The background
In 2004, the Norwegian Ministry of Local Government and Regional Development appointed a working group to give recommendations on the future of electronic elections in the country. The results were published in January 2006; see the report "Electronic voting challenges and possibilities" at http://www.e-valg.dep.no. This presentation discusses one important topic in the report, namely how to achieve trust in e-voting over an insecure system like a home PC connected to the Internet.
o i.e. a technical solution must be feasible in unsupervised environments, even though it may be used only in supervised environments
G. Skagestein November 2006 Bregenz-4 Strasbourg How to create trust-4
[Diagram: ballots; untrusted system]
Unsupervised environment, partly untrusted system; the voter has no possibility for immediate inspection of the verification log.
How can we achieve the voter's trust in the complete system when a part of it is not trustworthy?
How can we establish a trustworthy verification log?
Some observations
If you have something that you do not completely trust, you compensate by trying to build security into the levels above.
Why do we trust Internet banking?
o we can check the statement of account
o if something goes wrong, the bank takes the blame (usually).
[Diagram: voter; voting client; data network; ballots; untrusted systems; trusted system]
But what about the secrecy of the vote? (The Recommendation, Standard 17)
[Diagram: voter; voting client; data network; ballots; untrusted systems; vote-extracting server]
The voter is allowed to send several ballots; only the last one is regarded as the e-vote.
The voter may override any e-vote by a traditional paper ballot on Election Day.
On Election Day
The election officials will have access to an updated voter register, where the e-voters have been marked.
When an e-voter shows up in the polling station, the election official will send an annul-ballot message to the e-voting system before allowing the voter to vote by traditional means (i.e. anonymous paper ballot in a supervised environment).
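The revoting and annulment rules described above, as an added Python sketch that is not part of the original presentation. The class and method names, the `sealed_vote` string standing in for the encrypted ballot, and the sample voters are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ballot:
    voter_id: str     # real identity stays attached until extraction
    seq: int          # order of receipt at the ballot store
    sealed_vote: str  # placeholder for the encrypted ballot (assumption)

class BallotStore:
    """Hypothetical model of the ballot store; names are not from the slides."""

    def __init__(self, voter_register):
        self.voter_register = set(voter_register)
        self.ballots = []       # every received ballot is kept
        self.annulled = set()   # voters who cast a paper ballot

    def receive(self, voter_id, sealed_vote):
        if voter_id not in self.voter_register:
            raise ValueError("voter not in voter register")
        ballot = Ballot(voter_id, len(self.ballots), sealed_vote)
        self.ballots.append(ballot)
        return ballot

    def inspect(self, voter_id):
        """Ballot currently registered as this voter's e-vote, or None."""
        if voter_id in self.annulled:
            return None
        mine = [b for b in self.ballots if b.voter_id == voter_id]
        return mine[-1] if mine else None

    def annul(self, voter_id):
        """annul-ballot message sent by the election official on Election Day."""
        self.annulled.add(voter_id)

    def extract(self):
        """Keep the last ballot per voter, skip annulled voters, drop identities."""
        last = {b.voter_id: b for b in self.ballots}  # later ballots overwrite
        votes = [b.sealed_vote for v, b in last.items() if v not in self.annulled]
        return sorted(votes)  # sorted so output order does not follow receipt order

def demo():
    # Constructed sample data: three voters, parties X, Y, Z.
    store = BallotStore({"alice", "bob", "carol"})
    store.receive("alice", "X")
    store.receive("bob", "X")
    store.receive("carol", "Z")
    store.receive("alice", "Y")   # revote replaces alice's earlier ballot
    store.annul("carol")          # carol votes on paper at the polling station
    return store.inspect("alice").sealed_vote, store.inspect("carol"), store.extract()
```

A ballot disclosed after alice's first submission would show X, yet Y is the vote that reaches extraction.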
Why not?
o May reduce the solemnity of voting
o Must maintain the connection between the voter and the ballot until the end of the election (increased risk of loss of secrecy)
if the ballot is disclosed, there is no way to know whether this is the final ballot and the vote to be counted
[Diagram: encrypted ballot; digital signing with the voter's private key; ballot; vote counting]
G. Skagestein et al.: How to create trust in electronic voting over an untrusted platform. In Krimmer, R. (Ed.): Electronic Voting 2006, GI Lecture Notes in Informatics, P-86, Bonn, 2006.
[Diagram: ballot database; envelope opening; vote extraction; voter register; decrypting the session key with the private key of the election event; votes; firewall; verification log; data network; ballot-receiving server; ballot-storage server; ballot-inspection server; ballots; untrusted system; election official; annul-ballot message; ballot-annulling server; security module; vote-counting server]
or to a derived pseudo-identity
o the working committee recommends using the real identity, since this makes the annulment of e-votes on Election Day
Traditional voting with paper ballots in supervised environments on Election Day (phase 2) is maintained
Any paper ballot takes precedence over the e-ballot
Summary
We have shown that by relaxing the requirement for an absolute secrecy of the vote, the vote as registered may be inspected by the voter.
This possibility for inspection gives the voter trust in the untrusted part of the system.
The loss of secrecy is compensated by the possibility to revote, even by traditional means on Election Day.
The Election Day should be kept free of any kind of e-voting.
The coexistence of e-voting and traditional paper ballot voting makes a soft transition possible
The solution complies with the intentions of the Recommendation, although not always with its wording. Some rewording in the Recommendation?