A distributed-responsibility electronic voting system

Alan Ward
Associate professor, University of Andorra
Plaça de la Germandat, Sant Julià, Co-principality of Andorra
[email protected]

Abstract

In this paper a possible way of building a remote voting system is described, based on freely available commercial-grade software technologies. Because it is accessed remotely over untrusted Internet transmissions, it has the advantages of easy access and speed of use that kiosk-based systems lack, and so may help reduce voter abstention. At the same time, it is immune to most deficiencies that have been described in the past, including lack of trustworthiness of the results. Our system uses public/private key pair cryptography, distributes responsibilities among several independent servers, and enables the vote to be verified both by the voter and by an independent organization. It is also possible to implement redundancy in the system described.

Keywords: remote voting, distributed system, redundancy, voter abstention, vote verifiability.

Introduction

Electronic voting systems have been implemented in several countries over the last decade, some of them based on a voting machine, or kiosk, set up in an ordinary polling station (United States, Ireland), others on access to a voting server through the Internet (Switzerland, or Estonia as described in [Drechsler 2003]). The reasons for introducing this variation on classical physical voting have been described, and contradicted, in many places. Suffice it to say that the most compelling is enabling people to vote who either have physical disabilities or are unable to attend a polling station in person for some other reason. This seems reasonable in a world in which computer literacy and access to the Web are reaching high proportions of the population in many countries, and in which commercial cryptography has had some years of use on the Internet in which to mature.
Since the 2000 US presidential election, and more specifically the contentious handling of the situation in Florida, many people have expressed justified concern about electronic voting systems. In the US, Dr. Rebecca Mercuri [Mercuri 2002] is well known for her positions. In Ireland, McGaley and Gibson [McGaley 2003] have criticized a similar system, for similar reasons. On the other hand, the Geneva Chancellery's experience of voting by Internet has led to better results, as expressed on their web site [Geneva]. In response to this situation, Keller and others have analyzed the needs and aims of a trustworthy electronic voting system, set out in [Keller 2004]. In [Lee 2002], the main requirements are accepted to be:
- privacy (anonymous voting),
- completeness (all valid votes are counted),
- soundness (no invalid vote is counted),
- non-reusability (no voter can vote twice),
- eligibility (no one who is not allowed to vote can vote).
To these, I would like to add:
- verifiability of the results (independent third parties may verify the correctness of the result).

In this paper a system is described which, based on present-day commercial technology used on the Internet for commercial purposes, aims at solving most of the drawbacks found in existing systems. Unlike previous systems, it relies neither on specific electronic hardware, which tends to be expensive, nor on cryptographic algorithms specially designed for this purpose, which are not always easily comprehensible to non-specialists. After defining the specific terms used in the context of electronic voting, the system, based on Internet technologies, is described. In each section, the desirable characteristics and requirements are analyzed, and we examine the sensitivity of the system as a whole to attacks and other quirks of the Internet.

Parts of this work owe much to [Kofler 2003] as regards their two-stage algorithm, and to [Joaquim 2003] and [Lebre 2004] for REVS, the Robust Electronic Voting System.

Definitions

I would like to define the following terms, as used here:

Voter: a physical person legally authorized to vote.

Authorizing organization: the organization that authorizes a Voter; that is, that certifies that this particular person is allowed to vote in a certain constituency on a certain date. It would probably be the same organization that has the authority to authorize a candidate to stand.

Polling organization: the organization that accepts valid votes and publishes the results at a later time. It is responsible for accepting valid votes from the Voter and presenting a true count to the public after the vote has taken place.

Verifying organization: an independent organization that verifies that voting is carried out correctly, specifically as regards the correct counting of all votes.

The three organizations are ideally different, independent bodies. Local councils could authorize voters, while Parliament organizes the polling servers and the process is verified by an international body of observers, for example. The main basis of the system described is the separation of responsibilities, so that any attack or misuse must affect more than one part, making it much less probable or possible.

Authorizing the Voter to vote

We suppose that all organizations have public Web servers and hold well-known public certificates that the Voter can verify through commercial certificate authorities such as VeriSign (Mountain View, CA, USA) or Thawte (Cape Town, South Africa). All electronic communications with the Voter are made over encrypted SSL (Secure Sockets Layer) links.
It is further supposed that the organizations' servers are linked through trustworthy dedicated channels, which is easy to arrange since their number is small. Before the actual vote, the Voter must obtain a certificate from the Authorizing Organization in order to authenticate him- or herself. This certificate is the electronic equivalent of the elector's card required in some countries in order to vote, and contains:
- an RSA (Rivest, Shamir, Adleman) public/private key pair;
- a certificate identifying both the holder and the constituency in which he or she may vote.

The key pair should be protected with a shorter, human-memorable password, known in cryptographic terms as a pass phrase. To sidestep the problems of the insecure computing platforms used by most voters (see [Rivest 2002] on this point), it is suggested that any software needed for voting be bundled together with the certificate on a single CD. The software should either know the public certificates assigned to each server, or have channels permitting their verification (the server of a Certification Authority). The software could be modeled on the Java classes used by some banks for on-line account access, which is safer than a mere HTTPS password login session. Note that the CD mitigates but does not remove the platform problem: malicious software already running on the Voter's machine can still capture the pass phrase or alter the choice before it is signed. The CD should be delivered to the Voter through a secure channel: he or she must go to an official and show proof of identity in order to receive the bundle, and the transfer would naturally be recorded. Electronic transmission does not seem sufficiently secure for delivering the certificate. To impersonate the Voter, a third party would need both a copy of the CD (in order to have the RSA private key) and the pass phrase. A Voter whose certificate has been compromised can always inform the Authorizing Organization, so as to have the previous certificate revoked and a new one delivered.

Certificates could be generated and changed automatically at regular intervals, though perhaps not for every election, as that would defeat the purpose of not having to make a visit in person. For example, a certificate issued for a general election could be deemed valid for the four- to six-year term that a government serves.

Figure 1: System architecture

Getting a ballot

The requirement at this stage is to ensure that the Voter really has the right to vote, and has not yet voted. The period for voting should be long enough to resolve any major technical problems. Those arising within the system itself can be foreseen and prepared for, but the Internet is a complex melting pot of technologies and personal and corporate interests, and one can never quite know what will happen next. If, on the other hand, the period for electronic voting is set before that for the physical vote, Voters who have tried but not succeeded in voting electronically may use the traditional means as a fall-back. In many countries, a period of postal voting takes place before the vote itself, and it is suggested that this period would be appropriate for voting through the Internet: in case of technical problems, there is sufficient time to find a solution before the period ends.

During this period, the Voter can initiate the vote at any time by selecting a polling server, as in action 1 of Figure 1. Owing to the unreliability of the Internet, it is important that the Voter make sure he or she can contact a polling server before requesting a ballot. Several polling servers may be provided to spread the load, with their results consolidated at the end of the vote.

In action 2, the Voter identifies him- or herself to the Authorizing Organization, which knows who may vote and who has already voted, and in action 3 is delivered a ballot valid for a limited time and for the polling server chosen by the Voter. The ballot is an RSA public/private key pair in the form of a numbered X.509 certificate. The Voter is sent both keys, while the Polling Organization gets only the public key. Note that, since the Authorizing Organization generates the pair, it also holds the ballot private key; having the Voter's software generate the pair locally and submit only the public key for certification would avoid this. The reasons for limiting the ballot in time are the following:
1. A possible attack is to use a packet sniffer on the Internet to intercept the ballot so that a third party can use it to impersonate the Voter. Even though encrypted links are difficult to break, it is possible in theory, given sufficient computing power and enough time. If we reduce the period for which a ballot is valid, we also reduce the window in which an intercepted ballot could be used for malicious purposes. In practice, breaking the link encryption is the least likely route; a ballot copied from a compromised client machine is the more realistic threat, and the time limit bounds that exposure as well.
2. An eventuality that seems more probable is a transmission failure, either between the Authorizing Organization and the Voter, or further on between the Voter and the Polling Organization's server. In this case the Voter ends up not receiving a receipt, and can try again a little later, when the ballot has timed out and a new one can be issued.

The Voter votes

The requirement here is to ensure that the Voter's identity can be unlinked from the vote; i.e. we want the vote to be anonymous. Paradoxically, this is perhaps easier to ensure on the Internet than in "real life", since the physical presence of the Voter is not needed. However, we must make sure that neither the Authorizing Organization nor the Polling Organization holds complete data on both the Voter's identity and the vote. In action 4, the Voter signs the vote with the private key from the ballot and sends it to the Polling Organization's server.
The Polling Organization can then verify the vote's authenticity using the public key sent by the Authorizing Organization. It should be noted that:
- the Authorizing Organization knows the Voter's identity and the ballot number;
- the Polling Organization knows the ballot number and the content of the vote.
To compromise the Voter's anonymity, both organizations would need to share information, so we must take the necessary measures to ensure their complete independence from each other.

Triple confirmation of the vote

At this point the vote itself has taken place, but it cannot yet be considered completely valid. We now need to pursue the remaining requirements of verifiability and non-reusability. The Voter must not be able to vote twice; at the same time, it should be possible both for the Voter to ensure that the vote cast has not been altered, and for the Verifying Organization to hold a separate count of the votes.

In action 5, the Polling Organization sends the ballot certificate, signed, back to the Authorizing Organization. This must be done within the time limit given: the Authorizing Organization now knows that this Voter has really voted. He or she is marked as such, and an acknowledgment is sent back to the polling server, which can then mark the vote as confirmed. All communications between these organizations are identified uniquely by the ballot number. We thus obtain non-reusability.

In action 6, the Polling Organization strips the vote of its signature and sends it to the Verifying Organization, which signs it with its own private key. The Verifying Organization cannot send the vote directly back to the Voter, as to do so it would need to hold both the vote and a clue to the Voter's identity (the IP address), which is unacceptable for the requirement of anonymous voting. It therefore sends, in action 7, the signed vote back to the Polling Organization over the same connection by which it was received. For this receipt to tell the Voter anything, what the Verifying Organization signs must be tied to this particular vote, for instance by including the ballot number; a signature over the bare choice alone could be satisfied by any vote for the same candidate.
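The exchange of actions 1 to 7 above, including the Voter's check of the receipt that the Polling Organization passes back, as an added example that is not part of the paper (Python, standard library only). Signatures are textbook RSA over a SHA-256 digest with toy keys built from Mersenne primes, standing in for the X.509 certificates and the padded signature scheme a deployment would use; the ballot numbering, the 600-second ballot lifetime, the "ballot_no:choice" receipt format, the electoral roll and the voter names are all assumptions of the example. The run exercises eligibility (an unknown voter gets no ballot), non-reusability (a second ballot request after voting is refused), the ballot time-out and retry of point 2 above, soundness (a vote signed with a key the Authorizing Organization never issued is rejected), and the separation of knowledge: the Authorizing Organization's records hold identities and ballot numbers, the Polling Organization's hold ballot numbers and choices.

```python
# Added example (not the paper's code): actions 1 to 7 of the protocol, simulated.
# Signatures are textbook RSA over a SHA-256 digest, no padding, with toy keys from
# Mersenne primes so only the standard library is needed; a deployment would use
# X.509 certificates and RSA-PSS from a vetted library. Ballot numbers, BALLOT_TTL
# and the receipt format "ballot_no:choice" are assumptions of this example.
import hashlib
import itertools
from collections import Counter

E, BALLOT_TTL = 65537, 600                 # RSA public exponent; ballot lifetime in seconds
# Six distinct key pairs from consecutive Mersenne primes (certainly prime), cycled.
_MERSENNE = [2 ** k - 1 for k in (31, 61, 89, 107, 127, 521, 607, 1279, 2203, 2281, 3217, 4253)]
_PAIRS = itertools.cycle(zip(_MERSENNE[::2], _MERSENNE[1::2]))

def make_key():                            # returns ((n, e), (n, d))
    p, q = next(_PAIRS)
    phi = (p - 1) * (q - 1)
    return (p * q, E), (p * q, pow(E, -1, phi))

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):                       # priv = (n, d)
    return pow(_digest(msg, priv[0]), priv[1], priv[0])

def verify(pub, msg, sig):                 # pub = (n, e)
    return pow(sig, pub[1], pub[0]) == _digest(msg, pub[0])

class VerifyingOrg:
    def __init__(self):
        self.pub, self._priv = make_key()  # self.pub is what the Voter's CD carries
        self.tally = Counter()             # the independent count published in action 9

    def countersign(self, ballot_no, choice):          # actions 6-7
        self.tally[choice] += 1
        return sign(self._priv, f"{ballot_no}:{choice}".encode())  # receipt bound to this ballot

class AuthorizingOrg:
    def __init__(self, eligible, polling):
        self.eligible, self.polling, self.voted = set(eligible), polling, set()
        self.issued = {}                   # ballot_no -> (voter, expiry); never the vote

    def issue_ballot(self, voter, now):                # actions 2-3
        if voter not in self.eligible or voter in self.voted:
            return None
        ballot_no, (pub, priv) = len(self.issued) + 1, make_key()
        self.issued[ballot_no] = (voter, now + BALLOT_TTL)
        self.polling.known[ballot_no] = (pub, now + BALLOT_TTL)   # public key only, trusted link
        return ballot_no, priv

    def confirm(self, ballot_no, now):                 # action 5
        voter, expiry = self.issued[ballot_no]
        if now > expiry or voter in self.voted:
            return False
        self.voted.add(voter)
        return True

class PollingOrg:
    def __init__(self, verifying):
        self.verifying, self.authorizing = verifying, None
        self.known, self.votes = {}, {}    # ballot_no -> (pub, expiry); ballot_no -> choice, no identity

    def cast(self, ballot_no, choice, sig, now):       # action 4; returns the signed receipt or None
        if ballot_no not in self.known or ballot_no in self.votes:
            return None
        pub, expiry = self.known[ballot_no]
        if now > expiry or not verify(pub, choice.encode(), sig):
            return None
        if not self.authorizing.confirm(ballot_no, now):
            return None
        self.votes[ballot_no] = choice
        return self.verifying.countersign(ballot_no, choice)

def voter_vote(ao, po, vo_pub, voter, choice, now, cast_at=None):
    """Voter side: request a ballot, sign the choice, submit it, check the receipt."""
    ballot = ao.issue_ballot(voter, now)
    if ballot is None:
        return "no ballot"
    ballot_no, priv = ballot
    receipt = po.cast(ballot_no, choice, sign(priv, choice.encode()), now if cast_at is None else cast_at)
    if receipt is None:
        return "rejected"
    return "verified" if verify(vo_pub, f"{ballot_no}:{choice}".encode(), receipt) else "bad receipt"

def run_election(t=1000):
    po = PollingOrg(VerifyingOrg())
    ao = po.authorizing = AuthorizingOrg({"alice", "bob", "carol"}, po)   # constructed electoral roll
    vo_pub = po.verifying.pub
    outcomes = {
        "mallory": voter_vote(ao, po, vo_pub, "mallory", "A", t),                    # not eligible
        "alice": voter_vote(ao, po, vo_pub, "alice", "A", t),
        "alice again": voter_vote(ao, po, vo_pub, "alice", "B", t + 10),             # already voted
        "bob late": voter_vote(ao, po, vo_pub, "bob", "B", t, cast_at=t + BALLOT_TTL + 1),  # timed out
        "bob retry": voter_vote(ao, po, vo_pub, "bob", "B", t + BALLOT_TTL + 5),     # fresh ballot
    }
    carol_no, _ = ao.issue_ballot("carol", t)          # attacker signs with a key the AO never issued
    outcomes["forged"] = po.cast(carol_no, "A", sign(make_key()[1], b"A"), t)
    return outcomes, dict(Counter(po.votes.values())), dict(po.verifying.tally), sorted(ao.voted)
```

Calling `run_election()` returns the per-voter outcomes, the Polling and Verifying Organizations' tallies (which must agree) and the set of voters the Authorizing Organization has marked as having voted. The only value the three records share is the ballot number, which is exactly the link that collusion between organizations would exploit; the receipt signs the ballot number together with the choice so that the Voter's check cannot be satisfied by some other vote for the same candidate.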
The receipt is then sent back to the Voter. Using the public key of the Verifying Organization held on the CD, he or she can verify the signature and see that the vote has indeed been registered in an unaltered form. Finally, in actions 8 and 9, both the Polling Organization and the Verifying Organization publish independent results, consolidating if necessary the votes registered by different physical servers.

Conclusions and further remarks

In this paper, a system by which commercial-grade software can be used to organize a vote through the Internet is described. Unlike previous systems, it uses neither ad hoc hardware nor purpose-built cryptographic algorithms.

The system is based on distributed responsibilities between organizations. It is necessary to ensure in practice the complete independence of the three organizations: Authorizing, Polling and Verifying. The requirements of remote voting are met: privacy, completeness, soundness, non-reusability and eligibility, with particular attention given to anonymous voting and the verifiability of the results.

One type of attack that is only partly treated in this paper is denial of service. Two of the servers used, those of the Polling and Verifying Organizations, are easy to replicate to ensure redundancy. This technique is used by many large organizations to protect their information systems at Internet scale: if one or more servers are attacked, others can replace them, giving service at a local level for a time. However, replicating the server of the Authorizing Organization could make it difficult to ensure data consistency between servers as to who has voted and who has not.

A further problem not addressed in this paper is the possibility of physical or electronic coercion (see [Juels 2002]), or other forms of vote buying, though it should be noted that many of these also arise in postal voting. The signed receipt of action 7 makes this harder rather than easier to address, since it lets a Voter prove to a third party how he or she voted. It would seem that such practices cannot be prevented by purely electronic means where a remote voting system is used; confirmation or refutation of this would be useful.

Finally, the question of cost could be discussed further. Kiosk-based systems are very expensive, as they add the cost of the machinery to that of opening and staffing physical polling stations. They do, however, reduce the cost of counting votes considerably while accelerating the process. The remote voting system proposed would incur costs both to produce the individual CDs and to maintain the servers.
It is believed that these costs would be rather low, as the technology used is commonplace and cheap, and existing services and staff can be used to distribute the CDs. A more complete economic study could yield more precise figures for a voting population of a given size.

References

[Acquisti 2004] Acquisti A., Receipt-Free Homomorphic Elections and Write-in Ballots, Carnegie Mellon University, 2003 rev. 2004
[Byers 2004] Byers S., Rubin A., Kormann D., Defending against an Internet-based Attack on the Physical World, ACM Transactions on Internet Technology, 2004
[Chaum 2004] Chaum D., Secret-Ballot Receipts: True Voter-Verifiable Elections, IEEE Security and Privacy, Jan/Feb 2004
[Drechsler 2003] Drechsler W., The Estonian E-voting Laws Discourse: paradigmatic benchmarking for Central and Eastern Europe, 2003
[Joaquim 2003] Joaquim R., Zúquete A., Ferreira P., REVS – a Robust Electronic Voting System, 2003
[Juels 2002] Juels A., Jakobsson M., Coercion-Resistant Electronic Elections, 2002
[Keller 2004] Keller A., Mertz D., Hall J., Urken A., Privacy Issues in an Electronic Voting Machine, 2004
[Kofler 2003] Kofler R., Krimmer R., Prosser A., Electronic Voting: Algorithmic and Implementation Issues, Proceedings of the 36th Hawaii International Conference on System Sciences, 2003
[Kohno 2003] Kohno T., Stubblefield A., Rubin A., Wallach D., Analysis of an Electronic Voting System, Johns Hopkins TR-2003-19
[Kwangjo 2001] Kwangjo K., Kim J., Lee B., Ahn G., Experimental Design of Worldwide Internet Voting using PKI, 2001
[Lebre 2004] Lebre R., Joaquim R., Zúquete A., Ferreira P., Internet Voting: improving resistance to malicious servers in REVS, IADIS International Conference on Applied Computing, 2004
[Lee 2002] Lee B., Kwangjo K., Receipt-free Electronic Voting Scheme with a Tamper-Resistant Randomizer, 2002
[McGaley 2003] McGaley M., Gibson J., Electronic Voting: A Safety Critical System, National University of Ireland, Maynooth, 2003
[Mercuri 2002] Mercuri R., A Better Ballot Box?, IEEE Spectrum Online, Oct. 2, 2002
[Rivest 2002] Rivest R., Electronic Voting, MIT, 2002
[Vora 2005] Vora P., David Chaum's Voter Verification using Encrypted Paper Receipts, 2005
[Weiler 2000] Weiler N., Plattner B., Secure Anonymous Protocols for Local and Multicast Environments, 2000

Web pages

[Geneva] État de Genève, www.geneve.ch/evoting/
Lorrie Cranor's Electronic Voting Hot List, lorrie.cranor.org/voting/hotlist.html
Mercuri R., Electronic Voting, www.notablesoftware.com/evote.html
