coordination of all the other blocks.

With regard to the implementation choices, we have adopted the use of as many free and open source libraries as possible. Our choices include the Java programming language, the use of the Bouncy Castle Java crypto library (http://www.bouncycastle.org/), OpenVPN (http://openvpn.net/), OpenCA tool for building PKIs (http://www.openca.org/), and the use of the PostgreSQL (http://www.postgresql.org/) database. This ensures that the system’s software can be independently audited and verified by any interested third party (government agencies, expert groups, researchers, industry etc.).

Figure 2. (a) The distributed architecture of the eVoting system (b) The EA block

3.4. The Cryptographic Voting Protocol

At the heart of the system lies a strong cryptographic protocol given by Smith (2005). The protocol employed in our system is based on strong cryptographic primitives, including zero-knowledge proofs that, essentially, provide the guarantees (without violating the vote secrecy requirement) that votes are correctly received and included in the voting outcome. The protocol uses ElGamal homomorphic encryption and it is based on multiparty computations and threshold cryptography, involving mutually distrusting agents, called keyholders, who control the voting process.

The ElGamal encryption function is described in detail in many sources and, thus, we will not provide its details here (see, e.g., Lenstra & Lenstra, 1990). We will, however, emphasize one of its features that make this function attractive for cryptographic purposes: the fact that it is homomorphic. A function M(x) is called homomorphic, with respect to operation “  ”, if the following property holds:

M(x_1  x_2) = M(x_1)  M(x_2)

From this definition, it easily follows (inductively) that for any number of n > 2 arguments it holds:

E(x_1  x_2    x_n) = E(x_1)  E(x_2)    E(x_n)

For the purposes of eVoting, let us assume that $x_1, x_2, \ldots, x_n$ are the votes cast during a voting
procedure. Then, of course, we need them to exist in the system in encrypted form:

$E(x_1), E(x_2), \ldots, E(x_n)$

in order to keep the votes secret. However, we also need to add the votes and produce the voting procedure tally. Since the votes are kept in encrypted form, this cannot be done directly. Here is where the ElGamal function plays an important role: it is homomorphic under the operation of addition. That is, for the votes $E(x_1), E(x_2), \ldots, E(x_n)$ the following holds:

$E(x_1 + x_2 + \cdots + x_n) = E(x_1) + E(x_2) + \cdots + E(x_n)$

Since the ElGamal function encrypts data in exponents, adding votes corresponds to multiplication of their encrypted versions. Then, on the left-hand side of the equality above, we have the tally of the votes, in encrypted form, without having decrypted a single vote in the process. We, then, only have to decrypt the tally which is relatively easy (it is not of the high difficulty of decrypting single votes). The technically interested reader may see Smith (2005) for a complete description of the eVoting protocol and its properties. For completeness of the present exposition, we have stated, briefly, in the Appendix the main steps of the protocol.

3.5. Building Demonstrable Trust in the System: The CORAS Risk Analysis Framework

The risk analysis addresses the security aspects of the eVoting platform in order to: (i) identify the security risks associated with the usage of the system for Internet-based voting, (ii) advise on whether the usage of the system is in accordance with applicable legislation, standards, recommendations and guidelines, (iii) recommend additional security related improvements that have to be provided.

The focus of the risk analysis was, mainly, on the voting protocol and its implementation since this was one of the most crucial components of the system. More specifically, our analysis was focused on the following: (i) Data: The transmission of data between the voters and the distributed servers, (ii) Procedures: The protocol steps executed between the client and the server modules, (iii) The threats associated with corrupted keyholders (i.e. the holders of the shares of the voting key, as dictated by the adopted protocol of Smith, 2005 – see, also, Appendix), (iv) the risks related to vote disclosure. We did not handle the following issues, since they are not directly involved in the voting protocol itself but, rather, are related to the infrastructure in which the protocol operates: (i) the risks associated with the interfaces of the platform with other internal applications, (ii) the internal handling and processing of the stored data by other applications/processes
running on the same computer as the eVoting system modules, (iii) the risks associated with the network components (e.g. malfunctioning routers), (iv) the physical threats to the system infrastructure (e.g. broken communication lines or damage to the servers due to flooding in the building).

The main risk analysis steps were carried out with the CORAS risk analysis methodology and are presented in the following subsections. CORAS is a risk analysis framework (see Figure 3) that permeates the design process in all the layers described above and aims at the precise, unambiguous, and efficient risk assessment of general security critical systems, during their design, implementation and operation phases. The framework focuses on the integration of viewpoint-oriented UML-like modeling in the risk assessment process. The integration of this state-of-the-art modeling technology in the risk assessment process, referred to as model-based risk assessment, is motivated by the need for cost reductions, efficiency improvement and improved quality of risk assessment results. To achieve its goals, CORAS has four major anchor points: (1) a risk documentation framework based on the Reference Model for Open Distributed Processing (RM-ODP) (Putnam, 2000), (2) a risk management process based on AS/NZS 4360 (Australian Standard: Risk Management, AS/NZS 4360:1999, Strathfield: Standards Australia.), (3) an integrated risk management and system development process based on the Unified Process (UP) (Krutchten, 1999) and (4) a platform for tool-integration based on XML (Grose et al., 2002). CORAS is a careful integration of techniques and templates of risk analysis methods, including failure modes, effects and criticality analysis (FMEA/FMECA – Bouti & Kadi, 1994), fault tree analysis (FTA), Hazard and operability analysis (HaZOP) (Kletz, 1999), Cause Consequence Analysis (CCA – Barber & Davey, 1992), Markov analysis (e.g. Siu, 1994), CRAMM (Barber & Davey, 1992) etc. in order to increase the transparency of the implementation process of the eVoting system leading, thus, to its wider acceptance by technical and non-technical people alike. Moreover, this documentation provides a view of the system visible by the public, in contrast with most “closed-design” commercial eVoting systems.

As for the eVoting protocol that is employed, it is based on strong cryptographic primitives, including zero-knowledge proofs. These proofs, essentially, provide the guarantees (without violating the vote secrecy requirement) that votes are correctly received and included in the voting outcome. The protocol is based on multiparty computations and threshold cryptography, involving mutually distrusting agents who control the voting process. The interested reader may consult Smith (2005) for the technical details and proofs of security of the protocol.

With regard to our eVoting project status, it is in the detailed design phase. The architectural design and the first steps of the CORAS methodology have been accomplished in conjunction with the system decomposition into the layers of trust, currently focusing on the scientific soundness layer (eVoting specific protocol).

3.5.1. Context Identification

This step involves a detailed description of the target system (application scenarios, assets, data flows etc.) using the UML modeling language. The description uses various different types of UML diagrams, depicting different system aspects. The aim is to gain a good understanding of the system and document it using intuitive visual means. The diagrams that we used include Use case diagrams that show system functionality, Activity Diagrams that describe workflows, Time Sequence Diagrams that describe the exchange of data among stakeholders over different time instances. System assets were
In addition, CORAS can produce detailed also evaluated with respect to their criticality. A
system documentation and a system security sample of the diagrams that were used during
policy based on the outputs of the tools that it the design phase of the system appears in Figure
employs. This documentation can be publicized 4, Figure 5, Figure 6, Figure 7, and Figure 8.


Figure 3. The CORAS framework

3.5.2. Risk Identification

This step aims at the identification and documentation of the threats that the system faces, using appropriate Threat Diagrams. A HAZOP analysis is performed to provide a first level assessment of threats and propose initial countermeasures.

As an example of the application of CORAS in the design phase, Table 1 summarizes the security critical assets that were identified using HAZOP.

In Table 2 we show a small fragment from the HAZOP results which is focused on the random generation of the keys by the key generation agents, called the key holders in the protocol in Smith (2005). According to the protocol, these keys are multiplied together in order to form the key that will be used for encrypting the votes. This key is not known by the entities, who only know their own keys. Compromising the election key requires collaboration among all involved parties, which is highly unlikely since they most often have conflicting interests.

For the most critical threats among the ones identified, a Fault Tree Analysis was performed (using the ITEM Toolkit software, http://www.itemuk.com/) to identify events that cause the identified threats. Two examples of the diagrams produced by this step are shown in Tables 3 and 4.

This formal risk analysis process can be complemented by error discovery methodologies such as the probabilistic approach proposed by Bradley, 2006, in which a Markov chain based model is applied to the uncovering of errors in the eVoting domain.

3.5.3. Risk Analysis

This step aims at estimating the risks that are caused by the threats identified in the previous step. At first, we defined the levels of scale of the various measures that are used in the risk analysis (i.e. likelihood of event occurrence, consequence and risk). Then, we estimated the amount of risk (quantitatively or qualitatively using Fault Tree Analysis). Tables 5 and 6 are parts of the full tables compiled during our analysis.

3.5.4. Risk Evaluation

This step aims at the evaluation of system risk, based on the previous analysis and the risk levels defined. The evaluation results are presented in the risk categorization matrix, as shown in Table 7.

The numbers appearing on Table 7 correspond to the risks (risk IDs) that were identified and analyzed in the previous steps. The risks were classified from acceptable (white area) to extreme (dark gray area). For instance, risk No 42 corresponds to “Multiple votes do not arrive in the same sequence they were submitted” (the protocol allows multiple votes but only the one most recently submitted is taken into account). This risk is considered to be extreme, since it has high occurrence likelihood and catastrophic consequences.

3.5.5. Risk Treatment

This last step of the methodology involves decisions to be taken about prioritizing and treating the identified risks, based on the aforementioned categorization. Specific countermeasures are proposed for each risk, with emphasis on extreme risks. In Table 8 an excerpt of the risk treatment table is shown with some security risks and the proposed treatment.

After the application of the CORAS framework on the eVoting system, the following conclusions were reached: (1) In general, the adopted voting protocol, as well as many of the engineering decisions made during the design of the system, proved to be reasonable choices since they addressed satisfactorily all the potential threats discovered through the application of CORAS. The protocol employs threshold cryptography, suitably time-stamped multiple votes, use of Zero Knowledge Proofs for validating the encrypted votes etc. (2) The analysis indicated aspects of the initial design that were, subsequently, further enhanced (e.g. web access vs. client server access, SSL vs. VPN between the voter and the Election Authority, etc.). Moreover, the analysis revealed the need for emphasis on certain design choices, such as the user interface, the clear communication between the voter and EA through precise messages, reasonable time intervals between two subsequent votes etc. (3) The need for extensive checking for faults emerged, e.g. by a body

Figure 4. Use case diagram


Figure 5. Class diagram

Figure 6. Activity diagram


Figure 7. Time sequence diagram: Decryption/Calculation of voting results (see steps in the
Appendix)

Figure 8. Time sequence diagram: Zero-Knowledge proofs of validity


Table 1. Security critical assets of the eVoting system identified by HAZOP

| Asset | Description | Designated Entity |
|---|---|---|
| Voters List | Contains the voters which are eligible to vote. | EA |
| Candidates List | Contains the election’s possible choices for the voter. | EA |
| Voter Credentials | The information required from a voter to be identified and authenticated by the eVoting system. | EA, EAi, Voter |
| Configuration Files | Contains information that defines issues such as the opening and closing time of the voting process, the ballot format, etc. | EA, EAi |
| Voting opening and closing announcements | Messages that inform of the opening and closing of the voting process. | EA, EAi |
| Randomly generated numbers used in key generation | Numbers that must be provably random. | EA, EAi, Voter |
| Encryption/Decryption Keys | Decryption and encryption keys must be produced under strict integrity constraints. Decryption keys must remain secret, safe and unaltered throughout the whole eVoting process. | EA, Key holders |
| Empty ballot form | The form that a voter must fill in, in order to submit a vote. | Voter |
| Encrypted and Re-encrypted vote | The vote is sequentially encrypted by the voter and the EAi, and consequently verified against its integrity and time of submission. | Voter, EAi, |
| ZKPs | Most of the entities in the system provide Zero Knowledge Proofs for their actions to be verifiable. | Voter, EAi, EA, Key holders |
| Multiple votes | The proposed eVoting system supports the submission of multiple votes per user. Only the final vote is valid. | Voter |
| Voting Server in EAi | The voting server performs the protocol steps on behalf of the local EAis. | EAi |
| Client module | The client module is installed in the voter’s personal computer. It provides access to the eVoting system and executes the protocol steps on behalf of the voter. | Voter |
| Database records for votes and voters | The database records keep the vital information of the submitted votes and the voters who cast their votes (in separate databases). | EAi, EA |
| Log files and Audit files | These files contain detailed information for the system’s operation. They are used in order to verify its integrity. | EAi, EA |
| Network | The network is the basic medium over which most data communications are performed. Its uninterrupted availability is vital for the eVoting system. | Voter, EAi, EA |
| Bulletin Board | Contains announcements that are made public, such as the list with voters who voted and the list with the encrypted votes. | EAi, EA |
| Paper receipt | The receipt containing the voter’s vote in encoded format (barcode). | Voter |
| Final partial tally | The tally that is calculated in a local EAi. | EAi, Key holders |
| Final total tally | The final tally that is calculated in the central EA (the final result of the voting process). | EA, Key holders |


Table 2. A fragment of the HAZOP table

Asset: Key Holders’ Keys

| Directive | Threat | Probability | Consequences | Countermeasures |
|---|---|---|---|---|
| Manipulation | The key generator is altered by an adversary | Low | The keys are not real random numbers. Their value can be predicted or known beforehand. | Intensive software testing. Access to system software is limited. |
| Disclosure | Some of the keys Ki are revealed | Medium | Corruption in the voting process. | Key sharing using the k out of k scheme. Corruption is not possible unless all key holders disclose their key. |
| Programming errors | Error in the key generator module | Medium | Fake randomness. Keys do not meet predefined standards (e.g. length). | Good programming practices. Extensive software testing. Use of provably secure random number generators. |
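The k-out-of-k key arrangement that Section 3.5.2 and Table 2 describe (key holders' keys multiplied into one election key, no decryption unless every holder takes part) can be exercised in a few lines. This is an added example, not code from PNYKA or from Smith (2005); it also goes one step further and shows re-encryption and an encrypted tally under the same key. The demo-sized group P, Q, G, the 0/1 vote encoding in the exponent, and all function names are assumptions, and the zero-knowledge proofs are left out.

```python
"""Toy n-of-n ElGamal election key, re-encryption and homomorphic tally."""
import secrets

# Demo-sized safe-prime group (assumption, far too small for real use):
# P = 2Q + 1 with Q prime, and G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4


def rand_exponent():
    """Uniform exponent in [1, Q-1] drawn from the OS CSPRNG."""
    return secrets.randbelow(Q - 1) + 1


def keygen(x=None):
    """One key holder's share: secret x_i and public h_i = G^x_i.
    Passing x is only for reproducible tests."""
    x = rand_exponent() if x is None else x
    return x, pow(G, x, P)


def election_key(public_shares):
    """Multiply the public shares. The matching secret, sum(x_i),
    is never assembled in one place."""
    h = 1
    for h_i in public_shares:
        h = h * h_i % P
    return h


def encrypt(h, vote, r=None):
    """Voter step, exponential ElGamal: (G^r, G^vote * h^r), vote in {0, 1}."""
    r = rand_exponent() if r is None else r
    return pow(G, r, P), pow(G, vote, P) * pow(h, r, P) % P


def reencrypt(h, ct, s=None):
    """Election Authority step: fresh randomness s, same plaintext."""
    s = rand_exponent() if s is None else s
    return ct[0] * pow(G, s, P) % P, ct[1] * pow(h, s, P) % P


def add_ciphertexts(cts):
    """Component-wise product, which encrypts the sum of the votes."""
    c1 = c2 = 1
    for a, b in cts:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2


def partial_decryption(x_i, ct):
    """What holder i publishes for a ciphertext: c1^x_i."""
    return pow(ct[0], x_i, P)


def combine(ct, partials, max_count):
    """Strip the partial decryptions and search for the tally.
    Returns None when no count in 0..max_count fits, which is what
    happens when a holder's partial decryption is missing."""
    blind = 1
    for d in partials:
        blind = blind * d % P
    target = ct[1] * pow(blind, -1, P) % P
    for count in range(max_count + 1):
        if pow(G, count, P) == target:
            return count
    return None


def run_election(votes, n_holders=3):
    """End to end: key setup, vote, re-encrypt, tally, joint decryption."""
    holders = [keygen() for _ in range(n_holders)]
    h = election_key([pub for _, pub in holders])
    board = [reencrypt(h, encrypt(h, v)) for v in votes]
    total = add_ciphertexts(board)
    partials = [partial_decryption(x, total) for x, _ in holders]
    return combine(total, partials, len(votes))


if __name__ == "__main__":
    print("yes votes:", run_election([1, 0, 1, 1, 0]))
```

Only the summed ciphertext is ever decrypted, so individual ballots stay encrypted throughout the tally.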

Table 3. Part of high-level risk table

of external auditors who should have at their disposal all the details of the system (including the source code and configuration information of all system components). Also, some elements were identified which were crucial for the overall system security and which should receive special attention: use of certified servers for time-stamping and cryptographically strong random number generators, cross-validation among different communication modules etc. (4) The need for taking physical and organizational measures, apart from the technical ones, was made apparent, in order to avoid malicious intervention with the proper system operation. The analysis prompted us to take measures such as the use of secure USB tokens or smart cards, for critical data storage such as the secret shares of the global key.

It should be noted that, before the system is ever used in order to conduct a real, critical election process, the risk analysis process should be performed at a finer and deeper detail taking into account, also, the infrastructure hosting the eVoting system.


Table 4. Fault tree diagram (ITEM Toolkit)

Table 5. Assessment of likelihood of occurrence of unwanted incidents

3.6. Summary: Coverage of the Basic eVoting Principles

In summary, due to the precautions taken during the design, implementation, and installation phases, as well as due to the secure eVoting protocol employed (see Appendix) the PNYKA system achieves the following election properties, to the stated degree:

• General/Universal: Any legal voter should be allowed to cast his/her vote. This implies that any electronic voting system


Table 6. Qualitative assessment of consequence using FMEA (ITEM Toolkit)

| ID | Function/Entity | Failure Mode | Effects (Local / System Wide) | Causes | Consequences |
|---|---|---|---|---|---|
| 1 | GenerateElGamalParameters(size) | The size parameter is not available in the system config file | The public parameters may not be created | The config file is not properly updated by system administrator. Access to config file/database is not possible. | Voting process may not start. |
| 2 | Publish(ElGamalParameters) | The Bulletin Board is not updated with the public parameters | System initialization is not possible | Connection to database is not possible. | Voting process may not start. |

Table 7. Risk categorization matrix

should enhance the possibilities for a voter to participate in an election, if he/she is entitled to vote. In addition, an electronic voting system should complement, and not replace, the traditional voting procedures and/or existing IT systems supporting these procedures. This, for instance, allows people not trusting the electronic voting system to cast their votes in the traditional Electoral centers using the existing election procedures while allowing people trusting the system (or people who cannot present themselves in the Election center due, e.g., to illness) to cast their votes using the system’s facilities;
• Equal: All legal voters are entitled to vote only once and their votes contribute equally to the determination of the final voting result. This places an equal weight for each vote when included in the final tallying process. The protocol implemented in our system (Smith’s protocol) first uses an authentication process based on OpenCA (i.e. a PKI infrastructure) in order to ascertain that the voter is entitled to vote. In addition, a (PKI certified, Network Time Protocol – NTP) timestamp is used on the votes so as to allow multiple votes per voter (in order to avoid coercion – see the Freeness requirement below) while taking into account for the tallying only the most recent vote;
• Secret: No way should exist that allows the establishment of a link between a voter and his/her vote. This requirement safeguards against two important issues: a) The disclosure of the preferences of voters, and b) Vote selling. In the protocol implemented in our system (Smith’s protocol) there is a double-encryption process for satisfying the secrecy requirement. First the voter encrypts his/her vote using the ElGamal encryption scheme (which is randomized and, thus, precludes the extraction of information about the plaintext from the ciphertext) and the election key (which is produced using n-out-of-n threshold cryptography by a number of key shares kept secretly by a group of mutually distrusting keyholders – e.g. representatives of the candidates). Thus the vote is submitted in an encrypted form and remains forever secret, unless all keyholders collude (which is unlikely). Then the Election Authority re-encrypts the encrypted vote using the homomorphic property of the ElGamal scheme. This re-encryption prevents the voter from selling his/her vote by decrypting his/her encrypted vote for some vote buyer. This double encryption process is accompanied by two zero-knowledge proofs: one from the voter, in order to prove the validity of the vote (this is important in homomorphic-function based elections, contrary to the ones based on mixnets) and one from the Election Authority (which is designated-verifier, able to persuade the particular voter and not, e.g., some vote buyer) that the vote was re-encrypted without alterations. Moreover, the protocol allows the tallying of the votes without decrypting them, due to the homomorphic property of the ElGamal scheme;
• Direct: The election results are determined only by the votes cast by the voters and by no other means. This implies that the final election result should depend only on the preferences of the voters and not on some, for instance, complex procedure that attempts to “interpret” these preferences. Our system, by design, simply adds the votes, homomorphically in encrypted form, and produces a result that only contains the sums of votes received by each candidate of the election. The tallying process precludes any form of interference in producing the final result;
• Free: Voters cast their votes freely, without being subjected to external pressure and coercion. Our system allows voters to vote as many times as they wish, with only the most recent (according to a certified timestamp appended to all votes) taken into account in the determination of the election result. In this way, the voter is given several chances to vote and, thus, evade efforts for coercion (e.g. by pretending to follow the coercer’s “advice” when the coercer is present and then voting, again, later after the coercer has stopped prying on the voter);
• Personal: Voters should be facilitated in casting their votes regardless of their physical condition or place of residence. This is important, for instance, for people living abroad who wish to cast their votes but without traveling to their country or for handicapped people who are not in position to present themselves at the election center. The traditional means for facilitating this “distant” voting is to allow voters to cast their votes through the post-office, in a specially designed and certified envelope. Not all countries, however, have constitutional provisions for supporting this kind of voting. Our system supports Internet based voting and, thus, fully supports this requirement by allowing anyone to vote from wherever he/she happens to be at the election day. Thus, our system can securely replace envelope ballots and, thus, allow distant voting without the security and ease-of-use issues inherent in the use of these ballots (e.g. envelope loss, ballot stains etc.).

In support towards the fulfillment of all the above requirements, we have installed the Intrusion Detection System (IDS) HELENA that was developed as an open source product by the security research group of our institute. This system is able to monitor any designated server, subnet, or local network and determine whether some suspicious event is taking place, which may be a signal of an ongoing attack effort. This IDS is able to send timely messages to a designated console monitored by a security specialist so as to judge whether the information provided by the IDS is sufficient to trigger an attack alarm which, in turn, will be evaluated by the election officers in order to authorize appropriate countermeasures (e.g. shutting-down some server or redirecting traffic).

Table 8. Risk treatment table

Risk with Regard to Partial Keys Disclosure or Non-Availability

| Risk ID | Description | Risk Level | Treatment Options - Measures |
|---|---|---|---|
| 2 | Disclosure of some of Ki by their keyholders | Extreme | The disclosure of partial keys would be catastrophic, as it would allow the decryption of individual votes and the final result by unauthorized parties |
| 5 | Some of the Ki are not available | Extreme | Threshold cryptography techniques are used as a countermeasure. Such techniques require for at least t out of n keyholders to collaborate in order to initiate the elections. Moreover clash of interests among the keyholders discourages potential malicious coalitions. For ultimate security we suggest that t = n which implies that all keyholders would need to form a malicious coalition in order to affect the elections. |

Risks with regard to votes submission order (they follow but not shown here for brevity)

4. WHY BROAD ADOPTION OF EVOTING HAS BEEN SLOW?

In the previous section we attempted to give an idea of the magnitude of effort we went through in order to ascertain that the final eVoting platform is, and also appears, secure to the users. One may argue that the technological advances in software and hardware today are impressive. Consequently, any security threat,
such as the ones our team dealt with during the design and the implementation of the PNYKA system, can be tackled, at a satisfactory level, with the appropriate amount of care and effort.

4.1. The Role of Trust as the Cornerstone in Adopting and Diffusing Innovations

The application of IT security primitives and protocols as well as technologies lies at the heart of a reasonable eVoting implementation and deployment approach. While strong IT security is a necessary condition for successful eVoting systems, as described in the previous sections, it is by no means (unfortunately) sufficient. In what follows we present the components of a step-wise, trust-driven approach towards the adoption of eVoting by people. The approach involves all stakeholders (see Figure 1 and Figure 4) at the same time and is targeted at convincing them of the usefulness and security of using the eVoting system.

The principal axes of the approach are the following:

1. Proven technological excellence for the system components: The system should use strong technological tools and computer science primitives, preferably scientifically proven and standard-based. This ensures the sound operation of the system and its robustness against potential attacks. This aspect, though not easy to address, may be approached using the latest technological advances, especially in the field of security;
2. Use of open source software technologies and publicly available information: System development and operation should be based on open source technologies to allow independence from existing vendors and increase transparency (Neumann, 2004). The system should be open to scrutiny by experts and auditors. An open call for attacks before productive operation is also useful, with an aim to prove the system’s robustness and attract citizens’ trust;
3. In field user assessment: After the end of the voting process, users/voters should be motivated to assess the system and the whole procedure, in terms of various aspects: user-friendliness, efficiency, perceived trust, etc. This feedback should be taken seriously into account for improving the system and the organization of the voting procedure, for further applications. Apart from the in-field assessment process, users should receive later another assessment form that the system stakeholders should design so as to take into consideration the in-field assessment process as well as the fact that the users have had some time at their disposal to think about the whole election process (off-line user assessment);
4. Organize pre- and post- application information campaigns: Information campaign before an eVoting event improves stakeholders’ understanding of the system’s capabilities and operation as well as use, while information days after the eVoting event help stakeholders understand each other’s views and propose improvements on the operation and usability of the system. These information days should include technical people, voters, legislation officials, social scientists etc.

4.2. The Role of Social Interactions in Adopting and Diffusing Innovations: Closely-Knit Social Groups

As we have said, the lack of trust has been the main obstacle in the broad adoption of eVoting technologies. What if we make the assumption that this lack is removed, in some way, and individuals are neither positive nor negative towards eVoting? How could one plan the introduction of eVoting in a country so as to attain adoption by as many citizens as possible?

Our intuition was that the best way to introduce the PNYKA system to the public, was to target, initially, small groups of closely related individuals which would, gradually, increase in
size and population coverage. It appeared to us futile to attempt to introduce an eVoting system abruptly to the whole population of a country or even the citizens of a large city of a country.

Although we have not had the opportunity to test this intuition in practice (a thing which we plan to do in the near future) we nevertheless came across a theoretical result that appears to be applicable to support this intuition. This result was stated and proved in Young (2003) in the context of diffusion of innovations in populations. In our context, we have an innovation, eVoting and the system that realizes it, and the goal is to diffuse it in as many people as possible. There seems to be a similarity between the two contexts that leads us to consider that it may be possible to draw conclusions for our context drawing on the theoretical study conducted in Young (2003). To this end, in what follows we will briefly discuss the results given in that work and put them in perspective within our context, i.e. spreading eVoting to large country populations.

Central to the ideas and the results given in Young (2003) is the concept of close-knitted sets of individuals. We assume that we deal with sets of individuals who relate to each other in some way, e.g. through their work, school, professional interactions etc. Given a set of such individuals, the close-knittedness property quantifies how closely related the individuals of the set are relative (and this is important) to their total relationships (this includes all individuals, not only the ones in the given set).

We say that a set of individuals is r-close-knitted if the following condition holds:

$$\min_{S' \subseteq S} \frac{d(S', S)}{\sum_{i \in S'} d_i} \geq r$$

Observe that by this condition not only do we require strong connectivity (i.e. many connections) among individuals belonging to the set (as reflected by the numerator of the fraction) but we, also, require few outgoing connections (as reflected by the denominator of the fraction). Thus, we have an interplay between two parameters in a way that keeps their ratio at least r. In other words, we require, at the same time, strong internal relationships and weak outside relationships.

It was shown in Young (2003) that for social relationship graphs, which in our case model some kind of acquaintance or daily interaction, which are r-close-knitted for some r, innovations spread fast, where by “fast” we mean that the time taken for all community members to adopt the innovation is bounded, independently of how large the communities are. In other words, if community members have strong links among them and are affected by relatively few links to outsiders who are neutral towards an innovation accepted by the community, then soon they will manage to convert all population members into accepting the innovation. A similar notion of “group coherence” is the r-cohesiveness property. We say that a set of individuals S is r-cohesive if every member of the set has at least r of its interactions with other members of the set. We observe that this property is weaker than the property of close-knittedness since an r-close-knitted set is r-cohesive while the opposite is not necessarily true. As it turns out, r-cohesiveness is not sufficient to guarantee fast spread of innovations in corresponding graphs.

In view of this result, our belief is that eVoting has failed to gain much popularity in the various countries that it has been introduced (as seen in isolation of the trust) because attempts to introduce it were rather abrupt and targeted very large, virtually unrelated groups of individuals, even whole country populations. In other words, eVoting was introduced to groups of individuals that were not close-knitted and it was, thus, difficult or impossible to adopt and further diffuse the eVoting innovation. Putting this observation in perspective, we believe that eVoting has better chances of being diffused to large populations of individuals through a step-wise, gradual process that targets larger and larger sets of individuals that are close knitted.

For instance, an eVoting system should be applied, first, in closely related groups of
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
22 Journal of Cases on Information Technology, 15(2), 1-33, April-June 2013

individuals in simple eVoting scenarios (e.g. expression of opinion, polling etc.) and then applied to slowly increasing populations with voting scenarios of increasing criticality and complexity (e.g. election process in scientific interest groups, elections in societies and organizations, local elections for representatives, and finally to national elections). This gradual adoption effort has a number of positive side effects too: first of all, it allows for thorough, in-field evaluation of the system, using increasingly more complex eVoting scenarios. In addition, time is given to stakeholders to develop opinions and views about the system that will contribute to its improvements in order to face a more demanding eVoting procedure.

This is exactly the approach that we followed, after the system was implemented and tested, in order to assess its appeal to users and try to diffuse it to the Greek society. We would use a pilot operation in an election process in a small, carefully selected group, as a vehicle towards a gradual introduction of the system to election scenarios of a larger scale. We engaged 200 of the members of the Western sector of the Technical Chamber of Greece. This small group was selected due to the ease of contacting its members and the fact that, being engineers themselves, they could, beyond voting, look at the security evidence produced as described in Section 4, and pinpoint technical issues with the system. In addition, the Technical Chamber is interested in automating its voting procedures and, thus, it was a good target for the system trials. The overall impression was positive and the feedback received is already under consideration for further improvements and enhancements of the system. Our goal, now, is to enhance the PNYKA system so as to address our goals as they are stated in Section 6.2 and go to progressively larger groups of voters in order to establish trust among as many people as possible. These people in turn, based on the theory of innovation diffusion outlined above, would help to further spread the word that the system can be trusted to even more people.

We believe that, following the “gradual introduction” approach outlined above, eVoting will eventually be adopted by the majority of citizens in a country, something which could not be achieved (and has not been achieved, as witnessed by documented cases of eVoting failures) if one attempted to diffuse, all at once, eVoting technology to the whole population of a country (say, by law enforcement).

5. BEYOND EVOTING: CURRENT CHALLENGES/PROBLEMS FACING THE ORGANIZATION

In this section we present CTI’s vision in shaping the present and the future of the eParticipation domain in Greece. CTI is in the fortunate position of combining two major ingredients, which are of considerable importance in realizing its vision: it administers the Greek School Network and participates in a prominent European project, called ABC4Trust, whose aim is to provide a technical and legal framework for user-centric, eIdentity management. We will, first, describe briefly the Greek School Network, then the ABC4Trust project and, finally, how these two elements combined can boost CTI’s role in the eParticipation domain.

5.1. ABCs and the ABC4Trust Project

5.1.1. Basic Concepts

Attribute Based Credentials, or ABCs for short, can be viewed as a set of cryptographic protocols which specify a user-controllable framework for defining and managing credential sets. These credential sets may be required for interactions with service providers (either private or governmental) in order to access personalized services that require access only to a subset of the users’ credentials. Such services include simple preferences management for e-commerce (e.g. book reading preferences), convincing of one’s eligibility (e.g. age or occupation) in order to
eligibility (e.g. age or occupation) in order to


access public information, and allowing government agencies to access personal information that may reside in several other government agencies (e.g. health information). The proposed credential sets may include, apart from assertions about a user, hyperlinks to personal information residing elsewhere (e.g. government agencies), that the user desires to disclose to an eVoting service provider (or prove something about this information, not the information itself).

Over the past 10-15 years, a number of technologies have been developed to build ABC systems in a way that they can be trusted, like normal cryptographic certificates, while at the same time protecting the privacy of their holder (e.g., hiding the real holder’s identity). Such attribute-based credentials are issued just like ordinary cryptographic credentials (e.g., X.509 credentials – see [X509]) using a digital (secret) signature key. However, ABCs allow their holder to uncover only a subset of the attributes contained in the original credential. Still, these transformed credentials are verified just like ordinary cryptographic credentials (using the public verification key of the issuer) and offer the same strong security. See Figure 9 for a high-level view of the ABC concept.

In this figure we see a credentials holder/user who applies for issuance of a digital credential to the Identity Service Provider or ISP for short. The ISP issues a signed digital credential to the user who, then, can present the credential to the verifier (most often a service provider to whom the user needs to prove something about himself/herself). Note that, in contrast with a classical PKI authentication service, the verifier (service provider) does not contact the ISP (the analogue of the Certification Authority – CA – in a PKI). In addition, the user can transform her credential and, thus, present to each verifier a different credential form so that it is not possible for a party to link the different credentials of the user together and, thus, uncover information (e.g. preferences when browsing on the Internet) about the user.

Research has put forth a number of different proposals for how to realize anonymous credentials [Brands00, CamLys01, CamLys04] which are based on different number-theoretic problems and also differ somewhat in the functionality that they offer. There are two leading anonymous credentials systems: Idemix of IBM and U-Prove of Microsoft. These two systems provide functionality for supporting user credentials with the following requirements:

• Unforgeability (issuing);
• Selective disclosure with the user controlling the disclosed information set;
• Soundness (no false claims about the validity of a credential);
• No framing (showing transcript unforgeability);
• Untraceability (showings wrt. issuing);
• Unlinkability (between showings);
• Limited-show unlinkability, untraceability.

These two systems provide nearly the same functionality, using different cryptographic primitives. With regard to Idemix, it relies, mostly, on the hardness of the strong RSA problem while U-Prove is based, mostly, on the difficulty of discrete logarithms. Also, credentials are represented in different formats.

5.1.2. The Role of CTI in ABC4Trust

Student evaluations of instructors and courses in higher education institutions are an important tool for universities and governments for correcting and adjusting the curricula so as to correspond best to students’ needs. Allowing evaluations over the Internet, through an eVoting platform, will facilitate greatly the evaluation process in two respects, as compared to the classical process based on paper evaluation forms: a) It allows the students to evaluate courses, b) Automatically archives the evaluation results in electronic form allowing their further electronic processing, and c) Offers the possibility of using strong cryptographic tools to ensure student anonymity and data confidentiality.

However, the major challenge is to ensure that only registered and eligible (i.e. to have attended over 2/3 of the course classes) students participate while not forcing them to provide


details which may reveal identifying personal information. This requirement can be satisfied using attribute based credentials where for each student a set of credentials will be defined that allows proofs of their eligibility for participating in a specific evaluation (e.g. proof that they are indeed students of the department offering the course, proof that they are registered to the course under evaluation, proof that they have attended a sufficient number of classes (without, however, revealing the exact attendance number)). The pilot scenario appears in Figure 10.

Our team will have discussions with students that participated in the scenario in order to collect, using properly designed questionnaires, their opinion of the usability of the system they used as well as more general issues as to how they imagine they could use anonymous credentials in other interactions they have in their daily lives as citizens who also participate in voting procedures.

Figure 9. Attribute based credentials

5.2. Extensions of the Basic eVoting Model Using the ABC Concept

5.2.1. Refined, Aposteriori Decision Making Based on Voting Results

In this section we address how eVoting procedures that take advantage of information on individuals’ profiles may provide more information about voting results, beyond simple tallies. To this end, we will provide an example utilizing Bayesian statistics.

Let a probability (sample) space be partitioned into $n$ classes (classes of citizens in our case) $E_1, E_2, \ldots, E_n$. Bayesian statistics gives us a useful tool for evaluating posterior probabilities, based on a priori ones:

$$\Pr(E_i \mid B) = \frac{\Pr(E_i)\,\Pr(B \mid E_i)}{\sum_{k=1}^{n} \Pr(E_k)\,\Pr(B \mid E_k)}$$


The meaning of the probabilities involved in this equation is summarized below:

$\Pr(E_i)$
Prior distribution for the $E_i$’s. It summarizes the beliefs about the probability of event $E_i$ before $E_i$ or $B$ is observed.

$\Pr(B \mid E_i)$
The conditional probability of $B$ given $E_i$. It summarizes the likelihood of event $B$ given $E_i$.

$\sum_{k} \Pr(E_k)\,\Pr(B \mid E_k)$
The normalizing constant. This is equal to the sum of the quantities in the numerator for all events $E_k$. Thus, $\Pr(B \mid E_i)$ represents the likelihood of event $E_i$ relative to all other elements of the partition of the sample space.

$\Pr(E_i \mid B)$
The posterior distribution of $E_i$ given $B$. It represents the probability of event $E_i$, after event $B$ has been observed.

Figure 10. Architecture of the course evaluation scenario

In our context, $E_i$ are the sets into which our voter population is partitioned based on a particular attribute that characterizes them, e.g. “occupation”, “sex”, “educational level” etc. For simplicity, given a particular characteristic, we assume that no overlaps exist (e.g. for the attribute “occupation”, there is no member of the population that is both a “doctor” and a


“computer engineer”). Then the probabilities reflect fractions of individuals of various profiles and behaviours.

Let us assume that $B$ is a question about a reform in government policy making, for instance “Do you agree with publicizing on a bulletin board the names and incomes of all citizens (to aid transparency in financial administration)?” Based on the attribute based credentials eVoting model, each voter casts his/her vote (“Yes” or “No”) and proves his/her occupation attribute. At the end of the voting process, a situation like that in Figure 11 will appear, where the figure assumes that the “occupation” attribute has 4 possible values (that is, citizen occupations) and the common area of each of the “occupation” classes with $B$ denotes the percentage of the class population that agrees with $B$.

That is, based on the attribute based credential proofs of occupation, we have a very accurate picture of the percentage of population within each occupation class that agrees with reform issue $E_1$, without violating citizens’ anonymity. This means that we know, accurately, all probabilities appearing on the right-hand side of Bayes’ formula. Let us consider a particular occupation class, say $E_1$. What information is then conveyed by $\Pr(E_1 \mid B)$, which is computed by the formula? It gives the percentage of the population of the occupation class $E_1$ that will be satisfied if $B$ is adopted, where the percentage now is taken over all classes, and over all citizens that will be satisfied by $B$ (shaded area in the figure). Note that it is possible that this a priori percentage may be different, in general, than the percentage of population within class $E_1$ that really agrees with $B$, thus additional information can be derived which may affect governments’ decision to pass or not to pass $B$ officially.

The accuracy of the probabilities on the right-hand side of Bayes’ formula is tantamount to deciding numerous statistical properties related to a society composition (e.g. deciding distribution parameter, decision making etc.). We will not expand on this issue but the benefits of using provable credentials can lead to very accurate conclusions about citizens’ opinion on major reform issues.

5.2.2. Voter Profile Constrained eVoting

A voter within a certain population possesses a set of attributes (e.g. “sex” and “occupation”) and for each attribute there is a certain set of allowed values (e.g. “male/female”, “doctor/engineer/accountant”). Classical PKI certificates also provide a form of authentication (see, for instance, [X509]) but the major drawback is that the authenticated individual is known to the certification authority after the authentication process is completed (i.e. anonymity is not provided).

The important assumption with regard to these attributes, to be justified in Section 5, is that each voter can prove the value of a certain characteristic (e.g. “sex”, “occupation”) without revealing his/her real identity using only a pseudonym, which he/she may change for different situations so as to avoid linking together his/her different actions in different eParticipation situations. Note that this assumption is not supported by current PKI technologies, even by role based certificates since in order to prove possession of, say, a role within society (e.g. occupation) one has to reveal his/her identity. PKI only guarantees that the person presenting a certificate is the person claimed to be. All the attributes of an individual are known by either the service provider or the PKI.

5.3. The Challenge: Strengthening eParticipation and Supporting Governmental Decision Making

The Greek School Network (GSN) is the educational intranet of the Greek Ministry of Education that interconnects all schools and a large number of educational administrative units and organizations. It is the biggest public network in the country, having the largest number of users, and has been recognized


Figure 11. Partitioning a probability space
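
The posterior computation of Section 5.2.1 (the partition of Figure 11), as an added example that is not part of the original paper: it takes attribute-tagged ballots, merges classes too small to publish, and computes $\Pr(E_i)$, $\Pr(B \mid E_i)$ and $\Pr(E_i \mid B)$ exactly. The ballot data, the function names and the `min_class_size` threshold are assumptions of this example, not taken from the paper.

```python
from collections import Counter
from fractions import Fraction

# Constructed sample: one record per counted ballot, holding only the proven
# "occupation" value and the answer to question B (True = "Yes"). No identity.
SAMPLE_BALLOTS = (
    [("doctor", True)] * 30 + [("doctor", False)] * 10
    + [("engineer", True)] * 20 + [("engineer", False)] * 60
    + [("accountant", True)] * 25 + [("accountant", False)] * 25
    + [("teacher", True)] * 18 + [("teacher", False)] * 12
    + [("notary", True)] * 6                      # small and unanimous
    + [("pharmacist", True)] * 1 + [("pharmacist", False)] * 3
)


def merge_small_classes(ballots, min_class_size, other="other"):
    """Fold classes into `other` until every remaining class has at least
    min_class_size ballots (or a single class is left).

    The threshold is an assumption of this example, not a rule from the paper:
    a per-class tally over a handful of voters (a unanimous one above all)
    tells an observer how those voters answered.
    """
    label = {cls: cls for cls, _ in ballots}
    while True:
        sizes = Counter(label[cls] for cls, _ in ballots)
        if len(sizes) <= 1:
            break
        smallest = min(sizes, key=lambda c: (sizes[c], c))
        if sizes[smallest] >= min_class_size:
            break
        if smallest == other:
            # The bucket itself is still too small: absorb the next smallest class.
            smallest = min((c for c in sizes if c != other),
                           key=lambda c: (sizes[c], c))
        for cls in label:
            if label[cls] == smallest:
                label[cls] = other
    return [(label[cls], agrees) for cls, agrees in ballots]


def class_statistics(ballots):
    """Return {class: (Pr(E_i), Pr(B | E_i), Pr(E_i | B))} as exact fractions."""
    if not ballots:
        raise ValueError("no ballots")
    size = Counter(cls for cls, _ in ballots)
    yes = Counter(cls for cls, agrees in ballots if agrees)
    n = sum(size.values())
    prior = {c: Fraction(size[c], n) for c in size}             # Pr(E_i)
    likelihood = {c: Fraction(yes[c], size[c]) for c in size}   # Pr(B | E_i)
    # Normalizing constant: sum over k of Pr(E_k) Pr(B | E_k)
    evidence = sum(prior[c] * likelihood[c] for c in size)
    if evidence == 0:
        raise ValueError("no 'Yes' ballots: Pr(E_i | B) is undefined")
    return {c: (prior[c], likelihood[c], prior[c] * likelihood[c] / evidence)
            for c in size}


def report(ballots, min_class_size=10):
    """Format the three probabilities per published class, one line each."""
    stats = class_statistics(merge_small_classes(ballots, min_class_size))
    return [
        f"{cls:<11} Pr(E)={float(p):.3f}  Pr(B|E)={float(l):.3f}  "
        f"Pr(E|B)={float(post):.3f}"
        for cls, (p, l, post) in sorted(stats.items())
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_BALLOTS)))
```

With the constructed data, engineers make up 8/21 of the voters but only 1/5 of those answering “Yes”, while 1/4 of the engineers themselves agree: the posterior and the within-class agreement are different quantities, as the section notes.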

internationally as a remarkable educational network that promotes the introduction and exploitation of Information and Communication Technologies (ICT) in the Greek educational system. Because of its sensitive educational character and the need to protect students while accessing the Internet, the GSN has adopted as a strong and basic requirement the certification of its users. So, the users are distinguished in the following categories: (i) School units, which are provided with multiple accounts to access the network and the GSN services. (ii) Administrative offices, which are also given one or more accounts. (iii) Teachers who are offered personalized services. The identification process for teachers is provided through an automated environment. (iv) Students, who are given access mainly through the school laboratories, but are also provided with personalized services. The identification of the students is performed directly from their schools, with the collaboration of school administration software and GSN’s LDAP service. (v) Administrative personnel, who have access through their schools or offices, and are also provided with personalized services. The number of connected units is 16.620 schools and 925 administration units. Broadband penetration exceeds 93% for secondary schools, 73% for primary schools and 30% for kindergartens. The number of teachers that have a personal account is approximately 77.000 and the number of students is 51.000. There is also particularly high utilization of telematic services, especially email, emailing lists, websites, blogs, video, as well as of social networking and e-learning services. In particular, the number of active email boxes exceeds 135.000, while more than 9.000 educational websites are hosted in GSN’s servers. Also, 3.515 digital courses have been developed by 890 schools (current school year). More than 10.000 educational blogs and 100 educational communities are provided by GSN, and are visited by more than 150.000 unique visitors per month. Finally, the GSN portal is the most highly visited educational portal in Greece, with more than 220.000 unique visitors in a typical month. All the above data have been recorded as of 23 May 2011.

At the same time, CTI through its participation in the ABC4Trust project aims to deepen the understanding of a new privacy preserving, eIdentity management technology, based on Attribute Based Credentials. This technology enables the user to uncover only the elements of his/her eIdentity which are required in order to prove his/her eligibility in using a service. In addition, the project will organize and run the first ever pilots of ABC deployment in two real application environments, collecting useful feedback from the users that will participate in the pilots. One pilot will be performed in Sweden and will develop a privacy respecting public consultation and discussion environment for secondary school pupils while the other pilot will involve, in a privacy preserving manner, a number of University students to perform


electronic evaluation of a course they have attended at the University.

Today, CTI is facing a challenge: a set of technologies and eParticipation vehicles. As reflected in Figure 12, CTI’s major vision is to create a Panhellenic, privacy preserving discussion forum where the educational communities of all levels can discuss issues, take part in referendums and public discussions, vote for important issues related to educational reform – all in a way where everyone is able to prove, anonymously however, his/her status and eligibility to participate. The eParticipation platform (PNYKA) and the attribute based credentials (ABC4Trust project innovations) are some key technological elements to implement our vision while the Greek School Network, on the other hand, is the vehicle and the new legislation status of CTI is the enabling force to bring those elements close to the Greek educator and student.

Figure 12. CTI’s role in the eParticipation domain

REFERENCES

Antoniou, A., Korakas, C., Manolopoulos, C., Panagiotaki, A., Sofotassios, D., Spirakis, P., & Stamatiou, Y. C. (2007). A trust-centered approach for building e-voting systems. In Proc. 6th International Conference on eGovernment (EGOV 2007) (pp. 366-377). Lecture Notes in Computer Science, Springer-Verlag.

Barber, B., & Davey, J. (1992). The use of the CCTA risk analysis and management methodology CRAMM in health information systems. In K. C. Lun, P. Degoulet, T. E. Piemme, & O. Rienhoff (Eds.), MEDINFO 92 (pp. 1589–1593). North Holland Publishing Co.

Beldad, A., de Jong, M., & Steehouder, M. (2010). How shall I trust the faceless and the intangible? A literature review on the antecedents of online trust. Computers in Human Behavior, 26(5), 857–869. doi:10.1016/j.chb.2010.03.013.

Bouras, C., Katris, N., & Triantafillou, V. (2003). An electronic voting service to support decision-making in local government. Telematics and Informatics, 20(3), 255–274. doi:10.1016/S0736-5853(03)00017-0.


Bouti, A., & Kadi, D. A. (1994). A state-of-the-art review of FMEA/FMECA. International Journal of Reliability Quality and Safety Engineering, 1(4), 515–543. doi:10.1142/S0218539394000362.

Bradley, J. T., & Gilmore, S. T. (2006). Stochastic simulation methods applied to a secure electronic voting model. Electronic Notes in Theoretical Computer Science, 151(3), 5–25. doi:10.1016/j.entcs.2006.03.009.

Coleman, J. S. (1990). Foundations of social theory. Cambridge, MA: The Belknap Press of Harvard University Press.

Gritzalis, D. A. (2003). Secure electronic voting. Series: Advances in Information Security, 7. Kluwer Academic Publishers. doi:10.1007/978-1-4615-0239-5.

Grose, T. J., Doney, G. C., & Brodsky, S. A. (2002). Mastering XMI: Java programming with XMI, XML, and UML. Wiley.

Kletz, T. (1999). Hazop and hazan: Identifying and assessing process industry hazards (4th ed.). Taylor & Francis.

Konstantinou, E., Liagkou, V., Spirakis, P., Stamatiou, Y. C., & Yung, M. (2004). Electronic national lotteries. In Proc. Financial Cryptography (FC 2004, LNCS 3110) (pp. 147-163). Springer Verlag.

Konstantinou, E., Liagkou, V., Spirakis, P., Stamatiou, Y. C., & Yung, M. (2005). Trust engineering: From requirements to system design and maintenance – a working national lottery system experience. In Proc. Information Security Conference (ISC 2005, LNCS 3650) (pp. 44-58). Springer Verlag.

Kruchten, P. (1999). The rational unified process. An introduction. Addison-Wesley.

Lenstra, A. K., & Lenstra, H. W., Jr. (1990). Algorithms in number theory. In J. van Leeuwen (Ed.), Handbook of theoretical computer science (pp. 673-715). North-Holland, Amsterdam.

Luhmann, N. (2000). Familiarity, confidence, trust: Problems and alternatives. In D. Gambetta (Ed.), Trust: Making and breaking cooperative relations (pp. 94–107). Oxford, UK: Blackwell.

Manolopoulos, C., Panagiotaki, A., Sofotassios, D., Spirakis, P., & Stamatiou, Y. C. (2008). Experiences and benefits from the application of a formal risk assessment framework in the evoting domain. In Proceedings of the 7th International Conference on eGovernment (EGOV 2008).

Mason, S. (2004). Is there a future for Internet voting? Computer Fraud & Security, (3), 6–13. Retrieved from http://www.votobit.org/lallave/mason.html doi:10.1016/S1361-3723(04)00039-9.

Putman, J. R. (2000). Architecting with RM-ODP. Prentice-Hall.

Sæbø, Ø., Rose, J., & Flak, L. S. (2008). The shape of eParticipation: Characterizing an emerging research area. Government Information Quarterly, 25(3), 400–428. doi:10.1016/j.giq.2007.04.007.

Siu, N. (1994). Risk assessment for dynamic systems: An overview. Reliability Engineering & System Safety, 43, 43–73. doi:10.1016/0951-8320(94)90095-7.

Smith, W. D. (2005). Cryptography meets voting, September.

Stølen, K., den Braber, F., Dimitrakos, T., Fredriksen, R., Gran, B. A., Houmb, S.-H., et al. (2003). Model-based risk assessment in a component-based software engineering process: The CORAS approach to identify security risks. In F. Barbier (Ed.), Business component-based software engineering (pp. 189-207). Kluwer. The CORAS framework is freely available. Retrieved from http://coras.sourceforge.net/

Susha, I., & Grönlund, Å. (2012). eParticipation research: Systematizing the field. Government Information Quarterly, 29(3), 373–382. doi:10.1016/j.giq.2011.11.005.

Young, P. (2003). The diffusion of innovations in social network. In L. E. Blume, & S. N. Durlauf (Eds.), The economy as a complex evolving system (Vol. III). Oxford University Press.


Christos Manolopoulos is a graduate of School of Law Economics and Political Sciences of the National & Kapodistrian University of Athens (1983) and holds a PhD from the Psychology Department of the Panteion University. He has been the Director of Public IT Projects Sector of CTI since 1999 and has significant professional experience in the management of large information systems projects. He is, also, Director of the eGovernment and Publications Sectors of the Computer Technology Institute & Press “DIOPHANTUS”. His principal research interests lie in the areas of game theory in economics and population dynamics as well as aspects of eParticipation and the applications of ICT for governance reform.


Dimitrios P. Sofotassios received a B.E. degree in Computer Engineering and Informatics from University of Patras in 1989 and a PhD in 2007. He is currently Deputy Director of eGovernment and Publications Sectors of the Computer Technology Institute & Press “DIOPHANTUS”. His research interests include Data Structures and Algorithms, Production Management Systems, eGovernment Architectures, Standards & Services and IS security. He has published over 25 research articles in peer reviewed international journals and conferences and he is co-author of a book on production management, a book chapter on privacy protection and a book chapter on electronic voting. Since 1990, he supports various teaching activities in the Computer Engineering and Informatics Department of University of Patras and was involved in a number of R&TD projects funded by the European Union, the General Secretariat for Research & Technology of Greece and private contracts.

Paul Spirakis obtained his PhD from Harvard University, in 1982. He is currently the President of the Computer Technology Institute & Press “DIOPHANTUS” and a Full Professor in Patras University, Greece. Paul Spirakis has seriously affected the growth of the Computer Technology Institute & Press “DIOPHANTUS”, which is now a major organization. He was acknowledged among the top 50 scientists worldwide in Computer Science with respect to “The best Nurturers in Computer Science Research”, published by B. Kumar and Y.N. Srikant, ACM Data Mining, 2005. His research interests include Algorithms and Complexity and interaction of Complexity and Game Theory. Paul Spirakis has extensively published in most of the important Computer Science journals and most of the significant refereed conferences. He was elected unanimously as one of the two Vice Presidents of the Council of the EATCS. He is a member of Academia Europaea, a member of the ACM Europe Council and has been appointed as a Member of the Executive Body of the Polytechnic University of Cyprus. Paul Spirakis is a high level consultant for the Greek Ministry of Education. Paul Spirakis has gained many European competitive research funds and has served in several scientific bodies of the EU.

Yannis Stamatiou graduated from the University of Patras, Department of Computer Engineering and Informatics. He is currently Associate Professor at the Department of Business Administration of the University of Patras, Greece and Consultant (with deputy director responsibilities) on Cryptography and Security for the Security Sector of the Computer Technology Institute & Press (“Diophantus”) in Patras, Greece. His interests lie in cryptography, modeling of computer viruses/worms in computer networks, cryptanalysis and ICT security with a focus in eVoting and eGovernment related security protocols and systems. He has extensive experience in theoretical and applied computer science with a focus on cryptography and ICT security. He leads the R&D efforts of the Security Sector of CTI and coordinates a team of more than 10 junior and senior researchers in basic research as well as development of security solutions for various R&D projects. He is, also, acting as a Program Committee member in several security/cryptography related conferences as well as a reviewer for several peer reviewed scientific journals. He has published over 50 research articles in peer reviewed international journals and conference proceedings while he has given numerous invited lectures on cryptography and ICT security related subjects. Finally, he has also participated as a reviewing expert three times in EU calls for proposals in security related areas.


APPENDIX

We now provide, below, the basic steps involved in the eVoting protocol presented in (Smith, 2005), with italicized comments (where applicable) that briefly explain the security goals achieved by each of them (see this paper for a detailed analysis of the protocol and its security properties). When the term “Zero Knowledge Proof” is used, it refers to an important cryptographic technique by which a prover (voter in our case) proves to a verifier (Election Authority or eVoting server in our case) that he/she knows a secret value or a fact about a secret value without actually revealing it:

1. A set of appointed election officers called “keyholders”, whose number is denoted by s ,


privately and randomly produce their election key shares K 1, K 2 , …, K s and jointly produce
s
the public keys (voting parameters) g and h k , where, K = ∏ K j of an ElGamal encryp-
j =1
tion scheme to be used in the election process. From this point on, any effort to interfere
with the process requires the coalition of all keyholders. However, most often, they have
conflicting interests (e.g. they represent different candidates) and, thus, malicious collabora-
tions among them are highly unlikely;
2. The voter produces his/her vote based on a publicly available candidate list. The vote consists
of an integer u ;
3. The voter encrypts u , homomorphically, using the ElGamal encryption function. This step
provides secrecy of the votes;
4. The voter sends the encrypted vote M to the Election Authority (EA);
5. The EA re-encrypts, with the same method, the encrypted vote using its public key K E .
That is, if the initial encrypted vote is M = (g r , h r , iV ) , with r randomly chosen by the
voter and i an element of a publicly known number group, the new vote is M ′ = (g s , h s , iV ),
where s is random and it is, actually, equal to the value r chosen by the voter and the “dif-
ferent” “ r ” of the EA (say, this “r” is equal to q ). The re-encryption of the vote is a defense
against vote selling since, after the second encryption it is impossible for the voter to prove
that the doubly encrypted vote is the vote desired by a potential vote buyer;
6. The voter and the EA jointly produce a Zero-Knowledge proof of the validity of the re-
encrypted vote. If the proof succeeds, then the EA appends to M ′ a timestamp, producing
the final message M ′′ , which is send back to the voter. Timestamping the votes allows vot-
ers to cast as many votes as they like with only the last one taken into account in the tallying
process. This step defenses against voter coercion;
7. If the proof fails, the EA notifies the voter and refuses to accept the vote, omitting the steps
that follow below;
8. The EA privately delivers to the voter a Zero-Knowledge proof of the fact that the message
$M'$ is, indeed, a valid ElGamal re-encryption of the voter's vote $M$. This proof should be a
designated-verifier proof, that is, a proof which can convince the specific voter alone. This
step assures the voter that the system has correctly re-encrypted his/her vote. This step protects
the voter from a malicious or malfunctioning eVoting system;
9. The voter verifies the validity of the timestamped vote $M''$, signs it and then sends it back
to the EA;
10. The EA notifies the voter if the signature was not valid;
11. The EA signs the vote too;

12. The EA adds the final, doubly signed, doubly encrypted, timestamped and doubly verified
(through the Zero-Knowledge proofs) vote to a publicly accessible bulletin board, beside the
name of the voter. The EA prints two copies of the stored vote in bar-code format. Then it
sends one to the voter (it may be sent electronically and the voter may print it) and keeps
one for itself for later cross-verification of the election result. The bar-code version of the
vote can be used by all the voters who participated in the election in order to collaborate in
reproducing ("universal verifiability") the tallying result announced by the eVoting system
after the end of the voting procedure;
13. The voter checks the bar-code version of the vote against the vote appearing in the bulletin
board;
14. The voters may vote several times, if they wish, but only the last vote, according to the
timestamp value, counts. This is a defense against voter coercion;
15. When all votes are cast and stored, the EA (or an external tallier) uses the most recently cast
votes of the voters (in case they voted several times) and adds them, homomorphically,
multiplying element by element the ElGamal encryption pairs. The outcome of these operations
is the election result, encrypted with the election key $K$;
16. The $s$ keyholders, in turn, partially decrypt the election result with the ElGamal scheme,
using their keys $K_1, K_2, \ldots, K_s$ (each delivering, at the same time, a Zero-Knowledge proof
showing that they used the same keys as the ones used in the beginning of the election), and
deliver the election result $T$ (i.e. the total sum of the votes) in the form $i^T$. This step guards
against malicious key-holders;
17. One may use a discrete logarithm algorithm in order to recover $T$ (e.g. Pollard's λ and ρ
methods).
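
Steps 3, 5, 15, 16 and 17 can be traced end to end in the following Python sketch, which is an added example and not code from PNYKA or the paper. It assumes the standard exponential ElGamal pair (g^r, h^r * i^u), a constructed toy group, 0/1 votes, key shares combined as h = g^(x_1+...+x_s), and a linear search standing in for Pollard's methods; the Zero-Knowledge proofs, signatures and timestamps are left out.

```python
import secrets

# Toy group, constructed for this example and far too small for real use.
P, Q = 2039, 1019   # primes with P = 2Q + 1
G, I = 4, 9         # squares mod P: both generate the order-Q subgroup

def keygen(n_holders):
    """Assumed key setup: holder j keeps x_j; election key h = g^(x_1+...+x_s)."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n_holders)]
    return shares, pow(G, sum(shares), P)

def encrypt(h, u):
    """Step 3: the voter encrypts u as (g^r, h^r * i^u)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(h, r, P) * pow(I, u, P) % P

def reencrypt(h, m):
    """Step 5: the EA multiplies in (g^q, h^q), so the exponent becomes s = r + q."""
    q = secrets.randbelow(Q - 1) + 1
    return m[0] * pow(G, q, P) % P, m[1] * pow(h, q, P) % P

def tally(ballots):
    """Step 15: element-by-element product of the pairs encrypts the sum of votes."""
    a = b = 1
    for c1, c2 in ballots:
        a, b = a * c1 % P, b * c2 % P
    return a, b

def joint_decrypt(shares, c):
    """Step 16: each keyholder in turn strips its factor a^x_j, leaving i^T."""
    a, b = c
    for x in shares:
        b = b * pow(a, Q - x, P) % P   # a^(Q-x) = a^(-x) because a^Q = 1
    return b

def small_dlog(target, bound):
    """Step 17, with a linear search standing in for Pollard's methods."""
    acc = 1
    for t in range(bound + 1):
        if acc == target:
            return t
        acc = acc * I % P
    raise ValueError("tally outside expected range")

def run_election(votes, n_holders=3):
    """Votes are 0/1 (constructed input); returns the recovered total T."""
    shares, h = keygen(n_holders)
    board = [reencrypt(h, encrypt(h, u)) for u in votes]   # one ballot per voter
    return small_dlog(joint_decrypt(shares, tally(board)), len(votes))
```

No individual ballot is ever decrypted here: only the product of all ballots passes through `joint_decrypt`, and removing any one keyholder's share from the loop leaves a value that is not i^T.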
