E-voting: An Acceptable Risk? Project CSO Christian Bull

Upload: christian-wernberg-tougaard

Post on 25-Dec-2014

Page 1: Christian bull eVoting

E-voting: An Acceptable Risk?

Project CSO Christian Bull

Page 2: Christian bull eVoting

Background

Page 3: Christian bull eVoting

Background

…or not. We don’t have time for that!

Page 4: Christian bull eVoting

Remote Voting Over The Internet

Page 5: Christian bull eVoting

Legal requirements for remote e-voting

• The secrecy of the ballot cannot be compromised!

• Secrecy is retained by implementing the following:

– Allowing unlimited re-voting

– Votes cast in a controlled environment always supersede those cast uncontrolled (paper votes may supersede electronic votes)

– An e-voting system that does not reveal or retain any connection between voter and vote

– A good authentication mechanism

– E-voting only in the advance voting period

– Remote voting only as a supplement to paper voting

Page 6: Christian bull eVoting

A quick overview of the solution

[Diagram. Labels: Polling card; Log on; Submit vote; E-voting system; Receipt code]

Page 7: Christian bull eVoting

How does the system know who I am?

Page 8: Christian bull eVoting

Authentiwhat?

• When you turn up at the polling station, you are required to identify yourself.

• Only since 2007 have you been required to produce an ID-card.

• This is analogous to the process of authentication to a computer system, for instance using an eID.

Page 9: Christian bull eVoting

Important properties of a good eID

• It must be obvious to the user that this is an identity document.

• A voter should not be tempted to sell his voting credentials.

– It must have other uses than just e-voting.

– These other uses must be familiar and of value to the voter

Page 10: Christian bull eVoting
Page 11: Christian bull eVoting

The Challenges of Remote e-voting

• Auditability / transparency to the lay person

• The buying and selling of votes

• Coercion / family voting

• Home computer security

• Anonymity of the vote

• Attacks scale

Page 12: Christian bull eVoting
Page 13: Christian bull eVoting

The Challenges of Remote e-voting

• Auditability / transparency to the lay person

• The buying and selling of votes

• Coercion / family voting

• Home computer security

• Anonymity of the vote

Page 14: Christian bull eVoting

Transparent e-voting?

• Complete openness and transparency in all aspects of the project

• Available source code

– Unfortunately cryptography is really, really hard.

• Cryptographic proofs of correctness

– Even the voter gets one

– The good thing about crypto is that it’s all just maths

• Logging of all system events

Page 15: Christian bull eVoting

Transparent e-voting?

• Obviously open source won’t make the system understandable to "everyone"

• …and extensive use of esoteric cryptography makes things worse…

• …but at least the lay person can choose which expert to trust.

• Besides, paper voting really isn’t that easy to understand either!

Page 16: Christian bull eVoting

Communicating the crypto protocol

• The cryptographer behind it is working on a conceptual description which should be understandable for anyone with high school maths

• Amongst other things, we will try to integrate the protocol into maths education in high school.

Page 17: Christian bull eVoting

The Challenges of Remote e-voting

• Auditability / transparency to the lay person

• The buying and selling of votes

• Coercion / family voting

• Home computer security

• Anonymity of the vote

Page 18: Christian bull eVoting

Buying and selling of votes

• In practice this doesn’t scale

• The seller can re-vote

– Receipt for all cast votes, not only the final

• Votes submitted from a polling station will supersede any vote cast remotely

• Buyer would have to control seller’s eID

– Would require the voter to give up a lot more than his vote

Page 19: Christian bull eVoting

The Challenges of Remote e-voting

• Auditability / transparency to the lay person

• The buying and selling of votes

• Coercion / family voting

• Home computer security

• Anonymity of the vote

Page 20: Christian bull eVoting

Coercion/family voting

• The coerced can re-vote

– Receipt for all cast votes, not only the final

• Votes submitted from a polling station will supersede any vote cast remotely

• The system will never divulge that a previous vote has already been recorded

• If you accept that bastards are evenly distributed across the political spectrum, this doesn’t scale either.
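
The re-voting and supersession rules from the vote-buying and coercion slides, written out as a cleansing step over stored ballots. This is an added example, not code from the presentation or the project; the record fields, the `submit` and `cleanse` names and the set `voted_in_controlled_env` (voters marked as having voted at a polling station) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RemoteBallot:
    voter_id: str     # known to the collection side only
    seq: int          # submission order (constructed for this example)
    ciphertext: str   # opaque encrypted vote; never decrypted here

def submit(ballot_box, ballot):
    """Store a remote ballot; the reply never depends on earlier ballots,
    so it cannot reveal that a previous vote has been recorded."""
    ballot_box.append(ballot)
    return {"status": "accepted"}

def cleanse(ballot_box, voted_in_controlled_env):
    """Return the ciphertexts that go on to mixing, without voter ids.

    Rules taken from the slides:
      * re-voting is unlimited, so only a voter's last remote ballot stands;
      * a vote cast in a controlled environment supersedes every remote
        ballot from that voter, whenever the remote ballots were cast.
    """
    last = {}
    for b in sorted(ballot_box, key=lambda b: b.seq):
        last[b.voter_id] = b            # later ballot replaces earlier one
    kept = [b.ciphertext for v, b in last.items()
            if v not in voted_in_controlled_env]
    # Sorting only hides submission order; it is not a substitute for mixing.
    return sorted(kept)

def demo():
    # Constructed sample. "alice" re-votes remotely after being pressured;
    # "bob" e-votes twice but also votes at a polling station; "carol"
    # e-votes once.
    box = []
    acks = [submit(box, RemoteBallot(v, i, c)) for i, (v, c) in enumerate([
        ("alice", "ct-a1"), ("bob", "ct-b1"), ("alice", "ct-a2"),
        ("carol", "ct-c1"), ("bob", "ct-b2")])]
    return acks, cleanse(box, voted_in_controlled_env={"bob"})

if __name__ == "__main__":
    print(demo())
```

Only alice's second ballot and carol's ballot reach the count; both of bob's remote ballots are dropped because his polling-station vote supersedes them.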

Page 21: Christian bull eVoting

The Challenges of Remote e-voting

• Auditability / transparency to the lay person

• The buying and selling of votes

• Coercion / family voting

• Home computer security

• Anonymity of the vote

Page 22: Christian bull eVoting

Encryption and storage of the vote

Page 23: Christian bull eVoting

Conceptual model

[Diagram. Labels: Voter Administrative system; Distribution of secrets; Voting client; Internet; Vote Collection Server; Return Code Generator; Vote verification; Air gap; Mix and count; M of N key shares from parties with competing interests]

Page 24: Christian bull eVoting

Counting e-votes

[Diagram. Labels: "Cleansing service"; Mixing service; Decryption service; Party A 2; Party B 1]