Smart-card Deployment of an Electronic Voting Protocol

Herv

e Chabanne

1,2

, Emmanuelle Dottax

and Franck Rondepierre

Idemia, France

ecom ParisTech, France

Keywords:

e-Voting, Smart-cards, Biometrics, Belenios.

Abstract:

We present a solution to securely deploy e-voting protocols on the ﬁeld, thanks to smart-cards. Voters creden-

tials are securely stored on the cards, and the access is restricted by Match-on-Card biometrics. Interestingly,

the biometrics veriﬁcation is made against a list of eligible voters, which allows to restrict the number of cards

to one per voting booth. In contrast with previous e-voting solutions requiring a secure element per voter,

this constitutes an affordable solution. As an example, we describe how the voting scheme Belenios can be

implemented. We show that the resulting scheme gains receipt-freeness, and we give an implementation report

that shows the practicability of our solution.

1 INTRODUCTION

Different electronic voting (e-voting) systems have

been proposed together with their relative security

properties. Ballot privacy (secrecy of the vote) and

veriﬁability (capacity of checking that the election

produces the right result) are required. We here de-

scribe an implementation of such an e-voting system

based on smart-cards – named hereafter voting cards.

Our proposal takes advantage of the trust we can

put in voting cards. Indeed, the security of smart-

cards is today assessed by well-established evalua-

tion processes (as e.g. (Common Criteria, 2018)), and

they have already been identiﬁed as security enablers

in implementing e-voting schemes. However, all pro-

posals made until now assume one-card per voter, and

hence are facing cost and deployment difﬁculties for

large scale elections.

In our solution, voting cards are used as crypto-

graphic resources, but only one per voting booth is

required. And for a given voting station, each of its

voting booth will receive the same voting card. As-

suming the polling station takes N voters, any of this

N voters will be able to use these voting cards, but no

one else. To enforce this policy, the voting cards will

perform a biometrics Match-on-Card (MoC) against

the list of eligible voters. The idea of MoC is that

reference biometrics are securely stored on the card,

and that the comparison with the live biometrics (the

match) is performed inside the card. If the compar-

ison is made against one reference (i.e. authentica-

tion), it is called 1:1-MoC, and if N references are

compared (i.e. identiﬁcation), it is called 1:N-MoC.

There are today smart-cards with 1:N-MoC (NIST,

2011) deployed at national level but the idea of per-

forming 1:N-MoC is, to the best of our knowledge,

new for voting systems (see Sect. 2.2). It allows our

solution to enjoy the security beneﬁts of smart-cards

at a limited cost.

Despite its importance, as much we are aware of,

we are the ﬁrst to provide performances (see Sect. 5)

for the Belenios e-voting system. We provide ﬁgures

for both ﬁnite ﬁeld and elliptic curve based computa-

tions.

Another interesting feature of our solution is its

convenience. Indeed, all the material can be prepared

before the election and the process in the voting booth

is very light, making smoothness a key feature of the

proposal (see Sect. 3).

Finally, we want to stress out the fact that, in our

approach, we do not modify the underlying crypto-

graphic e-voting protocol. Rather, we exhibit an eco-

nomically viable deployment of it (for a broader per-

spective on the additional economical cost of secu-

rity systems in modern applications, see (Sklavos and

Souras, 2006)). As a comparison, in (Chaidos et al.,

2016a), the beneﬁts of secure hardware is pointed out

but in the presentation of this very work (Chaidos

et al., 2016b), it is indicated that giving a card to each

voter would be considered as too expensive. By not

changing the cryptographic speciﬁcations of the un-

derlying protocol, we aim at keeping most of its se-

curity properties. For the speciﬁc case of Belenios,

quoting (Chaidos et al., 2016a) again, we note that

we get the additional receipt-freeness security prop-

erty with our implementation (See Sect. 4).

Chabanne, H., Dottax, E. and Rondepierre, F.

Smart-card Deployment of an Electronic Voting Protocol.

