designing electronic voting

Post on 07-Apr-2018

213 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

  • 8/3/2019 Designing Electronic Voting

    1/73

  • 8/3/2019 Designing Electronic Voting

    2/73

Contents

Introduction ..... 3
  Aims of the Thesis ..... 4
  Acknowledgement ..... 5
  Notation ..... 5

1 System Analysis ..... 8
  1.1 Domain Model ..... 8
  1.2 Generic Requirements ..... 9
  1.3 Conventional Elections ..... 10
  1.4 Trust ..... 11
  1.5 On Revoking Ballots ..... 15
  1.6 E-voting Requirements ..... 15
    1.6.1 Functional Requirements ..... 15
    1.6.2 Non-functional Requirements ..... 18

2 System Design ..... 20
  2.1 Theoretical Basis ..... 20
    2.1.1 Model of the Real World ..... 21
    2.1.2 Electronic Voting Scheme ..... 21
    2.1.3 Public Key Infrastructure ..... 23
    2.1.4 Time-stamping ..... 26
    2.1.5 Bulletin Board ..... 26
    2.1.6 Threshold Encryption and Signature ..... 27
    2.1.7 Implementations of EVS ..... 30
    2.1.8 On the Freedom of Choice ..... 34
  2.2 Designing Framework ..... 35
    2.2.1 Real World Model ..... 35
    2.2.2 Computing Device ..... 36
    2.2.3 Software ..... 38

    2.2.4 Threshold Trust ..... 38
    2.2.5 Connection ..... 40
    2.2.6 PKI ..... 44
    2.2.7 Time-stamping ..... 47
    2.2.8 Summary ..... 47
  2.3 Design for Bulletin Board ..... 48
    2.3.1 Some Simple Ideas ..... 49
    2.3.2 Synchronous Environment ..... 50
    2.3.3 Asynchronous Environment ..... 51
    2.3.4 Practical Solutions ..... 52
  2.4 Design Pattern for E-voting System ..... 53
    2.4.1 Computing Result ..... 57
    2.4.2 Meta Process ..... 61
    2.4.3 Design for Single Authority EVS ..... 61
    2.4.4 Design for Multiple Authority EVS ..... 63
    2.4.5 Conclusions ..... 65

3 Summary ..... 66

Resumee (In Estonian) ..... 68

Bibliography ..... 69


Introduction

Recently, the topic of implementing electronic voting (e-voting) has become very popular: multiple workshops have been held, there are firms that provide corresponding services, real attempts at e-voting have taken place, and the media is eagerly covering the topic. The main purpose of electronic elections is to allow voters to vote from as many locations as possible, ideally from their personal computing devices. An intermediate option would be to deploy specialized computers (kiosks) everywhere, as ATMs (automated teller machines) currently are. The communication medium would probably be the Internet or something similar. The justification is that it would be more convenient, which would increase voter turnout. Also, one might expect that in the future e-voting would become less expensive than conventional voting. At the current time e-voting is viewed as a complement to conventional elections because, for instance, not all people have access to computers and the Internet (or the skills to use them).

Despite its tempting simplicity, this problem is much more complex than it seems at first. The main issues are security and reliability. The problem of organizing e-voting consists roughly of three parts:

Solving the problem mathematically, which includes formulating a model of the real world (e.g. formalizing the notion of trust), stating requirements, and finally finding a mathematical construction and proving that it satisfies these requirements. Such a construction is called an electronic voting scheme (EVS): a collection of protocols and algorithms which implement e-voting within the formulated model of the real world. I will call all this theoretical activity.

Provided there is an EVS, it needs to be implemented. In particular, the real world model that was used must be implemented. Besides that, an EVS usually has a relatively simple structure (while nevertheless being mathematically complex), which assumes some inputs and produces some outputs. It does not consider the process of preparing the input data and consuming the output data. Also, e-voting must somehow be integrated into the existing conventional voting


process. A real implementation must consider the whole iterative process of organizing elections. I will call this technical activity.

Finally, e-voting will inevitably differ from conventional elections: the voter must perform different actions, there are different (and probably bigger) security threats, different demographic groups have different levels of access to the Internet, etc. For this reason politicians and sociologists must evaluate the impact of e-voting on the democratic process, decide whether it is useful at all, and provide suggestions for what should be changed. Besides that, laws must be changed to accommodate e-voting in the conventional voting process. I will call this political activity.

Theoretical activity belongs to the field of cryptography and has lasted for at least twenty years. The most influential papers in this field are (personal opinion): [Cha81], [Ben87], [BT94], [CGS97]. The reader can find a partial overview of this topic in my semester work [Myr00]. Basically, it can be said that there exist solutions of acceptable security and complexity, although there is enough room for further advances.

A number of firms provide e-voting solutions. The most well-known of them are probably [VoteHere.net] and [Election.com]. The first of them provides (at least) some description of their technology and is based on [CGS97], which is a good cryptographic construction. The second of them, on the other hand, has received more media attention, but does not present any description of their technology on their web site (which is a disadvantage, in my opinion).

A number of workshops have been conducted which concentrated on political and technical aspects: the National Workshop on Internet Voting [IPI], the Voting Integrity Project [VIP], and the California Internet Voting Task Force [CIVTF]. Their major finding is that although there is enough theoretical basis for implementing e-voting, technologically it is not possible to make the systems secure enough. The biggest problem is the insecurity of conventional personal computers and the Internet. At the same time they propose using e-voting kiosks in the near future.

Aims of the Thesis

This thesis can be viewed as a continuation of my semester work [Myr00], where I dealt with the theoretical problems of e-voting. In this work I will concentrate on the technical aspect: I will try to formulate requirements for the system and outline the system design. Software engineering ideology and notation (UML) will be followed throughout the text.


Although it is clear that the risks of voting from ordinary PCs over the Internet are too high, it is still interesting to design an e-voting system and see where and why these risks come up.

Acknowledgement

I would like to express my gratitude to Helger Lipmaa for introducing me to this subject and motivating me to deal with it and also