In the parliamentary elections of September 2013, more than 250 000 Norwegians in selected municipalities were able to vote from home. They were taking part in a national trial of Internet voting, building on an advanced cryptographic protocol.
The Norwegian e-vote project started in 2008, and was used for live election trials in 2011 and 2013. By using cutting-edge cryptography and committing to a high degree of openness in all parts of the execution, the project aimed to overcome public concerns about security risks and lack of verifiability.
To promote security, the entire voting system was implemented using a complex and verifiable cryptographic protocol, with no assumed trust between different system functions. To promote openness, the entire election system source code is publicly available, as well as most project documentation. The voting system would published the SHA-256 hashes of encrypted ballots on GitHub every hour, and detailed instructions were provided to voters on how to verify that their vote had been submitted.
In the run-up to the 2013 elections, the author audited the cryptographic Java implementation of the back-end election system, making a number of surprising findings. During the actual elections, a major encryption bug was discovered in the Javascript frontend code, potentially revealing the preferences of a large number of voters.
Most hackers and cryptographers are highly sceptical of Internet voting, due to legitimate security concerns. Even so, insufficient technical security, or even the perception of such, does not appear to be a main reason for why the project was discontinued.
The aim of this talk is twofold. First, we shall look at Norway's Internet voting project in its social and political context, highlighting the reasons why it came to be, and some of the key forces shaping the project throughout. Secondly, we discuss the findings, experiences and lessons learned from attempting to audit a large, public, complex and security-critical code base.