DOI: 10.5220/0007443805030510

In Proceedings of the 5th International Conference on Information Systems Security and Privacy (ICISSP 2019), pages 503-510

ISBN: 978-989-758-359-9

503

Related Works. A ﬁrst version of Belenios appears

in (Cortier et al., 2014). The current release of the

software can be found online (Belenios, 2018b), as

well as a voting platform (Belenios, 2018a). This

protocol has been used in more than 200 local elec-

tions. The initial protocol is extended in (Chaidos

et al., 2016a) to enable receipt-freeness. This is done

at the price of relying on more complex cryptographic

primitives. A more detailed description is given in

Sect. 2.1.

There have been several e-voting system propos-

als coming with tamper-resistant devices. Proposals

to use smart-cards in the intent of achieving receipt-

freeness have been made in (Magkos et al., 2001;

Lee and Kim, 2002). Also, (Budurushi et al., 2012)

provides a survey of the use of national electronic

ID-card for remote e-voting in Estonia, Austria and

Germany, and for polling station e-voting in Finland.

More information on Estonia solution can be found

online (Estonia, 2018). Smart-card-based implemen-

tations of the Civitas e-voting protocol (Clarkson

et al., 2008) are proposed in (Neumann and Volkamer,

2012; Neumann et al., 2013).

In all these solutions, it is assumed that each voter

is provided with a personal, tamper-resistant voting

device.

2 BACKGROUND

2.1 Belenios

Belenios is an extension of Helios (Adida, 2008;

Adida et al., 2009), with an explicit registration au-

thority: eligibility is guaranteed by signing the bal-

lots. It also uses different zero-knowledge proofs.

It is close to Helios-C (Cortier et al., 2014) too, but

without the threshold support for the decryption of

the ballots. The description given here is compliant

with the one found in the recent paper (Cortier et al.,

2018). More details can be found in the speciﬁcation

(Glondu, 2018).

The main parties involved in the election are:

• A voting server S, representing the bulletin board

manager and operated by the server administrator

A. It is responsible for processing ballots in the

bulletin box BB.

• A credential authority C, who is responsible only

for the generation of credentials and their distri-

bution to the voters.

• A set of trustees T

,··· , T

. They are the pub-

lic authorities in charge of tallying and publishing

the result of the election. They also produce the

parameters of the election.

• The eligible voters V

,··· ,V

The following algorithms are used:

Setup(1

): The administrator A and the trustees gen-

erate the election encryption public key pk, and

trustees secret keys (sk

)

(i=1...m)

via a distributed

cryptosystem parametrized with security parame-

ter λ. Public key pk is an implicit input for all

remaining algorithms.

(upk

,usk

) for the voter id. This step is

run by C. The list L of the public keys of all

eligible voters is published, and it is considered

an implicit input for all remaining algorithms.

Vote(id, v, upk

,usk

): Constructs a ballot for the

voter id and vote v. The ballot is of the form

(id,upk

,c,s), where:

• c is the vote encrypted under the election key

pk, together with proofs that the vote is cor-

rectly formed,

• s is the voter signature on c, computed with the

signing key usk

This step is performed by voters willing to express

their vote.

Valid(BB, b, pk): Checks the validity of the ballot

with respect to the ballot box BB: veriﬁes the sig-

nature and the proof of b =(id, upk

,c,s), and

also checks there is no same identity id with dif-

ferent credential upk

and no different identity

with same credential. This is performed by the

voting server S whenever a new vote is received.

Box(BB,b): The voting server S returns the ballot

box BB ∪ b if Valid(BB, b, pk) holds, BB other-

wise. The ballot box is kept internally.

Publish(FBB): Returns the public views of BB:

• provides the talliers with FBB, a version of BB

with voters identities discarded (ballots are now

of the form (upk

,c,s)),

• extend each ballot with a hash of it, and publish

the result PBB= {(b, hash(b))|b ∈ FBB}.

This step is handled by the administrator A.

Tally(FBB, (sk

)

(i=1...m)

): Returns the result of the

election r, as well as a proof π that the tally was

computed correctly. To do so, the ballots signa-

ture and proofs are veriﬁed and invalid ballots are

discarded. Then, ciphertexts are added and the

sum is decrypted (thanks to homomorphic feature

of the encryption algorithm) to get the election re-

sult. This is performed conjointly by Administra-

tor A and trustees.

