A video demonstration of DRE-ip

We have made available a video demonstration of the DRE-ip voting system on YouTube. The video was made by Ehsan Toreini.

DRE-ip (Direct Recording Electronic with Integrity and Privacy) is an end-to-end verifiable e-voting system without tallying authorities, designed by Siamak Shahandashti and myself in 2016. The DRE-ip paper was presented in ESORCIS’16 and is freely available at: https://eprint.iacr.org/2016/670.pdf.

We ranked 3rd in the Economist Cyber Security Competition 2016

In the announcement for the winners of the 2016 Economist Cyber security Challenge, our team “Security upon Tyne” from the School of Computing Science, Newcastle University, won the 3rd place in this international competition. Universities that participated in this competition were selected by invitation based on their track record in cyber security research (particularly in bitcoin and voting) to participate. In the end, 19 universities from the UK and USA accepted the challenge.

In the final outcome, Newcastle University is the only UK university in the final top three, and it came after the New York University and the University of Maryland.

In this challenge, each team was tasked “to design a blockchain-compliant system for digital voting” to address the following aspects of an election: ensuring privacy and the ability to check the votes, protecting voting under duress, prohibiting publication of of interim results, supporting undecided voters and addressing any potential dispute in voting aftermath.

Each team had to prepare a 3000 word report describing their work in two weeks from September 15, 2016 to September 29, 2016 and then, they had a week to produce two videos for the challenge. One video describes their proposal in between 3 to 5 minutes and an elevator pitch clip no more than 2 minutes. The attendants were asked to provide a proof of concept implementation of their solution to demonstrate the feasibility of their proposal. It was an intense challenge to do all these within the short 2-3 weeks. The full list of participants, as well as the detailed description of their proposed solutions, is available here.

In our report, we presented a proof-of-concept implementation of the Open Vote Network e-voting protocol as a self-enforcing voting algorithm over the Ethereum blockchain. Ethereum is a decentralized peer to peer block chain that ensures execution of code as smart contracts. In our proposal, the blockchain is not only used as a bulletin board for publishing encrypted votes, but a trusted platform to verify all cryptographic data before they are published. Ethereum provides the opportunity to implement a self-tallying algorithm in the Open Vote network protocol as a smart contract so the correct execution of the algorithm is enforced by the consensus-based mechanism in Ethereum. Our full report could be accessed via here. Furthermore, our team videos are here.

Our solution is designed for small scale e-voting over the internet. To support large-scale elections, we have suggested two further solutions, using the DRE-i and DRE-ip protocols for the centralized remote voting and centralized polling station voting respectively. Overall, our three suggested systems could fulfill all the challenge criteria. However, due to the space limit in the report, we focused on the small-scale voting over the Internet and only briefly covered the large-scale elections for both onsite and internet voting scenarios. We noted that the two top winning teams primarily focused on large-scale elections for onsite voting. An overview of our proposed algorithms is shown below:

How our proposed algorithms fulfilled the challenge criteria in the economist cyber security competition

How our proposed algorithms fulfilled the challenge criteria in the economist cyber security competition

Our team consisted of three PhD students, Maryam Mehrnezhad, Ehsan Toreini and Patrick Mccorry, in the Secure and Resilient Systems Group in Newcastle University, United Kingdom. In the announcement for winners, Kaspersky, the sponsor for this Economist Cyber security Challenge, commented on the Newcastle solution: “Newcastle University’s (proposal) is the best solution in which remote voting is permitted.”

Cyber Security: a MOOC in progress

Members of the research group in Secure and Resilient Systems at Newcastle University are currently preparing a new MOOC (Massive Open Online Course) on the practicalities of Cyber Security. The three-week course Cyber Security: Safety at Home, Online, in Life will be running on the FutureLearn platform from 5th September 2016.

Preparing to discuss how we handle risks in everyday life

The course team preparing to film a discussion on how we handle risks in everyday life

Although it’s the first time our group has participated in MOOC development, it’s the 5th course that Newcastle University’s Learning and Teaching Development Service (LTDS) will have delivered, so we feel we’re in safe hands. Our aim is to introduce course participants to current topics in cyber security research and show how they relate to everyday life: privacy of data, safety of financial transactions, and security implications of smart devices, to take three examples.

For us as researchers and lecturers in security and resilience, it’s an interesting and sometimes challenging process to think about how best to present material in this medium. We’re moving from research papers and presentations, lectures and coursework assignments to short articles, discussion topics, quizzes and video. We hope it will be of interest to anyone with some background knowledge in cyber security and an interest in finding out current practice and research directions in this area.

We hope you can join us on 5th September! You can register for the course at https://www.futurelearn.com/courses/cyber-security.

Real-world Electronic Voting: Design, Analysis and Deployment

We are pleased to announce the completion of a new book “Real-world Electronic Voting: Design, Analysis and Deployment”, which is due to be published by the CRC Press. It’s still in press, but you can pre-order it from Amazon (the book will be freely available in the open-access domain two years from its publication).

This book is co-edited by Peter Ryan and myself. It aims to capture all major developments in electronic voting since 2003 in a real-world setting. It covers three broad categories: e-voting protocols, attacks reported on e-voting, and new developments on the use of e-voting.

