Helios is an open-audit internet voting system providing cryptographic protections to voter privacy, and election integrity. As part of these protections, Helios produces a cryptographic audit trail that can be used to verify ballots were correctly counted. Cryptographic end-to-end (E2E) election verification schemes of this kind are a promising step toward developing trustworthy electronic voting systems. In this research we approach the discussion from the flip-side by exploring the practical potential for threats to be introduced by the presence of a cryptographic audit trail.

We conducted a security analysis of the Helios implementation and discovered a range of vulnerabilities and implemented exploits including:

We also examine privacy issues including a random-number generation bias affecting the indistinguishably of encrypted ballots. We reported the issues and worked with the Helios designers to address the issues, and the vulnerabilities have been fixed.

Watch Nick’s attack demo

Technical Paper

The Cloudier Side of Cryptographic End-to-end Verifiable Voting: A Security Analysis of Helios
Nicholas Chang-Fong and Aleksander Essex
32nd Annual Computer Security Applications Conference (ACSAC '16), CA, 2016.
[ Citation ]