ICISSP 2019 - 5th International Conference on Information Systems Security and Privacy

504

Verify(pk, PBB, r,π): This algorithm allows one to

check that the tally corresponds to the public bul-

letin board FBB via veriﬁcation of the proof π.

VerifyVote(b,PBB): Checks that the ballot b belongs

to the public bulletin board. It is intended to

the voters, for checking that their ballot is indeed

taken into account.

The security of voting schemes is a vast subject

that has attracted a lot of attention. Informally stated,

the key properties to achieve are ballot privacy (no

one can gain information on the choices of the vot-

ers), completeness (all valid votes are counted), eligi-

bility (no one who is not allowed to vote can vote),

soundness (any invalid vote is not counted).

For an extensive-review of theses properties and

the schemes that offer them, we refer to, e.g., (Be-

naloh et al., 2017). Machine-checked proofs in Easy-

Crypt for privacy and veriﬁability in Belenios are pro-

vided in (Cortier et al., 2018).

As Helios, Belenios does not achieve receipt-

freeness (a voter has no means to prove how she

voted). Indeed, the voter can record and reveal the

randomness used to encrypt her ballot. It is then

possible to re-encrypt the claimed vote and to check

the presence of the corresponding ballot in the pub-

lic bulletin board (see Sect. 5 for details regarding the

encryption process). A receipt-free version of Bele-

nios, called BeleniosRF, has been proposed in (Chai-

dos et al., 2016a).

2.2 1:N-MoC

Biometric traits can be represented as vectors, known

as templates, and can be further compared. To mea-

sure the performance of a biometric system, one usu-

ally considers its False Acceptance Rate (FAR) – the

proportion of impostors being wrongly accepted –

and False Rejection Rate (FRR) – the proportion of

genuine users being rejected erroneously. We here

give ﬁgures for different modalities: 1:1-MoC for ﬁn-

geprint and 1:N-MoC for iris and face.

The deep convolutional network Facenet (Schroff

et al., 2015) outputs 128-byte vectors embedded in an

Euclidean space for coding face images. Two tem-

plates match whenever their euclidean distance (l

norm) is below a given threshold. An accuracy recog-

nition performance as high as 99.63% = 1−FRR can

then be reached (on the dataset named Labeled Faces

in the Wild (Huang et al., 2008)).

As far as 1:1-MoC is concerned, the Minex pro-

gram (NIST, 2011) by NIST is dedicated to the eval-

uation of ﬁngerprint minutia matchers running on

smart-cards. It reports, for instance, a solution with

ﬁngerprints coded on 512 bytes, and with (FRR,FAR)

equal to (0.0047,0.01) or (0.0086,0.001).

In what follows, we consider that voting cards

contain a set of such reference templates for iden-

tifying eligible voters. Instead of performing brutal

search by performing N matches against the freshly

captured biometric data, a better strategy is ﬁrst to

check whether this latter is close enough to one vector

within the set. This problem is known in the litera-

ture as Nearest Neighbour Search. As an example of

what has already been done in this ﬁeld (Hao et al.,

2008), we want to describe a method based on Local-

ity Sensitive Hashing (LSH). The deﬁnition of LSH is

recalled:

Deﬁnition 1. Let B be a metric space, U a set with

smaller dimensionality, r

∈ R with r

< r

and

, p

∈ [0, 1] with p

> p

A family H = {H

,...,H

},H

: B → U is

, p

)-LSH if for all h ∈ H, x, x

∈ B,

Pr[h(x) = h(x

)] > p

if d

(x, x

) < r

and Pr[h(x) =

h(x

)] < p

if d

(x, x

) > r

That deﬁnition, together with the fact that two biomet-

ric traits measurements coming from the same per-

son (resp. from different persons) are close (resp. are

far) in the underlying distance, gives to (Hao et al.,

2008) the basis of its identiﬁcation algorithm, the sin-

gle collision principle. The principle can be stated as:

two similar biometric records will have high chance

to have “colliding” H

. The identiﬁcation proceeds

by ﬁrst looking at collisions through LSH functions

between the fresh captured biometric data and all the

references stored, and then, for the most likely candi-

dates, by checking if a match actually happens. Iden-

tiﬁcation in (Hao et al., 2008) is made against a large

iris database. Iris templates are 256-byte long vectors

embedded in the Hamming space, and the LSH func-

tions are simply projections over random coordinates.

