Online voting: cryptography to the rescue

Changed on 08/01/2020
Head of the PESTO team (Inria Nancy Grand-Est/Loria), Steve Kremer was awarded an ERC Consolidator grant in 2014 for the SPOOC project, which dealt with the automatic verification of cryptographic protocols within the specific context of online voting.

As far as Steve Kremer is concerned, 2015 is sure to go down as a pivotal year. "In the space of just a few months I was called upon to head up a new team within the Inria Nancy Grand-Est research centre (Pesto) and to launch the SPOOC project, which had been selected by the ERC the previous year," explains the researcher. "It was a very exciting time for me, and with hindsight I see it now as the planets aligning: it's always easier to bring together a new team around a brand new project!" PESTO, which is currently comprised of 10 permanent members, focuses on the development of methods and techniques used to analyse and design security protocols. "Nowadays, these cryptographic protocols play a crucial role in the way in which we use the internet, as well as in our everyday lives more generally. They are vital components when it comes to being able to trust instant messaging services, online retailers and online banking. These security protocols are also key to the development of online voting, and it is this last aspect that is central to the SPOOC project (Automated Security Proofs of Cryptographic Protocols: Privacy, Untrusted Platforms and Applications to E-voting Protocols)."

Making online voting more secure

Online voting is already widely used for professional elections and is showing signs of developing in the public sphere as well - whether this is in Estonia, a pioneer when it comes to e-voting, in Australia or in Switzerland - but there has not yet been the great surge that many had predicted. A number of countries, including Norway, abandoned their attempts after initial experiments. The French government went further, allowing French citizens living abroad to vote online in the 2012 legislative elections, only to reverse their decision for the 2017 elections. This decision was taken largely on security grounds. During the first electoral campaign, a French engineer had shown that it was possible to use malicious software (malware) to disclose and even change votes by replacing the choice made by the voter with another at the time of voting. This incident highlighted the complex nature of the issue of security when it comes to online voting, which depends not only on the intrinsic reliability of security protocols but also on the capacity of voting systems to withstand external attacks.

Anonymity the key

Within the framework of the ERC Consolidator grant, Steve Kremer made the decision to concentrate on one of the essential security parameters for voting: anonymity. "Simply put, following an election, it should not be possible to discover who a particular voter voted for. Non-traceability has to be a guarantee." The first phase of the SPOOC project dealt with designing protocol verification tools specific to the issue of anonymity. This is new terrain for formal verification, which had previously been used more for authentication and privacy. "We were able to make considerable progress on this aspect of the project, developing an initial tool. Christened DEEPSEC (which stands for Deciding Equivalence Properties in Security Protocols), the latter was the subject of a prizewinning paper at the most recent IEEE symposium on security and privacy."

Security for compromised platforms

The second phase of the project focused on technical studies that could be used to execute security protocols on compromised platforms. "Up until fairly recently, there was a tendency to believe that attackers only targeted networks and that computers themselves remained secure platforms. The proliferation of malware has since forced us to accept that attackers are now capable of taking control of sections of the machines themselves." The objective of the SPOOC project here is to consider the necessity of introducing additional security measures that would make it possible to deal with this loss of trust when it comes to computers. Two possible avenues are currently being assessed. The first involves the use of dedicated hardware for processing sensitive data (cryptographic keys, USB sticks, etc.). The second focuses on multi-factor methods involving an external object not connected to the computer being used to confirm authentication, similar to confirmation codes sent via text message to confirm purchases made online. "Our work is currently focused on studying the protocols involving the use of a second authentication factor employed by online giants, as well as their capacities to withstand external attacks."

A first industrial collaboration

Functioning as a synthesis of the two preceding phases, the third phase of the SPOOC project is currently getting under way. "Our aim is to apply tools and techniques developed elsewhere to the specific issue of electronic voting," continues Steve Kremer. This will involve not only designing new formal verification techniques for use in cryptographic protocols for the purposes of voting security, with regard to both anonymity and verifiability (my choice is the one that was saved), but also rendering the process more sustainable by incorporating external hardware into the security loop so as to avoid any risks involving machines that may have been compromised as a result of external attacks. "The initial work carried out on this phase forced us to reflect on the formal description of the 'secret ballot'; as things currently stand, it has been difficult for us to arrive at a precise definition. What's more, members of the PESTO team began working with the Spanish company Scytl on a process of formally verifying the anonymity and verifiability properties for voting systems with a view towards deployment in the Canton of Neuchâtel in Switzerland."

The ERC grant: recognition and stimulus

Three years after the SPOOC project was launched, Steve Kremer looks back fondly on his ERC adventure. "Winning an ERC grant is international recognition; it's a significant achievement. However, it also provides a way of obtaining the best possible conditions for work and research. In hindsight, the grant ended up saving us a considerable amount of time. We were able to finance recruitment at an early stage without having to 'go fishing for resources'. In concrete terms, it enabled us to enlist the services of two talented young researchers. They would no doubt be working elsewhere by now if we had been forced to source the budget to recruit them via the usual channels!"