
How to create trust in electronic voting over an untrusted platform

A possible solution and its implications with regard to the Recommendation


Gerhard Skagestein
University of Oslo

Development in the field of e-voting, Council of Europe


Strasbourg 23-24 November 2006

G. Skagestein November 2006

Strasbourg How to create trust-1

The background
In 2004, the Norwegian Ministry of Local Government and Regional Development appointed a working group to give recommendations on the future of electronic elections in the country. The results were published in January 2006; see the report Electronic voting: challenges and possibilities at http://www.e-valg.dep.no. This presentation discusses one important topic in the report, namely how to achieve trust in e-voting over an insecure system such as a home PC connected to the Internet.


Some basic principles

The working committee maintains that:
- Traditional paper voting should coexist with e-voting
- e-voting should be available only during the advance voting period (called phase 1), i.e. no e-voting on Election Day (called phase 2)
- The same technological solution should be used for e-voting in both supervised and unsupervised environments
o Same program: same user interface, same operational procedures, same security measures, less program code to maintain, test and certify
o i.e. the technical solution must be feasible in unsupervised environments, even though it may be used only in supervised environments

e-voting in supervised environments

[Figure: Voter -> Voting client -> Data net -> Ballot-receiving server -> Ballots; the Verification log is available to the voter at the polling station.]

Supervised environment, trusted system

e-voting in unsupervised environments

[Figure: Voter -> Voting client (untrusted system) -> Data net -> Ballot-receiving server -> Ballots; the Verification log sits on the server side, out of the voter's reach.]

Unsupervised environment, partly untrusted system: the voter has no possibility for immediate inspection of the verification log.
- How can we achieve the voter's trust in the complete system when a part of it is not trustworthy?
- How can we establish a trustworthy verification log?

Some observations
- If you have something that you do not completely trust, you compensate by building security into the levels above
- Why do we trust Internet banking?
o we can check the statement of account
o if something goes wrong, the bank takes the blame (usually)

Possible e-voting solutions

- Redundancy: let the voter send several ballots, possibly through different channels, and let the system compare notes
o Cumbersome for the voter
o The voter may still feel insecure
- Feedback control: let the voter inspect the ballot as it is registered in the trusted part of the system (analogous to checking the statement of account in Internet banking)

Feedback through another channel

[Figure: Voter -> Voting client (untrusted system) -> Data net -> Ballot-receiving server -> Ballots. The Ballot-receiving server writes the Verification log; the Ballot-inspecting server (trusted system) reads it and returns the registered ballot to the voter over the SMS net, i.e. over a channel separate from the voting client.]

But what about the secrecy of the vote? (The Recommendation, Standard 17)

Multiple casting of ballots

[Figure: as on the previous slide (voting client on an untrusted system, ballot-receiving and ballot-inspecting servers, verification log, SMS net), with a Vote-extracting server that reads the Ballots and produces the Votes. It is run only when the election is closed.]

- The voter is allowed to send several ballots; only the last one is regarded as the e-vote
- The voter may override any e-vote by a traditional paper ballot on Election Day

On Election Day
- The election officials will have access to an updated voter register, where the e-voters have been marked
- When an e-voter shows up in the polling station, the election official will send an annul-ballot message to the e-voting system before allowing the voter to vote by traditional means (i.e. an anonymous paper ballot in a supervised environment)
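The rules of this and the previous slide (several ballots per voter, only the last one is the e-vote, an annul-ballot message removes it, only registered voters count) as a worked example in Go. This is an added illustration, not code from the presentation or from the Norwegian system; the ballot-file layout, the receiving server's sequence number and the sample voters are assumptions made for it. It goes slightly beyond the slides in handling ballots that arrive out of file order, duplicate annul messages, and annul messages for voters who never cast an e-ballot. Decryption of the selected ballots is left to the vote-extraction step.

```go
package main

import (
	"fmt"
	"sort"
)

// BallotRecord is one entry in the ballot file: an e-ballot received during phase 1.
// Seq is the receiving server's sequence number, so a higher Seq means received later.
type BallotRecord struct {
	VoterID string
	Seq     int
	Ref     string // reference to the stored (still encrypted) ballot
}

// AnnulRecord is the annul-ballot message an election official sends on Election Day
// before an e-voter is allowed to cast a paper ballot.
type AnnulRecord struct{ VoterID string }

// Extraction is what the valid-vote extracting server hands on to decryption and counting.
type Extraction struct {
	Counted  []string // refs of the ballots to decrypt and count, with the link to the voter dropped
	Marked   []string // e-voters whose e-vote stands, to be marked in the voter register
	Annulled []string // e-voters who overrode their e-vote with a paper ballot
}

// ExtractValidVotes selects at most one e-ballot per voter: the last one received,
// unless the voter is not in the register or an annul message (paper ballot) exists.
func ExtractValidVotes(ballots []BallotRecord, annuls []AnnulRecord, register map[string]bool) Extraction {
	latest := map[string]BallotRecord{}
	for _, b := range ballots {
		if !register[b.VoterID] {
			continue // not an eligible voter: the ballot is ignored
		}
		if cur, ok := latest[b.VoterID]; !ok || b.Seq > cur.Seq {
			latest[b.VoterID] = b
		}
	}
	out := Extraction{}
	for _, a := range annuls {
		// A second annul for the same voter, or an annul for someone without an e-ballot, is a no-op.
		if _, ok := latest[a.VoterID]; ok {
			delete(latest, a.VoterID) // the paper ballot takes precedence over any e-ballot
			out.Annulled = append(out.Annulled, a.VoterID)
		}
	}
	for id, b := range latest {
		out.Counted = append(out.Counted, b.Ref)
		out.Marked = append(out.Marked, id)
	}
	sort.Strings(out.Counted) // deterministic order; the ref carries no voter identity
	sort.Strings(out.Marked)
	sort.Strings(out.Annulled)
	return out
}

func main() {
	// Constructed sample data, not from the original presentation.
	register := map[string]bool{"alice": true, "bob": true, "carol": true}
	ballots := []BallotRecord{
		{"alice", 1, "b001"}, {"bob", 2, "b002"}, {"alice", 3, "b003"}, // alice revotes: b003 counts
		{"carol", 4, "b004"}, {"mallory", 5, "b005"}, // mallory is not in the register
	}
	annuls := []AnnulRecord{{"bob"}} // bob shows up at the polling station and votes on paper
	res := ExtractValidVotes(ballots, annuls, register)
	fmt.Println(res.Counted, res.Marked, res.Annulled) // [b003 b004] [alice carol] [bob]
}
```

The voter-to-ballot link is kept right up to this step, which is the "increased risk of loss of secrecy" noted two slides later; the output drops it before anything is decrypted.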


Several ballots from the same voter?

Why?
o Alleviates the family-voting problem
o Alleviates the vote-buying/selling problem
o Maintains a certain level of secrecy even when ballot inspection is possible, because nobody can know whether the current ballot will be the final one
o Technically, it comes next to free as a side effect of the mechanism that ensures only one valid vote from each voter

Why not?
o May reduce the solemnity of voting
o The connection between the voter and the ballot must be maintained until the end of the election (increased risk of loss of secrecy)

What about the secrecy of the vote?

Wouldn't this solution increase the risk of disclosing the secret vote to other people? Yes, but:
o the ballot-inspection server should authenticate the voter just as thoroughly as the ballot-receiving server
o with the session key (see later), the ballot can only be inspected, not modified
o it is the responsibility of the voter to keep the session key unavailable to other people
o if the ballot is disclosed, there is no way to know whether this is the final ballot, i.e. the vote to be counted

The technical solution


The technical solution builds upon the principle of hybrid cryptography


The hybrid crypto principle

- Symmetric cryptography: the same key is used for encryption and decryption of the message
- Asymmetric cryptography: one key of a key pair is used for encryption, the other key of the pair for decryption of the message
- Hybrid cryptography: the message is encrypted symmetrically with a randomly selected session key, which is then encrypted asymmetrically. To decrypt, the session key is first decrypted asymmetrically, then the message is decrypted symmetrically with the session key.

The session key

- Hybrid crypto with a session key is traditionally used for efficiency reasons
- In this solution, the session key is also used to allow the voter to inspect his registered ballot
- To be able to inspect the ballot, the voting client must keep the session key
- For inspecting the ballot through other channels, the session key must be transferable to the client on the other channel

Electronic voting with ballot-inspection

[Figure: On the voting client: Ballot -> encrypting with the session key -> encrypting the session key with the public key of the election event -> Encrypted ballot -> digital signing with the voter's private key -> Digitally signed, encrypted ballot. On the server: removing the outer envelope with the voter's public key -> Ballot database. Inspection: decrypting the registered ballot with the session key -> Ballot (as registered). After the close: Vote counting. Keys involved: Election event key pair, Voter's key pair, Session key.]

See G. Skagestein et al.: How to create trust in electronic voting over an untrusted platform. In Krimmer, R. (Ed.): Electronic Voting 2006, GI Lecture Notes in Informatics, P-86, Bonn, 2006.

Envelope opening and vote extraction

[Figure: Ballot database -> Envelope opening: verification of the digital signature with the voter's public key, which yields the list of e-voters to be marked in the Voter register and the encrypted anonymous e-votes -> Vote extraction: decrypting the session key with the private key of the election event, then decrypting the votes with the session keys -> e-votes to be counted (Votes).]
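The scheme of the last four slides (symmetric session key for the ballot, session key wrapped with the election-event public key, voter's signature as the outer envelope, inspection with the kept session key, extraction with the election-event private key after the close) as one runnable Go example. It is added here and is not code from the presentation or from the Norwegian system; the concrete algorithms (AES-256-GCM, RSA-OAEP, Ed25519), the envelope layout and the sample ballot are assumptions made for the illustration. It makes the point the secrecy slide rests on concrete: the ballot-receiving and ballot-inspecting servers only ever hold ciphertext, so the voter can read the registered ballot back but a server cannot change it without the voter noticing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the "digitally signed, encrypted ballot" that leaves the voting client.
type Envelope struct {
	VoterID    string // the voter's real identity, as the working committee recommends
	Ballot     []byte // ballot encrypted with the session key (AES-256-GCM, nonce in front)
	WrappedKey []byte // session key encrypted with the election-event public key (RSA-OAEP)
	Signature  []byte // voter's Ed25519 signature over Ballot||WrappedKey: the outer envelope
}

func signedPart(e Envelope) []byte { return append(append([]byte{}, e.Ballot...), e.WrappedKey...) }

// GenerateKeys makes the election-event key pair and one voter's key pair (the citizen ID card).
func GenerateKeys() (*rsa.PrivateKey, ed25519.PublicKey, ed25519.PrivateKey, error) {
	electionPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	voterPub, voterPriv, err := ed25519.GenerateKey(rand.Reader)
	return electionPriv, voterPub, voterPriv, err
}

// newGCM, encryptSym and decryptSym are the symmetric half of the hybrid scheme.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func encryptSym(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func decryptSym(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// CastBallot runs on the (untrusted) voting client. It also returns the session key, which the client
// keeps (and may pass to the SMS client) so that the voter can later inspect the registered ballot.
func CastBallot(voterID string, ballot []byte, electionPub *rsa.PublicKey, voterPriv ed25519.PrivateKey) (Envelope, []byte, error) {
	session := make([]byte, 32)
	if _, err := rand.Read(session); err != nil {
		return Envelope{}, nil, err
	}
	ct, err := encryptSym(session, ballot)
	if err != nil {
		return Envelope{}, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, electionPub, session, nil)
	if err != nil {
		return Envelope{}, nil, err
	}
	env := Envelope{VoterID: voterID, Ballot: ct, WrappedKey: wrapped}
	env.Signature = ed25519.Sign(voterPriv, signedPart(env))
	return env, session, nil
}

// ReceiveBallot (trusted ballot-receiving server) removes the outer envelope with the voter's
// public key and returns the inner, still encrypted, ballot for the ballot database.
func ReceiveBallot(env Envelope, voterPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(voterPub, signedPart(env), env.Signature) {
		return nil, errors.New("signature does not verify with the voter's public key")
	}
	return env.Ballot, nil
}

// InspectBallot: the ballot-inspecting server hands back the registered ciphertext; only the holder
// of the session key can read it, and any change to it makes the GCM authentication fail.
func InspectBallot(registered, session []byte) ([]byte, error) { return decryptSym(session, registered) }

// ExtractVote runs only when the election is closed, in the security module holding the
// election-event private key: unwrap the session key, then decrypt the ballot with it.
func ExtractVote(env Envelope, electionPriv *rsa.PrivateKey) ([]byte, error) {
	session, err := rsa.DecryptOAEP(sha256.New(), nil, electionPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return decryptSym(session, env.Ballot)
}

func main() {
	electionPriv, voterPub, voterPriv, _ := GenerateKeys()
	env, session, _ := CastBallot("voter-1", []byte("party=A;candidate=3"), &electionPriv.PublicKey, voterPriv) // constructed sample ballot
	registered, _ := ReceiveBallot(env, voterPub)
	seen, _ := InspectBallot(registered, session)
	counted, _ := ExtractVote(env, electionPriv)
	fmt.Printf("inspected: %s, counted: %s\n", seen, counted)
}
```

The session key never reaches any server in the clear: it travels only inside the RSA-OAEP wrapping, which the security module opens after the close, and in the voter's own client (or the SMS client it is transferred to). That is why the voter is responsible for keeping it away from others, as the previous slide says.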

Architecture of the e-voting system

[Figure: Voter -> Voting client (untrusted system) -> Data net -> Firewall -> Ballot-receiving server, which keeps the Verification log and the Ballot register forms and passes the ballots to the Ballot-storage server. The Ballot-inspection server returns the registered ballot to the voter over the SMS net. On Election Day the Election official, working from the Voter register, sends an annul-ballot message to the Ballot-annulling server, which stores an annulling (red) envelope ("annul") beside the ballots. Ballots and annul envelopes go to the vote-counting system.]

Election is closed: time to count

[Figure: From the e-voting system: ballots and annul envelopes -> integration of the distributed storage of ballot files -> Valid-vote extracting server, which checks the ballots against the Voter register (checked voter register, constituency) -> Electronic ballot box -> Security module holding the private key of the election event -> Vote-counting server -> Electronic votes list.]

Identification and authentication of the voter

- Identification and authentication of the voter should be done by a generally available PKI system (citizen identity card)
o cheaper than a special-purpose election credential
o the voter will not be tempted to sell it
- The e-vote may be connected to the voter's real identity or to a derived pseudo-identity
o the working committee recommends using the real identity, since this makes the annulment of e-votes on Election Day easier if the voter wants to cast a paper ballot

Basic Design Principles

- e-voting is allowed in phase 1 only
- Repeated casting of e-ballots is allowed; the last ballot counts (The Recommendation, Standard 5?)
- The e-voter is allowed to inspect his e-ballot as it is registered (The Recommendation, Standard 17?)
- Traditional voting with paper ballots in supervised environments on Election Day (phase 2) is maintained
- Any paper ballot takes precedence over the e-ballot

Summary
- We have shown that by relaxing the requirement for absolute secrecy of the vote, the vote as registered may be inspected by the voter
- This possibility for inspection gives the voter trust in the untrusted part of the system
- The loss of secrecy is compensated by the possibility to revote, even by traditional means on Election Day
- Election Day should be kept free of any kind of e-voting
- The coexistence of e-voting and traditional paper-ballot voting makes a soft transition possible
- The solution complies with the intentions of the Recommendation, although not always with its wording. Some rewording of the Recommendation?