The same “single collision principle” is used in

(Bringer et al., 2009), where a facial MoC implemen-

tation is considered. The smart-card here serves to

enforce the privacy inside a biometric terminal.

In the case of templates encoded as vectors in the

Euclidean space, LSH can be thought as a random

projection where each of the H

is associated with a

random line in a 2-dimensional space.

3 BELENIOSHW

In this section, we describe our solution to se-

curely deploy the Belenios system with the following

tweaks:

Smart-card Deployment of an Electronic Voting Protocol

505

• the replacement of the login/password used for

voter authentication in Belenios by a 1:N-MoC,

• the provisioning of voters credentials in a smart-

card.

Election Preparation. The election is prepared by

performing the following steps:

• Enrolment: biometric templates of eligible voters

are gathered.

• Smart-cards provisioning: for each polling sta-

tion, a set of identical cards is prepared (one per

voting booth and some spare). Each card contains

the templates of all the voters of the polling sta-

tion, and for each voter id, his template

is asso-

ciated with his secret credential usk

– the same

as the one used in standard Belenios. Each card

also contains the public key pk of the election,

used to encrypt the ballots.

• Material deployment: Each polling station is

equipped with some terminals, and the set of

cards.

Remark 1. Each voting card can come equipped

with its own storage keys. These (symmetric) keys

will serve to securely store (conﬁdentiality, integrity)

data outside the card. More speciﬁcally, all the data

needed by a voter to vote, i.e. his cryptographic keys

along with some pre-computed data which do not de-

pend on his vote (see Remark 4) can be placed out-

side the voting cards. Whenever a voter has identiﬁed

himself, the card will retrieve all the data this very

voter needs to vote. This solution can be envisaged

as a trade-off to increase the storage capacity of the

voting card, at the cost of little more computations.

Election. We propose to supply each voting booth

with a terminal with the adequate interfaces for the

voter, the required biometric sensor(s), and a voting

card. Once the voter has entered a voting booth in his

polling station, his journey is the following:

• The voter presents his biometric data, and the 1:N-

MoC is performed;

• If the MoC is successful, the voter is prompted by

the terminal to make his choice according to the

election;

• The choice is sent to the card, the card builds

the ballot by computing the encryption, the proofs

and the signature;

• The ballot is sent to the terminal.

Remark 2. As computations are performed by the

smart-card connected to a terminal, the voter has

no mean per-se to get his ballot value, and hence

no mean to check its presence in the public bulletin

board. We propose to rely on a secure interface to dis-

play the hash value of his ballot to the voter. For more

convenience, an extra printer can also be added in the

voting booth to print a paper with the hash value of

the ballot. The voter can easily check that the printed

value is the same than the one printed. Moreover, do-

ing so, the voter can use it later to check his ballot has

been cast.

The rest of the process – the validation of the bal-

lots by the voting server, the publication of the ballots

and the tally by the trustees – is performed exactly as

in Belenios.

4 SECURITY PROPERTIES

The variant of Belenios we propose only makes few

changes to the original scheme. We here give a de-

tailed view of the modiﬁcations, using the notation

introduced in Sec. 2.1, and we discuss the impact of

these changes on the voting scheme.

Set-up: This step is left unchanged.

dential authority still generates the signing keys

for the voters, but instead of sending them to the

voters, these secrets are securely stored in smart-

cards, each key being associated to the biometric

template of the corresponding voter. The cards are

distributed in the polling stations.

Once the cards are personalized this way, the cre-

dential authority publishes the list of public keys

and forgets the secrets, like in standard Belenios.

