Microsoft Research has proposed a mitigation for a known potential attack against verifiable electronic voting machines that could help prevent insiders from being able to alter votes after the fact. The countermeasure to the “trash attack” involves adding a cryptographic hash to the receipts that voters receive.
Many verifiable voting systems already include hashes on the receipts, but that hash typically is of the ballot data for each specific voter. The idea proposed by Microsoft Research involves using a running hash that would add a hash of the previous voter’s receipt to each person’s receipt, ideally preventing a privileged insider from using discarded receipts to alter votes. The trash attack that the mitigation is designed to address involves election workers or others who might be motivated to change votes gathering discarded receipts and then altering those votes.
“The provision of receipts to voters who may not want them, however, suggests a very simple means by which election workers could find votes that are good candidates for alteration: poll workers could simply collect the contents of the nearest trash receptacles. Any receipts that have been discarded by voters would be strongly correlated with votes that could be altered without detection.3 Active collection of receipts may also be viable through social engineering,” Josh Benaloh of Microsoft Research and Eric Lazarus of DecisionSmith wrote in a research paper, “The Trash Attack”.
Electronic voting systems have made their way into a lot of jurisdictions in recent years, replacing older manual machines. But security researchers have discovered a number of serious security vulnerabilities in various machines, which could lead to vote alteration and questionable election results.
The solution that Benaloh and Lazarus propose would involve generating an initial value for each machine, and the value would comprise in part the date of the election and a unique identifier for the device.
“If a running hash were to be incorporated, this insider’s options would be severely limited. If the insider had the ability to alter a ballot and a corresponding running hash value in real time (i.e. before the next voter uses a device), then the same 60% success rate could be achieved. But if the insider cannot mount a real-time attack, after-the-fact alteration of 10 ballots would only escape detection if they were all cast after the last ballot whose corresponding receipt was verified by a voter. Not only does this substantially restrict the pool of ballots available to the insider, but this threat can now be completely eliminated by a single diligent voter or observer recording the final running hash value at the end of the voting period,” the paper says.
The researchers said that the mitigation may need to be implemented differently in each voting system, but that the result would be the same.
“Although the details may vary between systems, it is clear that the simple inclusion of a running hash within voter receipts mitigates a serious vulnerability that may occur when insiders or others, who may have the ability to change votes after they have been cast, can use external information to tell which voters are more likely to check their receipts against published lists,” they wrote.