Privacy and verifiability in electronic voting
Author
Abstract
Privacy and verifiability refer to fundamental principles of democratic elections and therefore belong to the set of established security requirements which each electronic voting scheme is expected to meet. However, very different ideas and opinions about privacy and verifiability exist in the scientific community, which shows that both properties are not well understood yet. Moreover, although the desired properties (captured by the security requirements) should be separated from the assumed adversary model (expressed by adversary capabilities), specific adversary capabilities are inherently assumed for the privacy-related security requirements of receipt-freeness and coercion-resistance, which complicates the analysis of voting schemes. The first part of this thesis presents a taxonomy for privacy and verifiability in electronic voting. We compile the conceivable levels of privacy and verifiability and investigate the relation between both properties. To this end, we introduce a conceptual model capturing both privacy and verifiability. We also provide a comprehensive adversary model for electronic voting by considering different adversary capabilities. The conceptual model, the levels of privacy and verifiability, and the adversary capabilities together form our taxonomy for privacy and verifiability in electronic voting. The presented taxonomy provides a deeper understanding of privacy and verifiability and their correlation in electronic voting. We show how the taxonomy can be used to analyze the security of voting schemes by identifying the level of privacy and verifiability provided depending on the adversary capabilities assumed. Moreover, the taxonomy allows one to select appropriate levels of the requirements for different types of elections, and to determine reasonable adversary models for individual election scenarios.
The second part of this thesis considers long-term aspects of verifiability in remote electronic voting. The lawfulness of any legally binding election must be provable for several years due to possible scrutiny proceedings. Therefore, specific documents such as the ballots must be retained. The election records are usually retained for the legislative period of the elected body; however, this period may be extended if scrutiny procedures are pending. Retention obligations apply not only to conventional paper-based elections, but also to remote electronic voting. But contrary to the case of paper-based elections, general regulations or guidelines on retention of remote electronic election data have not been issued so far. In particular, the question of which records should be retained is as yet unanswered. The second part of this thesis sets out to identify the election records that have to be retained in order to prove the proper conduct of a remote electronic election. We derive retention requirements for online elections from legal regulations which apply
Similar resources
Formalising security properties in electronic voting protocols
While electronic elections promise the possibility of convenient, efficient and secure facilities for recording and tallying votes, recent studies have highlighted inadequacies in implemented systems. These inadequacies provide additional motivation for applying formal methods to the validation of electronic voting protocols. In this paper we report on some of our recent efforts in using the ap...
Classifying Privacy and Verifiability Requirements for Electronic Voting
Voter privacy and verifiability are fundamental security concepts for electronic voting. Existing literature on electronic voting provides many definitions and interpretations of these concepts, both informal and formal. While the informal definitions are often vague and imprecise, the formal definitions tend to be very complex and restricted in their scope as they are usually tailored for spec...
Electronic Voting Protocols Based on Blind Signatures
In this paper, we review the electronic voting protocols based on blind signature scheme. These protocols try to fulfil the following electronic voting requirements: eligibility, privacy, receipt-freeness, fairness, accuracy, individual verifiability and universal verifiability. Some of them like eligibility and privacy are easily achieved by the nature of blind signatures; on the other hand, s...
An Information-Theoretic Model of Voting Systems
This paper presents an information-theoretic model of a voting system, consisting of (a) definitions of the desirable qualities of integrity, privacy and verifiability, and (b) quantitative measures of how close a system is to being perfect with respect to each of the qualities. It describes the well-known trade-off between integrity and privacy in this model, and defines a concept of weak priv...
Electronic voting with Scantegrity: analysis and exposing a vulnerability
This paper describes Scantegrity, an electronic voting system developed by Chaum et al. (2008b), and it analyses Scantegrity’s ability to satisfy the goals of privacy and verifiability. The paper describes a programmatic attack on Scantegrity and presents findings in the form of program output for a corrupted hypothetical election. The attack takes advantage of the inherent vulnerability of ele...