Note that this step could be managed such that

only the cards know the secrets. It is indeed pos-

sible to generate the signing key pairs inside one

card, and to securely communicate the secrets to

the other cards of the same polling station. Note

also that in the new scheme, the voters have no

access to the value of their secrets.

Vote: This step is exactly the same as in Belenios,

except that the computations are made by a smart-

card instead of a software client on voter’s com-

puter. There is however a difference. Belenios

authenticates voters via a login/password proce-

dure, and voters enter their secret key. Our solu-

tion enforces voter authentication via biometrics

and hence have the nice feature of preventing a

dishonest voter to sell his vote by giving away his

password. In addition, as computations are made

in smart-cards, nobody – including the voter – has

access to intermediate results. In particular, the

voter has no mean to learn the details of the en-

cryption computation.

ICISSP 2019 - 5th International Conference on Information Systems Security and Privacy

506

Valid, Box, Publish, Tally, Verify: These steps are

left unchanged.

VerifyVote: The voter uses the printed hash value of

the ballot to check his ballot has been cast (see

Remark 2).

As can be seen, we make no additional, speciﬁc as-

sumption on the parties involved in the process:

• On the trustees side, there is strictly no change.

• No change on the Voting Server side, either.

• The Credential authority behaves the same and

has access to the same information. Only, send-

ing the keys to the voters is replaced by associ-

ating a voter’s key to his biometrics in a smart-

card. There is no new possibility for this party

when dishonest.

On the voter side, the usage of a smart-cards

changes the scheme regarding the receipt-freeness

property. As already mentioned, Belenios (as well as

Helios) is not receipt-free because the voter can get

the random involved in the encryption and use it to

prove how he voted. The fact that the encryption be

performed by a smart-card prevents this, assuming the

card is tamper-proof. As acknowledged in (Chaidos

et al., 2016a), using such hardware tokens is indeed a

way to add receipt-freeness to Belenios.

As a conclusion, BeleniosHW enjoys the same se-

curity properties as Belenios, with the addition of the

receipt-freeness, based on the usage of a tamper-proof

device.

5 PERFORMANCES

Exponentiation Algorithms. We hereafter deﬁne

two different exponentiations that will be used to im-

plement the algorithms. We take into account the fact

that when the base is a value known in advance, it is

possible to provision the card with pre-computed val-

ues.

Double Exponentiation (DE) is the computation of

the value u

·v

, when no assumption can be made on

the value of u or v. Using the Straus-Shamir’s trick

(Straus, 1964; Gamal, 1984), this computation can be

made with the same performances as computing the

simple exponentiation u

. This trick requires scan-

ning the exponents from the most signiﬁcant bits to

the less signiﬁcant bits, and the pre-computation of

the value u·v.

Known Value Exponentiation (KVE) is the compu-

tation of the value u

, when u is a static value, known

in advance (such as a group generator, or a static pub-

lic key). This case can be treated as a special case of

DE – with half-length exponents. Indeed:

= u

·v

, where e = e

+ e

·2

, v = u

, and ` is

the bit-size of e. Since u is a known value, we assume

that v is available with negligible cost. As the cost of

an exponentiation is linear with the exponent length,

a KVE is twice as fast as a DE.

Ballot Encryption. We stick to Belenios and use

the ElGamal encryption scheme. Operations are made

in a group of order q, generated by a generator g.

To compute c

(i)

enc

(i)

,β

(i)

, the encryption of the

choice m

(i)

, we shall:

• Pick a random value r

(i)

∈ Z

• Compute α

(i)

= g

(i)

, for which we can use a KVE.

• Compute β

(i)

= pk

(i)

·g

(i)

, for which we can use

a DE.

Remark 3. Only β depends on the election choice

(i)

Ballot Signature. We consider that the key pair

(upk

,usk

), generated in the register phase, has

been stored in the voting card. This constitutes

a slight difference with the Belenios speciﬁcation

(Glondu, 2018), as there is no need to compute

upk

. Belenios uses a Schnorr-like digital signature

scheme. We denote by H

signature

the hash func-

tion dedicated to the signature scheme. To get s =

(challenge,response), we shall compute:

• a random value w ∈ Z

• A = g

, using a KVE.

