E-voting: An Acceptable Risk?
Project CSO Christian Bull
Background
…or not. We don’t have time for that!
Remote Voting Over The Internet
Legal requirements for remote e-voting
• The secrecy of the ballot cannot be compromised!
• Secrecy is retained by implementing the following:
– Allowing unlimited re-voting
– Votes cast in a controlled environment always supersede those cast uncontrolled (paper votes may supersede electronic votes)
– An e-voting system that does not reveal or retain any connection between voter and vote
– A good authentication mechanism
– E-voting only in the advance voting period
– Remote voting only as a supplement to paper voting
A quick overview of the solution
[Diagram: polling card; log on; submit vote; e-voting system; receipt code]
How does the system know who I am?
Authentiwhat?
• When you turn up at the polling station, you are required to identify yourself.
• Only since 2007 have you been required to produce an ID-card.
• This is analogous to the process of authentication to a computer system, for instance using an eID.
Important properties of a good eID
• It must be obvious to the user that this is an identity document.
• A voter should not be tempted to sell his voting credentials.
– It must have other uses than just e-voting.
– These other uses must be familiar and of value to the voter.
The Challenges of Remote e-voting
• Auditability / transparency to the lay person
• The buying and selling of votes
• Coercion / family voting
• Home computer security
• Anonymity of the vote
• Attacks scale
Transparent e-voting?
• Complete openness and transparency in all aspects of the project
• Available source code
– Unfortunately cryptography is really, really hard.
• Cryptographic proofs of correctness
– Even the voter gets one
– The good thing about crypto is that it’s all just maths
• Logging of all system events
Transparent e-voting?
• Obviously open source won’t make the system understandable to “everyone”
• …and extensive use of esoteric cryptography makes things worse…
• …but at least the lay person can choose which expert to trust.
• Besides, paper voting really isn’t that easy to understand either!
Communicating the crypto protocol
• The cryptographer behind it is working on a conceptual description which should be understandable for anyone with high school maths
• Amongst other things, we will try to integrate the protocol into maths education in high school.
Buying and selling of votes
• In practice this doesn’t scale
• The seller can re-vote
– Receipt for all cast votes, not only the final
• Votes submitted from a polling station will supersede any vote cast remotely
• Buyer would have to control seller’s eID
– Would require the voter to give up a lot more than his vote
Coercion/family voting
• The coerced can re-vote
– Receipt for all cast votes, not only the final
• Votes submitted from a polling station will supersede any vote cast remotely
• The system will never divulge that a previous vote has already been recorded
• If you accept that bastards are evenly distributed across the political spectrum, this doesn’t scale either.
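The re-voting and supersession rules from the vote-buying and coercion slides, shown as an added example that is not code from the e-voting project. It picks the one ballot per voter that goes on to counting; the record layout, names and sample data are hypothetical, and it assumes that among votes of the same kind the most recent one counts.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class CastVote:
    voter_id: str      # needed only to resolve re-votes; never passed on
    ciphertext: str    # encrypted ballot, treated as opaque here
    cast_at: datetime
    controlled: bool   # True = cast in a controlled environment (polling station)


def select_countable(votes):
    """Return one ciphertext per voter, with no voter identity attached.

    From the slides: re-voting is unlimited, and a vote cast in a controlled
    environment always supersedes votes cast remotely.
    Assumption (not on the slides): within the same kind, the latest vote wins.
    """
    best = {}
    for v in votes:
        cur = best.get(v.voter_id)
        # Compare environment first, time second: a polling-station vote wins
        # even when a remote vote carries a later timestamp.
        if cur is None or (v.controlled, v.cast_at) > (cur.controlled, cur.cast_at):
            best[v.voter_id] = v
    # Sorting by ciphertext removes arrival order, which could hint at identity.
    return sorted(v.ciphertext for v in best.values())


def sample_votes():
    """Constructed sample data: one coerced voter, one seller, one ordinary voter."""
    def at(day, hour):
        return datetime(2011, 9, day, hour)  # constructed dates
    return [
        CastVote("alice", "ct-coerced", at(1, 10), False),  # cast while observed
        CastVote("alice", "ct-free", at(1, 22), False),     # private re-vote, later
        CastVote("bob", "ct-sold", at(2, 9), False),        # cast for a buyer
        CastVote("bob", "ct-booth", at(1, 12), True),       # polling station, earlier
        CastVote("carol", "ct-only", at(3, 15), False),
    ]


if __name__ == "__main__":
    print(select_countable(sample_votes()))
```

A buyer or coercer who watches a vote being cast cannot tell from this selection step whether that vote will be the one counted, which is why the slides require receipts for every cast vote and not only the final one.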
Encryption and storage of the vote
[Diagram labels: Return Code Generator; Vote Collection Server; Voting client; Internet; Vote verification; Mix and count; Air gap]
Conceptual model
[Diagram labels: M of N key shares from parties with competing interests; Voter; Administrative system; Distribution of secrets]
Counting e-votes
[Diagram labels: Party A 2; Party B 1; “Cleansing service”; Mixing service; Decryption service]