Table of contents [PDF]

Foreword (Josh Benaloh) [PDF]

Preface (Feng Hao and Peter Ryan) [PDF]

Part 1: Setting the scheme

  • Chapter 1: Software Independence Revisited (Ronald L. Rivest and Madars Virza)
  • Chapter 2: Guidelines for Trialling E-voting in National Elections (Ben Goldsmith)

Part II: Real-world e-voting in national elections

  • Chapter 3: Overview of Current State of E-voting World-wide (Carlos Vegas and Jordi Barrat)
  • Chapter 4: Electoral Systems Used around the World (Siamak F. Shahandashti)
  • Chapter 5: E-voting in Norway (Kristian Gjøsteen)
  • Chapter 6: E-voting in Estonia (Dylan Clarke and Tarvi Martens)
  • Chapter 7: Practical Attacks on Real-world E-voting (J. Alex Halderman)

Part III: E2E verifiable protocols and real-world applications

  • Chapter 8: An Overview of End-to-End Verifiable Voting Systems (Syed Taha Ali and Judy Murray)
  • Chapter 9: Theoretical Attacks on E2E Voting Systems (Peter Hyun-Jeen Lee and Siamak F. Shahandashti)
  • Chapter 10: The Scantegrity Voting System and its Use in the Takoma Park Elections (Richard T. Carback, David Chaum, Jeremy Clark, Aleksander Essex, Travis Mayberry, Stefan Popoveniuc, Ronald L. Rivest, Emily Shen, Alan T.
    Sherman, Poorvi L. Vora, John Wittrock, and Filip Zagórski)
  • Chapter 11: Internet voting with Helios (Olivier Pereira)
  • Chapter 12: Prêt à Voter – the Evolution of the Species (Peter Y A Ryan, Steve Schneider, and Vanessa Teague)
  • Chapter 13: DRE-i and Self-Enforcing E-Voting (Feng Hao)
  • Chapter 14: STAR-Vote: A Secure, Transparent, Auditable, and Reliable Voting System (Susan Bell, Josh Benaloh, Michael D. Byrne, Dana DeBeauvoir, Bryce Eakin, Gail Fisher, Philip Kortum, Neal McBurnett, Julian Montoya, Michelle Parker, Olivier Pereira, Philip B. Stark, Dan S. Wallach, and Michael Winn)

J-PAKE adopted by ISO/IEC standard

J-PAKE is a password-based authenticated key exchange protocol, developed by Peter Ryan and myself in 2008. Over the past six years, the protocol has withstood all sorts of attacks and has started to see some real-world use in providing end-to-end secure communication for Internet users. The full records of discussions on J-PAKE can be found in the previous lightbluetouchpaper blog.

About six months ago, in the ISO/IEC SC 27 meeting held at Hong Kong in April 2014, I gave a presentation on the rationale of including J-PAKE into the ISO/IEC 11770-4 standard. The presentation slides are available here. An accompanying document was officially circulated among the national bodies under ISO before the meeting. It was agreed in that meeting to start a six-month study period on Revision of ISO/IEC 11770-4 and invite all national bodies to comment my proposal.

This week, in its meeting held in Mexico City, October 20-24, 2014, ISO/IEC SC 27 Working Group 2 considered the contributions received under the study period. After some discussion, SC 27/WG 2 unanimously agreed that this standard should be revised to include J-PAKE.

In the same meeting, two security weaknesses of the existing SPEKE protocol in ISO/IEC 11770-4 were discussed based on the findings reported in our SSR’14 paper. (A copy of the paper is publicly available at IACR ePrint and the paper is discussed in a previous blog post.) After some discussion, it was agreed that the SPEKE specification in ISO/IEC 11770-4 should be revised to address the attacks reported in our SSR’14 paper. The revision work on ISO/IEC 11770-4 starts immediately with myself being one of the editors. We expect to provide the first working draft for comment by 15 Dec, 2014.

On a more lightweight subject, while in Mexico, I try to do as Mexicans do: i.e., drink a glass of cactus (mixed with celery, parsley, pineapple and orange) during the breakfast. It was such a horrible taste that I was unable to finish it the first time. However, the more I try it, the more I like it. Now I can’t have a breakfast without it. The way our body treats a new taste of drink reminds me of the way how our mind treats a new idea. A “new” idea usually has a bitter taste in it as it challenges our mind into accepting something different. The natural reaction is to reject it and remain satisfied where we are and what we already know. However, to appreciate the “sweetness” out of the initial “bitterness” of any new idea, it takes time and patience – and in fact, lots of patience. When I return to the UK, I am sure this will be the drink I miss most from Mexico. So, cheers one more time before my flight home tomorrow!

Cactus drink

CFP: Special issue on security and privacy in cloud computing

The following is a CFP for the special issue on security and privacy in cloud computing, to be published by the Journal of Information Security and Applications (Elsevier) in 2015.

Submission deadline: 15 Jan 2015 (changed to 15 April, 2015).

http://www.journals.elsevier.com/journal-of-information-security-and-applications/call-for-papers/special-issues-on-security-and-privacy-in-cloud-computing/

Research works that contain “new” ideas and are driven by tackling “real-world” security/privacy problems in cloud computing are especially welcome.

First post

This post is to announce the birth of “Security Upon Tyne” – a blog on security research at the School of Computing Science, Newcastle University, Newcastle-upon-Tyne, UK.

We hope this blog will provide a platform to facilitate two-way communication: 1) to disseminate our research results to people outside the school; 2) more importantly, to allow any reader over the Internet to comment, scrutinize and criticize our work.