• challenge =H

signature

(upk

,A,c

(1)

enc

,...,c

(n)

enc

)

mod q

• response = w − usk

·challenge mod q

Remark 4. As A does not depend on the voter nor on

the election choices, it can be pre-computed.

Ballot Proof of Correctness. For a given ciphertext

(α,β), we shall prove that it is the encryption of a

valid message, i.e. that it has the form (g

, pk

·g

with m ∈ {M

,...,M

} ({0,1} in our case). This

is achieved with a dedicated zero-knowledge proof

involving the random r used in the construction of

(α,β). The proof consists in a sequence of chal-

lenges/responses, one for each possible valid choice

The proof has been made non-interactive thanks to

a hash function H

iproof

to determine the sum of all

challenges.

Let m = M

. To create the complete proof, we

perform the following steps.

Smart-card Deployment of an Electronic Voting Protocol

507

Table 1: Theoretical timings for the computation of a ballot.

DL timings (ms) EC timings (ms)

# candidates # candidates

1 8 16 32 1 8 16 32

Vote-indep. 240 1247 2,397 4,969 37 194 374 733

Vote-dep. 479 2493 4,795 9,397 74 383 737 1,444

Total 719 3,740 7,192 14,096 111 577 1,111 2,177

Step 1: For all j 6= s:

• Pick c

, p

at random in F

• Compute A

= g

·α

−c

= g

−r ·c

, using a

KVE,

• Compute B

= pk



β·g

−M



−c

, using a DE,

• Set challenge

= c

and response

= p

Step 2: For the index s:

• Pick w at random in F

• Compute A

= g

and B

= pk

• Set challenge

iproof

(upk

,α,β,A

,...,A

) −

∑

j6=s

challenge

mod q

• Set response

= w + r ·challenge

mod q

In our case, m

(i)

∈ {0,1} for each ciphertext c

(i)

enc

and min(x) 6 m =

∑

(i)

6 max(x) for the overall

proof. Hence, we have:

(i)

challenge

(i)

,response

(i)

challenge

(i)

,response

(i)

overall

challenge

overall

min(x)

,response

overall

min(x)

...,

challenge

overall

max(x)

,response

overall

max(x)

Remark 5. Note that it is possible to slightly

modify the process so as to compute A

and

in Step 1. Indeed, in this case A

·α

−c

= g

−r ·c

and B

= pk



β·g

−M



−c



·g

−M



−c

= pk

−r ·c

. It is then sufﬁ-

cient to set w = p

− r ·c

mod q in the computation

response

. Doing so, all the A’s can be pre-computed,

and only the B’s depend on the election choice. Fur-

thermore, given an election setup, the values g

−M

can be pre-computed and hence be available at no

cost.

Summary. On the voter side, a total of 3n + 2 KVE

and 3n + 1 DE has to be processed. We also have no-

ticed that among those exponentiations, 3n + 2 KVE

may be processed at any time as they do not depend

on the choice of the voter. For instance, the card may

compute those values between two voting sessions.

We can also consider pre-computing all theses values

if we have access to an external storage. In this case

the data would be stored encrypted with a key known

only by the card, so as not to decrease the security of

the solution.

The exponentiations in the encryption, as well as

in the computation of the A

’s, use an ephemeral se-

cret r

(i)

. They should be implemented with a regular

or an atomic algorithm to prevent side-channel attacks

(see e.g. (Peeters, 2013)). We express hereafter the

cost of DE and KVE in terms of “low level” operations

for `-bit size operands: modular multiplication M(`),

modular addition/subtraction A(`) and modular inver-

sion I(`). We will uses these formulæ in the next sec-

tion to evaluate the time required to compute a ballot

in a voting card.

