Security Properties for Electronic Voting

Due: 9:00am Thursday, Feb. 7, 2002

General Instructions. Students are expected to work individually on this project.

No late assignments will be accepted.


Purpose of Assignment

As should now be clear, "security" is just as ill-defined a notion as "correctness". It means different things for different systems, different environments, and different kinds of users. Refining a requirement that the system be "secure" into its constituents is a crucial part of the security engineer's job.

This assignment is intended to help you get experience in doing such refinement. We focus on electronic voting systems because (i) it is topical, (ii) you will be building such a system as this semester's course project, so knowing what is needed will be useful, and (iii) there is a rich set of literature to consult on the subject.

As a practicing engineer, you should be ever alert to building on the shoulders of the giants rather than standing on their feet. ("If I see farther than other men it is because I stand on the shoulders of giants.") When faced with a new problem, you should not hesitate to study the literature on a subject---read first and then, if you must, think. This assignment hopes to make that point in a concrete way.

Background: Electronic Voting

An electronic voting system uses computers in tallying votes to determine the outcome of an election. Each election involves voters and a slate of candidates. The voters cast secret votes in favor of candidates, and the candidate receiving the largest number of votes wins the election.

Recent events have led to public debate about implementing an electronic voting system for electing government officials. The question is a complex one, involving technical as well as non-technical issues. Among the technical issues are concerns about software engineering (viz would the software be buggy), reliability (viz how to ensure hardware failures do not disrupt an election), and security. Those security concerns are the subject of this assignment.

What does it mean for an electronic voting system to be secure? Clearly, we would like to ensure that only votes from eligible voters are counted and that an eligible voter casts at most one vote. But the question is actually far broader, encompassing all sorts of properties that promote confidence in having the outcome of an election, as determined by this system, be consistent with the unmanipulated free will of the eligible voters. An actual system implementation would likely involve servers that do the vote counting and clients that enable voters to cast their votes. Now, we should be concerned with:

Thinking more generally about voting systems leads to other desirable security properties; thinking more specifically about implementation approaches also leads to additional desirable security properties.
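The refinement the text asks for, from "secure" into constituents, can be made concrete by writing each constituent as a check a tally procedure enforces. The following is an added example, not part of the assignment or any course system: a toy tally that makes three of the properties named above explicit and testable (only eligible voters are counted, each eligible voter casts at most one vote, and recorded ballots carry no voter identity), together with a consistency check that the published totals equal the number of ballots actually accepted. The voter ids, candidate names and ballots are constructed sample data.

```python
"""
Toy electronic tally that turns informal security requirements into checks.

Added example (not the assignment's own code). Properties enforced:
  1. only votes from eligible voters are counted,
  2. an eligible voter casts at most one vote,
  3. the recorded ballots are secret: no voter identity is stored beside a vote,
  4. the published totals are consistent with the ballots that were accepted.
All identifiers below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Ballot:
    voter_id: str
    candidate: str


@dataclass
class TallyResult:
    totals: Counter = field(default_factory=Counter)
    rejected: list = field(default_factory=list)          # (voter_id, reason)
    recorded_ballots: list = field(default_factory=list)  # candidate names only


def tally(ballots, eligible_voters, candidates):
    """Count ballots, rejecting any that violate an explicit property."""
    result = TallyResult()
    voted = set()
    for b in ballots:
        # Property 1: eligibility is decided against the electoral roll.
        if b.voter_id not in eligible_voters:
            result.rejected.append((b.voter_id, "not eligible"))
            continue
        # Property 2: a second ballot from the same voter is not counted.
        if b.voter_id in voted:
            result.rejected.append((b.voter_id, "already voted"))
            continue
        # Only candidates on the slate can receive votes.
        if b.candidate not in candidates:
            result.rejected.append((b.voter_id, "unknown candidate"))
            continue
        voted.add(b.voter_id)
        # Property 3: the stored ballot is the candidate alone; the voter id
        # is used only for the eligibility and at-most-once checks above.
        result.recorded_ballots.append(b.candidate)
        result.totals[b.candidate] += 1
    return result


def totals_consistent(result):
    """Property 4: published totals must sum to the accepted ballots."""
    return sum(result.totals.values()) == len(result.recorded_ballots)


def winner(result):
    """Candidate with the most votes; None if no votes or a tie."""
    if not result.totals:
        return None
    ranked = result.totals.most_common()
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None  # the text defines no tie-break, so report none
    return ranked[0][0]


# Constructed sample election: four eligible voters, two candidates.
ELIGIBLE_VOTERS = {"v1", "v2", "v3", "v4"}
CANDIDATES = {"alice", "bob"}
SAMPLE_BALLOTS = [
    Ballot("v1", "alice"),
    Ballot("v2", "bob"),
    Ballot("v1", "bob"),    # second ballot from v1: rejected
    Ballot("v9", "alice"),  # not on the roll: rejected
    Ballot("v3", "alice"),
    Ballot("v4", "carol"),  # candidate not on the slate: rejected
]


def run_sample():
    return tally(SAMPLE_BALLOTS, ELIGIBLE_VOTERS, CANDIDATES)


if __name__ == "__main__":
    r = run_sample()
    print("totals:", dict(r.totals))
    print("rejected:", r.rejected)
    print("consistent:", totals_consistent(r), "winner:", winner(r))
```

Each rejection reason names the property that was violated, which is the shape a bulleted list of properties should eventually take: a requirement stated precisely enough that a builder can tell whether a given ballot satisfies it.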

The Assignment

Prepare a document comprising a bulleted list of security properties that the builders of an electronic voting system might be required to implement. You are unlikely to do a thorough job of identifying these properties just by thinking about the problem, so feel free to consult technical literature on security properties for electronic voting systems. Study that literature and, where appropriate, borrow from it (being careful to attribute each idea you borrow to the publication where you first saw that idea discussed).

What to Hand In. Your document should be formatted in html and, if printed (with 10 point or larger font) run no longer than 5 pages. The document should consist of a list of properties (the start of such a list appears above) followed by a list of bibliographic references for useful source publications on the subject. Elements in the bulleted list of properties should contain citations to source publications, where appropriate.

Submission Procedure. Create a file named xxxxx0.html containing your paper, where xxxxx is your Cornell network id. Copy that file to the following folder:

\\Goose\courses\cs513-sp02\proj00.submit

Don't be disturbed by warnings informing you that the file cannot be accessed after it has been copied. Should you wish to revise your submission after you have copied it to our folder, then simply correct the file and recopy it---but this time use the name xxxxx1. Revisions to that should be named xxxxx2, and so on. We will grade only the largest-numbered file of a series.

Grading. The assignment will be graded on the basis of (i) the completeness of the list of security properties included, (ii) the care with which those properties are described, and (iii) the evidence that you have read a sufficiently large body of literature to have a good understanding of the issues.

Top student papers will be posted on the course web site, so all can benefit from your efforts.