220 likes | 394 Views
How to create trust in electronic voting over an untrusted platform A possible solution and its implications with regard to the Recommendation. Gerhard Skagestein University of Oslo Development in the field of e-voting Council of Europe Strasbourg 23-24 November 2006. The background.
E N D
How to create trust in electronic votingover an untrusted platformA possible solution and its implications with regard to the Recommendation Gerhard SkagesteinUniversity of Oslo Development in the field of e-voting Council of Europe Strasbourg 23-24 November 2006
The background • In 2004, the Norwegian Ministry of Local Government and Regional Development appointed a working group for giving recommendations on the future of electronic elections in the country. • The results were published in January 2006, see the reportElectronic voting – challenges and possibilities – see http//:www.e-valg.dep.no • This presentation discusses one important topic in the report, namely how to achieve trust in e-voting over an insecure system like a home PC connected to Internet.
Some basic principles The working committee maintains that • Traditional paper voting should coexist with e-voting • e-voting should be available only during the advanced voting period (called phase 1)) • i.e.: No e-voting on Election Day (called phase 2) • Same technological solution for e-voting in both supervised and unsupervised environments • Same program –> same user interface, same operational procedures, same security measures, less amount of programming code to maintain, test and certify • i.e. a technical solution must be feasible in unsupervised environments, even though it may be used only in supervised environments
e-voting in supervised environments Voter Votingclient Ballot-receiving server Ballots Datanet Datanett Verifi-cationlog Supervised environment, trusted system
e-voting in unsupervised environments • How can we achieve the voters trust in the complete system when a part of it is not trustworthy? • How can we establish a trustworthy Verification log? Voter Votingclient Ballot-receiving server Ballots Datanet Datanett Verifi-cationlog Untrusted system Unsupervised environment, partly untrusted system,voter has no possibility for immediate inspection of the verification log
Some observations… • If you have something that you do not completely trust, you compensate by trying to build in security into the levels above • Why do we trust Internet banking? • we can check the statement of account • if something goes wrong, the bank takes the blame(usually).
Possible e-voting solutions • Redundancy:Let the voter send several ballots, possible through different channels, and let the system compare notes • Cumbersome for the voter • The voter may still feel insecure • Feedback control:Let the voter inspect the ballot as it is registered in the trusted part of the system(analogous to checking the statement of account in Internet banking)
Feedback through another channel • But what about the secrecy of the vote?(The Recommendation, Standard 17) Ballot-inspecting server SMS-net SMS - nett Voter Votingclient Ballot-receiving server Ballots Datanet Datanett Verifi-cationlog Untrusted systems Trusted system
Multiple casting of ballots • Voter is allowed to send several ballots – only the last one is regarded as the e-vote • Voter may override any e-vote by a traditional paper ballot on Election day Ballot-inspecting server SMS-net SMS - nett Voter Votingclient Ballot-receiving server Ballots Datanet Datanett Vote-extracting server Verifi-cationlog Untrusted systems Run only when election is closed Votes
On Election Day… • … the Election officials will have access to an updated Voter register, where the e-voters have been marked • When an e-voter shows up in the polling station, the Election official will send an ”annul-ballot”-message to the e-voting system before allowing the voter to vote by traditional means (i.e. anonymous paper ballot in a supervised environment)
Several ballots from the same voter? • Why? • Alleviates the ”family-voting” problem • Alleviates the vote-buying/selling problem • Maintains a certain level of secrecy – even when ballot-inspection is possible …because nobody can know whether the current ballot will be the final one • Technically, it comes next to free – as a side effect of the mechanism to ensure only one valid vote from each voter • Why not? • May reduce the solemnity of voting • Must maintain the connection between the voter and the ballot until the end of the election (increased risk of loss of secrecy)
What about the secrecy of the vote? Wouldn’t this solution increase the risk for disclosing the secret vote to other people? Yes, but • the ballot-inspection server should authenticate the voter just as thoroughly as the ballot-receiving server • with the session key (see later), the ballot can only be inspected, not modified • it is the responsibility of the voter to keep the session key unavailable to other people • if the ballot is disclosed, there is no way to know whether this is the final ballot and the vote to be counted
The technical solution • The technical solution builds upon the principle of hybrid cryptography
The hybrid crypto principle • Symmetric cryptography: The same key is used for encryption and decryption of the message • Asymmetric cryptography: One key of a key pair is used for encryption, the other key of the key pair for decryption of the message • Hybrid cryptography:The message is encrypted symmetrically by a randomly selected session key, which is then encrypted asymmetrically.To decrypt, the session key is decrypted asymmetrically, then the message is decrypted symmetrically with the session key.
The session key • Hybrid crypto with a session key is traditionally used for efficiency reasons • In this solution, we use the session key also to allow the voter to inspect his registered ballot • To be able to inspect the ballot, the voting client must keep the session key • For inspecting the ballot through other channels, the session key must be transferable to the client on the other channels
Electronic voting with ballot-inspection Encrypting with the public key of election event Digitally signed, encrypted ballot Encryptedballot Digital signing with voter’s private key Encrypting with the session key Ballot Ballot database Removing outer envelope with voters public key Decrypting ballot with the session key Election event key pairVoter’s key pair Session key Vote counting Ballot(as registered) G. Skagestein et. al: How to create trust in electronic voting over an untrusted platform.In Krimmer, R. (Ed.): Electronic Voting 2006, GI Lecture Notes in Informatics, P-86, Bonn, 2006.
Envelope opening Ballot database Voterregister Vote extraction Decrypting the session key with the private key of the election event Verification of digital signature with voters public key Votes Decrypting the votes with the session keys Encrypted anonymouse-votes List of e-votersto be marked inthe voter register e-votesto be counted
annul Architecture of the e-voting system Ballotforms Voterregister Verifi-cationlog Fire-wall Ballot-storage server Ballot-receiving server Datanet Datanett Voter Voting client Ballot-inspection server SMS-net SMS - nett Ballots Untrusted system Voterregister Ballot-annulling server annuling (”red”)envelope annul-ballotmessage Election official to the vote-counting system
annul Election is closed – time to count From the e-voting system Ballots in case of distributed storage of ballots Integration of ballot files Voterregister Checkedvoterregister Valid-vote extracting server Electronic ballot box constituency Securitymodule Vote-counting server Private key ofelection event Electronic votes list
Identification and authentication of the voter • Identification and authentication of the voter should be done by a generally available PKI-system (citizen identity card) • cheaper that a special purpose election credential • the voter will not be tempted to sell it • The e-vote may be connected to the voters real identity, or to a derived pseudo-identity • the working committee recommends using the real identity, since this makes the annulment of e-votes on Election Day easier if the voter wants to cast a paper ballot
Basic Design Principles • e-voting is allowed in phase 1 only • Repeated casting of e-ballots is allowed – last ballot counts(The Recommendation Standard 5?) • The e-voter is allowed to inspect his e-ballot as it is registered(The Recommendation Standard 17?) • Traditional voting with paper ballots in supervised environments on Election Day (phase 2) is maintained • Any paper ballot takes precedence over the e-ballot
Summary • We have shown that by relaxing the requirement for an absolute secrecy of the vote, the vote as registered may be inspected by the voter • This possibility for inspection gives the voter trust in the untrusted part of the system • The loss of secrecy is compensated by the possibility to revote, even by traditional means on Election Day • The Election Day should be kept free of any kind of e-voting • The coexistence of e-voting and traditional paper ballot voting makes a soft transition possible • The solution complies with the intentions of the Recommendation, although not always with its wording. • Some rewording in the Recommendation?