Discrete Logarithm. Let (p,q,g, ·) denote the

multiplicative group used to compute the ballot, such

that g

≡ 1 mod p. A naive implementation of DE re-

quires 1 square and 0.75 multiplication per bit, and we

assume an atomic implementation with the same tim-

ings for squares and multiplies. As already said, KVE

is twice as fast. We then have the following formulæ:

DL-DE(p, q) = |q|·(1.75)·M(|p|)

DL-KVE(p, q) = 0.5 ·DL-DE(p, q)

Elliptic Curve. We denote by (E (p),q,g,+) the

additive group used to compute the ballot, such that

[q]g = O. We chose the atomic implementation

proposed in (Rondepierre, 2013) with a point dou-

bling/addition cost of 10 ﬁeld multiplications and 10

ﬁeld additions/subtractions and 1 doubling and 0.5

addition per bit. Each scalar multiplication also re-

quires one modular inversion. We then have the fol-

lowing formulæ:

ICISSP 2019 - 5th International Conference on Information Systems Security and Privacy

508

Table 2: Timings for modular operations on a dedicated hardware.

Field size Multiplication Addition Inversion

(bits) (µs)

256 3.21 0.566 230

3072 214.05 NA NA

EC-DE(p, q) =|q|·(1.5)·

(10M(|p|) + 10A(|p|)) + I(|p|)

EC-KVE(p, q) =0.5 ·|q|·(1.5)·

(10M(|p|) + 10A(|p|)) + I(|p|)

Real Component. Let us take usually recommended

key lengths |q| = 256 and |p| = |g| = 3072 in the DL

case and |q| = |p| = 256 in the EC case (in bits). In

order to get an insight of the timings on an actual

component, we give the ﬁgures for modular multipli-

cation, addition/subtraction and inversion in Table 2.

These ﬁgures correspond to a component equipped

with a smart-card dedicated hardware efﬁciently im-

plementing the modular arithmetic.

Performing ballot pre-computations saves around

a third of the overall performances which is worth

mentioning.

REFERENCES

Adida, B. (2008). Helios: Web-based open-audit voting.

In van Oorschot, P. C., editor, Proceedings of the

17th USENIX Security Symposium, pages 335–348.

USENIX Association.

Adida, B., de Marneffe, O., Pereira, O., and Quisquater,

J.-J. (2009). Electing a University President Using

Open-Audit Voting: Analysis of Real-World Use of

Helios. In D. Jefferson, J.L. Hall, T. M., editor,

Electronic Voting Technology Workshop/Workshop on

Trustworthy Elections. Usenix.

Belenios (2018a). Belenios election server. https://belenios.

loria.fr/admin.

Belenios (2018b). Belenios veriﬁable online voting system.

http://www.belenios.org/.

Benaloh, J., Bernhard, M., Halderman, J. A., Rivest, R. L.,

Ryan, P. Y. A., Stark, P. B., Teague, V., Vora, P. L., and

Wallach, D. S. (2017). Public evidence from secret

ballots. CoRR, abs/1707.08619.

Bringer, J., Chabanne, H., Kevenaar, T. A. M., and Kindarji,

B. (2009). Extending match-on-card to local biomet-

ric identiﬁcation. In Biometric ID Management and

Multimodal Communication, Joint COST 2101 and

2102 International Conference, BioID MultiComm,

pages 178–186.

Budurushi, J., Neumann, S., and Volkamer, M. (2012).

Smart cards in electronic voting: Lessons learned

from applications in legally-binding elections and ap-

proaches proposed in scientiﬁc papers. In EVOTE

2012, pages 257–270.

Chaidos, P., Cortier, V., Fuchsbauer, G., and Galindo, D.

(2016a). BeleniosRF: A Non-interactive Receipt-Free

Electronic Voting Scheme. In Proceedings of the 2016

ACM SIGSAC, pages 1614–1625.

Chaidos, P., Cortier, V., Fuchsbauer, G., and Galindo, D.

(2016b). BeleniosRF: A Non-Interactive Receipt-Free

Electronic Voting Scheme. Presentation at CCS 2016.

https://www.youtube.com/watch?v=Fzj29WTVWb8.

Clarkson, M. R., Chong, S., and Myers, A. C. (2008). Civ-

itas: Toward a secure voting system. In IEEE Sympo-

sium on Security and Privacy, pages 354–368.

