How to create trust in electronic voting over an untrusted platform

A possible solution and its implications with regard to the Recommendation

Gerhard Skagestein, University of Oslo

Development in the field of e-voting
Council of Europe, Strasbourg, 23-24 November 2006

© G. Skagestein November 2006


The background

In 2004, the Norwegian Ministry of Local Government and Regional Development appointed a working group to give recommendations on the future of electronic elections in the country.

The results were published in January 2006 in the report Electronic voting – challenges and possibilities, see http://www.e-valg.dep.no

This presentation discusses one important topic in the report, namely how to achieve trust in e-voting over an insecure system such as a home PC connected to the Internet.


Some basic principles

The working committee maintains that:

Traditional paper voting should coexist with e-voting

e-voting should be available only during the advance voting period (called phase 1)

i.e.: no e-voting on Election Day (called phase 2)

The same technological solution for e-voting in both supervised and unsupervised environments

o Same program –> same user interface, same operational procedures, same security measures, less program code to maintain, test and certify

o i.e. the technical solution must be feasible in unsupervised environments, even if it is used only in supervised environments


e-voting in supervised environments

[Diagram: Voter – Voting client – Data network – Ballot-receiving server – Ballots, with a Verification log the voter can consult. All components are in a supervised environment and form a trusted system.]


e-voting in unsupervised environments

How can we achieve the voter's trust in the complete system when a part of it is not trustworthy?

How can we establish a trustworthy Verification log?

[Diagram: the same chain Voter – Voting client – Data network – Ballot-receiving server – Ballots – Verification log, but the voter's end (voting client and data network) is an untrusted system in an unsupervised environment, so the system as a whole is only partly trusted, and the voter has no possibility of immediate inspection of the verification log.]


Some observations…

If you have something that you do not completely trust, you compensate by building security into the levels above.

Why do we trust Internet banking?

o we can check the statement of account

o if something goes wrong, the bank takes the blame (usually)


Possible e-voting solutions

Redundancy: let the voter send several ballots, possibly through different channels, and let the system compare notes

o Cumbersome for the voter

o The voter may still feel insecure

Feedback control: let the voter inspect the ballot as it is registered in the trusted part of the system (analogous to checking the statement of account in Internet banking)


Feedback through another channel

[Diagram: Voter – Voting client – Data network – Ballot-receiving server – Ballots – Verification log, as before; in addition the voter reaches a Ballot-inspecting server over the SMS network. The voting client, the data network and the SMS network are untrusted systems; the servers form the trusted system.]

But what about the secrecy of the vote? (The Recommendation, Standard 17)


Multiple casting of ballots

[Diagram: as on the previous slide (Voter – Voting client – Data network – Ballot-receiving server – Ballots – Verification log, Ballot-inspecting server over the SMS network, untrusted systems at the voter's end), with a Vote-extracting server that turns the Ballots into Votes and is run only when the election is closed.]

Voter is allowed to send several ballots – only the last one is regarded as the e-vote

Voter may override any e-vote by a traditional paper ballot on Election Day


On Election Day…

… the Election officials will have access to an updated voter register, where the e-voters have been marked.

When an e-voter shows up in the polling station, the Election official will send an ”annul-ballot” message to the e-voting system before allowing the voter to vote by traditional means (i.e. anonymous paper ballot in a supervised environment).


Several ballots from the same voter? Why?

o Alleviates the ”family-voting” problem

o Alleviates the vote-buying/selling problem

o Maintains a certain level of secrecy – even when ballot-inspection is possible

…because nobody can know whether the current ballot will be the final one

o Technically, it comes almost for free – as a side effect of the mechanism that ensures only one valid vote from each voter

Why not?

o May reduce the solemnity of voting

o Must maintain the connection between the voter and the ballot until the end of the election (increased risk of loss of secrecy)


What about the secrecy of the vote?

Wouldn't this solution increase the risk of disclosing the secret vote to other people?

Yes, but

the ballot-inspection server should authenticate the voter just as thoroughly as the ballot-receiving server

with the session key (see later), the ballot can only be inspected, not modified

it is the responsibility of the voter to keep the session key unavailable to other people

if the ballot is disclosed, there is no way to know whether this is the final ballot and the vote to be counted


The technical solution

The technical solution builds upon the principle of hybrid cryptography


The hybrid crypto principle

Symmetric cryptography: the same key is used for encryption and decryption of the message

Asymmetric cryptography: one key of a key pair is used for encryption, the other key of the key pair for decryption of the message

Hybrid cryptography: the message is encrypted symmetrically with a randomly selected session key, which is then encrypted asymmetrically. To decrypt, the session key is decrypted asymmetrically, then the message is decrypted symmetrically with the session key.


The session key

Hybrid crypto with a session key is traditionally used for efficiency reasons

In this solution, we use the session key also to allow the voter to inspect his registered ballot

To be able to inspect the ballot, the voting client must keep the session key

For inspecting the ballot through other channels, the session key must be transferable to the client on the other channels


Electronic voting with ballot-inspection

[Diagram, reconstructed as steps. Keys involved: the election event key pair, the voter's key pair and the session key.]

Casting:
Ballot → encrypting with the session key → Encrypted ballot
Session key → encrypting with the public key of the election event
Encrypted ballot, together with the encrypted session key → digital signing with the voter's private key → Digitally signed, encrypted ballot → Ballot database

Inspection:
Ballot database → removing the outer envelope with the voter's public key → decrypting the ballot with the session key → Ballot (as registered)

Ballot database → Vote counting

G. Skagestein et al.: How to create trust in electronic voting over an untrusted platform. In Krimmer, R. (Ed.): Electronic Voting 2006, GI Lecture Notes in Informatics, P-86, Bonn, 2006.


Vote extraction

[Diagram, reconstructed as steps.]

Envelope opening: Ballot database → verification of the digital signature with the voter's public key → Encrypted anonymous e-votes, plus the List of e-voters to be marked in the Voter register

Decrypting the session key with the private key of the election event → e-votes to be counted

Decrypting the votes with the session keys → Votes
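The casting and inspection flow of "Electronic voting with ballot-inspection" and the "Vote extraction" steps above, together with the last-ballot-counts rule of "Multiple casting of ballots" and the Election Day annulment, as an added worked example in Go. This is not the working group's code and not the system of the Skagestein et al. paper; it fixes choices the slides leave open, and these should be read as assumptions: AES-256-GCM for the inner envelope under the session key, RSA-OAEP to encrypt the session key with the election event's public key, RSA-PSS for the voter's signature as outer envelope, an in-memory ballot database in arrival order, and annulment modelled as a set of voter identities. The names (StoredBallot, CastBallot, InspectBallot, ExtractVotes), the 2048-bit key size and the sample ballots in main are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
	"sort"
)

// Added example, not the working group's code. AES-256-GCM inner envelope, RSA-OAEP for the session
// key and RSA-PSS for the voter's outer signature are assumptions; the slides fix only the hybrid structure.

// StoredBallot is one record of the ballot database, kept in arrival order.
type StoredBallot struct {
	VoterID    string // real identity, as the working committee recommends
	Nonce      []byte // AES-GCM nonce of the inner envelope
	Ciphertext []byte // ballot encrypted with the session key
	SealedKey  []byte // session key encrypted with the election event's public key
	Signature  []byte // voter's signature over Nonce||Ciphertext||SealedKey (outer envelope)
}

func signedDigest(b *StoredBallot) []byte {
	h := sha256.New()
	h.Write(b.Nonce); h.Write(b.Ciphertext); h.Write(b.SealedKey)
	return h.Sum(nil)
}

func sessionCipher(sess []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sess)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

func newKey() *rsa.PrivateKey { // stands in for the citizen PKI (voters) and the election key ceremony
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}

// CastBallot runs on the (untrusted) voting client. It returns the record sent to the
// ballot-receiving server and the session key the client keeps for later inspection.
func CastBallot(voterID string, voterKey *rsa.PrivateKey, electionPub *rsa.PublicKey, ballot string) (*StoredBallot, []byte, error) {
	buf := make([]byte, 32+12) // fresh session key || GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil { return nil, nil, err }
	sess, nonce := buf[:32], buf[32:]
	gcm, err := sessionCipher(sess)
	if err != nil { return nil, nil, err }
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, electionPub, sess, nil)
	if err != nil { return nil, nil, err }
	b := &StoredBallot{VoterID: voterID, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, []byte(ballot), nil), SealedKey: sealed}
	b.Signature, err = rsa.SignPSS(rand.Reader, voterKey, crypto.SHA256, signedDigest(b), nil)
	return b, sess, err
}

// InspectBallot is what the ballot-inspection server does for a voter presenting the
// session key: it opens the inner envelope only, so the ballot can be read but not changed.
func InspectBallot(b *StoredBallot, sess []byte) (string, error) {
	gcm, err := sessionCipher(sess)
	if err != nil { return "", err }
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
	return string(pt), err
}

// ExtractVotes runs only after the election is closed: verify every outer envelope, skip voters annulled
// on Election Day, keep the last ballot per voter, open the session keys with the election private key.
func ExtractVotes(db []*StoredBallot, voterPubs map[string]*rsa.PublicKey, annulled map[string]bool, electionPriv *rsa.PrivateKey) (votes, evoters []string, err error) {
	last := map[string]*StoredBallot{}
	for _, b := range db {
		pub, ok := voterPubs[b.VoterID]
		if !ok || annulled[b.VoterID] || rsa.VerifyPSS(pub, crypto.SHA256, signedDigest(b), b.Signature, nil) != nil {
			continue // unknown, annulled or forged: belongs in the verification log, never in the count
		}
		last[b.VoterID] = b // arrival order: a later ballot replaces an earlier one
	}
	for id, b := range last {
		sess, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, electionPriv, b.SealedKey, nil)
		if err != nil { return nil, nil, err }
		vote, err := InspectBallot(b, sess) // same inner-envelope opening, now with the recovered key
		if err != nil { return nil, nil, err }
		votes, evoters = append(votes, vote), append(evoters, id)
	}
	sort.Strings(votes) // sorted output: the order of votes must not mirror the order of voters
	sort.Strings(evoters)
	return votes, evoters, nil
}

func main() {
	election, alice := newKey(), newKey()
	first, _, _ := CastBallot("alice", alice, &election.PublicKey, "Party A")
	second, sess, _ := CastBallot("alice", alice, &election.PublicKey, "Party B") // revote: only this one counts
	fmt.Println(InspectBallot(second, sess))
	fmt.Println(ExtractVotes([]*StoredBallot{first, second}, map[string]*rsa.PublicKey{"alice": &alice.PublicKey}, nil, election))
}
```

Two points from "What about the secrecy of the vote?" and "The session key" fall out of the construction: the session key opens the inner envelope only, so whoever holds it can read the ballot as registered but not substitute another one, because a changed record no longer verifies under the voter's signature and is dropped at extraction; and after ExtractVotes the votes are sorted and detached from the e-voter list, so the count never sees an identity beside a vote. What the example does not remove is the risk the slides also name: the ballot database keeps the link between voter and ballot until the election closes, so it, and the election event's private key, remain the secrecy-critical assets.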


Architecture of the e-voting system

[Diagram. Untrusted system: the Voter with the Voting client (Ballot forms), connected over the Data network and the SMS network. Behind a Firewall, the trusted side: the Ballot-receiving server (Ballots) and the Ballot-storage server with its Voter register, which pass the ballots on to the vote-counting system and feed the Verification log; the Ballot-inspection server, reached over the SMS network; and the Ballot-annulling server, which receives the annul-ballot message from the Election official (working from the Voter register) and stores an annulling (”red”) envelope alongside the ballots.]


Election is closed – time to count

[Diagram. From the e-voting system come the Ballots and the annul envelopes; in case of distributed storage of ballots the ballot files are first integrated. They form the Electronic ballot box, which is read by the Valid-vote extracting server, whose Security module holds the Private key of the election event. Against the Voter register the extracting server produces the Checked voter register and the Electronic votes list, which goes to the Vote-counting server, per constituency.]


Identification and authentication of the voter

Identification and authentication of the voter should be done by a generally available PKI system (citizen identity card)

o cheaper than a special-purpose election credential

o the voter will not be tempted to sell it

The e-vote may be connected to the voter's real identity, or to a derived pseudo-identity

o the working committee recommends using the real identity, since this makes the annulment of e-votes on Election Day easier if the voter wants to cast a paper ballot


Basic design principles

e-voting is allowed in phase 1 only

Repeated casting of e-ballots is allowed – the last ballot counts (The Recommendation, Standard 5?)

The e-voter is allowed to inspect his e-ballot as it is registered (The Recommendation, Standard 17?)

Traditional voting with paper ballots in supervised environments on Election Day (phase 2) is maintained

Any paper ballot takes precedence over the e-ballot


Summary

We have shown that by relaxing the requirement for absolute secrecy of the vote, the vote as registered may be inspected by the voter

This possibility of inspection gives the voter trust in the untrusted part of the system

The loss of secrecy is compensated by the possibility to revote, even by traditional means on Election Day

Election Day should be kept free of any kind of e-voting

The coexistence of e-voting and traditional paper ballot voting makes a soft transition possible

The solution complies with the intentions of the Recommendation, although not always with its wording.

Some rewording in the Recommendation?