Norwegian internet voting protocol revisited: ballot box and receipt generator are allowed to collude.

Norway experienced internet voting in 2011 and 2013 for municipal and parliamentary elections, respectively. Its security depends on the assumptions that the involving organizations are completely independent, reliable, and the receipt codes are securely sent to the voters. In this paper, we point out the following aspects: The vote privacy of the Norwegian scheme is violated if Ballot Box and Receipt Generator cooperate because the private key of Decryption Service can be obtained by the two former players. We propose a solution to avoid this issue without adding new players. To assure the correctness, the receipt codes are sent to the voters over a pre-channel (postal service) and a post-channel (Short Message Service [SMS]). However, by holding both SMS and the postal receipt code, a voter can reveal his vote even after the elections. Albeit revoting is a fairly well solution for coercion or concealment, intentional vote revealing is still a problem. We suggest SMS only for notification of vote submission. In case the codes are falsely generated or the pre-channel is not secure, a vote can be counted for a different candidate without detection. We propose a solution in which voters verify the integrity of the postal receipt codes. Copyright (C) 2016 John Wiley & Sons, Ltd.