Common Criteria (2018). ICs, Smart Cards and Smart

Card-Related Devices and Systems , Certiﬁed Prod-

ucts. https://www.commoncriteriaportal.org/products/

#IC.

Cortier, V., Dragan, C. C., Strub, P.-Y., Dupressoir, F., and

Warinschi, B. (2018). Machine-checked proofs for

electronic voting: privacy and veriﬁability for belenio.

In Proceedings of the 31st IEEE Computer Security

Foundations Symposium (CSF’18). To appear.

Cortier, V., Galindo, D., Glondu, S., and Izabach

ene, M.

(2014). Election Veriﬁability for Helios under Weaker

Trust Assumptions. In Computer Security - ESORICS

- Proceedings, Part II, pages 327–344.

Estonia (2018). E-Estonia. https://e-estonia.com/solutions/

e-governance/i-voting/.

Gamal, T. E. (1984). A public key cryptosystem and a sig-

nature scheme based on discrete logarithms. In Ad-

vances in Cryptology - CRYPTO ’84, pages 10–18.

Glondu, S. (2018). Belenios speciﬁcation. version 1.5.

https://gforge.inria.fr/projects/belenios/.

Hao, F., Daugman, J., and Zielinski, P. (2008). A fast search

algorithm for a large fuzzy database. IEEE Trans. In-

formation Forensics and Security, 3(2):203–212.

Huang, G. B., Mattar, M., Berg, T., and Learned-Miller,

E. (2008). Labeled Faces in the Wild: A Database

forStudying Face Recognition in Unconstrained Envi-

ronments. In Workshop on Faces in ’Real-Life’ Im-

ages: Detection, Alignment, and Recognition. Erik

Learned-Miller and Andras Ferencz and Fr

eric Ju-

rie.

Lee, B. and Kim, K. (2002). Receipt-free electronic vot-

ing scheme with a tamper-resistant randomizer. In In-

formation Security and Cryptology - ICISC 2002, Re-

vised Papers, pages 389–406.

Magkos, E., Burmester, M., and Chrissikopoulos, V. (2001).

Receipt-freeness in large-scale elections without un-

tappable channels. In Towards The E-Society: E-

Commerce, E-Business, and E-Government, The First

Smart-card Deployment of an Electronic Voting Protocol

509

IFIP Conference on E-Commerce, E-Business, E-

Government (I3E, pages 683–693.

Neumann, S., Feier, C., Volkamer, M., and Koenig, R. E.

(2013). Towards A practical JCJ / civitas imple-

mentation. In Informatik 2013, 43. Jahrestagung der

Gesellschaft f

ur Informatik e.V. (GI), pages 804–818.

Neumann, S. and Volkamer, M. (2012). Civitas and the

real world: Problems and solutions from a practical

point of view. In Seventh International Conference on

Availability, Reliability and Security, Prague, ARES,

pages 180–185.

NIST (2011). MINEX II - An Assess-

ment of Match-on-Card technology.

https://www.nist.gov/itl/iad/image-group/

minex-ii-assessment-match-card-technology.

Peeters, E. (2013). Advanced DPA Theory and Practice:

Towards the Security Limits of Secure Embedded Cir-

cuits. Springer Publishing Company, Incorporated.

Rondepierre, F. (2013). Revisiting atomic patterns for scalar

multiplications on elliptic curves. In Smart Card

Research and Advanced Applications - 12th Interna-

tional Conference, CARDIS, Revised Selected Papers,

pages 171–186.

Schroff, F., Kalenichenko, D., and Philbin, J. (2015).

Facenet: A uniﬁed embedding for face recognition

and clustering. In IEEE Conference on Computer Vi-

sion and Pattern Recognition, CVPR, pages 815–823.

Sklavos, N. and Souras, P. (2006). Economic models &

approaches in information security for computer net-

works. I. J. Network Security, 2(1):14–20.

Straus, E. G. (1964). Addition chains of vectors (problem

5125). Am. Math. Monthly, 70:806–808.

ICISSP 2019 - 5th International Conference on Information Systems Security and Privacy

510