Editor’s Note
This is the online version of the proceedings for the “E-voting and e-Government Workshop in the UK”. Authors who submitted papers to the workshop were entitled to retain copyright if they wished to have the paper published elsewhere. As such, some papers have been restricted to a short abstract in the online version. Similarly, some authors wished to correct minor typographic errors that appeared in the printed version of the proceedings, and this is reflected in the online version.
The workshop organising committee recommends that the original authors are approached for copies of the full papers produced for this workshop which are not included in the online version.
Workshop on e-Voting and
e-Government in the UK
University of
St Andrews
University of
Newcastle upon Tyne
Organising Committee
Peter Ryan
Stuart Anderson
Tim Storer
Ishbel Duncan
Jeremy Bryans
Sponsored and Hosted by
e-Science Institute
15 South College Street
Edinburgh
EH8 9AA
27th–28th February 2006
About the Workshop
Mass-scale systems intended to deliver electronic government (e-government) in a democratic context pose a range of under-explored design problems. In particular, we are far from having identified a core set of requirements for such systems. Confidentiality, privacy, transparency, accountability and user control are all critical to the success of such systems, yet we are still far from determining how to implement these requirements and how the design of such systems will affect user behaviour. In this workshop we aim to address these broad issues in general, together with a more focused examination of electronic voting (e-voting) as an exemplar of e-government systems. This exemplar provides a sharp characterisation of many of the issues and design trade-offs we encounter in e-government systems.
Despite support from the government for trials and adoption of new voting technologies, which it sees as a means of increasing turnout, we have not seen wide-scale adoption of the technology. E-voting requirements cover topics as varied as privacy/anonymity, authentication, verifiability, flexibility (with respect to different electoral systems) and usability. In particular, there is a need to specify the requirements for a trusted e-voting system for UK elections. The diversity of issues suggests that the deployment of e-voting requires an interdisciplinary approach.
This workshop has been organised to appeal to attendees with a wide variety of research interests, all of which are relevant to e-government and e-voting. In addition, the workshop will be of interest to attendees from a variety of non-academic backgrounds, including government and industrial stakeholders in the UK.
We hope you enjoy the presentations we have selected for the workshop and that they are of interest to you in your work. We look forward to meeting you and discussing the topics that arise over the two days.
Peter Ryan
Tim Storer
Stuart Harrington
Ishbel Duncan
Jeremy Bryans
(Organising Committee).
Contents
Panel Discussion 1: What should be expected from electronic voting technologies? . . . 1
Paper Session 1: Schemes and Systems . . . 3
Votinbox - a voting system based on smart cards . . . 5
A variation of Prêt-à-Voter which satisfies privacy and fairness in the presence of a corrupt authority . . . 13
Coercion-Free Internet Voting with Receipts . . . 22
Keynote Presentation 1: E-voting in the United States: A Cautionary Tale . . . 29
Paper Session 2: Requirements and Acceptability . . . 31
What proof do we prefer? Variants of verifiability in voting . . . 33
Digital voting and fraternal rights . . . 40
Socio-technical trade-offs in Cryptographic voting schemes . . . 42
Paper Session 3: Voting Scheme Analysis . . . 47
Kleptographic Attacks on E-Voting Schemes . . . 49
Performance modelling of a secure voting algorithm . . . 51
Paper Session 4: e-Voting, e-Democracy and e-Government in Practice . . . 59
DemoNet: Towards eParticipation in Democratic Decision Making . . . 61
Internet Elections: The Voters Viagra? . . . 62
Transformations Needed for Electoral Change . . . 78
Electronic and Athenian Democracy . . . 79
Keynote Presentation 2: Edging Towards Modernisation of the Electoral Process in Scotland . . . 83
Panel Discussion 2: Is e-Voting part of e-Democracy? . . . 85
Workshop Attendees . . . 87
Detailed Programme
27th February
10.00-10.15
Workshop Welcome
Peter Ryan/Tim Storer
10.15-11.30
Panel discussion: What should be expected from electronic voting technologies?
• Paul Docker (Department for Constitutional Affairs)
• Tom Hawthorn (Electoral Commission)
• Stuart Anderson (National e-Science Centre)
11.30-11.50
Coffee
11.50-13.00
Paper Session 1: Schemes and Systems
Chair: Peter Ryan
• Votinbox - a voting system based on smart cards
Sébastien Canard and Hervé Sibert (France Telecom)
• A variation of Prêt-à-Voter which satisfies privacy and fairness in the presence of a corrupt authority
Ben Smyth and Mark Ryan (University of Birmingham)
• Coercion-Free Internet Voting with Receipts
Miroslaw Kutylowski and Filip Zagórski (Wroclaw University of
Technology)
13.00-14.15
Lunch
14.15-15.45
Keynote
E-voting in the United States: A Cautionary Tale
Andrew Gumbel (The Independent)
15.45-16.15
Coffee
16.15-17.30
Paper Session 2: Requirements and Acceptability
Chair: Tim Storer
• What do we prefer? Variants of verifiability in voting.
Wolter Pieters (Radboud University Nijmegen)
• Digital voting and fraternal rights
Bob Watt (University of Essex)
• Socio-technical trade-offs in cryptographic voting schemes
Peter Ryan (University of Newcastle)
Tue 28th February
09.45-10.45
Paper Session 3: Voting Scheme Analysis
Chair: Ishbel Duncan
• Kleptographic attack on E-Election Schemes with Receipts
Marcin Gogolewski, Marek Klonowski, Przemyslaw Kubiak,
Miroslaw Kutylowski, Anna Lauks and Filip Zagórski (Adam
Mickiewicz University and Wroclaw University of Technology)
• Performance modelling of a secure voting algorithm
Jeremy T. Bradley, Stephen T. Gilmore and Nigel Thomas (Imperial College London, University of Edinburgh and University of
Newcastle upon Tyne)
10.45-11.15
Coffee
11.15-13.00
Paper Session 4: e-Voting, e-Democracy and e-Government in Practice
Chair: Peter Ryan
• Towards eParticipation in Democratic Decision Making
Colin Fraser (International Teledemocracy Centre)
• Transformations Needed For Electoral Change
Roy Hill (Opt2Vote)
• Internet Elections: The Voters’ Viagra?
Rachel Gibson (University of Leicester)
• Electronic Voting and Athenian Democracy
Paul Cockshott (University of Glasgow)
13.00-14.15
Lunch
14.15-15.30
Keynote:
Edging Towards Modernisation of the Electoral Process in Scotland
Jeff Hawkins (SOLAR)
15.30-16.00
Coffee
16.00-17.15
Panel discussion: Is e-Voting part of e-Democracy?
• Ela Smith (International Teledemocracy Centre)
17.15-17.30
Closing Remarks
Peter Ryan/Tim Storer
Panel Discussion 1
What should be expected from
electronic voting technologies?
Participants
• Paul Docker (Department for Constitutional Affairs)
• Tom Hawthorn (Electoral Commission)
• Stuart Anderson (National e-Science Centre)
Workshop on e-Voting and e-Government in the UK
Paper Session 1
Schemes and Systems
National e-Science Centre 27th–28th February 2006
Votinbox - a voting system based on smart cards
Sébastien Canard, Hervé Sibert
France Telecom, Research and Development, 42 rue des Coutures, BP 6243, F-14066 Caen Cedex 4, France
Email: {sebastien.canard, herve.sibert}@francetelecom.com
Abstract— The complexity of voting procedures, and their variations from country to country, make it challenging to design a secure electronic voting system. In most of the usual proposals, the security of the system relies mainly on a blackbox voting machine. Meanwhile, the most advanced proposals base their security arguments on (complicated) cryptographic protocols, e.g. blind signatures or homomorphic schemes.
At Cardis 2004, Canard and Traoré [4] presented cryptographic primitives specially aimed at providing anonymous services using smartcards. Among the proposed primitives is a new list signature scheme. Such schemes are specially suitable for electronic voting, as they provide specific properties such as multiple vote detection. Moreover, unlike blind signatures, they do not require the participation of a signing authority during the ballot creation process.
The purpose of this paper is to present the Votinbox electronic voting system, whose security relies on a tamper-resistant smart card embedding several cryptographic protocols, including list signatures.
I. INTRODUCTION
The aim of an electronic voting system is to translate the traditional vote into a digital context. Several experiments have already been carried out, based either on black-box machines or on cryptographic frameworks. The purpose of electronic voting systems is to obtain the results immediately after the end of the poll, while (at least) preserving the security of the traditional vote. Cryptography-based frameworks are designed to enhance security while adding some functionalities that remain mainly theoretical in traditional voting because of practical issues.
In this paper, we propose a smart card-based electronic voting scheme, designed to ensure the main properties that one can expect from such a scheme. Moreover, this scheme is designed in a flexible way, which means that some parts of it can be slightly modified, or some components added, in order to adapt it to the legal voting constraints of most countries. It also includes an anonymity revocation mechanism, which makes it suitable for institutional elections in the United Kingdom.
We first define more precisely the properties an electronic voting system shall satisfy, and we mention recent related work in these directions in electronic voting. Second, we provide an overview of our system and the cryptographic tools it relies on. Next, we describe the setup of the system, both inside and outside the card. We then describe the interactions that take place on an election day, and, last, we show how the proposed design addresses various security properties.
II. OVERVIEW OF THE SYSTEM
In this section, we detail the properties of the proposed electronic voting scheme, then we introduce the cryptographic tools involved in our system. Next, we give a brief description of our solution.
A. Properties of the scheme
An electronic voting scheme is a protocol allowing voters to securely vote by interacting with a set of authorities who collect the votes and calculate the result of the election. We usually distinguish between two types of electronic voting: on-line voting, a.k.a. remote voting, for example via the Internet, and off-line voting, using a voting machine or an electronic polling booth.
The main goal of a secure electronic voting system is to ensure the privacy of the voters and the accuracy of votes. Our electronic voting system fulfills the following usual requirements:
• Eligibility: only votes of legitimate voters shall be taken into account.
• Unreusability: each voter shall only be able to cast one vote.
• Anonymity: all votes shall be secret.
• Accuracy: a cast ballot cannot be altered.
• Fairness: it must be impossible to perform partial tabulation before the end of the election.
• Vote and go (or walk-away): once a voter has cast his vote, there is no further action he needs to take.
• Public verifiability: anyone should be able to readily check the validity of the whole voting process.
B. Cryptographic tools
Here is a description of the main cryptographic components encountered in our voting system.
1) Signature Scheme: Our system includes a classical signature scheme to produce attendances. For this purpose, every voter is provided with a PKI key pair. Every PKI-compatible signature scheme can be used in our system, and as the signature is created inside the card, we recommend lightweight signatures such as Schnorr signatures [12], or signatures derived from the GPS scheme [8].
2) Encryption Scheme: Our system requires a probabilistic encryption scheme. It is used by each voter to encrypt his/her ballot, which is decrypted during the counting phase. Several choices for this scheme are possible in order to reach the properties listed in Section II-A.
First, it may be a simple classical encryption scheme such as RSA or El Gamal [7], with only one key to encrypt and one key, owned by the scrutineers, to decrypt. This makes it possible for a dishonest scrutineer to decrypt ballots alone, which threatens the fairness of the vote. A second possibility is a threshold encryption scheme built on e.g. a discrete logarithm based encryption scheme such as El Gamal [7]. In this case, there is a unique encryption key, while each scrutineer owns one decryption key, and decryption necessarily involves every scrutineer. Yet another possibility is to use a mix-net [1], which implies more computations for the smart card, but provides the voters with extra anonymity in case the voting machines are open to intrusion.
In this paper, we only detail the second possibility. Using the El Gamal encryption scheme for example, we denote by $esk_{S_i}$ the private key of the scrutineer $S_i$. The corresponding public key is consequently $epk_{S_i} = g^{esk_{S_i}}$, where $g$ is a generator of the group where all the computations are done. The global encryption key that is used by the smart cards is then $epk_S = \prod_i epk_{S_i}$. Another solution is to use Shamir’s trick [13] to obtain a threshold encryption scheme, that is a scheme where the participation of only $t$ out of $n$ scrutineers is required.
3) Anonymous Signature Scheme: An anonymous signature scheme is a mechanism that enables a user to authenticate himself to another party without revealing his complete identity: he only proves that he owns some right. The best-known anonymous signatures are blind signatures [5] and group signatures. In our system, we use a variant of the latter, called list signatures [3]. More precisely, we use the list signature scheme with anonymity revocation introduced at Cardis 2004 [4].
This scheme is very efficient since it can be built upon a classical signature scheme, an encryption scheme and a pseudo-random number generator (PRNG). Thus, we can choose a low-cost signature scheme. The PRNG is built using e.g. a symmetric scheme such as AES. The encryption scheme must be asymmetric since the smart card encrypts an identifier and only some designated authority can revoke the anonymity by decrypting this identifier. In [4], every smart card owns the same private signature key sskvr and has its own identifier and its own secret key kV that is used in the PRNG (see Section II-D for details). Thus, these smart cards shall be tamper resistant.
In our system, a smart card produces a list signature of the choice v and then encrypts the whole. In order to improve the security of the list signature scheme, we divide the shared private key into several parts, each of them being owned by a distinct authority (called Key Authority). In fact, with this mechanism, no one knows the global shared private key, except the smart cards.
The main advantage of this scheme is that it is both very simple to implement and very efficient. The major drawback is that the same private key is embedded into all smart cards. As a consequence, if one smart card is broken, fake smart cards could be created. A way to reduce this problem is to split the cards into subgroups, each with its own shared key. Moreover, we will see that, in our system, several other mechanisms prevent the creation of fake votes using a fraudulent card.
C. The Actors and their Roles
Our system is designed for off-line voting. Every voter owns a voting smart card that is used twice: first, in a polling booth, and second, in front of a ballot box, in order to remain close to the traditional vote.
Our new system involves several actors:
• The Central Registration Center CRC is in charge of all registration centers. This center is only involved during the creation of the system.
• Several Registration Centers RC where citizens register to become voters, after some checks by authorities.
• A Smart Card Creation Center SCCC where smart cards are personalized for voters.
• A Certification Authority CA that controls the certification of public signature keys for every voter. Each voter will make an attendance using a digital signature (1) and needs, as a consequence, a certificate.
• Several Controllers C who form a set of trusted entities in charge, for a given voting room, of the election. They generate all the data required for the proper execution of the protocols. Each voting room is designated by an identifier Idvr.
• A Revocation Authority RA that will be called if it is necessary to revoke the anonymity of a particular vote. It owns a pair of keys epkRA/eskRA for an encryption algorithm.
• Several Key Recovery Authorities KRAi that will be called by the Controllers in order to provide a voter who has lost his/her smart card with a new one.
• Several Key Authorities KAi in charge, for a given Registration Center RC, of the generation of a shared private signature key that is used for anonymity purposes (see the list signature scheme used).
• Every Voter V who owns a voter smart card and is registered in a particular voting room. The voter is represented by a unique identifier IdV. This smart card may authenticate its owner through a PIN code or biometrics. In the following, we consider the PIN code case, which also requires a visual authentication of the voter. Each voter also owns a certificate Cert issued by CA.
• Several Scrutineers S who form a set of entities involved in the counting of the ballots. They own a pair of keys epkS/eskS for an encryption algorithm. In fact, each of them has a private key eskSi and the global public key is computed using all of these (see Section II-B).
Every election is denoted as an event by a unique identifier Idelec, which may, for practical purposes, be diversified voting-room-wise and, in this case, contain the voting room identifier Idvr. There are two major steps in our electronic voting system. The first one consists of the system setup, with a sub-setup for every new election, and the second one is the running of an election.
When a voter wants to vote at election Idelec, he enters a polling booth that contains a voting machine. This machine enables the voter to create his/her ballot inside his/her smart card. Outside the polling booth, the voter casts his/her ballot on the ballot box machine and makes his/her attendance, using the smart card again. Figure 1 presents the global architecture of our system.
(1) Our solution is also suitable for a handwritten signature, since some electoral laws do not yet accept digital signatures.
D. Design of the Smart Card
The central component of our solution is the smart card. Indeed, unlike several other smart card based voting systems, the system described herein relies on advanced cryptographic algorithms implemented inside the card, beyond the usual RSA signature and encryption. The smart card we use handles PIN code protection the way banking cards do. We detail the more advanced cryptographic capabilities of the card.
• Sign is a classical signature algorithm, such as RSA or Schnorr signature. It takes as input a message m and a private key sk and outputs a signature S.
• Encrypt is a classical encryption algorithm that takes as input a message m and the public key epkS of the scrutineers, and outputs a ciphertext C.
• Decrypt is the decryption algorithm corresponding to Encrypt. It takes as input an encrypted message C and the private key eskV of the voter, and outputs the corresponding plaintext message m. The corresponding public encryption key is denoted by epkV.
• CreateSecretKey enables a smart card to create its own secret key, which is used as the symmetric key in the PRNG procedure during the creation of anonymous signatures (see Section III-A for details).
• PRNG is a pseudo random number generator, required by the list signature scheme to reproduce the same number for the same input. This procedure is called using a secret key and a seed. The algorithm used is, for instance, a block cipher algorithm, such as AES, in CBC mode.
• LSign is the list signature algorithm used during the creation of the ballot. It is detailed in Figure 2.
– Algorithm: LSign
– Input (2): term Message m
  card Shared private signature key sskvr
  card Identifier IdV
  card Secret key kV
  term Linkability Identifier IdL (64 bits)
– Output: card Anonymous signature Sa
– Steps:
  1) R = PRNG(kV, IdL)
  2) C = Encrypt(IdV, epkRA)
  3) M = Concat(R, C, m)
  4) s = Sign(M, sskvr)
  5) Sa = Concat(s, C, R)
  6) Output Sa.
Fig. 2. LSign Procedure
We now detail the computational procedures implemented in the card, which involve the cryptographic functions introduced above.
• CreateBallot: this step consists in creating the ballot inside the card.
– Algorithm: CreateBallot
– Input: term Choice v
  card Shared private signature key sskvr
  card Secret key kV
  term Public key epkS
  term Election identifier Idelec
– Output: card Ballot B
– Steps:
  1) S = LSign(v, sskvr, kV, Idelec)
  2) m = Concat(v, S) (3)
  3) B = Encrypt(m, epkS)
  4) Output B.
Fig. 3. CreateBallot Procedure
• CreateAttendance: this step corresponds to the attendance signature by the voter, proving that he/she has participated in the current vote.
– Algorithm: CreateAttendance
– Input: card Private key sskV
  term Challenge value m = Idelec || timestamp
– Output: term Signature S
– Steps:
  1) S = Sign(m, sskV)
  2) Output S.
Fig. 4. CreateAttendance Procedure
• CheckVoting: the smart card checks whether it has already voted in the current election. For this purpose, the card contains a file Listelec with append-only rights. This file contains the identifiers of all the elections the owner of the card has participated in. When invoked by the terminal with input Idelec, this procedure checks that Idelec is not already in Listelec; otherwise it outputs an error.
• ValidateVoting: the smart card registers the fact that it has participated in the current vote. This last procedure completes the participation in an election. The smart card will not be able to vote again in this election. When invoked by the terminal with input Idelec, this procedure appends Idelec to the file Listelec.
At last, the smart card sends various data to each voting machine during the vote. For this purpose, three procedures are implemented inside the card. The SendVotingRoomId, SendCertificate and SendBallot procedures respectively send Idvr, Cert and the ballot created by CreateBallot.
Fig. 1. Global Architecture (diagram not reproduced: the registration of voters involves Voter V, RC, SCCC, the CertReq/Cert exchange with CA, and the KAi; the running of an election involves Voter V, the Voting Machine in the Polling Booth, the Ballot Box Machine, the Controllers C with their databases DBED, DBAS and DBBB, and the RAi).
(2) In the following, we mention for each input of an algorithm executed by the smart card whether it comes from the terminal (term) or from the card (card) itself.
(3) Depending on the election law of the country, the smart card might keep a hash of m, so that the voter can check that his vote has been taken into account. This induces minor anonymity concerns, as, for instance, if the scrutineers decipher a ballot but do not publish its hash, and the corresponding voter complains that his hash is not listed, then the scrutineers will know who this voter voted for.
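As an added end-to-end example (not code from the paper or from France Telecom), the following Python models the ballot path of Figures 2 and 3 together with the joint scrutineer decryption of Section II-B. It shows that a single scrutineer cannot open ballots, that two ballots from the same card for the same election carry the same R and are detected at counting time, and that only the Revocation Authority can decrypt the identifier inside a flagged ballot. Assumptions: Schnorr stands in for Sign, hashed El Gamal with a SHA-256 keystream for Encrypt, HMAC-SHA256 for the AES-based PRNG, and the group, voter identifiers, election name and candidate names are constructed toy values.

```python
import hashlib, hmac, math, secrets

P, Q, G = 1019, 509, 4   # toy safe prime P = 2Q + 1 (constructed, far too small for real use); G = 4 has order Q

def concat(*parts: bytes) -> bytes:
    """Concat: length-prefixed fields, so they can be split again unambiguously."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def split(blob: bytes, n: int) -> list:
    out = []                        # inverse of concat; tolerates garbage input
    for _ in range(n):
        ln = int.from_bytes(blob[:4], "big")
        out.append(blob[4:4 + ln])
        blob = blob[4 + ln:]
    return out

def keygen() -> tuple:
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def _challenge(r: int, m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(concat(r.to_bytes(2, "big"), m)).digest(), "big") % Q

# Sign / Verify: Schnorr over the toy group (the paper suggests Schnorr or GPS signatures).
def sign(m: bytes, sk: int) -> tuple:
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + sk * _challenge(r, m)) % Q

def verify(m: bytes, r: int, s: int, pk: int) -> bool:
    if not (0 < r < P and 0 <= s < Q):
        return False
    return pow(G, s, P) == r * pow(pk, _challenge(r, m), P) % P

# Encrypt / Decrypt: hashed El Gamal with a SHA-256 keystream, so any byte string can be a
# message. epk_S is the product of the scrutineers' epk_Si, so the shared secret
# c1^(sum of esk_Si) only exists as the product of every scrutineer's c1^esk_Si.
def _keystream_xor(data: bytes, s: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < len(data):
        out += hashlib.sha256(s.to_bytes(2, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def encrypt(m: bytes, epk: int) -> tuple:
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), _keystream_xor(m, pow(epk, r, P))

def decrypt(ct: tuple, esk_shares: list) -> bytes:
    c1, c2 = ct                     # one partial decryption c1^esk per key holder
    return _keystream_xor(c2, math.prod(pow(c1, esk, P) for esk in esk_shares) % P)

def prng(kV: bytes, IdL: bytes) -> bytes:
    """PRNG(kV, IdL): HMAC-SHA256 stands in for the paper's AES-CBC construction."""
    return hmac.new(kV, IdL, hashlib.sha256).digest()

def lsign(m: bytes, ssk_vr: int, IdV: bytes, kV: bytes, IdL: bytes, epk_RA: int) -> bytes:
    """LSign (Fig. 2), steps numbered as in the figure."""
    R = prng(kV, IdL)                                   # 1) same card + same IdL => same R
    c1, c2 = encrypt(IdV, epk_RA)                       # 2) identity escrowed to the RA
    C = concat(c1.to_bytes(2, "big"), c2)
    r, s = sign(concat(R, C, m), ssk_vr)                # 3), 4) signed with the shared key
    return concat(r.to_bytes(2, "big"), s.to_bytes(2, "big"), C, R)  # 5) Sa

def create_ballot(v, ssk_vr, IdV, kV, Id_elec, epk_RA, epk_S) -> tuple:
    """CreateBallot (Fig. 3): B = Encrypt(Concat(v, LSign(v, ...)), epk_S)."""
    return encrypt(concat(v, lsign(v, ssk_vr, IdV, kV, Id_elec, epk_RA)), epk_S)

def tally(ballots: list, esk_S_shares: list, spk_vr: int) -> tuple:
    """Jointly open and verify each ballot; a repeated R is a multiple vote (C kept for the RA)."""
    counts, seen, duplicates = {}, set(), []
    for B in ballots:
        v, S = split(decrypt(B, esk_S_shares), 2)
        r, s, C, R = split(S, 4)
        if not verify(concat(R, C, v), int.from_bytes(r, "big"), int.from_bytes(s, "big"), spk_vr):
            continue                                    # garbage or forged: not counted
        if R in seen:
            duplicates.append(C)
        else:
            seen.add(R)
            counts[v] = counts.get(v, 0) + 1
    return counts, duplicates

def revoke_anonymity(C: bytes, esk_RA: int) -> bytes:
    c1, c2 = split(C, 2)            # only the Revocation Authority holds esk_RA
    return decrypt((int.from_bytes(c1, "big"), c2), [esk_RA])

def demo() -> tuple:
    # Constructed setup: three scrutineers, one RA, one voting-room key pair, two cards.
    scrutineers = [keygen() for _ in range(3)]
    epk_S = math.prod(epk for _, epk in scrutineers) % P
    (esk_RA, epk_RA), (ssk_vr, spk_vr) = keygen(), keygen()
    elec = b"ELEC-2006-ROOM-7"
    alice, bob = (b"voter-0001", secrets.token_bytes(16)), (b"voter-0002", secrets.token_bytes(16))
    ballots = [create_ballot(b"Cd1", ssk_vr, *alice, elec, epk_RA, epk_S),
               create_ballot(b"Cd2", ssk_vr, *bob, elec, epk_RA, epk_S),
               create_ballot(b"Cd1", ssk_vr, *bob, elec, epk_RA, epk_S)]  # Bob votes again
    counts, dups = tally(ballots, [esk for esk, _ in scrutineers], spk_vr)
    alone = tally(ballots, [scrutineers[0][0]], spk_vr)[0]   # a single scrutineer opens nothing
    return counts, len(dups), alone, revoke_anonymity(dups[0], esk_RA) if dups else None
```

The group is tiny so the run is instantaneous; a deployment would use a 2048-bit group or an elliptic curve and a real AES-based PRNG.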
III. SYSTEM SETUP
In this section, we describe the setup of our system. We
divide it into three parts, namely the personalization of voting
cards, the registration of the voters, and the specific setup that
takes place before every new election.
A. Smart Card Personalization
The personalization of the smart card consists in incorporating into the smart card some data that depends on the voter himself/herself.
1) Embed the PIN that corresponds to that card. This PIN is independently sent to the card owner. The case of the PIN will not be discussed in this paper since it is relatively standard.
2) Insert the identifier of the voting room Idvr of the voter into the smart card.
3) Generation of signature keys: for the attendance sheet, it is required that each voter signs a particular message. This is done using a classical signature scheme and a certificate. This personalization step consists (i) in requesting the smart card to create its pair of signature keys spkV/sskV and (ii) in asking CA to certify the public one. The smart card finally imports its certificate Cert.
4) Generation of a secret key: for the anonymous signature scheme that this electronic voting system relies on, it is required that each smart card owns a secret key used by a block cipher algorithm (see the LSign algorithm). The secret key generation process uses the public keys of the Key Recovery Authorities, but these do not need to be on-line during the creation of the card. In our context, this algorithm takes as input epk1, ..., epkK, and outputs the secret key k and K encrypted values (c1, ..., cK), one for each KRAi. This will enable the key recovery authorities to create a new smart card for the voter in case he has lost his/hers (see Section IV). When the Smart Card Creation Center has created enough smart cards, it can send to each Key Recovery Authority KRAi the corresponding encrypted secret key cKRAi. After that, each KRAi updates its database containing all created secret keys by adding (Identity, cKRAi).
– Algorithm: CreateSecretKey
– Input: term Size of the secret key l
  term K encryption keys epk1, ..., epkK
– Output: term Encryption data c1, c2, ..., cK
  card Secret key k
– Steps:
  a) $k = \mathrm{RNG}(l)$ (4)
  b) for $i$ from 1 to $K-1$, $m_i = \mathrm{RNG}(l)$
  c) $m_K = k \oplus \bigoplus_{i=1}^{K-1} m_i$
  d) for $i$ from 1 to $K$, $c_i = \mathrm{Encrypt}(m_i, epk_i)$
  e) Store $k$
  f) Output $(c_1, \ldots, c_K)$
Fig. 5. CreateSecretKey Procedure
5) Recovery of the shared signature private key: the anonymous signature we use requires that a signature private key is shared by all smart cards attached to the same voting room. During this phase, it is necessary that the smart card, by way of SCCC, is connected to the key authorities KA that are in charge of the shared private key. The interactions between the Smart Card Creation Center SCCC and a KAi are depicted in Figure 6. The aim of this phase is to embed the shared private key so as to ensure that only the smart cards can retrieve the global shared private key sskvr. After receiving all cKAi, the Smart Card Creation Center SCCC sends the request StoreSharedKey to the smart card with cKA1, ..., cKAP as input. As there is a global set of Key Authorities for all voting rooms, each Key Authority KAi has to query its database DBKAi with the entry Idvr to retrieve the corresponding part of the key sski.
SCCC → KAi: Idvr, epkV
KAi → SCCC: cKAi, where cKAi = Encrypt(sski, epkV)
Fig. 6. Generation of the Shared Private Key
– Algorithm: StoreSharedKey
– Input: term Encrypted keys cKA1, ..., cKAP
  card Private key eskV
– Output: card Shared key ssk
– Steps:
  a) for all $i$ from 1 to $P$, $ssk_i = \mathrm{Decrypt}(c_{KA_i}, esk_V)$
  b) $ssk = f(ssk_1, \ldots, ssk_P)$
  c) Store $ssk$
Fig. 7. StoreSharedKey Procedure
(4) RNG is the smart card’s hardware-specific random number generator.
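An added example (not the paper's code) of the K-of-K XOR sharing of CreateSecretKey in Figure 5, and of the recovery it enables when a replacement card collects every share from the Key Recovery Authorities as described in Section IV-A. Assumptions: kra_encrypt/kra_decrypt are a constructed symmetric stand-in for the paper's asymmetric Encrypt/Decrypt towards a KRA (the sharing logic does not depend on the cipher), and RNG is the OS randomness source.

```python
import hashlib
import secrets

def rng(l: int) -> bytes:
    """RNG(l): the card's hardware RNG, stood in for by the OS randomness source."""
    return secrets.token_bytes(l)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in for the paper's asymmetric Encrypt/Decrypt towards a KRA: each KRA_i holds a
# 32-byte secret and messages are XORed with a SHA-256 keystream under a fresh nonce.
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def kra_encrypt(m: bytes, kra_key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + xor(m, _stream(kra_key, nonce, len(m)))

def kra_decrypt(c: bytes, kra_key: bytes) -> bytes:
    return xor(c[16:], _stream(kra_key, c[:16], len(c) - 16))

def create_secret_key(l: int, kra_keys: list) -> tuple:
    """CreateSecretKey (Fig. 5): returns (k, [c_1, ..., c_K]); only k stays on the card."""
    K = len(kra_keys)
    k = rng(l)                                            # a)
    shares = [rng(l) for _ in range(K - 1)]               # b) m_1 .. m_{K-1}
    m_K = k
    for m in shares:                                      # c) m_K = k xor m_1 xor ... xor m_{K-1}
        m_K = xor(m_K, m)
    shares.append(m_K)
    return k, [kra_encrypt(m, key) for m, key in zip(shares, kra_keys)]   # d), e), f)

def recover_secret_key(cs: list, kra_keys: list, l: int) -> bytes:
    """Recovery for a replacement card (Section IV-A): every KRA_i must contribute its m_i."""
    k = bytes(l)
    for c, key in zip(cs, kra_keys):
        k = xor(k, kra_decrypt(c, key))
    return k

def demo(l: int = 16, K: int = 3) -> tuple:
    kra_keys = [secrets.token_bytes(32) for _ in range(K)]   # constructed KRA secrets
    k, cs = create_secret_key(l, kra_keys)
    recovered = recover_secret_key(cs, kra_keys, l)
    # With one KRA missing, the XOR of the other K-1 shares is independent of k:
    # any candidate key k' is consistent with them, so K-1 authorities learn nothing.
    partial = recover_secret_key(cs[:-1], kra_keys[:-1], l)
    return recovered == k, partial == k
```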
B. Registration of Voters
When a citizen with identification data IdV (5) wants to register as a voter, he/she goes to a Registration Center RC that verifies that he/she has the right to vote. If this is the case, RC links the current voter to a voting room Idvr using some predefined criteria, such as the address of the voter.
The Registration Center RC requests the Smart Card Creation Center SCCC for the creation and the personalization of a new card for IdV belonging to the voting room (6) Idvr. It consequently sends to SCCC a new entry with the following data:
• the identity IdV of the voter,
• the voting room Idvr the voter belongs to,
which in turn launches the smart card personalization procedure (see Section III-A).
At the end of this procedure, RC returns, for this voter, a new smart card and updates its database by adding the new voter. The PIN code of this smart card is sent directly to the new voter, whereas the voter must collect his/her smart card at the Registration Center.
C. Setup of a New Election
When an election is scheduled, it is required to prepare the system for this election. Some of the required actions have to be undertaken before the election day, while others are done on the election day. In this section, we introduce some mechanisms and we detail the necessary updates of the databases prior to the election.
1) Revocation of Voters: It is sometimes required to revoke the right to vote of a particular voter IdV. This may be because this voter has moved, or because he has lost his right to vote. In this case, the Registration Center has to update its database by deleting the entry IdV.
Moreover, RC has to request the Certification Authority CA for revocation by sending IdV. Then, the authority CA searches its database for the certificate Cert of this voter and adds Cert to the revocation list.
2) The Creation of the Voting Room: An election is created at the level of a voting room by the Controllers C of this voting room Idvr.
First of all, the Controllers C create the list of N candidates Cd1, ..., CdN for the election Idelec (previously created by RC) and the voting room Idvr.
They then have to create three databases needed throughout the voting process. The first one,
denoted by DBED, consists of the electoral data. It contains the following data:
• the identifier of the election Idelec,
• the number N of candidates,
• the names of the candidates Cd1, ..., CdN,
• the public key of the Scrutineers epkS.
(5) In practice, in order to shorten computations, IdV is a unique identifier derived from the identity of the voter.
(6) We consider that the Smart Card Creation Center knows all data concerning a voting room, namely its address, its number and the corresponding identifier.
The second database, denoted by DBAS, corresponds to the Attendance Sheet. It contains, for each valid voter:
• the identity IdV of the voter,
• the corresponding certificate Cert,
• the voting room Idvr of the voter IdV,
• an empty field Att ready to contain the attendance of the voter.
The third database is the ballot box, denoted by DBBB. This database is empty for now and will contain:
• the ballot B,
• the voting room Idvr it belongs to.
3) Between the Controllers and the Scrutineers: The scrutineers have to create their cryptographic keys. These keys are only valid for this election and will enable the final counting of the result of this election for the voting room to which they belong.
The creation process of all these keys is described in Section II-B. At the end of the process, each scrutineer Si owns a private key eskSi, and together they can compute the corresponding public encryption key epkS. This key is sent to the Controllers, who enter it into their database DBED. The Controllers can then certify the public key epkS using their signature key sskC. The expiration date of this certificate corresponds to the end of the election day, after the counting phase.
All databases and computers are then sealed until the day of the election.
IV. RUNNING OF AN ELECTION
During the election day, voters can come to the voting
room to vote. The process in the voting room is divided into
three steps that we detail in this section. We also describe a
mechanism used if a voter has lost his/her card, as well as a
possibility for anybody to watch the election process.
Everybody must be able to verify the attendance and/or the number of cast ballots at every moment. For this purpose, the voting room includes a screen which is linked to the ballot box database and displays the required information. This step is not detailed further in this paper.
When entering the voting room, each voter has to present
his/her voting smart card, so that the controllers can verify
the validity of this voter using visual checking of the voter
and the card. After this verification is done, the voter can
enter the polling booth. If someone has lost his/her smart card,
it is possible to create a new one without compromising the
security of our system.
A. Creating a New Voting Smart Card
In case the voter has lost his/her voting smart card, it is
possible to set up a mechanism that permits the Controllers
C to create (personalize), on-line, a new smart card for this
voter using the identity Id V of the voter and the following
procedures:
• Generation of the signature keys for the attendance.
• Generation of a secret key for the anonymous signature.
We consider that the generation of the shared private signature key has already been done during the creation of the smart card, using the same mechanism as explained in Section III-A. The generation of the signature keys is standard and is not developed further.
The recovery of the secret key that is used in the anonymous signature is an interactive protocol between the new smart card SC and all the Key Recovery Authorities KRA1, . . ., KRAN. The protocol described in Figure 8 is consequently repeated for all KRAi. After that, the smart card can recover the global secret key by computing $k = \bigoplus_{i=1}^{N} k_i$. The Recover procedure for KRAi consists in querying its database DBKRAi with the entry IdV so as to recover the ki part of the key (footnote 7).
Fig. 8. Recover Process (between SC and KRAi):
SC → KRAi: Identity
KRAi: ki = Recover(Identity); Ci = Encrypt(ki, epkSC)
KRAi → SC: Ci
SC: ki = Decrypt(Ci, eskSC)
B. In the Polling Booth
In the polling booth, the protocol consists of interactions
between the voter V, his/her smart card SC, the voting
machine VM and the Electoral Data database DB ED . All
these interactions are described in Figure 9.
C. In Front of the Ballot Box
In front of the ballot box, the protocol consists of interactions between the voter V, his/her smart card SC, the ballot
box machine BBM, the Ballot Box database DB BB and the
Attendance Sheet DB AS . All these interactions are described
in Figure 10.
D. Counting Stage
At the end of the election day, the scrutineers can process the results by doing the following:
1) Verify, by comparing DB BB and DB AS, that there are as many attendances as there are ballots.
• If there are more attendances than ballots, stop the counting.
• Otherwise, continue.
2) For all attendances S∥m, verify S.
• If one attendance is incorrect, then reject it and continue.
• If all attendances are correct, then continue.
3) For all ballots B, do the following:
a) m = v + S = Decrypt(B, eskS) (footnote 8)
b) Verify the signature S on V.
7 This key may be encrypted in the database.
8 In fact, in this step, each scrutineer has to make a computation using his private key.
National e-Science Centre 27th–28th February 2006
• If the signature is incorrect, then drop the ballot.
• If the signature is duplicated, then drop the ballot.
• If the signature is correct, then continue with the next ballot.
c) Take into account the choice V w.r.t. the candidates.
4) If there are more incorrect attendances than incorrect ballots, then output a “Counting error” and continue.
5) Publish the global counting results.
In case it is necessary to revoke the anonymity of a ballot, the Revocation Authority RA uses its private key eskRA to decrypt the C part of the list signature S = (s, C, R) (see Figure 2 for details). Notice that the revocation process can be strengthened by using a mechanism similar to that of Key Recovery, in order to require the joint action of several Revocation Authorities.
Fig. 9. In the Polling Booth. Participants: V, SC, VM, DB ED. Messages, in order: SendVotingRoomId(); Idvr; Request(Idvr); Idelec, epkS, N, Cd1, . . ., CdN; Cd1, . . ., CdN; V; CheckVoting(Idglob); CreateBallot(V, epkS); “End”.
Fig. 10. In Front of the Ballot Box. Participants: V, SC, BBM, DB BB, DB AS. Messages, in order: CheckVoting(Idglob); SendCertificate(); Cert; Request(Cert); OK/Revoked; m = Idelec ∥ timestamp; CreateAttendance(m); S/Error; Request(Identity); OK/AlreadyVoted; SendBallot(); B/Error; B; S∥m; ValidateVoting(); “End”.
V. PROPERTIES OF OUR SOLUTION
A. Security Arguments
One can make it easier to trace fraud by implementing a
mechanism inside the card that provides each voter with a
hash of its plaintext ballot. This hash is kept inside the card,
and printed using another machine. Then, after the counting
phase, the hash of each deciphered ballot is published. This
makes it easy for a voter to check whether his ballot was taken
into account. However, this would introduce small anonymity
problems.
In order to minimize the risk of card attacks, only the cards of the same voting room share a common private signature key. However, in case of leakage of this key, a fraudster would also have to obtain access to the attendance and ballot databases in order not to be detected. More precisely, if a card is “broken”, the fraudster will not be able to create a new certificate (assuming that the Certification Authority does not participate in the fraud attempt) and, even if he tries to vote many times, only one ballot will be counted since the others will not be accepted by the Controllers during the on-line attendance verification phase.
The eligibility property is provided by the on-line verification of the attendance and by the use of the list signature that can only be produced by authorized smart cards. The anonymity property is ensured by the list signature scheme. It is also necessary to unlink the attendances and the ballots since they are sent at the same time (but to two different databases). One solution is to use a mix-net encryption, as explained in Section II-B.
The unreusability property is ensured by using the following
mechanisms:
• the voting smart card is designed to only authorize
one vote per election (using the CheckVoting and
ValidateVoting procedures),
• before sending the ballot into the Ballot Box Machine,
a possibly double-vote by the same voter is tested using
the electoral list and the attendances,
• the list signature scheme is a cryptographic tool that makes it possible to link two signatures made by the same list member during a particular sequence (here a voting phase). Consequently, during the counting phase, the scrutineers will detect that two ballots come from the same voter.
One may think that these three means are redundant. On the contrary, relying only on the first means would prevent us from providing the ability to vote from any voting room. Indeed, if a voter votes with his smart card in a voting room, and then goes to another voting room to vote once more, claiming that he has lost his voting smart card, then using the procedure presented in Section IV-A, he will be able to vote again. However, if all voting rooms are connected, the attendance verification will detect that he has already voted, so the second means will prevent double votes. In case of fraud on the system management side, the attendance verification might return false results. In that case, the third means, which relies on the card not being broken, will prevent the fraud. Thus, these three means provide a good mix in order to prevent fraud, except in the case where both sides of the system collude, that is, if voters succeed in breaking their cards and controllers are corrupted.
B. Comparison with Other Systems
Our solution is very close to a blind signature approach
[11], [14]. The main difference is that it does not require communication with a signing authority during the creation of the ballot. Consequently, in our solution, all the security is
based on the smart card, without the need of a further “trusted”
authority. For practical concerns, we designed the solution
with a list signature that requires tamper-resistant cards, and
we constructed the framework such that even if cards were
broken, there would still be several mechanisms dedicated to
fraud prevention. However, from a security point of view, a list
signature in which all private list signature keys are distinct
should be preferred when it becomes possible to implement
one into a smart card. Then, the problems arising from cards
being broken would disappear.
Our solution is more efficient than homomorphic encryption based electronic voting schemes [2], [10] in the case of multi-candidate elections. In fact, the size of the proofs required by the homomorphic approach increases drastically with the number of possible choices during the election.
Electronic voting systems based solely on a mix-net require
the use of a universally verifiable mix-net [9], [6]. Such a tool
provides complex proofs that it has behaved properly. Thus,
this solution is less efficient than our proposal. Moreover, a simpler mix-net (non universally verifiable) can be added to protect the voters' anonymity in case of intrusions into the voting machines.
VI. CONCLUSION AND FURTHER WORKS
This paper presents a secure electronic voting system that
uses a tamper-resistant smart card. It provides the basic security properties required from electronic voting schemes. Unlike
other voting schemes, the smart card used in our scheme is the
cryptographic heart of the system, as it performs cryptographic
operations designed specifically for electronic voting.
A prototype of the solution is currently under development,
and will soon be complete. In order to address security
concerns, further works include thorough testing of the components of the system, and the integration of a more complex
list signature scheme into the cards. From our point of view,
this last step will result in an electronic voting scheme whose
main interest will be to ensure the same security as similar
blind signature-based systems, while making the voter more
confident in the scheme, as he himself will own the main tools
that participate in the security of the system.
REFERENCES
[1] M. Abe. Universally Verifiable Mix-Net with Verification Work Independent of the Number of Mix-Servers. In K. Nyberg, editor, Advances in Cryptology - Eurocrypt '98, volume 1403 of Lecture Notes in Computer Science, pages 437–447. Springer-Verlag, 1998.
[2] O. Baudron, P.-A. Fouque, D. Pointcheval, J. Stern, and G. Poupard. Practical Multi-Candidate Election System. In PODC, pages 274–283, 2001.
[3] S. Canard and J. Traoré. List Signature Schemes and Application to Electronic Voting. In Proceedings of the Workshop on Coding and Cryptography (WCC'03), pages 81–90, 2003.
[4] S. Canard and J. Traoré. Anonymous Services using Smart Card and Cryptography. In J.-J. Quisquater, P. Paradinas, Y. Deswarte, and A. A. El Kalam, editors, Smart Card Research and Advanced Applications VI - Cardis 2004, pages 83–98. Kluwer, 2004.
[5] D. Chaum. Blind Signatures for Untraceable Payments. In CRYPTO, pages 199–203, 1982.
[6] J. Furukawa. Efficient, Verifiable Shuffle Decryption and its Requirement of Unlinkability. In Public Key Cryptography, pages 319–332, 2004.
[7] T. El Gamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, 31(4):469–472, 1985.
[8] M. Girault. An Identity-based Identification Scheme Based on Discrete Logarithms Modulo a Composite Number. In I. Damgård, editor, Advances in Cryptology - Eurocrypt '90, volume 473 of Lecture Notes in Computer Science, pages 481–486. Springer-Verlag, 1991.
[9] J. Groth. A Verifiable Secret Shuffle of Homomorphic Encryptions. In Public Key Cryptography, pages 145–160, 2003.
[10] M. Hirt and K. Sako. Efficient Receipt-Free Voting Based on Homomorphic Encryption. In EUROCRYPT, pages 539–556, 2000.
[11] K. Kim, J. Kim, B. Lee, and G. Ahn. Experimental Design of Worldwide Internet Voting System using PKI. SSGRR2001, 2001.
[12] C. P. Schnorr. Efficient Identification and Signatures for Smart Cards. In G. Brassard, editor, Advances in Cryptology - Crypto '89, volume 435 of Lecture Notes in Computer Science, pages 239–252. Springer-Verlag, 1990.
[13] A. Shamir. How to Share a Secret. Communications of the ACM, 22(11):612–613, 1979.
[14] J. Traoré. Are Blind Signatures Suitable for On-line Voting? Workshop on Frontiers in Electronic Elections (FEE 2005), 2005.
A variation of Prêt-à-Voter which satisfies privacy and
fairness in the presence of a corrupt authority
Ben Smyth and Mark Ryan
School of Computer Science, The University of Birmingham,
Edgbaston, Birmingham, United Kingdom, B15 2TT
{ug85bas, M.D.Ryan}@cs.bham.ac.uk
March 6, 2006
Abstract
The Prêt-à-Voter electronic voting protocol is unable to provide privacy, fairness and
receipt-freeness in the presence of a corrupt authority. We propose two variants which satisfy
privacy and fairness, even if the authority is corrupt. In contrast with another variant in the
literature, our solutions are entirely digital and do not rely on properties of physical devices.
We introduce an approach to achieve receipt-freeness.
1 Introduction
Voting is central to any democratic system and yet, contrary to the belief of many participants, very
little confidence is justified in the security properties offered by current mechanisms. Electronic
voting aims to provide cryptographic assurances of the election desiderata, therefore enforcing a
trusted architecture. There is a general consensus that the following properties must be provided:
Privacy: the way in which a voter cast her vote is not revealed to anybody.
Receipt-freeness: the voter is unable to prove that she voted in a particular way.
Fairness: no partial tally of results may be obtained until the official count.
Eligibility: only authorised voters may vote and at most once.
Universal verifiability: anybody can check that the published tally really is the sum of the
votes.
Individual verifiability: a voter can verify that her vote was really counted.
These properties are notoriously difficult to achieve. Two historic examples will illustrate the difficulties of achieving receipt-freeness. Hirt & Sako [1] showed that Benaloh & Tuinstra’s protocol [2]
is flawed and Okamoto corrected his original work [3] the year after the original publication [4].
Prêt-à-Voter (PaV) [5] is an election scheme which aims to provide privacy and individual
verifiability. In this paper, we show that, in the presence of a corrupt authority, the privacy
property fails. Additionally, the properties of fairness and receipt-freeness also fail. We propose
two variant methods for constructing the ballots in PaV. These result in systems that satisfy
privacy and fairness, even if the authority is corrupt. Furthermore, we introduce an approach to
achieve receipt-freeness.
Ryan & Peacock [6] also highlight the weakness of the authority in PaV and also offer an
alternative solution to ballot construction. However, their method relies on scratch strips on
the ballot papers, which currently cannot be implemented digitally. In contrast, our solution is entirely digital.
Notation. We use E(M, P K) for the encryption of M with public key P K. Similarly, we use
D(M, SK) for the decryption of M with the secret key SK. If SK is the secret key corresponding
to the public key P K, then D(E(M, P K), SK) = M . We also sometimes write {M }P K instead
of E(M, P K).
Structure of paper. The remainder of this paper is structured as follows. The next Section
reviews the PaV protocol and Section 3 demonstrates its weaknesses. Section 4 presents the
cryptographic primitives our work will use. We provide two variants of the protocol in Section 5
which satisfy privacy and fairness. Section 6 provides an analysis of our work, and we compare it
to Ryan & Peacock’s solution in Section 7. Finally we outline a possible direction for future work
in Section 8.
2 The Prêt-à-Voter protocol
The PaV protocol involves voters, v candidates, k tellers and an authority. The duties of the
voters and candidates are self-explanatory: the voters cast votes for candidates running for a given
position. Each teller is responsible for performing two Chaum mixes and has two secret/public
key pairs associated with it. The necessity for two Chaum mixes is to facilitate the auditing of
tellers (see [5, 7] for further details). Finally the authority is responsible for creating the necessary
ballots and publishing a candidate list of size v. The remainder of this Section will cover the
necessary details of the protocol.
2.1 Constructing a ballot
Each ballot comprises an offset and an onion, the construction of which will now be discussed.
The authority creates a unique random seed consisting of 2k values called germs:
seed := g0 , g1 , g2 , . . . , g2k−1
The seed is now used to derive the associated offset and onion. The offset is obtained by applying
a publicly known cryptographic hash function to each germ and taking the result modulo v:
$d_i := \mathrm{hash}(g_i) \pmod v, \quad i = 0, 1, 2, \ldots, 2k-1$
The offset θ can now be computed as the sum of these values modulo v:
$\theta := \sum_{i=0}^{2k-1} d_i \pmod v$
As previously discussed, each teller has two keys. More specifically, Teller_i has public keys PKT2i and PKT2i+1 in addition to the corresponding secret keys. The onion is formed by the nested encryption of the germs under these keys:
$\mathit{onion} := \{g_{2k-1}, \{g_{2k-2}, \{\ldots \{g_1, \{g_0, D_0\}_{PK_{T_0}}\}_{PK_{T_1}} \ldots\}_{PK_{T_{2k-3}}}\}_{PK_{T_{2k-2}}}\}_{PK_{T_{2k-1}}}$
The D0 value found in the centre of the onion is a unique random nonce. The intermediary layers
of the onion are as follows:
$D_{i+1} := \{g_i, D_i\}_{PK_{T_i}}, \quad i = 0, 1, 2, \ldots, 2k-1$
$\mathit{onion} := D_{2k}$
2.2 Casting a vote
Once sufficiently many ballots have been constructed the voting stage can commence. Each voter is
assigned a ballot which, as previously discussed, incorporates a unique onion and its corresponding
offset. The offset is represented by a rotation by θ positions of the candidate list. A voter’s vote is
defined as the position of her chosen candidate on the original candidate list; thus 0 ≤ vote ≤ v −1.
By ticking the candidate in the rotated list, she performs the addition of her vote and θ modulo
v; we call this value r2k :
r2k := vote + θ (mod v)
To cast her vote the pair (r2k , D2k ) must be posted to the bulletin board. Although the protocol
fails to provide individual verifiability, the voter can be convinced that her vote was entered into
the tallying process by checking her pair (r2k , D2k ) appears on the bulletin board.
2.3 The role of the tellers
The role of the tellers is to reveal the votes once the voting stage is complete without compromising
privacy or fairness. Each teller is responsible for reading a batch of ballots from the bulletin board,
decrypting the outermost layer of the onion, partially recovering the vote, applying a secret shuffle
and finally posting the output back to the board. Teller_i takes (r2i+2, D2i+2) from the bulletin board and decrypts D2i+2 with SKT2i+1 to get g2i+1, D2i+1:
g2i+1 , D2i+1 = D(D2i+2 , SKT2i+1 )
The hash function is applied to the germ to recover d2i+1 :
d2i+1 = hash(g2i+1 ) (mod v)
The new r value r2i+1 will now be obtained by subtracting d2i+1 from r2i+2 modulo v:
r2i+1 = r2i+2 − d2i+1 (mod v)
The new pair (r2i+1, D2i+1) is formed. The operation is repeated for the entire batch. A secret shuffle is applied and the resulting output is posted to the bulletin board. Teller_i repeats this process using SKT2i, resulting in (r2i, D2i). The remaining tellers perform the same role.
When Teller_0 performs the final manipulation the values r0 and D0 will be posted to the bulletin board, where r0 corresponds to the value of the voter’s original vote. To observe this, note that r2k is equivalent to the mod v sum of the voter’s vote and all the d values, i.e. vote + θ. As the tellers processed the ballots each d was subtracted, thus cancelling out the previous addition and recovering the original vote value:
$r_0 = r_{2k} - \sum_{i=0}^{2k-1} d_i \pmod v = r_{2k} - \theta \pmod v = \mathit{vote}$
Once the final teller has performed his duty it is clear to see the tallying stage may commence
and the result is universally verifiable.
3 Privacy, fairness and receipt-freeness flaws in light of a corrupt authority
Initially the privacy, fairness and receipt-free properties appear to be preserved by the distribution
of trust amongst a large number of tellers. As pointed out in [6] this is not the case due to the
necessity to trust the authority. The authority knows the offset that corresponds to a given onion
and can therefore reveal the vote without the aid of the tellers. This breaks the fairness property.
The authority makes a list of every (D2k , θ) pair whilst constructing the ballots. Since the
authority can look up θ for a given D2k , the authority can simply read the (r2k , D2k ) pairs from
the bulletin board, derive the θ that corresponds to D2k and discovers vote by subtracting θ from
r2k modulo v:
vote = r2k − θ (mod v)
In addition if the authority knows which voter got each ballot, either because it sees which
ballot the voter picked, or because it colludes with the voting device (or both) the privacy and
receipt-freeness property are also broken.
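As an added illustration (not code from the paper), the following Python models the ballot construction of Section 2.1, the casting step of Section 2.2, the teller peeling of Section 2.3 and the authority's table lookup of Section 3. Two assumptions are made and labelled in the code: the tellers' public-key encryption is replaced by an idealised table-backed stand-in that returns an opaque handle per ciphertext, and hash is SHA-256 of the germ's decimal string; the parameter values and function names are chosen here.

```python
"""Original Pret-a-Voter ballot flow and the corrupt-authority attack.

Added example; the real protocol uses public-key encryption for each onion
layer.  Assumption: encryption is modelled by an idealised table (a fresh
opaque handle per ciphertext that only the matching key index can open), which
is enough to show the arithmetic on r and the authority's (D_2k, theta) lookup.
"""
import hashlib
import secrets

# --- idealised public-key encryption stand-in (assumption, not ElGamal) ---
_CIPHERTEXTS = {}                     # handle -> (key_index, plaintext)

def encrypt(plaintext, key_index):
    """Model of {plaintext}_{PK_{T_key_index}}: returns an opaque handle."""
    handle = secrets.randbits(64)
    _CIPHERTEXTS[handle] = (key_index, plaintext)
    return handle

def decrypt(handle, key_index):
    """Model of D(handle, SK_{T_key_index}); fails for the wrong key."""
    owner, plaintext = _CIPHERTEXTS[handle]
    if owner != key_index:
        raise ValueError("wrong teller key for this layer")
    return plaintext

def d_value(germ, v):
    """d_i = hash(g_i) mod v; assumption: hash is SHA-256 of str(g_i)."""
    digest = hashlib.sha256(str(germ).encode()).digest()
    return int.from_bytes(digest, "big") % v

def make_ballot(v, k):
    """Authority step (Section 2.1): 2k germs, offset theta, nested onion."""
    germs = [secrets.randbelow(2**32) for _ in range(2 * k)]
    theta = sum(d_value(g, v) for g in germs) % v
    D = secrets.randbits(64)                    # D_0, the central nonce
    for i, g in enumerate(germs):               # D_{i+1} = {g_i, D_i}_{PK_{T_i}}
        D = encrypt((g, D), i)                  # key index i = PK_{T_i}
    return theta, D                             # onion := D_{2k}

def cast_vote(vote, theta, v):
    """Ticking the rotated list computes r_{2k} = vote + theta (mod v)."""
    return (vote + theta) % v

def tellers_decrypt(r, D, v, k):
    """Peel the 2k layers from the outside in (key 2k-1 first, key 0 last),
    subtracting each d_i.  Returns (r_0, D_0).  The secret shuffle is
    omitted because it does not change the arithmetic of one ballot."""
    for i in range(2 * k - 1, -1, -1):
        g, D = decrypt(D, i)
        r = (r - d_value(g, v)) % v
    return r, D

def authority_attack(r2k, D2k, lookup, v):
    """Section 3: the authority kept every (D_{2k}, theta) pair, so it reads
    vote = r_{2k} - theta (mod v) straight off the bulletin board."""
    theta = lookup[D2k]
    return (r2k - theta) % v

def run_election(votes, v=5, k=3):
    """Returns (votes recovered by the tellers, votes recovered by the authority)."""
    board = []                                  # bulletin board of (r_{2k}, D_{2k})
    authority_table = {}                        # the authority's (D_{2k}, theta) list
    for vote in votes:
        theta, onion = make_ballot(v, k)
        authority_table[onion] = theta
        board.append((cast_vote(vote, theta, v), onion))
    by_tellers = [tellers_decrypt(r, D, v, k)[0] for r, D in board]
    by_authority = [authority_attack(r, D, authority_table, v) for r, D in board]
    return by_tellers, by_authority

if __name__ == "__main__":
    print(run_election([0, 3, 4, 1]))           # both lists equal the cast votes
```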
4 Cryptographic primitives
Prior to the discussion of our PaV variants we will briefly explain the cryptographic primitives
known as public key homomorphic encryption and blind signatures which will be used later.
4.1 Public key homomorphic encryption
An encryption scheme is public key if a public key P K can encrypt an arbitrary message M and
only the corresponding secret key SK can decrypt the message, that is D(E(M, P K), SK) =
M . Since SK is kept private and it is not possible to derive SK from P K the mechanism is
secure. The homomorphic property adds a further requirement. An encryption scheme is said
to be homomorphic iff there is a way of deriving E(M0 · M1 ) from E(M0 ) and E(M1 ). ElGamal
encryption [8] is one instance of a public key homomorphic encryption scheme and will be used for
the remainder of the paper. As with any public key encryption schema, ElGamal involves three
stages: key generation, encryption and decryption. Key generation involves the selection of a large
prime p and random generator g of Zp . The secret key is selected as a random integer x such that
1 ≤ x ≤ p − 2. The public key is given by (p, g, y) where y = g x mod p. To encrypt a message M ,
such that 0 ≤ M ≤ p − 1, select a random integer k where 1 ≤ k ≤ p − 2 and form the ciphertext
E(M ):
E(M ) = (g k mod p, y k M mod p)
To decrypt (a, b) compute:
D(a, b) = b/ax mod p
Consider the example where Bob wishes to send Alice E(4). He obtains her public key (p = 23,
g = 5, y = 2), selects k = 7 and computes E(4) = (g k mod p, y k M mod p) = (57 mod 23, 27 4 mod
23) = (17, 6). Bob sends his ciphertext (a, b) to Alice, who recovers the plaintext using her secret
key x = 2 by computing M = b/ax mod p = 6/172 mod 23 = 4.
The homomorphic property allows us to take the encryption of the product of two plaintexts
M0 · M1 given their ciphertexts (a0 , b0 ) = E(M0 ) and (a1 , b1 ) = E(M1 ) where k0 , k1 are the
random numbers chosen, by computing:
E(M0 · M1 ) = (a0 · a1 , b0 · b1 ) = (g k0 g k1 mod p, y k0 y k1 M0 M1 mod p)
For example using Alice’s public key (p = 23, g = 5, y = 2), E(5) = (20, 22) and E(4) = (17, 6)
we can obtain E(20) = E(5 · 4 mod 23) = (20 · 17 mod 23, 22 · 6 mod 23) = (18, 17). Using Alice’s
secret key x = 2 we can obtain the M = 17/182 mod 23 = 20 as would be expected.
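The worked numbers above, reproduced in Python as an added example (not code from the paper): ElGamal key generation, encryption, decryption and the pairwise ciphertext product, which is also the operation Section 5.2.1 uses to form a colony from the bacilli. The function names and the fixed k values that reproduce the paper's ciphertexts are choices made here; p = 23 is the paper's textbook parameter, not a deployable size.

```python
"""ElGamal (p, g, y = g^x mod p) with its multiplicative homomorphism.

Added example.  Assumption: the paper's toy parameters p = 23, g = 5, x = 2
are used so the outputs can be checked against the text; a real deployment
needs a large prime and a prime-order subgroup.
"""
import secrets

def keygen(p, g, x):
    """Secret key x with 1 <= x <= p-2; public key (p, g, y), y = g^x mod p."""
    assert 1 <= x <= p - 2
    return (p, g, pow(g, x, p)), x

def encrypt(M, pk, k=None):
    """E(M) = (g^k mod p, y^k M mod p); k may be fixed to reproduce the paper."""
    p, g, y = pk
    assert 0 <= M <= p - 1
    if k is None:
        k = 1 + secrets.randbelow(p - 2)        # random 1 <= k <= p-2
    return (pow(g, k, p), pow(y, k, p) * M % p)

def decrypt(ct, pk, x):
    """D(a, b) = b / a^x mod p, using the modular inverse of a^x."""
    p = pk[0]
    a, b = ct
    return b * pow(pow(a, x, p), -1, p) % p

def hmul(ct0, ct1, p):
    """(a0*a1, b0*b1) mod p: an encryption of M0*M1 mod p under the same key.
    This pairwise product is how a colony c_j is formed from the bacilli b_{i,j}."""
    return (ct0[0] * ct1[0] % p, ct0[1] * ct1[1] % p)

def hprod(cts, p):
    """Fold hmul over several ciphertexts (the product over i of b_{i,j})."""
    acc = (1, 1)                                # E(1) with k = 0
    for ct in cts:
        acc = hmul(acc, ct, p)
    return acc

def paper_example():
    """Alice's key from Section 4.1; returns the values the paper quotes."""
    pk, x = keygen(23, 5, 2)                    # y = 5^2 mod 23 = 2
    e4 = encrypt(4, pk, k=7)                    # paper: (17, 6)
    e5 = encrypt(5, pk, k=5)                    # paper: (20, 22)
    e20 = hmul(e5, e4, 23)                      # paper: (18, 17)
    return pk, e4, e5, e20, decrypt(e4, pk, x), decrypt(e20, pk, x)

if __name__ == "__main__":
    print(paper_example())
```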
4.2 Homomorphic signature schemes
We also require a homomorphic signature scheme, i.e. a signature function σK such that σK (M0 ·
M1 ) can be constructed from σK (M0 ) and σK (M1 ). Details of how to obtain such a scheme can
be found in [9].
4.3 Blind signature schemes
A blind signature is simply an instance of a digital signature scheme with the added requirement
that the signer is unable to see the contents of the message which they are signing. Alice takes
a message m and applies some blinding factor f . She sends the message to Bob, who signs the
blinded document and returns it to Alice. Alice unblinds the message using her original blinding
factor leaving the original message signed by Bob:
$\mathrm{unblind}(\sigma_{SK_B}(\mathrm{blind}(m, f)), f) = \sigma_{SK_B}(m)$
Blind signatures schemes were invented by David Chaum [10]. Chaum also created the first
implementation [11] which uses the RSA algorithm.
5 Privacy and fairness preserving variations of the Prêt-à-Voter protocol
We will now introduce two variants of PaV which eliminate the privacy and fairness flaws. We
achieve our goal by eliminating the authority and thus modifying the way in which the ballot is
constructed.
5.1 Variation A: Eliminating the authority
It is apparent from Section 3 that divulging the relationship between the onion and offset to any
party other than the voter violates privacy and fairness. We therefore propose the delegation of
the ballot creation (Section 2.1) to the voter whilst maintaining the remainder of the PaV protocol.
This eliminates the single point of failure introduced by the authority and upholds privacy and
fairness requirements.
Unfortunately, however, this protocol does not satisfy receipt-freeness. The voter can prove
how she voted to any other agent. The next Section presents a distributed solution which satisfies
a weaker definition of receipt-freeness, in which the voter can prove how she voted only to Teller_0.
5.2 Variation B: A distributed solution
In collaboration with the tellers the voter constructs a ballot in such a way that only she learns
the relationship between the onion and offset. This satisfies the privacy and fairness requirements.
Furthermore, the values which comprise the seed are not revealed to the voter. This upholds a
weaker definition of receipt-freeness, improving upon variant A.
The definition of a candidate’s position on the candidates list will need to be slightly amended,
the numbering will begin at 1 as opposed to 0 i.e. a voter’s vote will appear in the range 1 ≤
vote ≤ v and v must be a prime number greater than or equal to the number of candidates.
5.2.1 Constructing a ballot
The voter enters the ballot booth and contacts each teller in turn. Teller_i creates a unique random seed comprising 2k values which we call germs:
seed2i := g2i,0, g2i,1, g2i,2, . . ., g2i,2k−1
These values are used by Teller_i to derive the associated offset θ2i:
$\theta_{2i} := \prod_{j=0}^{2k-1} g_{2i,j} \pmod v$
Teller_i then sends each Teller_j the blinded germ values g2i,2j and g2i,2j+1. On receipt of the message Teller_j signs the blinded germs with SKT2j and SKT2j+1 respectively and returns them. Teller_i unblinds the message, verifies the signature and encrypts the signed values using the homomorphic encryption scheme with PKT2j and PKT2j+1 respectively. Let these modified germ values be called bacilli:
$b_{2i,j} := E(\sigma_{SK_{T_j}}(g_{2i,j}), PK_{T_j}), \quad j = 0, 1, 2, \ldots, 2k-1$
Teller_i then creates a nonce, gets Teller_0 to sign it blindly using SKT0 and encrypts it with PKT0, resulting in d2i. The θ2i, d2i and bacilli values are then sent to the voter using a secure communications channel. Teller_i repeats the process for seed2i+1, θ2i+1, d2i+1 and the corresponding bacilli.
Once in possession of the θ, d and bacilli values from each teller the voter can begin the construction of the ballot. A new offset Θ, defined as the product of each θi modulo v, is calculated:
$\Theta := \prod_{i=0}^{2k-1} \theta_i \pmod v$
She then produces a new seed consisting of 2k values termed colonies. Each colony is calculated as the product of the bacilli from each teller, and must be computed using the homomorphic technique discussed in Section 4.1:
$c_j := \prod_{i=0}^{2k-1} b_{i,j} \pmod p, \quad j = 0, 1, 2, \ldots, 2k-1$
Since bi,j is a pair, the multiplication is done pairwise, so cj is also a pair. Because of the homomorphic property:
$c_j = E\left(\sigma_{SK_{T_j}}\left(\prod_{i=0}^{2k-1} g_{i,j}\right), PK_{T_j}\right), \quad j = 0, 1, 2, \ldots, 2k-1$
D0 is computed in a similar manner:
$D_0 := \prod_{i=0}^{2k-1} d_i \pmod p$
The onion will now be formed using a similar technique to the original protocol. Colonies will however be used as opposed to germs:
$\mathit{onion} := \{c_{2k-1}, \{c_{2k-2}, \{\ldots \{c_1, \{c_0, D_0\}_{PK_{T_0}}\}_{PK_{T_1}} \ldots\}_{PK_{T_{2k-3}}}\}_{PK_{T_{2k-2}}}\}_{PK_{T_{2k-1}}}$
The intermediary layers of the onion are similarly defined:
$D_{i+1} := \{c_i, D_i\}_{PK_{T_i}}, \quad i = 0, 1, 2, \ldots, 2k-1$
$\mathit{onion} := D_{2k}$
5.2.2 Casting a vote
The voter is now in possession of the (D2k , Θ) pair and is able to calculate r2k as the product of
her vote and Θ modulo v:
r2k := vote · Θ (mod v)
The pair (r2k , D2k ) may now be posted to the bulletin board.
5.2.3 The role of the tellers
In addition to aiding the construction of the onion as previously discussed, the tellers are again responsible for revealing the vote without compromising privacy or fairness. Teller_i takes (r2i+2, D2i+2) from the bulletin board and decrypts D2i+2 with SKT2i+1 to get c2i+1, D2i+1:
c2i+1, D2i+1 = D(D2i+2, SKT2i+1)
The product of the tellers' ith germ values, signed by Teller_i, may now be revealed by decrypting c2i+1 using the secret key SK2i+1:
$\sigma_{SK_{T_{2i+1}}}\left(\prod_{i=0}^{2k-1} g_{i,j}\right) = D(c_{2i+1}, SK_{T_{2i+1}})$
The teller will now verify that the germ has indeed been signed using its public key PK2i+1, and can extract the product of the tellers' ith germ values:
$\prod_{i=0}^{2k-1} g_{i,j} = \mathrm{checksign}\left(\sigma_{SK_{T_{2i+1}}}\left(\prod_{i=0}^{2k-1} g_{i,j}\right), PK_{2i+1}\right)$
The new r value r2i+1 will now be obtained by dividing r2i+2 by the product $\prod_{i=0}^{2k-1} g_{i,j}$, all modulo v (recall that v was chosen to be prime):
$r_{2i+1} = r_{2i+2} \Big/ \prod_{i=0}^{2k-1} g_{i,j} \pmod v$
The new pair (r2i+1, D2i+1) is formed. The operation is repeated for the entire batch. A secret shuffle is applied and the resulting output is posted to the bulletin board. Teller_i repeats this process using SKT2i, resulting in (r2i, D2i). The remaining tellers perform the same role.
The final teller will need to decrypt the central D0 value in addition to his normal duty. Once his task is complete the final vote and D0 will appear on the bulletin board. To see this, note that:
$r_0 = \frac{r_{2k}}{\prod_{i=0}^{2k-1}\prod_{j=0}^{2k-1} g_{i,j}} = \frac{r_{2k}}{\Theta} = \mathit{vote} \pmod v$
The tallying stage may now commence.
The tallying stage may now commence.
6 Analysis
Both our proposed variants A (Section 5.1) and B (Section 5.2) satisfy privacy, fairness, eligibility
and universal verification. Furthermore, variant B provides individual verifiability. The failure to
provide receipt-freeness in either protocol is discussed in Section 6.1.
Privacy: A vote may only be deciphered from r2k with complete knowledge of the offset; as the tellers only learn part of this value, they are unable to reveal a vote without the aid of all the tellers. The relationship between the voter and her vote is hidden by the secret shuffles applied by the tellers. Together these properties ensure the privacy requirement is preserved.
Fairness: The onion maintains the necessary information to decipher votes from the r2k values.
As each teller must process the onion to enable the votes to be revealed fairness is ensured.
Eligibility: Assuming the bulletin board only permits the posting of (r2k , D2k ) pairs from eligible
votes, this property is guaranteed.
Universal verifiability: Since the unencrypted votes are posted to the bulletin board it is clear
to see this property is achieved.
Individual verifiability (Variant A only ): Given that the (vote, D0 ) pair appear on the bulletin board and the voter created her D0 value, she can verify that her vote was included in
the final tally.
6.1 Breaking receipt-freeness
We will now show how a receipt can be created in both of our proposed protocols. Variant A allows the voter to convince any agent how she voted. Variant B satisfies a weaker definition of receipt-freeness, in which the voter can prove how she voted only to $Teller_0$.
6.1.1 Variant A: Eliminating the authority
To reveal how a voter cast her vote she must reveal her seed, which permits the reconstruction of the corresponding onion and offset; she can then convince any agent of her vote by looking up her $(r_{2k}, D_{2k})$ pair on the bulletin board and subtracting $\theta$ from $r_{2k}$:
$$\mathit{vote} = r_{2k} - \theta \pmod v$$
In addition the vote may be revealed using the nonce $D_0$.
6.1.2 Variant B: A distributed solution
The second proposal restricts to whom the voter is able to reveal her vote, namely $Teller_0$, since the voter is able to show the teller how to construct the innermost layer of her onion:
$$D_1 = \{c_0, D_0\}_{PK_{T_1}}$$
Given that this value will appear on the bulletin board, the teller will be satisfied that the $(r_1, D_1)$ pair does indeed belong to the voter. As the teller is responsible for processing the final set of values, he will be convinced that the voter cast her vote in a certain way. In a similar approach the $D_0$ value could also be used.
7 Ryan & Peacock’s Prêt-à-Voter variant
Ryan & Peacock [6] also highlight the weakness of the authority in PaV and offer an alternative solution to ballot construction. Their report is somewhat incomplete and the material presented here is our interpretation. The proposal is based on onions encrypted using ElGamal. The ballot is constructed by a number of clerks in such a way that the relationship between the onion and offset is not learnt by any single entity. The first clerk generates a suitable number of ElGamal onions. The remaining clerks perform a shuffle and re-encryption. The last clerk collects the permuted onions and for each produces two re-encryptions, $onion_{LH}$ and $onion_{RH}$. The paired onions are printed onto the bottom of the ballot, $onion_{LH}$ on the left and $onion_{RH}$ on the right. $onion_{RH}$ is concealed with a scratch strip. The clerk then sends the ballot papers to the tellers, who establish the offset $\theta$ by decrypting $onion_{LH}$. The candidate list is printed on the ballot rotated by $\theta$ positions and $onion_{LH}$ is removed. The voting and counting stages follow the original protocol.
Ryan & Peacock’s variant has some drawbacks. At present, scratch strips cannot be implemented digitally. Since all scratch strips must be identical to avoid an association with the candidate list, there is no way to conceal the unique $onion_{RH}$. This precludes a fully electronic version and increases cost. Furthermore, $Teller_0$ can violate privacy and fairness if it can ensure a voter is given a certain ballot paper. This could be achieved by directly handing a voter a ballot or colluding with an election official. Since $Teller_0$ learns the offset that corresponds to a ballot paper, the vote can be derived from $r_{2k}$.
8 Further work
At present receipt-freeness has not been satisfied. If variant B could be adapted in some way to allow the construction of the onion without divulging any information about the colonies, then the property would be obtained. Feige, Kilian & Naor [12] present “A Minimal Model for Secure Computation,” which provides a theoretically sound solution, but is computationally infeasible. This problem remains open for future research.
National e-Science Centre 27th–28th February 2006
References
[1] Hirt, M. & Sako, K. (May 2000). Efficient receipt-free voting based on homomorphic encryption. In Advances in Cryptology — EUROCRYPT ’00, vol. 1807 of Lecture Notes in Computer Science. Springer-Verlag, pp. 539–556.
[2] Benaloh, J. & Tuinstra, D. (1994). Receipt-free secret-ballot elections (extended abstract). In STOC ’94: Proceedings of the twenty-sixth annual ACM symposium on Theory of computing. ACM Press, New York, USA, pp. 544–553.
[3] Okamoto, T. (1996). An electronic voting scheme. In Proceedings of IFIP’96, Advanced IT Tools. Chapman & Hall, pp. 21–30.
[4] Okamoto, T. (1998). Receipt-free electronic voting schemes for large scale elections. In Proceedings of the 5th International Workshop on Security Protocols. Springer-Verlag, London, UK, pp. 25–35.
[5] Chaum, D., Ryan, P. Y. A. & Schneider, S. (2005). A practical voter-verifiable election scheme. In Proceedings of ESORICS 2005: 10th European Symposium on Research in Computer Security. pp. 118–139.
[6] Ryan, P. Y. A. & Peacock, T. (2005). Prêt-à-Voter: a Systems Perspective. Tech. rep., School of Computing Science, University of Newcastle.
[7] Chaum, D. (2004). Secret-ballot receipts: True voter-verifiable elections. Security and Privacy Magazine, IEEE, 2(1), pp. 38–47.
[8] Gamal, T. E. (1985). A public key cryptosystem and a signature scheme based on discrete logarithms. In Proceedings of Crypto ’84 on Advances in cryptology. Springer-Verlag, New York, USA, pp. 10–18.
[9] Johnson, R. et al. (2002). Homomorphic signature schemes. In Proceedings of the RSA Security Conference (Cryptographers’ Track). pp. 244–262. URL citeseer.ist.psu.edu/article/johnson02homomorphic.html
[10] Chaum, D. (1983). Blind signatures for untraceable payments, pp. 199–203.
[11] Chaum, D. (1985). Security without identification: transaction systems to make big brother obsolete. Communications of the ACM, 28(10), pp. 1030–1044.
[12] Feige, U., Kilian, J. & Naor, M. (1994). A minimal model for secure computation (extended abstract). In STOC ’94: Proceedings of the twenty-sixth annual ACM symposium on Theory of computing. ACM Press, New York, USA, pp. 554–563.
WORKSHOP ON ELECTRONIC VOTING AND E-GOVERNMENT IN THE UK
Coercion-Free Internet Voting with Receipts
Mirosław Kutyłowski, Filip Zagórski
Abstract—We present the first voter-verifiable Internet voting scheme which provides anonymity and eliminates the danger of vote selling even if the computer used by the voter cannot be fully trusted. The ballots cast remain anonymous - even the machine does not know the choice of the voter. It makes no sense to buy votes - the voter can cheat the buyer even if his machine cooperates with the buyer. Nevertheless, the voter can verify that his vote has been counted.
Keywords: electronic voting, vote receipt, vote selling, coercion resistance, anonymity
I. INTRODUCTION
Recently there has been a lot of public interest in electronic voting schemes. There are expectations that in the near future modern technologies may significantly improve election procedures. However, while it has become evident that traditional procedures have many inevitable flaws, it is still an unsolved problem how to design electronic voting schemes that fulfill all security demands. In this paper we consider the problem of casting a vote via the Internet, which is the most challenging problem.
A. Coercion-free voter-verifiable Voting Schemes
One can regard a (voter-verifiable) voting scheme as a process of submitting messages $v(x_i)$ to a kind of bulletin board by voters $x_1, \ldots, x_N$ in such a way that
• every $x_i$ can verify if $v(x_i)$ is delivered to the bulletin board (voter verifiability),
• it is infeasible to link $x_i$ with his vote; even if $x_i$ is cooperating, it is infeasible to build a convincing proof that $x_i$ voted in a particular way (coercion freeness).
B. Motivations for Internet Voting
The first reason for introducing Internet voting is cost reduction. A growing fraction of society has access to the Internet, so one can try to use the existing infrastructure to reduce the costs and avoid manual work, which is the main cost factor in traditional schemes. For economic reasons, Internet voting is particularly interesting for countries with a low population density.
The second reason is the social cost of participation in elections. A person voting at a polling station is forced to get there, and this may cost time and money, and in some cases prevent the voter from participating in the elections. The last factor is becoming a growing problem in some countries. Internet voting may contribute to the simplicity, flexibility and availability of voting.
The problems mentioned can be solved by mail-in voting, which is becoming more and more popular in some countries. The dark side of mail-in voting is the significant security flaws that endanger the basic principles of democracy. Vote selling, blackmailing the voters, removing ballots and adding new ones are significant problems that seem to be unsolvable for mail-in procedures.
Institute of Mathematics and Computer Science
Wrocław University of Technology
C. Voter Identification
In certain countries (like the USA) the main practical problem is reliable identification and authentication of voters. In other countries this is not a problem due to existing procedures for the registration of inhabitants and advanced techniques implemented in ID cards and passports (e.g. in Malaysia). Biometric technology is becoming mature and provides a high level of confidence for the election procedures. Moreover, the price of biometric devices is becoming affordable. Together with digital signatures this provides technical means that yield more reliable authentication than the traditional voting procedures with manual checks.
D. Problems and Risks of the Internet Voting
To some extent anonymity can be achieved by traditional voting on paper ballots. (Of course, there is no guarantee that the ballots do not contain hidden features that are invisible to the voter. In some political situations, even the threat that there might be such hidden features may prevent people from voting freely.)
Electronic ballots are much harder to handle: if the ballots are
identical, then there will be plenty of ways to attack the system
by casting additional votes. If the ballots are unique, then they
might be used for uncovering voters’ preferences and for vote
selling.
Verifiability of the election results is one of the major issues for electronic voting: while for paper ballots there is a relatively reliable procedure preventing election fraud (as long as the commissions are honest), electronic voting is virtual and the voter may distrust the security mechanism for mixing and counting the votes. Therefore, one of the important features would be to provide the voter with a (printed) trace that enables her to check that her vote has been counted and included in the final result. This approach of voting receipts is a central feature in many schemes (see for instance [2]).
Vote selling is the most important problem for Internet voting, with profound consequences. Unlike in the case of the traditional voting process, buying votes might be very efficient and low-risk, and does not require direct supervision by the buyer. Simply, the voter downloads and installs a special program that supervises his voting activities on his computer. This software sends appropriate information in an encrypted form to some remote server, possibly unknown even to the voter selling the vote. Finally, the voter receives some reward - for instance in the form of digital cash, access codes to some Internet services or software products. One may try to secure the PC of the voter against such programs, but this seems to be a hopeless approach. An overwhelming majority of users will not change the operating system or make the effort to reconfigure it only for the sake of Internet voting. Another problem is that a single voter may want to sell a vote. In this case he will not implement the countermeasures, or he will remove them if they are already deployed in the system. The necessary tools will be provided by the buyers of the votes.
E. Scale of the Problems
Systems in which vote buying is easy are extremely dangerous. When we compare the amount of money spent on an election campaign with the number of votes achieved, one can see that expenses per vote in some cases are higher than $40! So, from an economic point of view, it is reasonable to buy votes instead of launching an election campaign.
There are many documented cases of vote selling. For example, during the parliamentary election in Poland in 2005 one could buy votes in an Internet auction (a picture of a voting card taken with a digital camera was considered as proof of casting a vote in the way expected). Similar cases were reported in Germany a few years earlier. One could buy mail-in votes in packages of 1000 and 10,000 ballots (!). There are cases reported of removing ballots in the case of mail-in voting. There is a famous example of the USA presidential election in 2004 in Duval County, Florida, where 58,000 mail-in votes disappeared from a post office.
In many countries, there are reported cases in which the number of invalid ballots is strongly correlated with the support for a particular candidate. This concerns the Bush-Kerry and Bush-Gore cases in the USA [1], [24].
F. Previous Solutions
Let us summarize the discussion above and point out problems with the previous solutions. Mail-in voting is a quite flexible and convenient system, so it has become very popular in some countries (during the Bundestag elections in Germany in 2005, 25% of votes were mail-in votes). So, the influence of fraud could be significant in this case. The mail-in procedures are of questionable value for two reasons – they are perfect for vote selling and, even worse, there is no way to verify the correctness of the results (for instance the votes against a ruling party can be discarded).
Many electronic voting systems have been proposed so far. Many of them are receipt-free [12], [19] and assume that the machines used for voting are honest. This approach seems to be unsuited for implementing electronic elections – one would require a detailed audit at least of the operating system and of the application used for voting. Such a verification of the voter’s hardware and software is practically impossible. Moreover, if a non-negligible fraction of voters distrusts the system (even if it is honest), it should not be implemented for electronic elections.
Many Internet voting schemes allow a voter to cast a vote
only once (or from a single machine). This makes vote selling
very easy: a machine may have a special software installed that
monitors voting activities and provides appropriate information
to the buyer. A solution to this problem was implemented in the
Estonian Internet voting system: a voter can revoke the previous
ballot and cast a new one (this time in a traditional way). Each
ballot is signed digitally by the voter, so it is possible to check
which vote has to be removed (the signatures are removed before decryption of the ballots starts). The main problem of this
system is that it provides no verifiability of the election results
and that vote selling is possible.
The problem of untrusted voting machines can be solved with receipts. The first solution for which a voter gets a receipt proving that her vote was counted, and which at the same time is meaningless for anybody else, was presented by David Chaum [2]. In this case the voter becomes convinced about the election results, but at the same time she cannot sell her vote. Afterwards, other schemes with receipts were proposed. All these systems use a two-stage verification. In the first stage, a voter can check that her vote appears on a certain bulletin board. The second stage should convince her that her vote was properly processed by an array of mix-servers. Two major techniques are used for this purpose: Randomized Partial Checking [15] or Neff’s zero-knowledge proof procedures [22].
Recently, Klonowski et al. [18] proposed another scheme for voting machines. In this scheme each vote contains two parts, and each part consists of two halves. One part contains an encoded vote, the other part contains a random identifier. The halves of each part should appear after the final decoding; the lack of any half is evidence of fraud during mixing and decoding. Each of the halves is processed separately and the processing servers cannot link them together until the final decoding. For this scheme a double verification is implemented:
• a voter can check that her vote identifier is included in the
final bulletin board; so, she may be convinced that her vote
is on the bulletin board as well,
• correctness of decoding and mixing is evidenced by the fact
that there are two matching parts for each part of a vote.
In the systems [2], [18] the voting machine must be trusted to
a certain degree - it knows the preferences of the voters; still, it
cannot change them.
G. Properties of the New Scheme
We design an Internet voting system according to the following assumptions:
• the PC of a voter cannot be trusted,
• a voter may try to sell his vote, there are buyers ready to
buy a vote,
• a voter should have an opportunity to convince herself that
her vote was included in the final tally,
• a fraud attempt concerning a single vote should be detected with a constant probability, and the malicious authority should be identified.
We design a protocol that generalizes the scheme from [18].
Let us list the main technical features of this protocol:
1. Each ballot is processed by a sequence of tallying authorities that perform mixing and partial decoding; if at least
one of these tallying authorities is honest, then the vote remains anonymous.
2. While casting a vote the user obtains a receipt that can be
used to check that his vote has been properly processed. If
this is not the case for this single vote, then cheating can
be detected with a fairly high probability and at least one
of the cheating authorities can be identified.
3. The receipt and the transcript of the voting session on the computer of the voter do not suffice to determine the preferences of the voter. While casting a ballot the voter obtains a short message through an independent communication channel that is hidden from the machine used for voting.
4. A voter can change his decision by casting another ballot, which cancels the previous vote. Both ballots, the first one and the cancelling one, appear in the final tally. Ballots are designed in such a way that they cannot be linked together.
It follows that we combine two properties that are somewhat
contradictory: a voter can be convinced that his ballot has been
counted, but simultaneously buying votes does not make sense.
Indeed, even if the buyer supervises the computer of the voter
(and can see what the voter is doing at the moment of casting a
vote), he cannot be sure that the vote will not be revoked later.
Moreover, in this case the voter can vote once more for another
candidate or sell his vote to another party.
II. MATHEMATICAL BACKGROUND
A. RSA-RE Ciphertexts and Signatures
Now we recall a construction of ciphertexts that may be signed and re-encrypted afterwards together with the signature. The idea has already been used in the context of voting in [18], and comes from the papers [9], [17]. The main advantage of re-encryption is that it allows instant verification of the mixing process without revealing any information about the contents of the ciphertexts, while still allowing the message origin to be checked.
B. Key setup and ciphertext creation
Let $N = pq$ be an RSA number, and let $g$ be an arbitrary generator of a subgroup $G \subseteq \mathbb{Z}_N^*$, where $G$ is a group with a hard discrete logarithm problem. We skip the notation “mod $N$” whenever operations within $\mathbb{Z}_N$ are concerned.
The authority responsible for vote creation chooses $e$, which is co-prime with $\varphi(N)$, and $d$ such that $e \cdot d = 1 \bmod \varphi(N)$. Then $d$ is the private signing key, whereas $e$ is the public key for signature verification. The authority publishes $\hat g = g^d$.
Assume that each ballot has to be processed by $\lambda$ mix servers before getting decrypted. For $1 \le j \le \lambda$, let $y_j$ be the public key (for encryption) of the $j$th mix, and let $x_j$ be the corresponding private key, where $y_j = g^{x_j}$. Every server also obtains a public key for signature verification, which is equal to $\hat y_j = y_j^d$.
In order to prepare a ciphertext we choose a string $k_1$ uniformly at random. Then the ciphertext has the form:
$$(\alpha, \beta, \gamma, \delta) := \big(m \cdot (y_1 \cdots y_\lambda)^{k_1},\; g^{k_1},\; m^d \cdot (\hat y_1 \cdots \hat y_\lambda)^{k_1},\; \hat g^{k_1}\big).$$
C. Decoding process
When after some decoding and re-encryption such a ciphertext is delivered to mix $i$, it has the following form:
$$(\alpha_i, \beta_i, \gamma_i, \delta_i) = \big(m \cdot (y_i \cdots y_\lambda)^{k_i},\; g^{k_i},\; m^d \cdot (\hat y_i \cdots \hat y_\lambda)^{k_i},\; \hat g^{k_i}\big).$$
We call it an onion since there are many “layers” of encryption and we have to remove these layers in order to decode it. Namely, the onion gets partially decrypted and re-encrypted – the following operations are executed with a randomly chosen $r_i$:
$$(\alpha_{i+1}, \beta_{i+1}, \gamma_{i+1}, \delta_{i+1}) := \big(\alpha_i / \beta_i^{x_i} \cdot (y_{i+1} \cdots y_\lambda)^{r_i},\; \beta_i \cdot g^{r_i},\; \gamma_i / \delta_i^{x_i} \cdot (\hat y_{i+1} \cdots \hat y_\lambda)^{r_i},\; \delta_i \cdot \hat g^{r_i}\big).$$
It is easy to see that after performing these operations, for $k_{i+1} = k_i + r_i$ we get:
$$(\alpha_{i+1}, \beta_{i+1}, \gamma_{i+1}, \delta_{i+1}) = \big(m \cdot (y_{i+1} \cdots y_\lambda)^{k_{i+1}},\; g^{k_{i+1}},\; m^d \cdot (\hat y_{i+1} \cdots \hat y_\lambda)^{k_{i+1}},\; \hat g^{k_{i+1}}\big).$$
It should be clear that anybody can re-encrypt $ue(m)$ in a similar way. For this purpose, only knowledge of the public keys of the servers is necessary.
D. Signature verification
If a RSA-RE-onion signature is correct, then for some $k$ we have $\alpha = m \cdot y^k$, $\gamma = m^d \cdot \hat y^k$, so $\gamma = \alpha^d$. Hence the verifier accepts the signature if and only if $\alpha = \gamma^e$.
E. Notation
One can see that the first two parts of an onion, $(\alpha, \beta)$, form an ordinary ElGamal ciphertext encrypted with the public key $y_1 \cdots y_\lambda$. We will write $ue(m)$ for a RSA-RE-onion of a message $m$, and $e(m)$ for its first two components corresponding to an ElGamal ciphertext.
F. Raising to a power
Let us observe that one can raise $m$ hidden in $ue(m)$ to an arbitrary power $l$ without destroying the signature. Indeed:
$$ue(m)^l = (\alpha^l, \beta^l, \gamma^l, \delta^l) = \big(m^l \cdot (y_1 \cdots y_\lambda)^{k \cdot l},\; g^{k \cdot l},\; m^{d \cdot l} \cdot (\hat y_1 \cdots \hat y_\lambda)^{k \cdot l},\; \hat g^{k \cdot l}\big).$$
The last expression is $ue(m^l)$, a RSA-RE-onion of a message $m^l$, with exponent $k \cdot l$ used for encryption.
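As an added example, not the authors' code: a small Python implementation of the RSA-RE onion defined in Sections II.B to II.F, covering key setup, ciphertext creation, the partial-decrypt-and-re-encrypt step of each mix, public re-encryption, the signature check $\alpha = \gamma^e$, and raising the hidden message to a power (the operation that step (2.2) of the vote-casting procedure in Section IV relies on). The modulus, generator and subgroup order are constructed toy values (1019 and 1187 as $p$ and $q$, $g = 4$), chosen only so the example runs instantly and far too small for real security; the function names are this example's own.

```python
# Added example (not the authors' code): a toy implementation of the RSA-RE onion
# of Section II.B-F. The constructed parameters are deliberately tiny so the
# example runs instantly; a real deployment needs a large RSA modulus and a
# subgroup G in which the discrete logarithm problem is hard.
import secrets
from math import gcd

# Constructed toy parameters (assumption: chosen for illustration only).
P, Q = 1019, 1187            # safe primes: 1019 = 2*509+1, 1187 = 2*593+1
N = P * Q                    # RSA modulus N = pq
PHI = (P - 1) * (Q - 1)      # phi(N)
G = 4                        # a square mod both primes, so g generates a subgroup
ORDER_G = 509 * 593          # ... of order 509*593 (the "G" of the paper)
E = 65537                    # public verification exponent, co-prime with phi(N)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)          # private signing exponent, e*d = 1 mod phi(N)
G_HAT = pow(G, D, N)         # g-hat = g^d, published by the signing authority

def rand_exp():
    """A random exponent in [1, |G|-1] (the k_1, r_i and x_j of the paper)."""
    return secrets.randbelow(ORDER_G - 1) + 1

def product(vals):
    """Product modulo N; the empty product is 1 (no layers left)."""
    out = 1
    for v in vals:
        out = out * v % N
    return out

def mix_keys(lam):
    """Keys of the lambda mix servers: x_j private, y_j = g^x_j public,
    and y-hat_j = y_j^d (the signing authority's signature on y_j)."""
    xs = [rand_exp() for _ in range(lam)]
    ys = [pow(G, x, N) for x in xs]
    y_hats = [pow(y, D, N) for y in ys]
    return xs, ys, y_hats

def ue_encrypt(m, ys, y_hats):
    """ue(m) = (alpha, beta, gamma, delta) with a fresh random k_1 (Section II.B)."""
    k = rand_exp()
    return (m * pow(product(ys), k, N) % N, pow(G, k, N),
            pow(m, D, N) * pow(product(y_hats), k, N) % N, pow(G_HAT, k, N))

def mix_step(onion, i, xs, ys, y_hats):
    """Mix i (0-based) strips its own layer with x_i and re-encrypts under the
    remaining keys y_{i+1}..y_lambda with a fresh r_i (Section II.C)."""
    a, b, c, d = onion
    x, r = xs[i], rand_exp()
    rest, rest_hat = product(ys[i + 1:]), product(y_hats[i + 1:])
    a = a * pow(pow(b, x, N), -1, N) * pow(rest, r, N) % N
    c = c * pow(pow(d, x, N), -1, N) * pow(rest_hat, r, N) % N
    return a, b * pow(G, r, N) % N, c, d * pow(G_HAT, r, N) % N

def reencrypt(onion, ys_left, y_hats_left):
    """Re-randomise an onion still encrypted under the listed keys, using public
    keys only (anyone can do this; the signature is carried along)."""
    a, b, c, d = onion
    r = rand_exp()
    return (a * pow(product(ys_left), r, N) % N, b * pow(G, r, N) % N,
            c * pow(product(y_hats_left), r, N) % N, d * pow(G_HAT, r, N) % N)

def raise_power(onion, l):
    """ue(m)^l = ue(m^l) (Section II.F; the operation behind step (2.2) of Part II)."""
    return tuple(pow(v, l, N) for v in onion)

def check_signature(onion):
    """Section II.D: accept iff alpha = gamma^e, i.e. gamma = alpha^d."""
    a, _, c, _ = onion
    return a == pow(c, E, N)

def decrypt_through_mixes(onion, xs, ys, y_hats):
    """Run the onion through mixes 1..lambda in order. Returns the recovered
    plaintext (alpha after the last layer) and the signature check at each stage."""
    checks = [check_signature(onion)]
    for i in range(len(xs)):
        onion = mix_step(onion, i, xs, ys, y_hats)
        checks.append(check_signature(onion))
    return onion[0], checks

if __name__ == "__main__":
    xs, ys, y_hats = mix_keys(3)
    onion = reencrypt(ue_encrypt(42, ys, y_hats), ys, y_hats)
    m, checks = decrypt_through_mixes(onion, xs, ys, y_hats)
    print("plaintext", m, "signature valid at every stage:", all(checks))
    m5, _ = decrypt_through_mixes(raise_power(onion, 5), xs, ys, y_hats)
    print("ue(m)^5 decrypts to m^5 mod N:", m5 == pow(42, 5, N))
```

The point to observe is that `check_signature` succeeds after every mix step and after re-encryption, because $\gamma = \alpha^d$ and $\delta = \beta^d$ are invariants of the operations in Section II.C, while altering $\alpha$ without the signing key breaks the check immediately.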
G. Zero Knowledge Proof of Exponent Equality
In our protocol we use computational zero-knowledge protocols for equality and inequality of discrete logarithms. The input for these protocols are numbers $(\alpha, \beta, g, h)$ from a group with a hard discrete logarithm problem. Additionally, the prover knows a secret $x$ such that $\alpha = g^x$. In the first case the prover has to show that $\beta = h^x$; for the second case the prover has to show that $\beta \ne h^x$.
Non-interactive zero-knowledge proofs of these problems are
quite well known, therefore we skip their description (for details
see for instance [25]).
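Since the paper only states the problem and defers the protocol to [25], here is an added example, not the authors' code, of the textbook non-interactive proof for the equality case: the Chaum-Pedersen protocol made non-interactive with the Fiat-Shamir heuristic. It is an assumed standard instantiation, not necessarily the one in [25]. The group is a constructed prime-order subgroup of $\mathbb{Z}_p^*$ for a toy 64-bit safe prime $p = 2q+1$ generated at run time (an assumption made so that a forged statement fails with overwhelming probability rather than 1 in $q$); all function names are this example's own.

```python
# Added example (not the authors' code): non-interactive zero-knowledge proof
# that log_g(alpha) = log_h(beta) (Chaum-Pedersen + Fiat-Shamir). Section II.G
# states the problem and refers to [25]; this is the textbook construction.
# The group is a constructed prime-order subgroup of Z_p^* for a toy 64-bit
# safe prime p = 2q + 1 (assumption: parameters for illustration only).
import hashlib
import random
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test, adequate for generating toy parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=64, seed=1):
    """Return (p, q, g, h): p = 2q + 1 prime and g, h two generators of the
    subgroup of order q (a square modulo p has order q unless it is 1)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            g = pow(rng.randrange(2, p - 1), 2, p)
            h = pow(rng.randrange(2, p - 1), 2, p)
            if 1 not in (g, h) and g != h:
                return p, q, g, h

def challenge(p, q, g, h, alpha, beta, a1, a2):
    """Fiat-Shamir challenge: hash of the statement and the commitments."""
    data = ",".join(map(str, (p, g, h, alpha, beta, a1, a2))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def prove_equal_logs(p, q, g, h, x):
    """Prover knows x with alpha = g^x and beta = h^x; returns the statement
    (alpha, beta) and a proof (a1, a2, z) that log_g(alpha) = log_h(beta)."""
    alpha, beta = pow(g, x, p), pow(h, x, p)
    w = secrets.randbelow(q)                 # fresh randomness per proof
    a1, a2 = pow(g, w, p), pow(h, w, p)      # commitments
    c = challenge(p, q, g, h, alpha, beta, a1, a2)
    z = (w + c * x) % q                      # response
    return alpha, beta, (a1, a2, z)

def verify_equal_logs(p, q, g, h, alpha, beta, proof):
    """Accept iff g^z = a1 * alpha^c and h^z = a2 * beta^c for the recomputed c."""
    a1, a2, z = proof
    c = challenge(p, q, g, h, alpha, beta, a1, a2)
    return (pow(g, z, p) == a1 * pow(alpha, c, p) % p
            and pow(h, z, p) == a2 * pow(beta, c, p) % p)

if __name__ == "__main__":
    p, q, g, h = safe_prime_group()
    alpha, beta, proof = prove_equal_logs(p, q, g, h, secrets.randbelow(q))
    print("honest proof verifies:", verify_equal_logs(p, q, g, h, alpha, beta, proof))
    # The same proof against a different beta (beta * h) must be rejected.
    print("proof for a false statement verifies:",
          verify_equal_logs(p, q, g, h, alpha, beta * h % p, proof))
```

The verifier never learns $x$: the response $z = w + c x$ is masked by the fresh $w$, and the two equations it checks hold exactly when both $\alpha$ and $\beta$ were formed with the same exponent. Reusing $w$ across two proofs would leak $x$, which is why the prover draws it with `secrets` each time.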
III. BUILDING BLOCKS
Let us describe the design of a voting card and a voting ballot which are used in our protocol. Later on, in Section V on implementation issues, we provide some further details necessary to provide an appropriate security level. There are the following basic assumptions:
• There is a known list of possible voting options (list of candidates): $o[0], o[1], \ldots, o[K]$.
• One of the options corresponds to an invalid vote, i.e. $o[0] = \mathit{void}$, to allow voters to cast invalid votes.
• There is a fixed label $p$ that will be used on the identifier card.
A. Voting card
A voting card is the main building block of our scheme. Every card contains four parts (labeled A, B, C, D) which have similar contents. For a card $x$ a random permutation $\pi$ over $\{0, \ldots, K\}$ is chosen independently at random. For ease of use, we confine ourselves to random cyclic shifts, that is, we choose $k$ at random and define $\pi(j) = j + k \bmod (K + 1)$. Using random cyclic shifts instead of random permutations seems to be:
• more handy – it is much easier to pass information about the cyclic shift used in the card than information about a permutation. Moreover, choosing a voting option in that case is simpler,
• more secure – a potential subliminal channel is much smaller.
For $i = A, B, C, D$, part $i$ of a card $x$ contains the following values:
• a ciphertext $e(r_i^x)$ of a random header $r_i^x$,
• ciphertexts of identifiers $o_i^x[0], \ldots, o_i^x[K]$ listed in the order determined by $\pi$, namely $e(o_i^x[\pi(0)]), \ldots, e(o_i^x[\pi(K)])$; the values of the identifiers are defined below,
• a list of ciphertexts $e(v_i^x[0]), \ldots, e(v_i^x[K])$ of random values $v_i^x[0], \ldots, v_i^x[K]$.
All values contained in a card are encrypted with the version of the ElGamal scheme discussed in the previous section. The public key used is the product of the public keys of all tallying authorities. A card can be depicted as presented in Figure 1.
Additionally, a proper card $x$ fulfills the following conditions:
• $r_A^x = r_B^x$ and $r_C^x = r_D^x$,
• $\pi$ is a cyclic shift,
• for every $k$ and $i, j$, we have $o_i^x[k] = o_j^x[k]$ and $v_i^x[k] = v_j^x[k]$.
Recall that $o[i]$ denotes an identifier of candidate $i$ ($o[0]$ serves as a void candidate). There are two types of proper cards used:
• If $o_i[\pi(j)] = o[\pi(j)]$ for $j \le K$, then we call it a voting card.
• If $o_i[\pi(j)] = p$ for $j \le K$, then we call it an identifier card.
A voter obtains $n$ pairs of cards (where $n$ is a parameter chosen by the voter); each pair consists of a voting card and an identifier card, posted in a random order.
B. Voting ballot
A voting ballot is obtained from a voting card and an identifier card of the same pair. The following steps are performed in order to cast a vote (details are described in Section IV):
1. one of the rows on both cards is chosen,
2. the headers are modified so that the equal headers remain equal; similarly the values $v_i^x$ get modified - the values from parts A and B remain equal, those from C and D become different,
3. all ciphertexts are re-encrypted,
4. the voting system attaches an RSA-RE-signature to each ciphertext.
More precisely, if $ue(z)$ denotes $e(z)$ after re-encryption and RSA-RE-signing by one of the Registration Servers and a voter has chosen row $j$, then a voting ballot has the form presented in Figure 2a or, depending on the order of the voting and identifier cards received from BGS, the form presented in Figure 2b.
Finally, all parts A, B, C, D are signed by the voter; moreover, the parts C and D are encapsulated in a special ciphertext before delivering the ballot to the voting system (and will be used only in the case of a vote revocation).
C. Infrastructure
The parties involved in the voting protocol are:
• tallying authorities,
• a Ballot Generation Server (BGS), responsible for generating cards,
• registration servers (RS) that are interfaces between the voters and the tallying authorities,
• a voter, say Alice, who uses an application APP on her PC.
IV. VOTING PROCESS
Part I: Ballot Generation Procedure
This part of the protocol is executed in interaction between BGS, Alice and the application called APP running on her PC.
1. BGS prepares pairs of cards and publishes them. Each
pair consists of a voting card and a corresponding identifier
card.
2. Alice requests $n$ pairs of cards. Each request and response from BGS (a pair of cards) is sent over an anonymous communication channel. BGS should not be aware who is requesting voting cards. BGS responds with the following data ($n$ times):
• voting card requested,
• identifier card requested,
• non-interactive zero knowledge proofs stating that these
cards are proper,
• commitments on the cyclic shifts used for constructing
these cards.
3. APP checks the zero-knowledge proofs of correctness of the cards.
4. Alice chooses one pair of cards for preparing a ballot and informs BGS about her choice. Then:
• APP obtains the value $r_A$ used in the identifier card chosen,
• Alice gets information about the cyclic shift used in the cards chosen. This information is sent through a channel that is inaccessible to the PC running APP (e.g. phone, SMS, . . . ) and contains not only the shift itself, but also a code to open the commitment to this shift.
5. BGS uncovers the shifts used in the remaining cards chosen by Alice and shows that the values encoded in these cards agree with the shifts and the commitments.
6. APP verifies the proofs and signatures obtained and confirms receiving them.
The cards in a pair are transmitted in a random order, so neither the voter nor the voter’s PC knows which of the two cards is a voting card and which one is an identifier card. Also the cyclic shift used in the voting card remains hidden from the PC of Alice. Moreover, the probability that the shift declared by the BGS differs from the real one is equal to $1/n$ and thus Alice
can make it as small as desired (by getting more cards).
[Figure 1. A voting card. Card $x$ consists of four parts A, B, C, D; part $i$ holds the header ciphertext $e(r_i^x)$, the option ciphertexts $e(o_i^x[\pi(0)]), \ldots, e(o_i^x[\pi(K)])$ and the value ciphertexts $e(v_i^x[0]), \ldots, e(v_i^x[K])$.]
[Figure 2a. An example voting ballot, formed from the chosen row $j$ of the upper card $u$ and the lower card $l$: each part A, B, C, D carries the signed ciphertexts of the headers ($ue(r)$, $ue(s)$, $ue(t)$), of the option ($ue(o[\pi(j)])$ from the voting card, $ue(p)$ from the identifier card) and of the values ($ue(v'_j)$, $ue(\bar v_j)$, $ue(\hat v_j)$).]
[Figure 2b. A different form of a voting ballot: as in Figure 2a, with the voting card and the identifier card in the other order.]
Let us summarize the state of knowledge of the participants at the end of the Ballot Generation Procedure:
• BGS knows which voting card (and identifier card) will be used by a voter. So in the following steps we will change the form of the ciphertexts.
• Alice should be convinced (thanks to steps 4, 5) that the shift used in her voting card corresponds to the obtained one.
• APP knows neither the contents of a voting card nor Alice’s choice.
Part II: Vote casting
The purpose of the following part of the protocol is not only to allow Alice to cast a vote, but also to change the appearance of parts of a voting card to keep Alice’s choice secret from BGS. Participants of this part of the procedure are Alice, the application APP on the PC of Alice, and a registration server RS.
1. Alice makes her choice - she chooses a row $w$ of the cards according to the cyclic shift used and her voting preferences. Namely, if she chooses the $j$th candidate, then the row $w$ has to contain a ciphertext of $o[j]$ in the voting card, that is $\pi(w) = j$.
Let $l$ and $u$ be the cards chosen by the voter ($l$ stands for the lower card, $u$ stands for the upper card). From now on we skip the index $w$ and use the notation $r_{s,x}$ for $r_s^x$, $o_{s,x}$ for $o_s^x[\pi(w)]$, and $v_{s,x}$ for $v_s^x[\pi(w)]$, for $s = A, B, C, D$, $x = u, l$.
2. APP performs the following steps:
(2.1) it creates a ballot by selecting the values from the headers and the chosen row $w$. For $Y = A, B, C, D$ and $x = l, u$ let
$$Y_x = (e(r_{Y,x}), e(o_{Y,x}), e(v_{Y,x})).$$
Then two parts consisting of four blocks are formed:
• $T_u = (A_u, B_u, C_u, D_u)$
• $T_l = (A_l, B_l, C_l, D_l)$
(2.2) A PP modifies the values rY,x and vY,x contained in
Tu and Tl . For this purpose each plaintext of them is
raised to a random power (the operation is performed
on ciphertexts, as described before). For ciphertexts
containing the same values (e.g. rA,x , rB,x ) the same
random powers are used - therefore these values remain
equal. The only exception is for the ciphertexts encoding vY,x for Y = C, D, x = u, l - for them the powers
chosen should be different. The random powers used for
modifying the headers rY,x are stored for the later use.
(2.3) A PP prepares a zero knowledge proof P which
shows that the steps [2.1] and [2.2] have been performed
correctly.
(2.4) A PP sends Tu , Tl (after all modifications performed)
and the proof P to RS.
3. RS performs the following steps:
(3.1) It verifies the proof P.
(3.2) It modifies the values v_{Y,x} for Y = C, D and x = u, l by raising the ciphertexts to random powers. These powers must be different, to ensure that the ciphertexts held so far in v_{C,x} and v_{D,x} become different in a way that is not known to APP.
(3.3) It signs all ciphertexts using the RSA-RE-signature scheme.
(3.4) RS prepares a zero-knowledge proof P' that step (3.2) has been executed according to the protocol.
(3.5) RS sends the modified and signed ballots T_u, T_l together with P' back to APP.
4. APP performs the following steps:
(4.1) APP verifies the proof P' and the signatures.
(4.2) APP re-encrypts all ciphertexts (together with the signatures).
(4.3) APP performs a random permutation of the list A_u, B_u, A_l, B_l; the same steps are executed for C_u, D_u, C_l, D_l.
(4.4) APP prepares zero-knowledge proofs P_AB, P_CD showing that operations (4.2) and (4.3) have been performed according to the protocol.
(4.5) APP contacts RS and obtains a challenge c.
(4.6) The voter signs the challenge, obtaining sig_v(c); a deterministic signature scheme is used.
(4.7) APP derives (in a deterministic way) an encryption key K := R(sig_v(c)) from a pseudorandom generator R.
(4.8) Together with the voter, APP prepares the following packets:
(a) (A_u, A_l, B_u, B_l, P_AB)_sig(Alice)
(b) (Enc_K((C_u, C_l, D_u, D_l, P_CD)_sig(Alice)))_sig(Alice)
where Z_sig(Alice) denotes Z together with Alice's signature on Z, and Enc_K denotes symmetric encryption with the key K. We say that the second packet contains a revocation code. APP sends both packets to RS.
(4.9) RS checks the signatures and the correctness of the first packet according to P_AB. The first packet is stored in the set of votes cast, the second (encrypted) packet is stored in a repository of revocation codes. RS also provides a receipt for the voter, which is a signature of RS on both packets.
A. Properties of ballots
Before we discuss how the votes are revoked and counted, let us discuss basic properties of the procedure of creating the ballots:
• A ballot prepared by Alice and APP together with RS consists of two sets of ciphertexts, each originating from a different card. Neither Alice nor RS can separate the ciphertexts corresponding to the voting card. This prevents removal of Alice's vote. (The remaining ciphertexts can be used to check correctness of vote counting and to detect a malicious authority if some ciphertexts are missing.)
• Each half of the ballot contains two parts: the one composed from parts A and B is used for voting or for detecting manipulations, while parts C and D are used for composing a revocation code (again, one part is responsible for the revocation itself, while the other part guards against manipulations).
• The revocation code is encapsulated in a ciphertext that cannot be opened by RS until Alice provides the key by signing the challenge. Alice need not use the PC on which the application APP was running: the challenge can be presented to Alice by RS on her demand.
• The revocation code cannot be distinguished from the codes constructed from parts A and B until it is fully decrypted.
• The values v_{x,i} contained in the votes are not known to anybody until the final decryption.
• The parts A and B (C and D, respectively) of a ballot composed from the same card contain the same header. So, if during the counting procedure no part is removed, then in the final result each header occurs exactly twice.
• The header of parts A and B of an identifier card is known to the voter. Originally it is known to BGS; then Alice gets informed about the header and raises it to a random power. The remaining headers (including the header of parts C and D of the voting card, which is used for revocation) are not known to anybody: the initial values set by BGS are modified at random.
B. Vote revocation
A voter can cancel his previous vote by signing the challenge which was used during the previous vote casting. The procedure of voting for the second (third, ...) time contains an additional step: a fair exchange between a commission and the voter. The voter sends a signature on the challenge used during the previous vote generation to the commission. The commission uses it to decrypt the revocation vote, posts it on Bulletin Board number 0 and increments the number of cancelled votes.
C. Tallying process
After closing the polling stations the RS servers are closed as well. For the process considered below each of the parts A, B, C, D is called a block. Note that each block consists of three signed ciphertexts. During the procedure described below, each block is processed as a unit.
First, each RS mixes all its blocks and sends them to the Bulletin Board with index 0. Now the mixing procedure is executed by an array of mix servers run by independent tallying authorities. For 1 ≤ i ≤ λ, the ith tallying authority runs a server that executes the following steps:
• it reads the blocks from Bulletin Board i − 1 and checks the signatures,
• it partially decodes the ciphertexts in each block with its private key,
• it re-encrypts each ciphertext,
• it mixes the blocks at random and sends them to Bulletin Board i.
The last tallying authority obtains, after decryption, the plaintexts of the ciphertexts included in the blocks. It presents them on Bulletin Board λ together with a zero-knowledge proof of correct decoding. Now, on the λth Bulletin Board one can find the election results. Namely, it contains triples of the forms
(r, o[i], v) and (s, p, v').
For the sake of convenience, we sort them lexicographically.
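The ciphertext operations used in steps (2.2) and (3.2) above, together with the chain of tallying authorities described in this section, as an added Python example that is not part of the paper: a toy ElGamal over the quadratic residues modulo a small safe prime (constructed parameters, far too small for real use) with re-encryption, raising the plaintext to a power by exponentiating the ciphertext, and a chain of authorities that each partially decrypt, re-encrypt under the key of the remaining authorities, and shuffle. The additive sharing of the joint private key, the parameter values and the function names are assumptions of the example; the paper's zero-knowledge proofs of correct shuffling and decoding are not modelled.

```python
"""Toy ElGamal (constructed parameters, not for real use) showing the
ciphertext operations the protocol relies on: re-encryption, raising the
plaintext to a power via the ciphertext, and a partial-decryption chain."""
import random
import secrets

P = 1019   # safe prime, P = 2*Q + 1 (assumption: toy size)
Q = 509    # prime order of the subgroup of quadratic residues mod P
G = 4      # generator of that subgroup (4 = 2^2 is a quadratic residue)


def rand_exp():
    """Uniform non-zero exponent modulo Q."""
    return 1 + secrets.randbelow(Q - 1)


def keygen():
    x = rand_exp()
    return x, pow(G, x, P)          # (private, public)


def encrypt(pk, m):
    """ElGamal encryption of a group element m under public key pk."""
    r = rand_exp()
    return (pow(G, r, P), m * pow(pk, r, P) % P)


def decrypt(sk, c):
    a, b = c
    return b * pow(a, (-sk) % Q, P) % P     # b / a^sk; a has order Q


def reencrypt(pk, c):
    """Fresh randomness, same plaintext."""
    a, b = c
    r = rand_exp()
    return (a * pow(G, r, P) % P, b * pow(pk, r, P) % P)


def raise_plaintext(c, t):
    """(g^r, m*y^r)^t = (g^(rt), m^t*y^(rt)): an encryption of m^t."""
    a, b = c
    return (pow(a, t, P), pow(b, t, P))


def partial_decrypt(sk_i, c):
    """Strip one authority's share x_i of the joint key y = g^(x_1+...+x_n)."""
    a, b = c
    return (a, b * pow(a, (-sk_i) % Q, P) % P)


def reencryption_preserves_plaintext():
    sk, pk = keygen()
    m = pow(G, 5, P)
    return decrypt(sk, reencrypt(pk, encrypt(pk, m))) == m


def headers_stay_equal():
    """Step (2.2): two ciphertexts of the same header, raised to the same
    power t, still decrypt to equal values (namely header^t)."""
    sk, pk = keygen()
    header = pow(G, 77, P)                                # constructed header value
    c_a, c_b = encrypt(pk, header), encrypt(pk, header)   # as in parts A and B
    t = rand_exp()
    m_a = decrypt(sk, raise_plaintext(c_a, t))
    m_b = decrypt(sk, raise_plaintext(c_b, t))
    return m_a == m_b == pow(header, t, P)


def revocation_values_diverge():
    """Step (3.2): the same value v in parts C and D raised to two different
    powers decrypts to two different values, so the parts cannot be matched."""
    sk, pk = keygen()
    v = pow(G, 123, P)
    c_c, c_d = encrypt(pk, v), encrypt(pk, v)
    t1 = rand_exp()
    t2 = rand_exp()
    while t2 == t1:
        t2 = rand_exp()
    return decrypt(sk, raise_plaintext(c_c, t1)) != decrypt(sk, raise_plaintext(c_d, t2))


def tally_chain(shares, blocks):
    """Authorities 1..n in turn: partially decrypt, re-encrypt under the key
    of the remaining authorities, shuffle. The last one outputs plaintexts."""
    pubs = [pow(G, x, P) for x in shares]
    for i, x in enumerate(shares):
        blocks = [partial_decrypt(x, c) for c in blocks]
        if i + 1 < len(shares):
            remaining = 1
            for y in pubs[i + 1:]:
                remaining = remaining * y % P
            blocks = [reencrypt(remaining, c) for c in blocks]
        random.SystemRandom().shuffle(blocks)
    return [b for (_, b) in blocks]


def tally_chain_recovers(messages, n_authorities=3):
    """Encrypt under the joint key; the chain must output the same multiset."""
    shares = [rand_exp() for _ in range(n_authorities)]
    joint = pow(G, sum(shares), P)
    blocks = [encrypt(joint, m) for m in messages]
    return sorted(tally_chain(shares, blocks)) == sorted(messages)
```

Each authority only ever sees ciphertexts under the key of the authorities after it, which is why a single honest authority in the chain is enough to hide the correspondence between the blocks on Bulletin Board 0 and the plaintexts on Bulletin Board λ.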
D. Vote Counting and Checking Correctness
First we check that for each r there are either two triples of the form (r, −, −) or no such triple at all. If this is not the case, then somebody is cheating and an investigation starts. The algorithm used can be borrowed from the scheme of [18].
Now assume that the following triples appear on the bulletin board:
(r, e, v), (r, e', v')
Mirosław Kutyłowski, Filip Zagórski: COERCION-FREE INTERNET VOTING WITH RECEIPTS
Comparison of voting schemes (the diagram referred to in Section VI):

Elections | trusted parties | verification process
traditional | members of each polling station committee | summing up partial results
electronic [18] | voting machine, at least one tallying authority | verifiable receipts
mail-in | whole post system, central counting commission | none
Internet (Estonia) | application, operator, central counting commission | none
our scheme | at least one tallying authority | verifiable receipts

The remaining columns of the table (who can cast additional votes; who can remove/invalidate votes; level of anonymity (anonymity set); vote selling) contain the entries: local commissions; local commissions; nobody; nobody; central commission; central commission; local commissions; central commission; postman, ...; nobody; local commission; local commission; full; ?; full; possible; impossible; very easy; impossible; impossible.
If e ≠ e', then something went wrong (the same random header occurred for two different votes). So assume that e = e'. Now the following cases are possible:
• e = o[i], that is, e is one of the voting options; then:
– if v = v', then it is a vote for o[i],
– if v ≠ v', then it is a revocation of a vote for o[i].
• e = p; then:
– if v = v', then r is a vote identifier (which can be controlled by some voter),
– if v ≠ v', then r is an anti-vote identifier (it can be controlled by a voter together with RS, if RS reveals the exponent used to modify the header).
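The check and the case analysis of Section D, run over a constructed bulletin board, as an added Python example that is not the paper's code: each header must occur exactly twice or not at all; a pair with equal labels is then classified as a vote, a revocation, a vote identifier or an anti-vote identifier, and the net result per option is votes minus revocations. The board contents, the option names and the treatment of anomalies (they are reported rather than resolved, since the paper defers the investigation to the procedure of [18]) are assumptions of the example.

```python
"""Vote counting and consistency check over the decrypted triples (r, e, v)
published on Bulletin Board λ (constructed sample data)."""
from collections import Counter, defaultdict

OPTIONS = ("o[0]", "o[1]", "o[2]")   # admissible voting options (constructed)
DUMMY = "p"                          # label carried by identifier cards


def check_and_count(triples, options=OPTIONS):
    """Returns (tally, identifiers, anomalies): net votes per option, the
    counts of vote / anti-vote identifiers, and the headers whose pair failed
    a consistency check (each is a sign of cheating that needs investigation)."""
    by_header = defaultdict(list)
    for r, e, v in sorted(triples):          # lexicographic order, as in the paper
        by_header[r].append((e, v))

    tally = Counter({o: 0 for o in options})
    identifiers = Counter()
    anomalies = []
    for r, rows in by_header.items():
        if len(rows) != 2:                   # a header must occur exactly twice
            anomalies.append((r, f"header occurs {len(rows)} times"))
            continue
        (e1, v1), (e2, v2) = rows
        if e1 != e2:                         # same random header on two votes
            anomalies.append((r, f"labels differ: {e1} vs {e2}"))
            continue
        if e1 in options:
            tally[e1] += 1 if v1 == v2 else -1     # vote, or revocation of a vote
        elif e1 == DUMMY:
            identifiers["vote" if v1 == v2 else "anti-vote"] += 1
        else:
            anomalies.append((r, f"label {e1} is not admissible"))
    return tally, identifiers, anomalies


# Constructed sample board: headers and values are arbitrary stand-ins for the
# group elements the real protocol would produce.
SAMPLE_BOARD = [
    ("r1", "o[0]", "v7"), ("r1", "o[0]", "v7"),      # vote for o[0]
    ("r2", "o[1]", "v3"), ("r2", "o[1]", "v3"),      # vote for o[1]
    ("r3", "o[1]", "v5"), ("r3", "o[1]", "v9"),      # revocation of a vote for o[1]
    ("s1", "p", "v2"), ("s1", "p", "v2"),            # vote identifier
    ("s2", "p", "v4"), ("s2", "p", "v6"),            # anti-vote identifier
    ("r4", "o[2]", "v1"),                            # header occurs once: cheating
    ("r5", "o[0]", "v8"), ("r5", "o[2]", "v8"),      # labels differ: cheating
]

if __name__ == "__main__":
    tally, identifiers, anomalies = check_and_count(SAMPLE_BOARD)
    print(dict(tally), dict(identifiers), anomalies)
```

On the sample board o[0] ends with one net vote and o[1] with none (one vote, one revocation), and the two malformed headers r4 and r5 are reported instead of being counted.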
V. IMPLEMENTATION ISSUES
Here we point out some implementation issues which can endanger voters' anonymity. If the options (labels) are allowed to be sequences of, for example, 20 bits, then encrypting them with the ElGamal encryption scheme with a key of length 1024 leaves room for BGS to include in the ciphertext the information needed to break the voter's anonymity (by an appropriate choice of the padding). So it is necessary to add further conditions to the verification of correctness of the voting cards and identifier cards. For the admissible voting options o[0], o[1], ..., o[K] and the “dummy” option p used on identifier cards, BGS should present non-interactive zero-knowledge proofs that every option (on a voting card or an identifier card) belongs to the set {o[0], ..., o[K]} and that the options are pairwise different, or that they are all equal to p. Such proofs can be constructed efficiently, as shown in [11], thanks to the notion of Σ-proofs proposed in [5]. Moreover, by applying the Fiat-Shamir heuristic [6], any Σ-proof can be made non-interactive.
Let us remark that in some countries, like the United Kingdom, it is required by law that a voting scheme should make it possible to reveal a voter's choice. In countries with such a requirement, an appropriate padding in the ciphertexts of o[i] can be used.
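The verification condition from this section, that an option ciphertext on a card encrypts one of the admissible o[0], ..., o[K] without revealing which, as an added Python example that is not part of the paper: a non-interactive OR-proof of plaintext membership for ElGamal, built from Chaum-Pedersen equality proofs in the standard OR-composition of Σ-proofs and made non-interactive with the Fiat-Shamir heuristic [6]. The toy group, the transcript hashing and the encoding of the options are assumptions of the example; the pairwise-difference condition the section also asks for is not covered.

```python
"""Non-interactive proof that an ElGamal ciphertext encrypts one element of a
public option list (OR-composition of Chaum-Pedersen proofs with Fiat-Shamir).
Toy group, constructed for illustration, not for real use."""
import hashlib
import secrets

P, Q, G = 1019, 509, 4    # safe prime P = 2Q+1 and a generator of the order-Q subgroup


def rand_exp():
    return 1 + secrets.randbelow(Q - 1)


def inv(x):
    return pow(x, P - 2, P)


def encrypt(pk, m, r):
    return (pow(G, r, P), m * pow(pk, r, P) % P)


def challenge(pk, cipher, options, t1s, t2s):
    """Fiat-Shamir: hash the whole transcript down to an exponent modulo Q."""
    data = " ".join(map(str, [pk, *cipher, *options, *t1s, *t2s])).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_membership(pk, cipher, r, options, j):
    """Prover knows r with cipher = encrypt(pk, options[j], r). Every branch
    i != j is simulated with a free challenge; the real branch sits at j."""
    a, b = cipher
    n = len(options)
    cs, ss, t1s, t2s = [0] * n, [0] * n, [0] * n, [0] * n
    w = rand_exp()
    for i, m in enumerate(options):
        if i == j:
            t1s[i], t2s[i] = pow(G, w, P), pow(pk, w, P)
        else:
            cs[i], ss[i] = rand_exp(), rand_exp()
            bm = b * inv(m) % P                       # equals pk^r only if m is the plaintext
            t1s[i] = pow(G, ss[i], P) * pow(inv(a), cs[i], P) % P
            t2s[i] = pow(pk, ss[i], P) * pow(inv(bm), cs[i], P) % P
    c = challenge(pk, cipher, options, t1s, t2s)
    cs[j] = (c - sum(cs)) % Q                         # real challenge is forced by the hash
    ss[j] = (w + cs[j] * r) % Q
    return t1s, t2s, cs, ss


def verify_membership(pk, cipher, options, proof):
    """Accept iff the challenges add up to the hash and every branch verifies."""
    a, b = cipher
    t1s, t2s, cs, ss = proof
    if sum(cs) % Q != challenge(pk, cipher, options, t1s, t2s):
        return False
    for m, t1, t2, c, s in zip(options, t1s, t2s, cs, ss):
        bm = b * inv(m) % P
        if pow(G, s, P) != t1 * pow(a, c, P) % P:
            return False
        if pow(pk, s, P) != t2 * pow(bm, c, P) % P:
            return False
    return True


OPTIONS = [pow(G, 10 + i, P) for i in range(4)]   # constructed encodings of o[0..3]


def card_entry_is_valid(option_index):
    """BGS encrypts one admissible option and proves it; a checker verifies."""
    sk = rand_exp()
    pk = pow(G, sk, P)
    r = rand_exp()
    cipher = encrypt(pk, OPTIONS[option_index], r)
    proof = prove_membership(pk, cipher, r, OPTIONS, option_index)
    return verify_membership(pk, cipher, OPTIONS, proof)


def tampered_entry_is_rejected(option_index=1):
    """A ciphertext altered after the proof was made no longer verifies."""
    sk = rand_exp()
    pk = pow(G, sk, P)
    r = rand_exp()
    cipher = encrypt(pk, OPTIONS[option_index], r)
    proof = prove_membership(pk, cipher, r, OPTIONS, option_index)
    a, b = cipher
    return not verify_membership(pk, (a, b * G % P), OPTIONS, proof)
```

The verifier never learns the index j: every branch, real or simulated, satisfies the same two equations, and only the sum of the challenges is tied to the transcript.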
VI. CONCLUSIONS
We have presented an Internet voting scheme which is coercion-free without the assumption of certified software on a secure machine used in the voting process. The diagram on the top of the page contains a short comparison between the existing voting schemes and ours.
REFERENCES
[1] Agresti, A., Presnell, B.: Misvotes, Undervotes and Overvotes: The 2000 Presidential Election in Florida. Statist. Sci. 17(4) (2002) 436-440.
[2] Chaum, D.: Secret-Ballot Receipts and Transparent Integrity. Better and less-costly Electronic Voting and Polling Places. IEEE S&P '04.
[3] Chaum, D.: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2), 84-88, 1981.
[4] Chaum, D., Ryan, P. Y. A., Schneider, S.: A Practical Voter-Verifiable Election Scheme. ESORICS 2005, LNCS 3679, 118-139.
[5] Cramer, R.: Modular Design of Secure yet Practical Cryptographic Protocols. PhD Dissertation, CWI and University of Amsterdam, 1996.
[6] Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. Advances in Cryptology - CRYPTO '86, LNCS 263, 186-194.
[7] Furukawa, J., Sako, K.: An Efficient Scheme for Proving a Shuffle. Advances in Cryptology - CRYPTO 2001, LNCS 2139, 368-387.
[8] Gomułkiewicz, M., Klonowski, M., Kutyłowski, M.: Rapid Mixing and Security of Chaum's Visual Electronic Voting. ESORICS 2004, LNCS 2808, 132-145.
[9] Golle, P.: Reputable Mix Networks. Privacy Enhancing Technologies (PET) 2004, LNCS 3424, 51-62.
[10] Golle, P., Jakobsson, M., Juels, A., Syverson, P.: Universal Re-encryption for Mixnets. CT-RSA 2004, 163-178.
[11] Hirt, M.: Receipt-Free K-out-of-L Voting based on ElGamal Encryption. Workshop on Frontiers in Electronic Elections 2005.
[12] Hirt, M., Sako, K.: Receipt-Free Electronic Auction Schemes Using Homomorphic Encryption. Information Security and Cryptology - ICISC 2003.
[13] Jakobsson, M.: A Practical Mix. Advances in Cryptology - EUROCRYPT '98, LNCS 1403, 448-461.
[14] Jakobsson, M.: Flash Mixing. ACM Symposium on Principles of Distributed Computing 1999, 83-89.
[15] Jakobsson, M., Juels, A., Rivest, R.L.: Making Mix Nets Robust for Electronic Voting by Randomized Partial Checking. USENIX Security Symposium 2002, 339-353.
[16] Karlof, C., Sastry, N., Wagner, D.: Cryptographic Voting Protocols: a Systems Perspective. USENIX Security Symposium 2005, 33-50.
[17] Klonowski, M., Kutyłowski, M., Lauks, A., Zagórski, F.: Universal Re-encryption of Signatures and Controlling Anonymous Information Flow. Wartacrypt 2004.
[18] Klonowski, M., Kutyłowski, M., Lauks, A., Zagórski, F.: A Practical Voting Scheme with Receipts. International Security Conference (ISC) 2005, LNCS 3650, 380-393.
[19] Lee, B., Kim, K.: Receipt-Free Electronic Voting Scheme with a Tamper-Resistant Randomizer. Information Security and Cryptology - ICISC 2002, LNCS 2587, 389-406.
[20] Mitomo, M., Kurosawa, K.: Attack for Flash MIX. Advances in Cryptology - ASIACRYPT 2000, LNCS 1976, 192-204.
[21] McGaley, M.: Report on DIMACS Workshop on Electronic Voting - Theory and Practice, http://dimacs.rutgers.edu/SpecialYears/2003_CSIP/reports.html
[22] Neff, C.A.: A Verifiable Secret Shuffle and its Application to E-Voting. ACM Conference on Computer and Communications Security 2001, 116-125.
[23] Rivest, R.L.: voting resources page, http://theory.lcs.mit.edu/~rivest/voting/
[24] Smith, W. D.: Cryptography Meets Voting. http://www.math.temple.edu/~wds/homepage/cryptovot.pdf
[25] Schnorr, C.P.: Efficient Signature Generation by Smart Cards. Journal of Cryptology 4, 161-174, 1991.
Keynote Presentation 1
E-voting in the United States: A
Cautionary Tale.
Andrew Gumbel
Abstract
The United States offers an object lesson in how not to go about the adoption of electronic
voting. The system operates without congressional oversight, without transparency and
with only a minimal, and flawed, technical verification process. Demand for e-voting machines has surged since the presidential election meltdown in Florida in 2000 – which
was erroneously blamed on faulty and outdated machinery rather than a singularly dirty
political environment – and hundreds of millions of dollars have been spent on touchscreen devices, developed by private companies of no great prestige or reputation, that
are not only vulnerable to hacking and other forms of foul play but turn out to be poorly
programmed and, in some cases, incapable of handling even basic addition problems.
This presentation will not dwell on the technical aspects of electronic voting so much as
it will place the current battle for America’s electoral integrity against a backdrop of a
singularly vicious history of electoral conflict, in which machines and associated voting
procedures have been developed for the convenience of county officials and their political
backers, not for the voters.
Biography
Andrew Gumbel is the US correspondent with The Independent and author of Steal This
Vote: Dirty Elections and the Rotten History of Democracy in America (Nation Books,
2005).
Andrew Gumbel has been a professional journalist for the past 18 years, working mostly
as a foreign correspondent for Reuters (1987-93), the Guardian (1993-94) and the Independent (1995-present). He was in Berlin when the Wall came down, in Kuwait right
after the first Gulf War, and in the Balkans both during and after the wars of Yugoslav
secession. Since 1998 he has been a U.S. correspondent for the Independent, based in Los
Angeles, where he has also contributed to the Los Angeles Times, The Nation, Mother
Jones and other publications. His work investigating Timothy McVeigh's possible co-conspirators in the Oklahoma City bombing broke the record for hits on an individual
story on the Independent's website. His work on the perils of computer voting machines
won a Project Censored award, and was widely circulated among voting rights activists.
Gumbel was born and educated in Britain, and received a first class honors degree in
modern languages (French and Italian) from Oxford University.
Paper Session 2
Requirements and Acceptability
What proof do we prefer?
Variants of verifiability in voting ∗
Wolter Pieters
Institute for Computing and Information Sciences
Radboud University Nijmegen
PO Box 9010, 6500 GL Nijmegen, The Netherlands
wolterp@cs.ru.nl
Abstract
In this paper, we discuss one particular feature of Internet voting, verifiability, against the background of scientific literature and experiments in the Netherlands. In order
to conceptually clarify what verifiability is about, we distinguish classical verifiability from constructive verifiability in
both individual and universal verification. In classical individual verifiability, a proof that a vote has been counted can
be given without revealing the vote. In constructive individual verifiability, a proof is only accepted if the witness (i.e.
the vote) can be reconstructed. Analogous concepts are defined for universal verifiability of the tally. The RIES system used in the Netherlands establishes constructive individual verifiability and constructive universal verifiability,
whereas many advanced cryptographic systems described
in the scientific literature establish classical individual verifiability and classical universal verifiability.
If systems with a particular kind of verifiability continue
to be used successfully in practice, this may influence the
way in which people are involved in elections, and their image of democracy. Thus, the choice for a particular kind
of verifiability in an experiment may have political consequences. We recommend making a well-informed democratic choice for the way in which both individual and universal verifiability should be realised in Internet voting, in
order to avoid these unconscious political side-effects of the
technology used. The safest choice in this respect, which
maintains most properties of current elections, is classical individual verifiability combined with constructive universal verifiability. We would like to encourage discussion
about the feasibility of this direction in scientific research.
∗ This work is supported by a Pionier grant from NWO, the Netherlands Organisation for Scientific Research. The author wishes to thank (in alphabetical order) Bart Jacobs, Erik Poll and Martijn Warnier for useful comments on drafts of this paper.
1. Introduction
In the Netherlands, several experiments with online voting have been conducted during the last couple of years. In
the European Elections 2004, Dutch citizens staying abroad
were allowed to vote online. The system used, called KOA
(Kiezen Op Afstand), was designed by Logica CMG for the
Dutch Ministry of Domestic Affairs [22]. Meanwhile, a second system was being developed by the “waterschap” (public water management authority) of Rijnland, in cooperation
with the company Mullpon. This system was labelled RIES
(Rijnland Internet Election System), and has been used in
the elections of the “waterschappen” Rijnland and Dommel
in fall 2004 [12].
There are several interesting features offered by the systems experimented with in the Netherlands. For example,
the KOA system uses personalised (randomised) ballots,
in order to prevent attacks by e.g. viruses residing on the
voter’s computer. Moreover, the counting software, written
at the Radboud University Nijmegen, was specified and verified using formal methods. Unfortunately, the KOA system does not offer verifiability to the voters, and is therefore likely never to transcend the level of small-scale subelections that will not have a profound influence on the overall result.
The RIES system does offer verifiability, and people
seem to appreciate this.1 However, the kind of verifiability
that is offered by RIES seems to be quite different from the
verifiability that is offered in more advanced cryptographic
systems in the literature. In some sense, RIES seems to be
too verifiable to provide resistance against coercion or vote
buying.
1 Much depends on the interface though. Before RIES was actually used in an election, a trial session revealed that a too difficult verification procedure decreases trust in the system among voters. The user-friendliness of the verification procedure was improved after the trial.
In this paper, we investigate the concept of verifiability
vis-a-vis the scientific literature and the concrete developments in the Netherlands. We propose a distinction between
various concepts of verifiability, and argue that the choice
between these concepts should be the outcome of a political
discussion, rather than the unconscious influence of technosocial developments.
2. Voter-Verifiable Elections
Verifiability of electronic voting systems has received a great deal of attention in the computer science literature. In the context of electronic voting machines (DREs), much discussion has taken place around the possible introduction of a voter-verified audit trail (VVAT).2 Typically, this includes a paper copy of each vote being kept as a backup trail for recovery or recount. This should increase trust in the proper operation of the black-box DRE machines. Also, cryptographic receipts have been proposed, e.g. in [6].
However, there is considerable political pressure to make
the transition to Internet voting, so the question is whether
it is profitable to develop or purchase a new generation of
voting machines at all. A better direction, in our view, is investigating how verifiability can be increased in the case
of remote electronic voting. Here, it is typically impossible to maintain a paper trail without re-introducing traditional means of communication, such as regular mail. Even
then, it is hard to make sure that the electronic trail and the
paper trail match, even in case all electronic equipment operates properly.3
Traditionally, two types of verifiability have been distinguished in research on electronic elections. When a system
establishes individual verifiability, every voter can check if
her vote has been properly counted. In universal verifiability, anyone can check that the calculated result is correct
[18, 21]. Typically, a bulletin board or some other electronic
means is used to publish a document that represents the received votes. Voters can look up their own vote there, and
people interested in the results can do correctness checks on
the tally.
However, these types of verifiability have been implemented in very different ways. We think that at least one
more conceptual distinction is necessary to categorise the
different systems appropriately. We will introduce this distinction via an analysis of the relation between verifiability
and receipt-freeness.
2 See e.g. [25]. The notion was introduced by Rebecca Mercuri.
3 Voters may intentionally send different votes to the different trails, in order to spoil the elections. See e.g. [31].
3. Verifiability and Receipt-Freeness
One of the basic requirements of election systems is the
resistance against coercion and vote buying. Therefore, people should not be able to prove how they voted, even if they
want to. This makes it impossible for someone who forces
them to vote in a certain way, or someone who buys their
vote, to check if they actually complied. This requirement
is hard, if not impossible, to realise in an environment without public control, as opposed to the classical polling booth.
People can watch over your shoulder if you are not guaranteed a private environment for voting, and thereby obtain
proof of your vote [26].4 Some scientists hold the view that
this and other security problems make it advisable not to implement Internet voting at all [14].
There is empirical evidence, however, that vote buying
may “survive the secret ballot”, despite isolating the voter
in a polling booth [5]. This means that buying does happen,
even if individual votes are secret. Brusco et al. [5] mention three possible explanations for the fact that voters comply with the buyer's wishes in spite of the secret ballot. These include the expectation of future benefits if enough people in a district vote for the desired party, feelings of moral obligation of the voters, and the preference of immediate benefits over vague political promises. Similar effects may exist for coercion.
Thus, the fact that people vote in a non-controlled environment does not need to be a fundamental problem compared to the current situation. If the risks of vote buying and
coercion increase at all, the risks are the same as those involved in postal ballots. Organisational and legal measures
may be put in place to minimise the risks.
If we accept this argument, there is still a second problem involved. While it is one thing that people physically present at the act of voting can influence the voter, the possibility of proving remotely that you voted for a certain party is worse. This means that people could provide proof to a coercer or get money for their votes after they voted themselves. This is more convenient for an attacker than buying or stealing access codes and casting all votes herself. There is a trade-off between verifiability and resistance against coercion here. If every voter can check if her vote has been counted correctly, i.e. if the vote in the results corresponding to her own vote maps to the right party or candidate, then she can also show this check to a coercer or buyer as a proof.
Thus, we generally do not want a voter to be able to show
a proof of her vote after the election is over. In the literature, this restricted property is often called receipt-freeness [4, 11].5
4 Some systems introduce “practice ballots” or similar measures to prevent such attacks. However, these measures severely limit verifiability, because the tallier still needs to be able to distinguish real ballots from practice ballots, whereas the attacker should not be able to detect this via the means of verification offered to the voter. See e.g. http://zoo.cs.yale.edu/classes/cs490/03-04b/adam.wolf/Paper.pdf, consulted December 9, 2005.
Some systems, among them the RIES system, do indeed allow a voter to check after the elections for which party or candidate her vote has been counted [2, 3, 12, 21, 34]. These systems are therefore not receipt-free in the technical sense. Although the fact that people can see what they voted for after the elections may increase trust in the system, the lack of resistance against coercion and vote buying makes these systems debatable candidates in elections for which we cannot be sure that the chances of buying and coercion are low.
In many systems [6, 15, 18], this is remedied by allowing a voter to check that her vote has been counted, but not
how. The idea is that it is impossible, or at least computationally infeasible, for an attacker to make the system count
a different vote for this voter in case the check turns out to
be OK. Receipt-freeness can thus be provided by limiting
the information that a voter can retrieve about her vote after the election, while still assuring cryptographically that
this is indeed a proof that the vote has been counted for the
party or candidate that was chosen during the election.
Thus, the relation between individual verifiability and
receipt-freeness gives rise to a distinction between two different types of individual verifiability. In the following section, we discuss the different options for verifiability in remote electronic elections based on this observation.
4. Variants of Verifiability
Following the analysis of the relation between individual verifiability and receipt-freeness, we observed a distinction between two kinds of individual verifiability. We will
label these two types based on an analogy with the distinction between classical logic and constructive logic. In classical logic, one can prove an existential formula without actually showing an instance in the domain that satisfies this
formula.6 In constructive logic, one has to produce a witness in order to prove the existential formula. We argue that
there is a similarity with verifiability in electronic voting
here.7
When a voter can only verify that her vote has been counted, this amounts to showing that a certain vote exists in the results that can be attributed to this voter. However, the actual witness (i.e. the choice this voter made) cannot be recovered from the verification procedure. Here, the voter will believe that her vote was recorded correctly if the election authority can show something that proves the existence of a vote by this voter in the results, without re-examining the original vote.8 Proving the existence of something without showing a witness can be done in classical logic. We will label this type of verifiability classical individual verifiability.
5 If a system is resistant against coercion even if the coercer can interact with the voter during voting, the term coercion-resistance is sometimes used instead of receipt-freeness [16]. In order to avoid confusion, we consequently use the term receipt-freeness here.
6 Equivalently, one shows that the negation of the formula does not hold for all instances.
7 The analogy does not hold for computational issues around finding a witness. Still, we think that it is useful for understanding what the difference is between the two types of verifiability.
On the other hand, some systems allow a voter to check
afterwards for which candidate her vote has been counted.
This means that the actual instance of a vote is shown as
a proof to the voter. Here, the voter does not believe the
election authority unless she can reproduce the original vote
from the results. This corresponds to the proof of an existential formula in constructive logic. Therefore, we will label this type of verifiability constructive individual verifiability.
Definition 1 Classical individual verifiability is the property of an election system that a voter can verify that her
vote has been counted correctly based on a document representing the received votes, without being able to reconstruct her choice from that document.9
Definition 2 Constructive individual verifiability is the
property of an election system that a voter can verify that her vote has been counted correctly by reconstructing her choice from a document representing the received
votes.
The first type of individual verifiability has become fairly
standard in computer science discussions on voting systems. However, the second type has been used in practice as
well, and we think these developments deserve some consideration from both a scientific and a political perspective.
For universal verifiability we can make a similar distinction. We take universal verifiability, to prevent confusion,
to mean that any observer can verify that the final tally is
correct, given a document representing the received votes.
Thus, universal verifiability does not necessarily mean that
anyone can check that all cast votes have been included in
this document.
Definition 3 Classical universal verifiability is the property of an election system that it can be shown that the tally
is correct given a document representing the received votes,
without all the data necessary to perform the calculation
being publicly accessible.
Definition 4 Constructive universal verifiability is the property of an election system that all data necessary for calculating the result from a document representing the received votes are publicly accessible, and that a verifier can compute the tally from this set independently of the election authorities.
8 Equivalently, one shows that it is not the case that one's vote has not been counted.
9 All types of proof discussed in this section may be relative to cryptographic assumptions.
Systems in which votes are encrypted with public keys
of talliers or mix servers typically establish classical universal verifiability, e.g. via zero-knowledge proofs by these
servers that show that they did their job correctly, or via homomorphic encryption schemes [6, 18, 24]. This proves that
there is a set of votes corresponding to the published document and to the tally, but the calculation of the tally from
the document is not public. Constructive universal verifiability is not possible in this case, unless the private keys are
made public after the elections. However, this typically violates secrecy requirements; especially in the case of mix
servers, the encryption is intended to maintain secrecy of
the individual votes.
In the REVS system [15], the private key of the election
authorities is published, but this also sacrifices the receipt-freeness of the system. In the system proposed by Kim and
Oh [18], it seems to be possible to publish keys after the
election as well. However, this system is only receipt-free if
the voter keeps her private key secret, which she will typically not do if she wants to sell her vote. The designated
verifier proof used in this system, which could seem a good
way to achieve constructive individual verifiability without
sacrificing receipt-freeness, only works if the voter has a
strong motive to keep her private key to herself, even in case
she can get money for it.
Systems which only use public functions to calculate the
result from the set of received votes typically do establish
constructive universal verifiability [12, 21, 34]. However,
these systems need special measures to prevent the votes
from being linked to individual voters. Because the received
votes are used in public calculations of results, without any
intermediate trusted computations that scramble them, the
link between voter and vote should be destroyed in a non-trusted environment beforehand. In the UK, the situation is
even more complicated due to the requirement that this link
can be recovered in special cases [34].
Moreover, all the systems we included in our research
that offered constructive universal verifiability also offered
constructive individual verifiability, and are therefore not
receipt-free. For example, the RIES system used in the
Netherlands [12] establishes both constructive individual
verifiability and constructive universal verifiability. Hash
functions are used to publish the links between all possible
votes and the corresponding candidates before the elections.
The original votes are only derivable from a secret handed
to the voter. The confidentiality of these secrets is achieved
via organisational security measures, in the same way that
identification codes for bank cards are handed out. After the
elections a table of received votes is published. By computing hashes, individual voters can check for which party or
candidate their vote has been registered, and any observer
can calculate the result from the list of received votes.
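A simplified model of the RIES mechanism just described, added here as an example that is not code from the RIES project or from this paper: a reference table of hashed possible votes is published before the election, a vote is a MAC under the voter's secret, and after the election anyone can tally the published received votes while each voter can recompute which candidate her vote was registered for. The HMAC construction, the candidate names, the voter secrets and the one-vote-per-pseudonym rule are constructed assumptions for the illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed candidate list for the illustration.
CANDIDATES = ["Thales", "Zeno", "Democritus"]


def vote_code(voter_secret: bytes, candidate: str) -> bytes:
    """The vote a voter submits: a MAC over the candidate name under the
    secret handed to her. Only a holder of the secret can derive it."""
    return hmac.new(voter_secret, candidate.encode(), hashlib.sha256).digest()


def pseudonym(voter_secret: bytes) -> str:
    """Anonymous voter identifier derived from the secret (assumption), used
    only to recognise two votes coming from the same secret."""
    return hashlib.sha256(b"voter-id|" + voter_secret).hexdigest()


def reference_table(voter_secrets) -> dict:
    """Published BEFORE the election: for every possible vote, the hash of
    the vote mapped to (pseudonym, candidate). The hashes reveal neither
    the secrets nor the votes themselves."""
    table = {}
    for s in voter_secrets:
        for c in CANDIDATES:
            table[hashlib.sha256(vote_code(s, c)).hexdigest()] = (pseudonym(s), c)
    return table


def tally(reference: dict, received_votes: list):
    """Constructive universal verifiability: anyone holding the public
    reference table and the published list of received votes can recompute
    the result without any secret. A vote with no table entry, or a second
    vote under a pseudonym already counted, is rejected."""
    counted_pseudonyms = set()
    counts = Counter({c: 0 for c in CANDIDATES})
    rejected = 0
    for v in received_votes:
        entry = reference.get(hashlib.sha256(v).hexdigest())
        if entry is None or entry[0] in counted_pseudonyms:
            rejected += 1
            continue
        pid, candidate = entry
        counted_pseudonyms.add(pid)
        counts[candidate] += 1
    return counts, rejected


def voter_check(received_votes: list, voter_secret: bytes):
    """Constructive individual verifiability: the voter recomputes the vote
    code for each candidate and sees which one appears in the published
    list, i.e. for which candidate her vote was registered. Because the
    secret lets anyone perform this reconstruction, it also acts as a
    receipt, which is why such a scheme is not receipt-free."""
    received = set(received_votes)
    for c in CANDIDATES:
        if vote_code(voter_secret, c) in received:
            return c
    return None


def run_demo():
    # Constructed secrets; in practice these are random codes distributed
    # with organisational safeguards, like bank card identification codes.
    alice, bob, carol = b"secret-alice", b"secret-bob", b"secret-carol"
    reference = reference_table([alice, bob, carol])
    received = [
        vote_code(alice, "Zeno"),
        vote_code(bob, "Thales"),
        vote_code(bob, "Zeno"),      # second vote under Bob's secret: rejected
        vote_code(carol, "Zeno"),
        b"\x00" * 32,                # not derived from any secret: rejected
    ]
    counts, rejected = tally(reference, received)
    return (counts, rejected,
            voter_check(received, alice), voter_check(received, b"not-a-voter"))


if __name__ == "__main__":
    counts, rejected, alice_sees, stranger_sees = run_demo()
    print(dict(counts), "rejected:", rejected,
          "alice:", alice_sees, "stranger:", stranger_sees)
```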
Thus, systems that allow constructive individual verifiability and constructive universal verifiability are beginning
to be used in practice, in small-scale or low-risk elections.
Meanwhile, many advanced cryptographic systems that establish classical individual verifiability and classical universal verifiability are being developed. We also saw that
when the latter type of systems is adapted in order to offer constructive universal verifiability, constructive individual verifiability seems to appear as a side-effect, and receipt-freeness is thereby sacrificed. But which combination of individual and universal verifiability is most desirable? And
why do we care?
5. The Political Issue
In his famous study “Do artifacts have politics?”, Langdon Winner showed that technological designs may have
political implications [36]. These may occur either intentionally or unintentionally. Winner’s famous example of intentional political effects concerns the building of bridges in
New York between 1920 and 1970 that were too low for the
buses of public transport, and therefore the lower income
classes, to pass underneath. One can easily imagine similar
things happening unintentionally as well. Since then, many
cases of such influences have been investigated, and many
theories about how they come about have been developed in
philosophy of technology and science and technology studies (STS).
We may expect similar effects, even if unintentional, to
occur in Internet voting technology. Internet voting will
undoubtedly, depending on the way in which it is implemented, make certain things possible and others impossible, just as the New York bridges did. One can easily imagine that an Internet voting system will, depending on the
types of verifiability that are offered, include different voters in different ways in the election procedure, and thereby
change the image of and trust in democracy.
In this sense, choosing a particular kind of verifiability
in a particular experiment is not a choice that only influences this particular system. Instead, the type of verifiability offered and the surrounding practices in the elections
may mediate the idea that people have of elections. For example, if the RIES system is successful in an experiment
with elections for the local water management authorities,
people may start to think that constructive individual verifiability is a good thing in general. People may also wonder why they cannot verify their choice in the same way in
a later election that uses a different system.
Thus, we would like to stress that choosing a particular kind of verifiability in an experiment may have political consequences, not only for the elections that the system
is being used in, but also in terms of expectations that are
raised about future elections. Therefore, we urge both scientists and politicians to consider these consequences in their
decisions on designing or using a certain system.
National e-Science Centre 27th–28th February 2006
6. What Proof Do We Prefer?
Now, how can we decide which kind of verifiability we
wish to implement or use? Because of the role of voting
systems in people’s experience of democracy, basing a decision on technical requirements only is not the way to go.
Technology, and especially a politically sensitive one such
as electronic voting, occupies a place in people’s lifeworlds,
i.e. their daily experiences and acts [13]. The trust that people have in a voting system is the basic value here, to which
the technical requirements are only secondary [10, 29, 28].
Based on a phenomenological approach to technological innovation [13, 35] and the work on trust by Luhmann
[19, 20], we think that there are two basic ways of acquiring trust in large-scale technology such as electronic voting:
• connecting to experiences that people are already familiar with (focusing on familiarity of experience);
• connecting to a clear vision of a future good to be
achieved, for which democratic support exists (focusing on expectations of action).
In the case of voting, a good example of the former strategy is the introduction of the Nedap voting machines in the
Netherlands in the mid-nineties. Because the layout of the
interface of the voting machines was very similar to the previously used paper ballots, one of the reasons that the system was so easily accepted may have been the familiarity
of the interface. Now that people are already familiar with
voting machines, the introduction of a Voter Verified Audit Trail can be considered an example of the latter strategy, since there is a strong public agreement on the beneficial properties of audit trails.
Public consensus about the necessity of verifiability in
remote electronic elections appears to be fairly strong as
well. Following the theory of Smits on adoption of new
technologies [32, 33], we argue that this consensus is not
only based on scientifically assessable risks, but also on
the discontinuities that are perceived between paper elections and electronic elections in terms of transparency. The
“black box” character of technology may be seen as causing a clash between the cultural categories of democracy
and technology. Although Schoenmakers [31] argued that
we can “compensate for the lack of transparency” by means
of cryptography — an approach that led to an impressive
amount of research — we think that transparency is too
important an attribute of democracy to allow for such easy
replacement. We would welcome more empirical research
into such issues.
If we choose to implement verifiability features, we
have to face the fact that people are generally not familiar
with vote and result verification, and people will probably
not be happy with their verifiability if the complete election
system is turned upside down. So how can we maintain familiarity in Internet elections if people are not familiar with
verification, but at the same time demand the possibility of
verification of the results? The best we can do is preserve as
many of the things that people are familiar with in current
elections, while offering verification to make Internet elections acceptable. Two main demands, which are not only
functional requirements, but also part of a ritual that establishes familiarity with elections, can be mentioned here:
• the demand of the secret ballot;10
• the demand of the public character of vote counting.11
How do these requirements relate to the various types
of verifiability? In the case of individual verifiability, the
demand of the secret ballot implies that constructive individual verifiability is not desirable. Thus, from the perspective of connecting to existing experiences, we should choose
classical individual verifiability. This does not mean that we
argue for this type because of functional requirements, but
rather from an “if it ain’t broke, don’t fix it” perspective.
Unless there is democratic consensus about the desirability
of constructive individual verifiability, either from the point
of view of enhancing trust or from the point of view that
democracy functions better without the secret ballot (which
is held for many representational bodies such as parliament
and meetings such as party congresses), we had better stick
to the demand of the secret ballot, and implement classical individual verifiability.
However, the existing schemes that offer classical individual verifiability, to the best of our knowledge, also offer
classical universal verifiability. Limiting result computation to dedicated parts of the system,
with accompanying proofs of correctness, goes against the
demand of the public character of vote counting. Typically,
any encryption with a public key implies that the public
character of vote counting is being set aside, unless the corresponding private key is made public afterwards, which is
generally not the case. As much as the secret ballot is an important part of the ritual of voting, so is the public character of vote counting. Therefore, we think that constructive
universal verifiability, in which any party can do an independent calculation of the result, is preferable, unless there
is democratic consensus about arguments for the opposite
point of view.
10 Cf. Dutch constitution art. 53.2 and Dutch election law (“Kieswet”)
art. J 15.
11 Cf. Dutch election law (“Kieswet”) art. N 1, N 8 and N 9.
7. Conclusions
In this paper, we distinguished between two types of individual verifiability and two types of universal verifiability in electronic elections, based on scientific literature and
concrete developments. We made this distinction based on
an analogy with proofs in classical and constructive logic,
and labelled the corresponding types of verifiability classical and constructive verifiability, respectively. This distinction is meaningful both for individual and universal verifiability, and we think that it is a useful tool for explicating the
hidden assumptions of the way in which verifiability is realised in concrete systems.
We argued that choices for particular kinds of verifiability in experiments may have political implications, not only
for the specific election that a system is used in, but also
in terms of expectations of future elections. Therefore, it
is wise to attempt to arrive at political consensus about the
kinds of verifiability that are desirable. We argued that even
if verifiability is widely accepted as a good thing, we still
have to maintain familiarity with elections in order to make
the whole system acceptable. The best we can do here is
maintain the existing properties of vote secrecy and public
counting. This can be done with a system that establishes
classical individual verifiability and constructive universal
verifiability.
Instead of the current scientific focus on public key
crypto systems, which do not have the property of constructive universal verifiability, and the practical focus on RIES-like systems, which are not receipt-free, we encourage scientists to investigate the possibilities for designing a system with a combination of classical individual verifiability and constructive universal verifiability. Intuitively, this
means that a document is published after the elections in
which voters can see that their vote is present (or absent, in
case they did not vote), not what they voted for, but from
which anyone can compute the final result.
References
[1] R.M. Alvarez and T.E. Hall. Point, click & vote: the future
of Internet voting. Brookings Institution Press, Washington
D.C., 2004.
[2] F. Baiardi, A. Falleni, R. Granchi, F. Martinelli, M. Petrocchi, and A. Vaccarelli. SEAS: a secure e-voting applet system. In K. Futatsugi, F. Mizoguchi, and N. Yonezaki, editors, Software security — theories and systems, LNCS 3233,
pages 318–329. Springer, Berlin, 2004.
[3] F. Baiardi, A. Falleni, R. Granchi, F. Martinelli, M. Petrocchi, and A. Vaccarelli. SEAS, a secure e-voting protocol:
design and implementation. Computers & Security, 24:642–
652, 2005.
[4] J.C. Benaloh and D. Tuinstra. Receipt-free secret ballot elections (extended abstract). In Proc. 26th ACM Symposium
on the Theory of Computing (STOC), pages 544–553. ACM,
1994.
[5] V. Brusco, M. Nazareno, and S.C. Stokes. Vote buying in Argentina. Latin American Research Review, 39(2), 2004.
[6] D. Chaum. Secret-ballot receipts: true voter-verifiable elections. IEEE Security & Privacy, 2(1):38–47, 2004.
[7] R. Cramer, M. Franklin, B. Schoenmakers, and M. Yung.
Multi-authority secret-ballot elections with linear work. In
Advances in Cryptology - EUROCRYPT’96, volume 1070 of
LNCS, pages 72–83. Springer-Verlag, 1996.
[8] R. Cramer, R. Gennaro, and B. Schoenmakers. A secure and
optimally efficient multi-authority election scheme. In Advances in Cryptology - EUROCRYPT’97, volume 1233 of
LNCS, pages 103–118. Springer-Verlag, 1997.
[9] D. Evans and N. Paul. Election security: perception and reality. IEEE Security & Privacy, 2(1):24–31, January/February
2004.
[10] D. Fahrenholtz and A. Bartelt. Towards a sociological view
of trust in computer science. In M. Schoop and R. Walczuch,
editors, Proceedings of the eighth research symposium on
emerging electronic markets (RSEEM 01), 2001.
[11] M. Hirt and K. Sako. Efficient receipt-free voting based on
homomorphic encryption. In B. Preneel, editor, Proc. EUROCRYPT 2000, number 1807 in LNCS, pages 539–556, 2000.
[12] E.-M.G.M. Hubbers, B.P.F. Jacobs, and W. Pieters. RIES
– Internet voting in action. In R. Bilof, editor, Proc. 29th
Annual International Computer Software and Applications
Conference, COMPSAC’05, pages 417–424. IEEE Computer
Society, July 2005.
[13] D. Ihde. Technology and the lifeworld. Indiana University
Press, Bloomington, 1990.
[14] D. Jefferson, A.D. Rubin, B. Simons, and D. Wagner. Analyzing internet voting security. Communications of the ACM,
47(10):59–64, 2004.
[15] R. Joaquim, A. Zúquete, and P. Ferreira. REVS – a robust
electronic voting system. IADIS International Journal of
WWW/Internet, 1(2), 2003.
[16] A. Juels, D. Catalano, and M. Jakobsson. Coercion-resistant
electronic elections. In Proc. WPES’05. ACM, 2005.
[17] C. Karlof, N. Sastry, and D. Wagner. Cryptographic voting
protocols: a systems perspective. In Proceedings of the 14th
USENIX Security Symposium, pages 33–50, 2005.
[18] S. Kim and H. Oh. A new universally verifiable and receipt-free electronic voting scheme using one-way untappable
channels. In C.-H. Chi and K.-Y. Lam, editors, AWCC 2002,
number 3309 in LNCS, pages 337–345. Springer, 2004.
[19] N. Luhmann. Trust and power: two works by Niklas Luhmann. Wiley, Chichester, 1979.
[20] N. Luhmann. Familiarity, confidence, trust: problems and alternatives. In D. Gambetta, editor, Trust: Making and breaking of cooperative relations. Basil Blackwell, Oxford, 1988.
[21] D. Malkhi, O. Margo, and E. Pavlov. E-voting without ’cryptography’. 2002.
http://www.cs.huji.ac.il/labs/danss/papers/2002/MMP02.ps.
[22] Ministerie van Binnenlandse Zaken en Koninkrijksrelaties. Kiezen op afstand.
http://www.minbzk.nl/grondwet_en/kiezen_op_afstand,
consulted December 21, 2005.
[23] D.P. Moynihan. Building secure elections: E-voting, security and systems theory. Public administration review, 64(5),
2004.
[24] C.A. Neff. A verifiable secret shuffle and its application to e-voting. In Proceedings of the 8th ACM Conference on Computer and Communications Security, pages 116–125. ACM,
2001.
[25] A.M. Oostveen and P. Van den Besselaar. Security as belief: user’s perceptions on the security of electronic voting systems. In A. Prosser and R. Krimmer, editors, Electronic Voting in Europe: Technology, Law, Politics and Society, Lecture Notes in Informatics, volume P-47, pages 73–82.
Gesellschaft für Informatik, Bonn, 2004.
[26] W. Pieters and M. Becker. Ethics of e-voting: An essay on requirements and values in internet elections. In
Philip Brey, Frances Grodzinsky, and Lucas Introna, editors,
Ethics of New Information Technology: Proc. Sixth International Conference on Computer Ethics: Philosophical Enquiry (CEPE’05), pages 307–318, Enschede, 2005. Center
for Telematics and Information Technology.
[27] B. Randell and P.Y.A. Ryan. Voting technologies and trust.
Technical Report CS-TR-911, School of Computing Science,
University of Newcastle upon Tyne, 2005.
[28] R. Riedl. Rethinking trust and confidence in European e-government: Linking the public sector with post-modern society. In Proceedings of I3E 2004, 2004.
[29] A. Riera and P. Brown. Bringing confidence to electronic
voting. Electronic Journal of e-Government, 1(1):43–50,
2003.
[30] A.D. Rubin. Security considerations for remote electronic
voting. Communications of the ACM, 45(12):39–44, 2002.
[31] B. Schoenmakers. Compensating for a lack of transparency.
In Proc. of the 10th conference on computers, freedom and
privacy, pages 231–233. ACM, 2000.
[32] M. Smits. Monster ethics: a pragmatist approach to risk controversies on new technology. In Proceedings of the Research in Ethics and Engineering conference. Technical University of Delft, April 25–27 2002.
[33] M. Smits. Monsterbezwering: de culturele domesticatie van
nieuwe technologie. Boom, Amsterdam, 2002.
[34] T. Storer and I. Duncan. Practical remote electronic elections for the UK. In S. Marsh, editor, Proceedings of the
Second Annual Conference on Privacy, Security and Trust,
pages 41–45. National Research Council Canada, 2004.
[35] P.P.C.C. Verbeek. What things do: Philosophical Reflections
on Technology, Agency, and Design. Pennsylvania State University Press, 2005.
[36] L. Winner. Do artifacts have politics? Daedalus, 109(1):121–
136, 1980.
Digital voting and fraternal rights
Bob Watt
Department of Law
University of Essex
Voting is only a means to an end. It is the means whereby citizens ‘… take part in the
conduct of public affairs … through freely chosen representatives’.1 Clearly this
statement implies the existence of some sort(s) of both individual and collective
right(s).
The right to vote is the paradigm of an individual right protected by the major
international human rights conventions such as the International Covenant on Civil
and Political Rights quoted above and the European Convention on Human Rights.
The European Convention on Human Rights, the operative part being Article 3 of the
First Protocol, is incorporated into national law by the Human Rights Act 1998. The
legal instruments and aids to their interpretation are here set out. Whilst the use of a
remote digital technology (Internet, diTV, sms/txt, landline telephone) as a voting
mechanism does not, as a matter of principle, pose a threat to the exercise of the right
to vote, it may pose grave threats as a matter of practice and this matter has been
explored extensively elsewhere.2 These arguments are briefly summarised. It must
be emphasised that the objection is not to the use of digital technologies in polling
stations, for this may be a helpful innovation, but to the use of these technologies to
facilitate remote voting.
Those earlier explorations have also included some theoretical analysis of the
collective right involved. The argument has been based upon that advanced by John
Stuart Mill who argued that the characterisation of the right to vote as an individual
right led electors to believe that the vote was to be used for their own individual
benefit. It was argued that voters should not exercise their votes in accordance with
their individual personal interests but should, instead, exercise the franchise in
accordance with their best judgement of the interests of the polity as a whole.
It is now time to advance the legal arguments which support this position. They flow
from the analysis of a number of cases, in particular McGuinness v United Kingdom
and Buscarini v San Marino. These cases are set out and discussed. They are
especially relevant in the context of electronic voting because, as a number of authors
have noted,3 the internet is a highly individualistic and individualised medium and it
will be valuable to test the legality of internet voting against that which appears to be
a species of collective right. It will not be claimed that there is a ‘pure’ collective
right somehow hidden, but nonetheless present, in Article 3 of the First Protocol
ECHR. It will be argued that a special kind of collective right is inherent to the
Article. This I shall term a fraternal right. Thus there are two matters discussed in this
paper; firstly it will be claimed that whilst the internet fosters égalité and liberté, it is
destructive of fraternité; secondly it will be argued that some political rights are best
characterised as fraternal rights as opposed to individual rights or collective rights.
1 Article 25 International Covenant on Civil and Political Rights.
2 See, for a full account, Watt, B, UK election law: a critical examination (London; Glasshouse, 2005).
See also Birch & Watt ‘Remote electronic voting: free, fair and secret?’ (2004) 75 Political Quarterly
60, Watt, Human Rights and RVEM (2003) 39 Representation 210.
3 See, in particular, Sunstein C, Republic.com (Princeton, Princ. UP, 2001).
The conclusion will not surprise those who have read the earlier works: there are
powerful reasons for refusing to develop or adopt remote digital voting
methodologies. The argument is that political disengagement, rather than being
reversed by the adoption of remote digital technologies for voting, will be both
hastened and worsened, and politics, which is one of the highest forms of human
activity, will be further degraded.
Socio-technical trade-offs in Cryptographic Voting Schemes
P Y A Ryan, University of Newcastle
21 February 2006
Abstract
The trustworthiness of voting systems and technologies has received a high level of media attention of late
with the problems with the recent US presidential elections, UK postal voting trials etc. At the same time,
considerable progress has been made in the last few years in developing cryptographic voting schemes.
Whilst many of these are marvels of the cryptographer’s craft, they are typically unsuitable for real
elections, in particular general elections. The subtle mathematical arguments justifying the trustworthiness
of these schemes are beyond the electorate at large and they often involve quite complex interactions
between the users (voters, officials etc.) and the system which are prone to error or “social engineering”
style attacks.
On the one hand, voting systems, like all “secure” systems, are prone to failure due to human and systems
factors. On the other hand, users can and should contribute to the trustworthiness of the system, as with the
“voter-verifiable” schemes. Indeed, with voting systems we would ideally like the trust to ultimately reside
with the electorate rather than having to trust officials, manufacturers etc. We are striving for
“dependability by the people for the people!” We thus have the rather paradoxical situation of wanting, on
the one hand, to make the voter experience as simple as possible, “vote and go”, whilst arranging for the
trust ultimately to reside with the voters.
I outline the goals and key features of a number of voting schemes and describe some of their system-based
failure modes. I will then discuss attempts to design schemes to take account of the role of the human
users and strike the right balance between technical and social enforcement of the security requirements.
Introduction
A voting system is a highly adversarial system: voters are (potentially) trying to cheat the system, the
system is trying to cheat the voters, coercers are trying to coerce the voters and voters are trying to cheat
the coercers. Actually this last form of cheating is one that we want to encourage, or at least enable.
Ideally we would like to develop a system in which nobody has to trust anyone. More precisely we would
like the trust ultimately to rest on the electorate themselves. Of course the electorate could set up a large
collusion to corrupt the system, but what would be the point? Presumably the outcome would be democratic
anyway as long as the collusion set has to be a majority!
Significant progress has been made recently in the development of voting systems with remarkable
technical properties such as universal verifiability, coercion resistance, minimal dependence on system
components etc. Some of these treat the problem as a special case of the problem of distributed, secure
computation, and as such, tend not to scale well and to involve some fairly daunting mathematics.
A rather different approach, exemplified by the voter-verifiable schemes of Chaum [1] and Neff [2] and
Prêt à Voter [3], strives toward schemes that, whilst achieving similar goals, are more practical and
accessible. These provide the voter with an encrypted receipt which the voter can later use to check that
their receipt is entered into the decryption/tabulation phase via a secure web bulletin board. However, all of
these schemes harbor certain system-based vulnerabilities, see Karlof et al for an analysis of the Chaum and
Neff schemes [4] and Ryan and Peacock for Prêt à Voter [5]. Some of these can be thought of as “social
engineering” style attacks: the vote capture device induces the voter to follow the protocol steps in an
altered sequence. Thus, for example, the “cut and choose” element of the protocol can be turned into a
National e-Science Centre 27th–28th February 2006
“choose and cut”, thus allowing vote corruption to go undetected. Alternatively, the device could feign an
abort if the voter makes the “wrong” choice and repeat the protocol until the voter gets it “right”.
We can illustrate the tension between trying to make the voter experience as simple as possible on the one
hand, whilst trying on the other to minimize the system-based vulnerabilities, by reference to a design
choice in the Prêt à Voter scheme. The key innovation of the Prêt à Voter scheme is to use ballot forms for
which the candidate permutation is randomized. Information allowing the tellers to reconstruct the
permutation, and hence extract the vote value, is buried cryptographically on the ballot forms. In effect, the
frame of reference in which the vote is encoded is randomized. Consequently, there is no need to directly
encrypt the voter’s selection and hence no need for the vote capture device to learn the voter’s selection. It
is essential for the accuracy of the tabulation to ensure that, for each ballot form, the cryptographic values
accurately reflect the permutation shown on the form.
Fig 1: typical Prêt à Voter ballot form. The left-hand strip lists the candidates in a randomized order (Thales, Zeno, Democritus, Socrates, Plato, Aristotle); the right-hand strip carries the crypto value R5T23kH857.
Fig 2: the corresponding receipt encoding a vote for Democritus: the right-hand strip alone, with an X in the third row and the crypto value R5T23kH857.
In the original Prêt à Voter [6] this is ensured using a “cut and choose” mechanism: in essence two
permutations along with corresponding crypto values are given per ballot form. The voter makes a random
choice which to use to cast their vote. The permutation against which the voter makes their mark is
destroyed whilst the unused one is preserved and can subsequently be checked. An alternative approach,
adopted in the later, ESORICS version of Prêt à Voter [3], is to use a single permutation on each (pre-printed) ballot form and use random audits to detect any attempts to decouple the candidate permutations
and crypto values. In essence, the cut and choose element is separated out from the vote casting protocol
and is performed by independent auditing authorities rather than by the voters themselves.
The first approach (which is closer in spirit to Chaum’s original scheme) enables on demand creation of
ballot material and does not depend on assumptions about the probity of the authorities or procedures that
perform the random audits. It is however more vulnerable to the social engineering style attacks mentioned
earlier and does depend on the voters being reasonably diligent and making unpredictable choices during
the vote casting protocol.
All of this might suggest that the most robust implementation is to combine the two approaches. In fact,
this doesn’t seem to quite work out either: whilst we do get the best of both approaches we also get the
worst. In particular we have the problem that the pre-auditing approach requires prior commitment to the
ballot material, which also opens up certain system-based vulnerabilities, e.g., chain voting [5].
A possibility is to use a two sided ballot form:
Fig 3: one side, call it “side 1”, of a double sided Prêt à Voter ballot form. Candidate order Thales, Zeno, Democritus, Socrates, Plato, Aristotle; crypto value R5T23kH857.
Fig 4: flip side, “side 2”, of the Prêt à Voter ballot form (shown flipped around a vertical axis with respect
to side 1). Candidate order Plato, Zeno, Aristotle, Thales, Socrates, Democritus; crypto value 62f3J685Sm9. Note that each side has an independent randomization of the candidate order and the
corresponding two crypto values appear on both sides.
The voter uses only one side to encode their vote and they make a random choice between the sides.
Suppose that the voter in this case chooses what we are referring to as side 2 and wants to cast a vote for
“Thales”. They place an X against Thales on side 2 and then destroy the left hand strip that shows the
candidate order for side 2. This results in a ballot receipt of the form: an X in the fourth row alongside the crypto value 62f3J685Sm9.
Whilst the flip side will appear as the full side 1 candidate list (Thales, Zeno, Democritus, Socrates, Plato, Aristotle) alongside the crypto value R5T23kH857.
The voter’s choice is now encoded on “side 2” of the receipt. The flip, unused side does not contain any
information about the voter’s selection but the candidate order is still visible along with the corresponding
crypto value. Note that the permutations of the candidate list on the two sides are wholly independent and
hence the voter’s mark on one side is unrelated to the candidate order shown on the other.
At the time of casting the vote, the information on both sides would be recorded and, after the close of
polls, would be posted to the WBB. Clearly, the info on the flip side conveys nothing about the voter
choice, but it can be used to check the well-formedness of (the unused side of) the ballot form.
This is very close in spirit then to Chaum's original scheme but with the extra feature that we are now
introducing the idea of well-formedness checks on the material on the WBB. This was actually possible in
Chaum's original scheme but seems not to have been proposed. Chaum’s original scheme has the idea of
voters using checking devices provided by independent authorities on the way out of the polling station.
The same could also be done here of course as an extra layer of security and a way to pick up problems
earlier.
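The double-sided form and the well-formedness check on its unused side, as an added Python model that is not code from the paper: the real crypto value is replaced by a hash commitment to a per-side seed from which that side’s candidate order is derived, and the audit step assumes the seed of the unused side is revealed after the close of polls; the seeds and candidate names are constructed.

```python
import hashlib
import random
import secrets

CANDIDATES = ["Thales", "Zeno", "Democritus", "Socrates", "Plato", "Aristotle"]


def order_from_seed(seed: bytes) -> list:
    # Candidate order for one side, derived deterministically from that side's secret seed
    order = CANDIDATES[:]
    random.Random(seed).shuffle(order)
    return order


def crypto_value(seed: bytes) -> str:
    # Stand-in for the printed crypto value: a hash commitment to the side's seed (assumption)
    return hashlib.sha256(seed).hexdigest()[:11]


def make_ballot(seed1: bytes, seed2: bytes) -> dict:
    # Two sides, each with its own independent permutation and crypto value
    return {side: {"order": order_from_seed(s), "value": crypto_value(s)}
            for side, s in (("side1", seed1), ("side2", seed2))}


def cast(ballot: dict, candidate: str, side: str = None) -> dict:
    # The voter picks a side at random (or the given one), marks the candidate there and
    # destroys that side's left-hand strip; only the X position and the value survive
    side = side or secrets.choice(["side1", "side2"])
    other = "side2" if side == "side1" else "side1"
    return {
        "marked_side": side,
        "mark_row": ballot[side]["order"].index(candidate),
        "value": ballot[side]["value"],
        "unused_side": dict(ballot[other]),   # full candidate order plus its value
    }


def decode(receipt: dict, seed_for_marked_side: bytes) -> str:
    # Only a party holding the seed behind the marked side's value can read the vote
    return order_from_seed(seed_for_marked_side)[receipt["mark_row"]]


def audit_unused_side(receipt: dict, revealed_seed: bytes) -> bool:
    # Well-formedness check on the WBB: once the seed of the unused side is revealed,
    # its printed order and its value must both match that seed
    unused = receipt["unused_side"]
    return (crypto_value(revealed_seed) == unused["value"]
            and order_from_seed(revealed_seed) == unused["order"])


if __name__ == "__main__":
    s1, s2 = b"constructed seed for side 1", b"constructed seed for side 2"
    ballot = make_ballot(s1, s2)
    receipt = cast(ballot, "Thales", side="side2")
    print("receipt shows only:", receipt["mark_row"], receipt["value"])
    print("tellers decode:", decode(receipt, s2))
    print("unused side well-formed:", audit_unused_side(receipt, s1))
```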
This scheme has the appealing feature that the two sides are symmetric and hence there should be no voter
bias between them. Such ballot forms could be printed on demand. The downside is that it is important that
the voters understand the process sufficiently. For example, it is important that they appreciate that they
should only mark the chosen side and that the left-hand strip of the chosen side should be destroyed. It may be
possible to automate this or enforce it procedurally but of course this requires transferring trust to the
devices or processes that enforce this.
Conclusions
In [7], Anderson shows that cryptographic systems typically fail not due to technical failures but as a result
of crude system failures. This observation is, if anything, even more valid when applied to voting systems.
These have the characteristic that they are required to be usable by the entire electorate. Furthermore they
are used only infrequently, so we can assume little in terms of user familiarity and understanding. On the
other hand, we would like the trustworthiness of our voting system to rest ultimately on the electorate.
Thus, in designing voting systems for “real” use, it is essential that account be taken of the role of the
human. A delicate balance must be struck between making the voter’s role as simple as possible whilst
enabling the voters to contribute to the overall dependability of the system.
References
[1] David Chaum, Secret-ballot receipts: true voter-verifiable elections. IEEE Security and Privacy, 2(1):38-47, January-February 2004.
[2] Andy Neff, Practical high certainty intent verification for encrypted votes, 2004. http://www.votehere.net/documentation/vhti.
[3] D Chaum, P Y A Ryan and S A Schneider, “A Practical, Voter-verifiable Election Scheme”, proceedings of ESORICS 2005. LNCS 3679, Eds De Capitani di Vimercati et al. Springer-Verlag 2005.
[4] C Karlof, N Sastry and D Wagner, Cryptographic Voting Protocols: A systems perspective. In USENIX Security Symposium, LNCS 3444 pages 186-200. Springer-Verlag 2005.
[5] T Peacock and P Y A Ryan, Prêt à Voter: a Systems Perspective, Technical Report CS-TR-929, University of Newcastle. Revised version submitted to the IEEE CSFW.
[6] P Y A Ryan, A Variant of the Chaum Voter-verifiable election scheme, Proceedings of WITS 2005. ACM 2005. Technical Report 864, October 2004.
[7] Ross Anderson, “Why Crypto Systems Fail”. In Conference on Computer and Communications Security. ACM, 1993.
Paper Session 3
Voting Scheme Analysis
Kleptographic Attacks on E-Election Schemes
with Receipts
Marcin Gogolewski¹, Marek Klonowski², Przemysław Kubiak², Mirosław Kutyłowski², Anna Lauks², and Filip Zagórski²
¹ Faculty of Mathematics and Computer Science, Adam Mickiewicz University,
² Institute of Mathematics and Computer Science, Wrocław University of Technology,
Marcin.Gogolewski@amu.edu.pl, {Marek.Klonowski, Przemyslaw.Kubiak, Miroslaw.Kutylowski, Anna.Lauks, Filip.Zagorski}@pwr.wroc.pl
Abstract. We propose kleptographic attacks against voting machines
that allow some kind of non-determinism. We present attacks working,
among others, against Chaum’s visual voting and Neff’s scheme.
Keywords: kleptography, voting receipt, voter verifiable election
Many voters distrust black box electronic voting machines. Current experience shows that there may be good
reasons for this. The main measure proposed in order to win voters’ trust is voter verifiable voting schemes. The main change
is that the voter obtains a receipt after casting a vote. The receipt is constructed
in such a way that the voter can detect cheating by a voting machine. Moreover,
she can convince herself whether her vote has been included in the final result. In
particular, this holds if the receipt is generated by a malicious voting machine.
Such an approach is much more reasonable than relying completely on audits of
electronic voting machines. The problem with such schemes is that the receipt
should not help the voter to sell her vote – in other words she should not be able
to prove that she voted for a particular candidate.
In order to be secure, an output of a voting machine should be in some
sense unpredictable - otherwise an observer could try to link the output of the
voting machine with the voter’s decisions. So, a kind of (pseudo)randomness in
behavior of a voting machine seems to be necessary. On the other hand, any
kind of randomness in the output yields a threat of a kleptographic attack: in
this case the random component of a receipt is not really random, but it is
generated in a cryptographic way. The goal is to leak information about voters’
preferences or some data that can be used to change the election result. The
point is that the attack might be far more dangerous than a simple subliminal
channel: the information leaked can be retrieved only by a party possessing a
certain secret key. Moreover, such a malicious implementation neither changes
the protocol executed nor can be detected without reverse engineering the device
(which, for other reasons, should be protected against penetration). The point
is that even if one reveals malicious code and data inside the device, it remains
impossible to perform the same attack thanks to other devices infected in the
same way. It is even impossible to point to a malicious party who uses the
malicious code. The technique, called kleptography [6, 7], is based on a principle
that the malicious kleptographic code uses a public key, and a malicious party
can retrieve information with a secret key, which is not present in the device.
We show weaknesses of major election schemes and receipts. We consider four
electronic election schemes:
– the visual voting scheme of David Chaum [1],
– Andrew Neff’s scheme [5],
– the Prêt à Voter scheme from ESORICS’2005 [2],
– Klonowski, Lauks, Kutyłowski and Zagórski’s scheme from ISC’2005 [4].
These schemes seem to be reliable enough and suitable for real applications.
Nevertheless, we show that for each of them one can implement a kleptographic
trapdoor allowing (depending on the scheme) efficient vote selling/buying,
manipulation of election results, or breaking of voters’ anonymity. In some sense our
work is an extension of the paper [3] of Karlof et al., but we point to several aspects
that are far more dangerous. Some of the weaknesses revealed seem to be hard
to repair.
A general conclusion that can be derived from the attacks is that the amount
of randomness and freedom of choices for a voting machine should be reduced
whenever possible. Instead, one should use deterministic procedures that are
both verifiable and provide unpredictable results for an external observer. Such
features are delivered for instance by deterministic signature schemes such as
RSA. Conditioned by implementation details (which are missing in [1]), the
visual voting scheme of Chaum is quite well prepared against proposed attacks.
It requires only a careful control that the serial numbers are used in a prescribed,
deterministic way. If this is not the case, a malicious voting machine can betray
information that may enable a designated recipient to reconstruct the choices of
all voters using this machine.
On the other hand, any voting machine that uses explicitly random values
can use them to construct a kleptographic channel for exporting its secrets.
References
1. David Chaum. Secret-ballot receipts: True voter-verifiable elections. IEEE Security
and Privacy Magazine, 2(1):38–47, January/February 2004.
2. David Chaum, Peter Y. A. Ryan, and Steve Schneider. A practical voter-verifiable
election scheme. In ESORICS’2005, LNCS 3679, pp. 118–139.
3. Chris Karlof, Naveen Sastry, and David Wagner. Cryptographic voting protocols:
A systems perspective. In USENIX Security Symposium’2005, pp. 33–50.
4. Marek Klonowski, Miroslaw Kutyłowski, Anna Lauks, and Filip Zagórski. A practical voting scheme with receipts. In ISC’2005, LNCS 3650, pp. 490–497.
5. Andrew Neff. Neff’s system. Personal communication.
6. Adam Young and Moti Yung. The dark side of "black-box" cryptography, or: Should
we trust capstone? In CRYPTO’96, LNCS 1109, pp. 89–103.
7. Adam Young and Moti Yung. Kleptography: Using cryptography against cryptography. In EUROCRYPT’97, LNCS 1109, pp. 62–74.
Performance modelling of a secure voting algorithm
Jeremy T. Bradley¹, Stephen T. Gilmore², Nigel Thomas³
¹ Department of Computing, Imperial College London, 180 Queen’s Gate, London SW7 2BZ, United Kingdom. jb@doc.ic.ac.uk
² Laboratory for Foundations of Computer Science, The University of Edinburgh, Edinburgh EH9 3JZ, United Kingdom. Stephen.Gilmore@ed.ac.uk
³ School of Computing Science, University of Newcastle-upon-Tyne, Newcastle-upon-Tyne NE1 7RU, United Kingdom. Nigel.Thomas@ncl.ac.uk
Abstract
We present a model of a secure voting protocol analysed using a Markovian process algebra and
stochastic simulation. By systematically generating rate equations from a process description, we can
use tools developed for chemical and biochemical reaction analysis to provide time-series output for
models with state spaces of O(10^10000) and beyond. This far exceeds earlier attempts to use stochastic
process algebra to model voting protocols.
1 Introduction
Voting is the foundation of the democratic process. Electronic voting has many potential attractions in
providing (ideally) ease of use and a quick, reliable count. Making electronic voting secure has been an
active topic of research for more than twenty years and many secure electronic voting schemes have been
introduced since the inception of anonymous channels to separate voters and votes by Chaum [1]. The
most publicly visible form of secure voting is the use of online systems for voting in political elections
which has been introduced in several countries. This form of voting has several obvious requirements:
1. Only registered voters are allowed to vote
2. Voters only vote once
3. It should not be possible to find out who voted, or how they voted
These factors mean that any voting scheme for use in this scenario has to provide adequate authentication,
vote management and so-called blinding mechanisms, while operating over a potentially insecure communication medium. Fujioka et al. [2] formalised these requirements as completeness (all votes counted
correctly), soundness (a dishonest voter cannot disrupt the election), privacy (of votes), unreusability
(cannot vote twice), eligibility (to vote), fairness (of the vote), verifiability (of the result). In addition,
Iversen [3] introduced the requirement of receipt freeness; many protocols issue receipts or tokens of some
form to prove to the voter that the system behaved as it should. However, these receipts might be used by
a dishonest voter to prove that they voted in a certain way, thus facilitating vote selling.
Many secure voting schemes rely in some way on encrypting data and even with fast processors encryption
and decryption adds an overhead to data processing. However, the major overheads arise because of the
additional communication that is required in order to ensure that the requirements of the secure vote are
met. Secure voting schemes will generally use some form of anonymous channel, digital pseudonyms,
blind signatures, trusted authorities and multiple key ciphers to separate the voter, the authority to vote, the
vote itself and the counting of the vote. Clearly there is a substantial overhead in providing these measures
and therefore the performance of such a system is of obvious practical interest.
2 A secure electronic voting algorithm
This case study considers a secure electronic voting scheme proposed by Fujioka et al. [2] which has been
implemented in at least two systems, SENSUS [4] and EVOX [5]. The scheme has been extended in [6]
to incorporate multiple administrative domains to address some of the scalability issues that arise with a
centralised system.
The scheme consists of an arbitrary number of voters, one or more administrators to issue authority to
vote, and a teller system to collect votes and to determine the result. An anonymous channel is used to
communicate the vote between the voter and the collector/counter. The scheme is outlined below:
Preparation: Voter i
1. Choose the voting strategy.
2. Commit to the strategy using a bit commitment scheme, c_i.
3. Blind the committed ballot, b_i.
4. Sign the blinded ballot, sv_i.
5. Send to the administrator the signed blinded ballot, the blinded ballot and the unique voter ID, ID_i.
Administration: Administrator
1. Receive message from voter i.
2. Check right to vote for voter i.
3. Check voter i has not voted already.
4. Verify the signature; if valid sign the blinded ballot, sa_i.
5. Send sa_i to voter i.
6. When the administration period is over, publish a list containing every {ID_j, b_j, sv_j}.
Voting: Voter i
1. Unblind sa_i to give the ballot signed by the Administrator, ba_i.
2. Check signature.
3. Send {c_i, ba_i} to the Counter through an anonymous channel.
Collecting: Teller
1. Receive message from voter i.
2. Check the Administrator’s signature on ba_i; if valid add {N, c_i, ba_i} to a list, where N is a unique
reference number.
3. When the collecting period is over, publish a list containing every {N, c_i, ba_i}.
Opening: Voter i
1. Check that the vote appears on the list published by the Counter; if not, appeal.
2. Send the bit commitment key k_i to the Counter through an anonymous channel.
Counting: Teller
1. Use k_i to retrieve the voting strategy.
2. Check the strategy is valid.
3. When all votes are counted, publish the final result.
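The five phases above, driven end to end in Python as an added example (not code from the paper, nor from SENSUS or EVOX): it uses textbook RSA with constructed toy-sized primes, a toy hash-based bit commitment that k_i alone opens, and one voter signing key shared by all voters for brevity. Because the administrator’s blind signature and its unblinded form are both deterministic RSA signatures, the same block also illustrates the conclusion of the kleptographic-attacks abstract above: a verifiable deterministic signature leaves the signing device no random component of its own to choose.

```python
import hashlib
import secrets
from math import gcd
from typing import NamedTuple

CANDIDATES = ["Thales", "Zeno", "Democritus"]   # constructed set of voting strategies


class RSAKey(NamedTuple):
    n: int
    e: int
    d: int


def rsa_key(p: int, q: int, e: int = 65537) -> RSAKey:
    # Textbook RSA from two primes; the primes used below are toy-sized, for illustration only
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return RSAKey(p * q, e, pow(e, -1, phi))


ADMIN = rsa_key(1000000007, 998244353)    # administrator's signing key (constructed)
VOTER = rsa_key(1000000009, 2147483647)   # voters' signing key; one shared toy key for brevity


def sign(m: int, key: RSAKey) -> int:
    # Deterministic RSA signature: for a given m there is exactly one valid s
    return pow(m, key.d, key.n)


def verify(m: int, s: int, key: RSAKey) -> bool:
    return pow(s, key.e, key.n) == m % key.n


def _pad(k: bytes) -> int:
    return int.from_bytes(hashlib.sha256(k).digest()[:7], "big")   # 56 bits, below either n


def commit(vote: str, k: bytes) -> int:
    # Toy bit commitment c_i = H(k_i) XOR index(vote); revealing k_i opens it (assumption)
    return _pad(k) ^ CANDIDATES.index(vote)


def open_commitment(c: int, k: bytes):
    # Counting steps 1-2: retrieve the strategy from k_i and check it is a valid one
    idx = _pad(k) ^ c
    return CANDIDATES[idx] if idx < len(CANDIDATES) else None


def blind(c: int, key: RSAKey):
    # b_i = c_i * r^e mod n for a fresh random r, so the signer never learns c_i
    while True:
        r = secrets.randbelow(key.n - 2) + 2
        if gcd(r, key.n) == 1:
            return (c * pow(r, key.e, key.n)) % key.n, r


def unblind(sa: int, r: int, key: RSAKey) -> int:
    # ba_i = sa_i * r^-1 mod n = c_i^d mod n, the administrator's signature on c_i itself
    return (sa * pow(r, -1, key.n)) % key.n


def administration(voter_id: str, b: int, sv: int, issued: dict) -> int:
    # Administrator steps 1-5: no double issue, check the voter's signature, then blind-sign
    if voter_id in issued:
        raise ValueError("voter already issued a signed ballot")
    if not verify(b, sv, VOTER):
        raise ValueError("bad voter signature")
    issued[voter_id] = (b, sv)        # the {ID_j, b_j, sv_j} list published at step 6
    return sign(b, ADMIN)


def collecting(c: int, ba: int, board: list) -> int:
    # Teller steps 1-2: accept {c_i, ba_i} only under a valid administrator signature
    if not verify(c, ba, ADMIN):
        raise ValueError("bad administrator signature")
    board.append((len(board) + 1, c, ba))   # N is the unique reference number
    return len(board)


def counting(board: list, keys: dict) -> dict:
    # Teller: open every commitment with the k_i sent for its reference number N
    tally = {name: 0 for name in CANDIDATES}
    for ref, c, _ in board:
        vote = open_commitment(c, keys[ref])
        if vote is None:
            raise ValueError(f"invalid strategy in ballot {ref}")
        tally[vote] += 1
    return tally


def run_election(votes) -> dict:
    # Drive each (voter_id, vote) pair through all five phases and return the tally
    issued, board, keys = {}, [], {}
    for voter_id, vote in votes:
        k = secrets.token_bytes(16)                     # bit-commitment key k_i
        c = commit(vote, k)                             # Preparation 1-2
        b, r = blind(c, ADMIN)                          # Preparation 3
        sv = sign(b, VOTER)                             # Preparation 4
        sa = administration(voter_id, b, sv, issued)    # Preparation 5 / Administration
        ba = unblind(sa, r, ADMIN)                      # Voting 1
        assert verify(c, ba, ADMIN)                     # Voting 2
        ref = collecting(c, ba, board)                  # Voting 3 / Collecting
        keys[ref] = k                                   # Opening 2: k_i via anonymous channel
    return counting(board, keys)
```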
It is clear from this description that voting according to this scheme has to follow a prescribed sequence of
events. It is reasonable to assume that an election will consist of a great many voters, generally thousands
or perhaps hundreds of thousands in any given administrative domain, and millions in the election as a
whole. At any given time there will be many voters wishing to cast their votes electronically and so the
system has to be able to respond to multiple simultaneous requests at every stage of the process without
hindering the voter by introducing unreasonable delays. As such, an analysis of this scheme should be able
to determine the scalability (with respect to voters) of a given configuration of administrators and tellers.
An election occurs over a fixed time frame, typically of the order of 12 hours, during which all votes must
be cast and following which counting will occur. From a performance perspective we can therefore deduce
that the time taken to count the votes can be treated as a separate optimisation problem from the earlier
phases. Furthermore it is imperative that the administration phase does not cause a bottleneck which might
delay voters to such an extent that they are unable to cast their vote or lose interest or trust in the system.
Therefore the throughput of voters in the administration phase is of key practical interest.
3 PEPA model
In this section, we present a simulation model of the voting protocol expressed in PEPA. There are a
number of significant differences from the model of [7].
1. We model only one round of the election because we are conducting a course-of-values time series
simulation instead of performing a steady-state computation. In [7] the voting process is made to
cycle in order that the model defines an ergodic Markov chain. Here we have components which
conduct their designated activities and then terminate. We use the definition of a terminated process
in PEPA (denoted by Stop) from [8].
Thus the termination state of this model is an untidy one, as determined by the end point of the
election: some voters may not ever register, some might not confirm that their votes were correctly
recorded, and so forth. This contrasts with the requirement for tidy termination in order that the system is irreducible or strongly-connected (required in [7] for meaningful steady-state computation).
2. In contrast to [7] we use an inversion of control model to have a control process determining the
progress of the election from one stage to the next. This leads to a simplification of the descriptions
of the voters, administrators, collectors and counters in the model. Choices are removed from the
definitions of these components and moved into the control process at the meta-level.
Thus, the two PEPA models are not in a relationship such as the bisimulation relation of strong equivalence [9] and are instead only alternative models of the same system.
Preparation, voting and opening

Voter_0            = (choose, c1).Voter_0_1
Voter_0_1          = (bitcommit, b1).Voter_0_2
Voter_0_2          = (blind_1, b2).Voter_0_3
Voter_0_3          = (blind_2, b3).Voter_0_4
Voter_0_4          = (voter_sign, s1).Voter_0_5
Voter_0_5          = (sendA, s2).Voter_0_5b
Voter_0_5b         = (sendV, ⊤).Voter_1

Voter_1            = (unblind_1, u1).Voter_1_1
Voter_1_1          = (unblind_2, u2).Voter_1_2
Voter_1_2          = (verify_1, v2).Voter_1_3
Voter_1_3          = (verify_2, v3).Voter_1_4
Voter_1_4          = (sendC, s6).Voter_2
Voter_2            = (check, p × c4).Voter_3 + (check, (1 − p) × c4).Voter_2b
Voter_2b           = (sendCo, s7).Voter_Finished
Voter_3            = (appeal, a1).Voter_2b
Voter_Finished     = Stop

Administration

Administrator          = (sendA, ⊤).Administrator_2
Administrator_2        = (check, c2).Administrator_3
Administrator_3        = (check_2, c3).Administrator_4
Administrator_4        = (verify, v1).Administrator_5
Administrator_5        = (admin_sign_1, s3).Administrator_6
Administrator_6        = (admin_sign_2, s4).Administrator_7
Administrator_7        = (sendV, s5).Administrator_Finished
Administrator_Finished = Stop

Collecting

Collector_0        = (sendC, ⊤).Collector_0a
Collector_0a       = (collector_verify_1, v4).Collector_0a1
Collector_0a1      = (collector_verify_2, v5).Collector_0a2
Collector_0a2      = (add, a2).Collector_Finished
Collector_Finished = Stop

Counting

Counter_1          = (sendCo, ⊤).Counter_1a
Counter_1a         = (check_strategy, c5).Counter_Finished
Counter_Finished   = Stop
The election process
The Election process itself is of a different character to the others in the model. The election itself is not
an actor in the electoral process: rather it exists at the level of a virtual process controlling phases of the
simulation; it could be considered as being part of the legal framework of the election. There is a similarity
both with the net structure in a PEPA net [10] and with the stochastic probes [11] used to witness events
in a PEPA model, but the control process is different from either in that it structures the voting process
into phases (preparation, voting, counting, and finished), allowing selected activities in each phase, and
prohibiting them where they are inappropriate.
A stochastic probe observes performance-significant events. A meta-level control process allows performance-significant events and generates simulation-control events (ending one phase, beginning another, and terminating the simulation overall).
It would be possible to realise the same effect in an alternative way using PEPA extended with functional
rates [12]. The election process would be a function over the global state space of the model, allowing
the appropriate actions at the appropriate times and disallowing them otherwise. We have chosen here
to represent this function instead as a PEPA component and observe that the θ function would be a very
suitable way in general to implement functional rates.
Election_Preparation = (choose, ⊤).Election_Preparation
                     + (bitcommit, ⊤).Election_Preparation
                     + (blind_1, ⊤).Election_Preparation
                     + (blind_2, ⊤).Election_Preparation
                     + (voter_sign, ⊤).Election_Preparation
                     + (sendA, ⊤).Election_Preparation
                     + (check, ⊤).Election_Preparation
                     + (check_2, ⊤).Election_Preparation
                     + (verify, ⊤).Election_Preparation
                     + (admin_sign_1, ⊤).Election_Preparation
                     + (admin_sign_2, ⊤).Election_Preparation
                     + (sendV, ⊤).Election_Preparation
                     + (publishA, er).Election_Voting

Election_Voting      = (unblind_1, ⊤).Election_Voting
                     + (unblind_2, ⊤).Election_Voting
                     + (verify_1, ⊤).Election_Voting
                     + (verify_2, ⊤).Election_Voting
                     + (sendC, ⊤).Election_Voting
                     + (collector_verify_1, ⊤).Election_Voting
                     + (collector_verify_2, ⊤).Election_Voting
                     + (add, ⊤).Election_Voting
                     + (publishC, er).Election_Counting

Election_Counting    = (check, ⊤).Election_Counting
                     + (check, ⊤).Election_Counting
                     + (sendCo, ⊤).Election_Counting
                     + (appeal, ⊤).Election_Counting
                     + (check_strategy, ⊤).Election_Counting
                     + (final_publish, er).Election_Finished

Election_Finished    = Stop

The system as analysed was composed of the above sequential components in the following assembly:

Election_Preparation ⋈_L Electoral_Personae

where:

Electoral_Personae  = Voter_0[N] ⋈_M Electoral_Apparatus
Electoral_Apparatus = Collector_0[N] || Counter_1[N] || Administrator[N]

and:

N = 10,000
L = {choose, bitcommit, blind_1, blind_2, voter_sign, sendA, sendV, unblind_1, unblind_2, verify_1, verify_2, sendC, check, sendCo, appeal, publishA, check_2, verify, admin_sign_1, admin_sign_2, collector_verify_1, collector_verify_2, add, publishC, check_strategy, final_publish}
M = {sendA, sendV, sendC, sendCo, publishC}
4 Results
The models presented above are now converted to rate equations using the techniques of [13], then analysed
numerically using data derived from an implementation of the voting scheme. The data is based on using
RSA with a key length of 1024 bits, a maximum bit commitment length of 50 bits, a random padding of
100 bytes per message and a mix message block size of 110 bytes. By far the most significant time delays
in the scheme are the decryption of the blinded votes and revelation messages. Other significant delays are
encountered in the communication involved in sending the various messages and the overhead in signing the
blinded messages. All other actions are very fast by comparison. This has the effect of making the resultant
underlying continuous time Markov chain very stiff. Experiments with the implementation showed that the
system is particularly sensitive to the padding length and mix message block lengths as these impact the
slowest operations.
[Figure: “Number of Administrator components in derivative states”; traces for Administrator, Administrator_2, Administrator_7 and Administrator_Finished; y-axis Number (0 to 10000), x-axis Time, t (0 to 30).]
Fig. 1. A simulation of the Administrator component
[Figure: “Number of Voter components in derivative states”; traces for Voter0, Voter0_4, Voter0_5b and Voter1; y-axis Number (0 to 10000), x-axis Time, t (0 to 30).]
Fig. 2. A simulation of the Voter component through its early evolution to Voter_1
[Figure: “Number of Voter derivatives against Election state”; traces for Election_Preparation, Election_Voting, Election_Counting, Election_Finished, Voter0, Voter1, Voter2 and Voter_Finished; y-axis Number (0 to 10000), x-axis Time, t (0 to 60).]
Fig. 3. A joint simulation of Voter and Election components where the phases of the Voter follow those of the Election
Figs. 1 to 3 show information extracted from simulations of the voting model. In each case, the numbers
of derivatives of a component (possible successor states of a component) are shown against time. So as not
to over-clutter the diagrams, we have only shown qualitatively distinct derivative traces.
In Fig. 1, we present a selection of simulations for different derivatives of the Administrator component.
The first component plot is of the number of Administrator components which have not seen a transition
sendA out of the Administrator state. There is a slight delay while the Administrators wait to synchronise
with the first sendA actions from the population of Voters, but thereafter the decline in number is almost
exponential. The derivatives Administrator_2 and Administrator_7 are transient states of the component
and so the populations here remain close to 0. The last state and also the absorbing state of the component
is Administrator_Finished, which ends up with the bulk of the population in this trace.
The simulations of the Voter component are shown in Fig. 2, which shows the smooth evolution of Voter to
derivative Voter_1. There is a close relationship between Election and Voter that can be seen more closely
in Fig. 3 and involves the later stages of the Voter lifecycle.
Fig. 3 shows the inherent synchronisation between Voter and Election derivatives in the same simulation. Clearly, the termination of the Voter_1 and Voter_2 phases is attributed to the time-out for that
phase of the election as dictated by the Election component, in its state change to Election_Voting and
Election_Counting respectively. The end of the final Election phase is not seen by the Voter as it concerns
the completion of counting the votes.
5 Conclusion
With some new techniques, we have carried out simulations on a model of an electronic voting protocol
from [7, 14]. The representation of the voting system as a simulation has enabled us to analyse a state space
of O(10^10000) states; far beyond the capability of traditional explicit state-space representation techniques.
References
[1] D. Chaum, “Untraceable electronic mail, return addresses and digital pseudonyms,” Communications
of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
[2] A. Fujioka, T. Okamoto, and K. Ohta, “A practical secret voting scheme for large scale elections,”
in ASIACRYPT’92: Proceedings of the Workshop on the Theory and Application of Cryptographic
Techniques, (London), pp. 244–251, Springer-Verlag, 1993.
[3] K. Iversen, “A cryptographic scheme for computerised general elections,” in Advances in Cryptology
– Proceedings of CRYPTO’91 (J. Feigenbaum, ed.), vol. 576 of Lecture Notes in Computer Science,
pp. 405–419, Springer-Verlag, 1991.
[4] L. Cranor and R. Cryton, “Sensus: A security-conscious electronic polling system for the internet,”
in Proceedings of the Thirtieth Hawaii International Conference on System Sciences (HICSS 30),
pp. 561–570, IEEE Computer Society, 1997.
[5] M. Herschberg, “Secure electronic voting over the world wide web,” MEng thesis, MIT, 1997.
http://theory.lcs.mit.edu/~cis/voting/voting.html.
[6] R. Joaquim, A. Zuquete, and P. Ferreira, “Revs a robust electronic voting system,” in Proceedings of
IADIS International Conference e-Society 2003, vol. 1, pp. 95–103, 2003.
[7] N. Thomas, “Performability of a secure electronic voting algorithm,” in PASM’04, Practical Applications of Stochastic Modelling (J. T. Bradley and W. J. Knottenbelt, eds.), (The Royal Society, London),
pp. 81–94, Imperial College London, September 2004.
[8] N. Thomas and J. Bradley, “Terminating processes in PEPA,” in Proceedings of the Seventeenth UK
Performance Engineering Workshop (K. Djemame and M. Kara, eds.), (University of Leeds), pp. 143–
154, July 2001.
[9] J. Hillston, A Compositional Approach to Performance Modelling. Cambridge University Press, 1996.
[10] S. Gilmore, J. Hillston, M. Ribaudo, and L. Kloul, “PEPA nets: A structured performance modelling
formalism,” Performance Evaluation, vol. 54, pp. 79–104, Oct. 2003.
[11] A. Argent-Katwala, J. Bradley, and N. Dingle, “Expressing performance requirements using regular
expressions to specify stochastic probes over process algebra models,” in Proceedings of the Fourth
International Workshop on Software and Performance, (Redwood Shores, California, USA), pp. 49–
58, ACM Press, Jan. 2004.
[12] J. Hillston and L. Kloul, “An efficient Kronecker representation for PEPA models,” in Proceedings of
the first joint PAPM-PROBMIV Workshop (L. de Alfaro and S. Gilmore, eds.), vol. 2165 of Lecture
Notes in Computer Science, (Aachen, Germany), pp. 120–135, Springer-Verlag, Sept. 2001.
[13] J. Bradley, S. Gilmore, and N. Thomas, “Performance analysis of stochastic process algebra models
using stochastic simulation,” in Proceedings of 5th IEEE International Workshop on Performance
Modeling, Evaluation and Optimization of Parallel and Distributed Systems, IEEE Computer Society,
2006.
[14] J. T. Bradley and S. T. Gilmore, “Stochastic simulation methods applied to a secure electronic voting model,” in PASM’05, Proceedings of 2nd International Workshop on Practical Applications of
Stochastic Modelling (N. Thomas, J. T. Bradley, and W. J. Knottenbelt, eds.), (Newcastle), July 2005.
Paper Session 4
e-Voting, e-Democracy and
e-Government in Practice
DemoNet: Towards eParticipation in Democratic
Decision Making
Colin Fraser
Abstract
eParticipation, which may be loosely defined as the use of ICTs in
engaging citizens to participate in the processes of democratic decision
making, remains a field in its infancy. In this talk, we will outline the DemoNet project which aims to map out the research challenges which face
researchers in this exciting and emerging area, including: technological
and sociopolitical barriers to eParticipation; criteria to enable a standardised approach to eParticipation; knowledge representation of documents
for informed decision making for policy makers and practitioners.
Internet Elections: The Voters Viagra?
Rachel K. Gibson, Department of Media and Communication, University of Leicester1
Abstract
This paper profiles the main variants of internet or ‘i-voting’ available to policy makers and
assesses the case for and against their use in elections to public office. Although the evidence
suggests that use of the technology would almost certainly deliver a boost in the numbers voting,
principally by making voting more convenient, the logistical, financial and legal implications
surrounding such a move are seen as raising significant barriers. The paper concludes by
pointing to the need for more research into the attitudinal effects of i-voting before any moves
toward implementation are made at either national or local level.
1 This paper is an abridged version of a chapter that appeared in The European Union and E-Voting: Addressing the European Parliament’s Internet Voting Challenge, Eds. Alexander Trechsel and Fernando Mendez. Routledge: Oxon, UK. 2005. See www.routledge.com/politics for further information and titles by the author on the internet and politics.
Introduction
Rising fears about the performance of democracy in modern nation states have been fuelled
to a large extent by reports of a decline in voter turnout. Parliamentary elections across Western
Europe throughout the 1990s saw a downward trend in voters going to the polls, almost without
exception.1 Levels of participation in European Parliament elections have made for particularly
gloomy reading, with turnout falling again in 2004 to a record low average of 46% across the EU member states. These figures represent a fall of over ten percent in EP elections since 1984
within the EU-12, leading the President of the European Parliament to announce that the results
should serve as a ‘wake-up call’ to EU leaders.2 Across the Atlantic attention has also focused on
the issue of voter abstention. While the 2004 U.S. presidential election saw a bounce in voter
numbers, with up to 55 percent of the voting age population going to the polls (an increase of four
percent from 2000), this upswing followed a largely downward trend in postwar turnout. In 1968
just over seven percent of registered voters did not vote in the US presidential election. By 2000
that figure had almost tripled to just under nineteen percent. The British General election of 2001
of course saw turnout fall to its lowest level since 1918, with just over sixty percent of those
aged eighteen to twenty-four reporting they had not voted. While the 2005 election saw
numbers rise slightly to just over 60 percent, the decline sparked concerns about the democratic
health of the UK. Following the British election of 2001 a report by the UK Electoral Reform
Society warned that:
A democracy in which the public does not participate is in trouble. Falling turnout at
elections is a worry for all of us, because we know that voting is the most basic act of
democratic participation; people who do not vote tend not to participate in other civic
activities.3
In looking for ways to engage people in the electoral process policy makers have a number of
options available. Early intervention strategies such as civic education programs in schools that
teach children the values and responsibilities of citizenship are one possible solution. More
‘surface level’ approaches include altering the electoral and party finance rules to encourage a
wider range of parties and independent candidates to enter the fray, and thereby hopefully
increasing levels of competition and voter interest.4 All such tactics are of course highly complex
and costly to implement and unlikely to deliver the quick fix that is needed to quell current
concerns. Little wonder then that governments around the world are turning to consider more
immediately implementable and comparatively low cost options, namely voting over the internet
via home or work personal computers (PCs).
This paper aims to review the case for using internet voting or i-voting (as it is termed here) in
elections to political office by profiling the main arguments for and against the practice that have
been put forward. In doing so we look at the development of the practice of i-voting in countries across
the world and identify the main variants of the method that have been used. We then examine
their implications for key democratic values of voter equality, privacy, anonymity as well as the
authenticity or legitimacy of the outcome. Any gains in voter participation rates clearly have to be
weighed up alongside the civic, financial, logistical, and legal costs to any widespread roll-out.
Finally, we call for further research to examine the possibility of ‘mode’ effects associated with
using the new voting technology given the growing use of the practice around the world. Does
‘mouse-clicking’ your vote into a virtual election booth really deliver the same civic reward and
reinforcement as physically attending the polling booth along with your fellow citizens? Perhaps it
makes very little difference? At present, however, we face a lack of the systematic evidence
needed to properly address this question.
The Development of Internet Voting
Internet voting or i-voting is the casting of a secure and secret electronic ballot that is transmitted
to officials over the internet.5 As such, i-voting is a sub-type of electronic voting or e-voting which
refers to the casting of a ballot via a broader range of electronic telecommunications technology
including telephones, cable and satellite television, and computers without internet connections.
E-voting has been used widely in elections around the world, mainly through direct recording
electronic voting (DRE) devices such as touch screen computers at the polling station.6 The
practice of i-voting is far less common. One of the earliest political uses of the technology was in
1996 when the US Reform Party allowed members to select its presidential nominee by casting
an online ballot from their PC. Many of the subsequent experiments in i-voting have also taken
place in the US. In Alaska, the Republican party primary elections of 2000 were trialled on the
internet, but the results were disappointing, with only 35 votes being cast online (less than one
percent of eligible voters). Later in November 2000, voters in three counties in California and
Arizona were allowed to cast a vote for president in a non-binding trial of the technology.
Probably the most widely publicised and well known example of i-voting to take place to date,
however, was the Arizona Democrats’ online primary in March 2000.7 This marked the first use of
i-voting in any large scale and legally binding manner for nomination to public office.8 Since then,
however, the Michigan Democrats have also taken the plunge into online primaries, offering an i-voting alternative for their 2004 nomination process.
Worldwide Initiatives in i-voting
The Arizona primary also served to stimulate the interest of governments outside the US in using
internet-based technologies for elections. Placing itself ahead of the curve, the UK government, in
conjunction with Election.com (the company responsible for the Arizona primary), and British
Telecom piloted a series of i-voting systems for local elections in 2002 and 2003. This resulted in
a total of nine authorities in 2002 experimenting with some type of new ICT-enabled voting in
selected wards. The options trialled included interactive digital TV and SMS via mobile phones,
as well as home PCs and internet connected public kiosks in libraries and supermarkets.9 These
experiments were heralded by Robin Cook, the former leader of the House of Commons, as the
first steps toward an online general election, an event that he viewed as vital in signalling the
continuing relevance of government to people’s lives.10 Warming to his theme, Mr Cook poked
fun at the antiquities of the current system, saying for those under 40, polling day was possibly
the only time when they would face using a pencil stub and this was why it was tied to a piece of
string: “it's so rare and they might pocket it as a souvenir.”11 The programme for 2003 proved
even more ambitious with a total of 17 local authorities offering some form of new electronic
means of voting at an estimated cost of £18.5 million12, a five-fold increase on the figures
reported from the year before, and beyond the projected £10 million allocated by the Chancellor in
2002.13
The EU has also displayed a keen interest in the prospect of i-voting for parliamentary
elections.14 The ‘CyberVote’ project was a key exploratory initiative launched by the European
Commission in September 2000.15 The aim of the project was to develop and demonstrate an
online voting system that could be used by member countries for local, national and European
elections. The system envisaged voting on the internet from fixed sites (i.e. home voting from
PCs) alongside mobile devices (i.e. mobile phones and handheld devices). Pilot schemes in
selected locations in Germany, France and Sweden were carried out during December 2002 and
January 2003. While the cybervote scheme officially concluded in 2003, a new ‘e-Vote’
programme, sponsored by the EU and operated by a consortium of academics and member
governments, appears to have picked up where it left off, running trials and publishing reports
highlighting the advantages of the system.16
Individual member governments have also shown interest in adopting i-voting for local and
general elections within the next decade. When Otto Schily, the German Interior Minister spoke at
a conference in 2001 on electronic democracy he spoke of the government's intention to see i-voting fully operational for the 2010 general election, with a more limited form being introduced by
2006.17 These expectations appear to have taken hold in the public mind. By mid-2002 almost
half of Germans were reporting that they expected i-voting to be available in the near future.18
Elsewhere, the Swedish and Swiss governments have established formal inquiries into the
prospects for i-voting, and in 2004 the Swiss canton of Geneva allowed citizens to vote in a
federal referendum through i-voting.19
Initiatives in i-voting have also been seen outside of the US and Northern and Western
Europe. Eastern European states such as Estonia and Latvia have experimented with
implementing i-voting despite low levels of internet use among the mass of the population. While
Latvia took a more experimental approach to the Riga mayoral elections, Estonia, with a
population of less than two million, took the bolder step of running its capital city elections online in October
2005. Having gained parliamentary approval earlier in the year, the internet option was offered to
voters along with other methods, and apparently proceeded without any obvious problems.20 In
Poland the state electoral commission provided ten percent of local polling stations with
computers and internet access during 2002. While not allowing citizens the chance to vote online,
the transmission of final results to the commission’s central server were planned to take place via
the internet, with results being publicised on a website on a rolling basis during the course of the
evening.21
Despite what appears to be a rising crescendo of government support for i-voting worldwide,
it is also clear that recent trends point toward a cooling of enthusiasm for continued roll-out of the
technology both in the UK and the U.S. In July 2003 the U.S. government had expressed strong
interest in expanding the i-voting component of its Federal Voting Assistance Program (FVAP)
beyond military personnel and to include more states.22 However, during 2003 a major
controversy erupted over the integrity of the Diebold Election Systems, suppliers of electronic and
internet voting to U.S. election authorities in numerous states. A group of academic researchers
revealed they had been able to access the systems' source code, and this led to congressional
hearings. By early 2004 further serious questions had been raised about the safety of i-voting and
other electronic methods with the publication of a government sponsored report into the Secure
Electronic Registration and Voting Experiment (SERVE). The report pointed to major
shortcomings in online voting in terms of its vulnerability to fraud and malicious attack and cast
major doubts on the use of i-voting in the 2004 election.23 By 2005 the British government was
starting to withdraw its support for any future plans to expand use of internet and mobile
technologies at the local level and issued a clear statement that it had shelved plans for further
trials of the technology in 2006, although the release did indicate that the door was being kept
open to possible use in the next general election.24
Models of i-voting
Given this growing debate over the use of i-voting it is clearly important to distil the key
advantages and disadvantages associated with the method as set out by its proponents and
critics. In order to review the costs and benefits of applying the new technology to elections it is
first necessary to specify exactly how i-voting takes place. Although much discussion has focused
on people using personal computers (PCs) at home and work, this is only one of the ways in
which i-voting could be introduced at elections. There are essentially four models of i-voting that have
been practised in elections, and they are based in turn around two distinct logics or approaches:25
1) Internet Voting at the Polling Place (IV@PP) - votes are cast at official polling stations and
transmitted via the internet to election officials
2) Remote Internet Voting (RIV) - votes are cast in any location with an internet connection and
transmitted via the internet to election officials.
The crucial differences between the systems from an administrative perspective are that (i) voter
authentication in the IV@PP model is done at the polling place by election officials, whereas for
RIV it is done through a pre-arranged Personal Identification Number (PIN) or digital signature;
and (ii) the infrastructure or voting platform (machine and environment) is not controlled by
officials for RIV at any outlet. These distinctions give rise to the following models of i-voting
represented below in diagrammatic form:
MODELS26
(1) IV@PP: infrastructure controlled by the election authority; voter id checked by poll officials; votes sent via the internet to HQ.
    Variants: home station; any station.
(2) RIV: infrastructure not controlled by the election authority; voter id checked by digital signature; votes sent via the internet to HQ.
    Variants: public kiosk; any outlet.
As presented here, IV@PP is the most traditional model in that it simply replaces the existing
equipment such as paper ballots or punch cards with a machine that records the votes locally and
then transfers those votes via the internet to a central tally centre. RIV from any outlet, at the
other end of the spectrum represents the most radical departure from existing practice, offering
voters the possibility of voting from any machine that is connected to the internet. Voters log on to
the election web site from their PC at home or work, or through their digital TV or mobile phone to
cast a vote. Intermediary options vary from maintaining polling station voting but allowing voters
to use any site to cast their vote, to opening kiosk-style outlets that are owned and managed by
the election authority, but can be located in a variety of public places such as post offices,
libraries and shopping malls.
These four models form a useful reference point to assess the implications of i-voting, since they
offer a somewhat different reconciliation of the costs and benefits associated with the method.
While RIV carries a far higher risk of outside interference and compromise of security, it offers
potentially far greater benefits in terms of freeing up the voting process and allowing
people to participate from unconventional locations that are most convenient for them. IV@PP
on the other hand, while reducing the risks of any malicious sabotage and keeping voters under
the watchful eye of election administrators, obviously does not change much from the individual
voters’ perspective, other than providing a new computerised context for casting their vote. The
controversy that greeted the Arizona Democrats experiment in i-voting is hardly surprising,
therefore, given that they opted for RIV from any location, the most radical of the options on offer.
Criticisms poured in, ranging from heightened security fears to the possibility of violation of
democratic rights due to the unequal distribution of computers across the state, and the
trivialisation of the voting act if people could do so ‘in their pyjamas’. Based on the claims made
for and against the Arizona Democrats’ i-voting experiment, and the continuing debate it has
sparked, the main arguments offered by the proponents and opponents of i-voting are
summarised and expanded upon below.
In Support of I-Voting
The arguments for i-voting generally rest on three central claims: that it (1) increases
participation; (2) enhances administrative efficiency; and (3) forms a natural or logical progression
in existing practice, and that resistance to it is driven largely by inertia or ignorance.
(1) Increasing participation
Boosting the numbers of people that vote is one of the principal arguments offered by those who
advocate i-voting. This is certainly the case for the EU in their Cybervote Project. According to the
Press Release issued in October 2000 the first objective was stated as:
...an improvement of the democratic process by increasing voter participation and thereby
increasing the number of votes. On-line voting should lead to an increase of citizens taking
part in numerous types of elections.”27
In the UK, the move to adopt i-voting was explicitly promoted as a means to reverse the
disastrous decline in turnout seen in the 2001 general election.28 In a government statement released
prior to the local elections of May 2003, Local Government minister Nick Raynsford said:
The electoral pilots aim to improve turnout, in particular among key groups of people who
might otherwise be excluded, such as people who are working away from the area, younger
voters, the elderly and people with mobility problems.29
Why should this be the case? The primary explanation offered is increased convenience. I-voting
would allow voting to be spread over a series of days, affording voters greater flexibility
over when they can vote. While IV@PP would also give voters a choice over which polling station
to attend, RIV would offer an even greater ease of access, allowing people to vote from wherever
they have access to the internet. In so doing, RIV would have the added benefit of helping those
voters who might find it difficult to make it to the polling station, to cast their ballot. People with
mobility restrictions, for instance, the disabled, the ill and the elderly, would be able to vote from
home or a kiosk near to their residence. Those in transit for work or holiday or those living in
remote rural locations and expatriates living in another country would also find it much easier to
vote. In addition, with i-voting the authorities could also target areas with low participation rates.
Strategically placed kiosks in libraries, schools, supermarkets, and bus stations, staffed by
election officials might be able to draw in more people from more disadvantaged groups such as
the poor and ethnic minorities.
Beyond convenience there is also an argument that i-voting would also increase turnout due to
the ‘pull’ of the internet itself. This argument is considered particularly relevant for young people
who tend to be less attracted to voting in its traditional form but are also at the high end of users
of digital technologies. This is particularly exciting for governments given the high levels of apathy
and disinterest evinced by young people in the political process.
(2) Increasing Administrative Efficiency
As well as reducing costs for voters, moving to i-voting offers considerable efficiency gains for
administrators at all stages of the election. As with other forms of e-voting, ballot production and
distribution expenses are eliminated along with the inevitable wastage of over-production - an
environmental plus! RIV would reduce staffing costs for polling stations and voting machines. In
addition to monetary savings, i-voting could reduce errors in the voting process on the part of
voters and electoral administrators. Voters could be prevented from making mistakes on their
ballot entry, particularly if the ballot is long and complicated. Intelligent software could prevent
them from over-voting or skipping a contest for instance. Online help could be made available to
aid voters when completing the ballot in different languages. Approved summary information on
each of the candidates could also be provided for voters to consult as required. Finally, if all votes
were cast electronically, errors in the count and the time taken to produce the final tally would be
significantly reduced, as vote totals would be produced at the click of a button.
(3) Logical Progression
A final argument presented by the proponents of i-voting is that most, if not all election
administration uses digital technology at some point in the process, be it in the pre-election stage
of compiling the voter roll and registering voters or the post-election phase of ballot counting.
Offering voters the opportunity to vote via their computers, therefore, simply pulls the ‘public’ face
of elections administration into line with its ‘private’ or internal face. A senior elections
administrator in Australia, for instance, went on record to argue that “…just about every electoral
transaction could be conducted over the internet, from enrolment to voting to displaying the
results, and everything in between.30 In the US this argument carries particular resonance since
voting machines have long been a feature of the electoral landscape. In the UK, the case for i-voting has been directly linked to the wider wiring of the elections process in a government
consultation paper issued by the office of the e-envoy in the UK during 2002.31 The document
after advancing the case for a limited roll-out of i-voting went on to outline plans for an online
electoral register, voter registration, postal vote application, and electronic counting and collating
of results.
By virtue of the very rational and logical nature of the process outlined, proponents of this line of
reasoning can also quite reasonably claim that the objections to implementation of i-voting,
particularly among politicians actually stem from a basic unwillingness to embrace modern
technology, either due to fear, ignorance or an inherent conservatism toward changing
established practice, particularly where it involves a significant outlay of expenditure. As the
manufacturers of these voting systems are at pains to point out, all new electoral methods attract
opposition and suffer teething pains, and no method is free from error or the risk of fraud. Mail-in
ballots, for example, are far from one hundred percent secure and the state of Oregon took ten
years to move the proposal from the legislative agenda to full implementation. However, this now
constitutes the principal method of casting ballots in the state.
Arguments Against i-voting:
Objections to i-voting are generally based on three main lines of argument: (1) the negative
consequences for equality of voter influence; (2) the potential for violations of security and voter
privacy; and (3) the reduced quality of participation.
(1) Equality of voter influence
A major criticism of the use of the internet by public bodies is that it is not yet a truly public
medium. Figures on net usage around the world show that, even in the more advanced
industrialised democracies it is generally only a minority of the population that have access and
are using the new medium regularly.32 In terms of voting, such discrepancies carry serious
consequences since they make it easier for some people to cast their vote than others, thereby
providing them with potentially greater influence over the election outcome. Given that studies of
internet users consistently show that they are younger, more affluent and more educated than
non-users, switching to i-voting runs the risk of actually widening the existing participation gap
between the more and less advantaged sectors of society. Of course, such problems emerge
only if RIV or self-administered kiosks are used since IV@PP would maintain the fixed opening
hours and locations of polling stations.
(2) Security
While social and political concerns about equality of voter influence are important in this debate,
arguments about security and the potential for violation of voter privacy have become increasingly
salient. These concerns have been highlighted in a series of reports issued by government
appointed agencies or independent policy institutes during the past two years that have assessed
the feasibility of i-voting.33 While not dismissing the possibility of i-voting entirely, they recommend
strongly against any use of RIV specifically on security grounds. With voters and the voting
infrastructure removed from the watchful eye of the elections administration staff there are just too
many opportunities for compromising the outcome. Even with IV@PP there are heightened
security risks, however, since the ballot has to travel across a publicly accessible network and so
is open to external interference and manipulation. In general, security objections cover three main
aspects of the voting process:
Authentication - ensuring that the voter is who they claim to be.
A major concern in any election is ensuring that voters are properly identified. For the remote
types of i-voting some kind of electronic identification is necessary. In Arizona a combination of
PINs and personal information was used and in the UK local elections a 16 digit voter id number
was matched with a 4 digit PIN. Such measures, however, are seen by some as too weak to
thwart a determined attack, which would be far more likely in the case of a nationwide general
election than in the context of small scale local elections. Ben Fairweather, at De Montfort
University, a member of the research team commissioned by the Government to investigate the
possibilities for e-voting in local and national elections made this point in press reports prior to the
May 2002 elections, saying that in “piloting [i-voting] at the local level you’re not facing the
challenges you’ll face in the real thing.” The temptations offered to saboteurs by a general
election, he argued, were far stronger, given the greater magnitude of any disruption caused, and
the implications of any changes to the outcome that might be achieved.34 A digital roll call and
digital signatures using biometric data have been offered as a potential solution, however, such
measures would still not be able to prevent the unauthorized use of another person’s ballot. The
remote voting environment permits a greater degree of voter coercion and bribery than can occur
at the traditional polling place.35 Such criticisms can of course be lodged against other methods
such as absentee or mail-in votes. The effects of any instances of fraud in these systems,
however, would arguably be more localised and less compromising overall to the validity of the
elections process.
Privacy/Secrecy – ensuring that the voter’s ballot is anonymous.
Another key concern in an election is that votes remain secret, a requirement that clearly
runs counter to the need for voter authentication. While this tension exists in all election systems,
it is particularly acute for i-voting given its more stringent identification requirements. The use of
PINs and digital signatures offers election officials an electronic trail linking voters to their vote in a
manner that is not possible with conventional paper methods. Remote methods of i-voting create
further problems in this regard since they make possible the interception and monitoring of one's vote
by a range of unauthorised parties. Voting from work, for instance, on a PC connected to a local
area network (LAN) allows your system manager to spy on and retain a copy of your ballot.
Although software to protect the secrecy of your ballot could be made available, the level of
computer literacy necessary to download and install such anti-surveillance software may well
prove beyond the capacity of many voters if it were offered as a ‘DIY’ option.
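The two preceding points, the weakness of a short PIN against a determined attacker and the voter-to-vote trail that the credential leaves, can be made concrete with a small Python model. It is an added example, not code from this paper or from any of the pilots it describes. It assumes a 16-digit voter id matched with a 4-digit PIN, as in the UK local pilots, a lockout after five failed attempts (the paper gives no figure; this is an assumption), and a constructed register. Against the naive server a known voter id falls to at most 10,000 online guesses and the ballot is stored next to the id; the hardened server limits attempts, compares in constant time, and issues a one-time anonymous token so that the ballot store holds no voter id.

```python
"""Toy remote i-voting server (added example; constructed data).
Models (a) PIN guessing against a 16-digit voter id + 4-digit PIN and
(b) the voter-to-vote trail left when ballots are stored beside the
credential used to authenticate."""

import hmac
import secrets
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5  # assumed lockout threshold; the paper names none

# Constructed electoral register: 16-digit voter id -> 4-digit PIN
REGISTER = {
    "1234567890123456": "0420",
    "6543210987654321": "9871",
}


@dataclass
class NaiveServer:
    """Checks id + PIN with no attempt limit; stores ballots next to the id."""
    register: dict
    ballots: list = field(default_factory=list)

    def cast(self, voter_id, pin, choice):
        if self.register.get(voter_id) != pin:
            return False
        self.ballots.append((voter_id, choice))  # voter-to-vote link on disk
        return True


@dataclass
class HardenedServer:
    """Same credential, but with a per-id attempt counter, constant-time
    comparison, and a one-time token so the ballot store holds no voter id."""
    register: dict
    attempts: dict = field(default_factory=dict)
    voted: set = field(default_factory=set)
    issued: set = field(default_factory=set)
    ballots: list = field(default_factory=list)

    def authenticate(self, voter_id, pin):
        """Return a one-time voting token, or None; lock the id after MAX_ATTEMPTS."""
        if self.attempts.get(voter_id, 0) >= MAX_ATTEMPTS or voter_id in self.voted:
            return None
        expected = self.register.get(voter_id, "")
        if not hmac.compare_digest(expected, pin):
            self.attempts[voter_id] = self.attempts.get(voter_id, 0) + 1
            return None
        self.voted.add(voter_id)              # "has voted" mark only, no choice
        token = secrets.token_hex(16)
        self.issued.add(token)
        return token

    def cast(self, token, choice):
        if token not in self.issued:
            return False
        self.issued.remove(token)             # the token spends once
        self.ballots.append((token, choice))  # no voter id in the ballot store
        return True


def guess_pin(server, voter_id, choice="A"):
    """Online PIN enumeration against a known voter id.
    Returns (guesses made, whether a ballot was cast in the victim's name)."""
    for n, pin_int in enumerate(range(10_000), start=1):
        pin = f"{pin_int:04d}"
        if isinstance(server, NaiveServer):
            if server.cast(voter_id, pin, choice):
                return n, True
        else:
            token = server.authenticate(voter_id, pin)
            if token is not None:
                return n, server.cast(token, choice)
            if server.attempts.get(voter_id, 0) >= MAX_ATTEMPTS:
                return n, False                # locked out: attack stops
    return 10_000, False


if __name__ == "__main__":
    print("naive:", guess_pin(NaiveServer(dict(REGISTER)), "1234567890123456"))
    print("hardened:", guess_pin(HardenedServer(dict(REGISTER)), "1234567890123456"))
```

Two caveats a practitioner would weigh. The lockout is itself a trade-off: five wrong guesses against a victim's id lock that voter out until officials intervene, so an attacker who cannot cast a vote can still deny one. And the token only separates the records; an operator who logs both the authentication and the ballot with timestamps can still correlate them, so this is data separation, not a cryptographic guarantee of secrecy.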
Integrity – ensuring the voter’s ballot is not subject to interference.
In addition to properly identifying voters and maintaining the secrecy of how they voted, any
legitimate election must ensure that the vote is an accurate reflection of the voter's intention.
Votes should not be tampered with or changed in any way from the time of their being cast to the
point where they are counted. All forms of e-voting face acute problems in this regard since
automation means that one successful instance of fraud could invalidate the entire vote count.
Electronic ballot images are typically stored on flash memory cards which, if accessed, could be
changed en masse. The chances of such infiltration are markedly increased, however, with i-voting given its reliance on an open network. While these risks can be limited for IV@PP by
configuring machines to store ballots and upload them to the central server at intervals in batch
mode, such protection does not extend to RIV. Some of the more serious methods of interference
include distribution of so-called ‘Trojan horse’ viruses to users' PCs via web or email downloads.
Such programmes, when activated, could rearrange the ballot such that parties or candidates
voting boxes are moved around and a false vote sent back, without the user detecting the
mistake.
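For the IV@PP batch-mode protection mentioned above, the following Python example (added here; not from the paper or from any of the systems it cites) shows one concrete form of the check a tally centre would want: each ballot record on the machine's storage card carries a keyed hash that also commits to the previous record, so records altered, removed or reordered on the card, and batches truncated before upload, are detected on receipt. The per-machine key, the ballots and the tampering are all constructed for the example.

```python
"""IV@PP batch upload with a keyed hash chain (added example; constructed data).
Each stored record commits to the one before it, so records altered,
removed or reordered on the machine's storage card fail verification
at the tally centre."""

import hashlib
import hmac
import json

MACHINE_KEY = b"constructed-per-machine-key-0001"  # assumption: provisioned per device
ANCHOR = "0" * 64                                   # chain start value


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class PollingPlaceMachine:
    """Records ballots locally and hands them over in one batch."""

    def __init__(self, key):
        self.key = key
        self.records = []   # what would sit on the flash memory card
        self.prev = ANCHOR

    def record(self, seq, choice):
        body = json.dumps({"seq": seq, "choice": choice, "prev": self.prev}, sort_keys=True)
        tag = _mac(self.key, body.encode())
        self.records.append({"body": body, "tag": tag})
        self.prev = tag
        return tag

    def batch(self):
        """Records plus a MAC over the chain head, so truncation is visible."""
        return {"records": list(self.records), "head": _mac(self.key, self.prev.encode())}


def verify_batch(key, batch):
    """Tally-centre check. Returns (ok, reason)."""
    prev = ANCHOR
    for i, rec in enumerate(batch["records"]):
        body = rec["body"]
        if not hmac.compare_digest(_mac(key, body.encode()), rec["tag"]):
            return False, f"record {i}: tag mismatch (body altered)"
        if json.loads(body)["prev"] != prev:
            return False, f"record {i}: chain broken (record removed or reordered)"
        prev = rec["tag"]
    if not hmac.compare_digest(_mac(key, prev.encode()), batch["head"]):
        return False, "head mismatch (batch truncated or extended)"
    return True, "ok"


def tally(batch):
    """Count choices in a batch that has already been verified."""
    counts = {}
    for rec in batch["records"]:
        choice = json.loads(rec["body"])["choice"]
        counts[choice] = counts.get(choice, 0) + 1
    return counts


def demo():
    """Constructed run: four ballots, then an en-masse rewrite on the card."""
    machine = PollingPlaceMachine(MACHINE_KEY)
    for seq, choice in enumerate(["A", "B", "A", "A"]):
        machine.record(seq, choice)
    good = machine.batch()
    tampered = json.loads(json.dumps(good))            # deep copy of the card contents
    for rec in tampered["records"]:
        rec["body"] = rec["body"].replace('"choice": "A"', '"choice": "B"')
    return verify_batch(MACHINE_KEY, good), verify_batch(MACHINE_KEY, tampered), tally(good)


if __name__ == "__main__":
    print(demo())
```

The check only holds if the key is not available to whoever can reach the card; a key stored on the same device is a limitation to weigh against a hardware-held one. It also says nothing about the RIV case in the paragraph above: a Trojan on the voter's own PC alters the choice before any record is made, and no storage-side integrity check can see that.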
(3) Quality of Participation
A third major criticism of i-voting is that it will erode the significance of voting which will in turn
lead to a further decline in levels of political engagement among the public. This claim is centered
on the understanding that voting is an important act that cements civic life, and requires a public
ritual to instill and perpetuate it. If casting one’s vote is reduced to the equivalent of checking
email or buying a book online then this reduces its salience and significance in individuals' lives.
Governments, in turning to new ICTs as a means of improving falling participation rates, are seen
as falling victim to the lure of ‘the modern fix’ which is that ‘if something isn’t working, throw some
technology at it….’36 Far from revitalising the body politic, however, these critics argue i-voting
may actually prove to be “…one more way people are disconnecting from the body politic.”37 The
act of voting becomes ‘privatised’ and people are encouraged to weigh their own individual
interests above those of the body politic.
For these reasons, the consequences of i-voting for social cohesion need to be carefully
considered, argues Richard M. Schum, project director of the Internet Policy Institute workshop
that examined i-voting. The act of voting is “far more than simply a means by which to elect
officers of government” he argues, “For this one moment, all citizens who enter the voting booth
are of equal stature – each casts one vote notwithstanding their differences in race, education,
occupation or net worth.” RIV, however, allows a select group “...to opt out of going to the polls,”
with negative consequences for the community as a whole.38 Worse still, once instituted for
elections, i-voting can then be used to run referenda on a more frequent basis, which for some is
the death knell to deliberative politics.39 Increasingly, interest groups will hold sway, leading to a
situation of ‘accelerated pluralism’ as Bruce Bimber described it (1998), whereby a cacophony of
highly specialised interests, clamour to be heard.40 At worst, one might see groups and
individuals putting forward a stream of proposals to voters to vote up or down from the comfort of
their own homes, with democracy descending into little more than a game show.
One additional concern about democratic quality that should be introduced here too, is the
potential threat that e-voting poses to electoral choice. While smart software can prevent voter
error it also allows the authorities far greater power to constrain voter choice by determining
permissible responses. Ballots could be constructed to prevent individuals from spoiling their
ballots or leaving them blank. Such measures would therefore leave governments with considerably more
power to control levels of protest voting.
Conclusions and future research directions
The aim of this paper has been to identify the key arguments made by the proponents and critics
of i-voting. Drawing these claims together it has revealed that two basic questions need to be
addressed by politicians and election administrators when making any decision to move to i-voting:
(1) Is it workable? How far can i-voting meet basic standards of privacy, accuracy and fairness
required for any legitimate election?; and (2) Can it promote democracy by helping to engage
more people in the political process? Clearly, extensive empirical evidence and the physical
testing of systems are now needed to answer these questions, a remit that goes beyond the scope
of this paper. From a brief scan of the growing technical literature on the first question (discussed
above), however, it does appear that significant doubts are emerging about whether i-voting,
particularly in its more radical remote form, can meet basic workability standards for a large scale
national election. The vulnerability to fraud and/or internal collapse and the consequences of any
such failure are increasingly being seen by officials as too great, at least in the short to medium
term.
Answers to the second, more ‘political’ question about the wider impact of i-voting on the
democratic system have, not surprisingly, produced a more divided range of opinion. Responses
clearly depend on what we understand democracy to mean, and the link between it, and the act
of voting. If one sees democracy as a directly participatory and communitarian experience, then
one would probably see i-voting as having very little impact on citizen engagement. Indeed one
would no doubt be highly critical, seeing it as the latest gimmick of political leaders desperate to
prop up their creaking and antiquated system of representation. If the act of voting is seen as a
crucial stepping stone, however, binding people to the state and inculcating citizenship, as the
introductory quote from the Electoral Reform Society made clear, then i-voting may indeed
significantly influence the standard of democratic life.
From an enthusiast perspective, if i-voting succeeds in attracting new and younger voters into the
process then it will no doubt be regarded as helping pave the way to future civic engagement.
Adopting a more critical perspective, however, one could argue that it is not simply the act of
voting that cements this connection, but the way in which it is done. Can mouse clicking a box
during a chat over your morning coffee, or texting your vote from the local pub really provide the
same foundation to citizenship as being actively mobilised to go to the ‘public space’ of the polling
station and mix with your political peers? Indeed, might these new methods serve to further
downplay the significance of electoral choice in voters’ minds, thereby leading to increased
disengagement from the system?
As yet, we do not know the answer to these questions. And while not wanting to endorse the
more exaggerated fears of the i-voting sceptics, one avenue for future empirical research does
appear to lie in further examination of this question of ‘mode’ effects in i-voting. Does the use of
the new ICT-enabled methods affect levels of voter attachment to the political system and their
fellow voters, compared with other methods? Given the current mixture of methods in place, as
more countries move toward trials of the new voting systems, investigation of this question has
become both highly timely and possible.
National e-Science Centre 27th–28th February 2006
Notes
1. See IDEA. 2002. Voter Turnout since 1945: A Global Report. Stockholm, Sweden: International IDEA; Wattenberg, M. 2000. “Turnout” in Russell Dalton and Martin Wattenberg, eds., Unthinkable Democracy: Parties without Partisans. Cambridge, UK: Cambridge University Press.
2. ‘EU vote turnout a ‘wake-up call’’ The Guardian 14/06/04. Available at <http://politics.guardian.co.uk/elections2004/0,14549,1211033,00.html> Accessed on 20/02/06.
3. ‘Elections in the 21st century: from paper ballot to e-voting.’ The Report of the Independent Commission on Alternative Voting Methods. February 2002. Electoral Reform Society, UK. www.electoral-reform.org.uk. Preface, p.5.
4. See Norris, P. 1999. ‘Institutional Explanations for Political Support.’ in P. Norris, Critical Citizens: Global Support for Democratic Governance. Oxford: Oxford University Press. pp.217-235, for a comprehensive discussion of how institutional arrangements can strengthen public support for democracy.
5. This is the definition adopted by the California Internet Voting Task Force in its report, A Report on the Feasibility of Internet Voting. (Office of the Secretary of State for California: Sacramento, California, January 2000). The task force was established in January 1999 by the Secretary of State, Bill Jones, to examine the feasibility of internet voting. The full report is available at www.ss.ca.gov/executive/ivote.
6. After production of a smart card or token, voters register their choices directly on the screen. Votes are stored on the local computer or network and then transferred to an electronic database where they are accumulated and counted. Belgium, the Netherlands and Brazil in particular have been pioneers in this regard, Brazil having used computers to vote at polling stations since 1990, where voting is mandatory. South Africa saw its second democratic election in June 1999 administered in part through a network of computers linking polling stations in remote villages and townships to a central headquarters in Pretoria. A number of local councils in the UK used touchscreen computers at the polling stations in their May 2000 elections.
7. Another political example of i-voting was the US Reform Party in 1996, which used it, along with mail-in voting, to select its presidential candidate. I-voting has also taken place for private elections within a variety of business and trade organisations such as PricewaterhouseCoopers, Boeing and the MSF in the UK, along with universities and online groups such as the Internet Corporation for Names and Numbers (ICANN).
8. See Gibson, R. 2002. ‘Elections Online: Assessing Internet Voting in Light of the Arizona Democratic Primary.’ Political Studies Quarterly. Winter 2001/02. 116(4).
9. ‘UK tests e-voting system in local elections.’ europemedia.net 08/02/02. www.europemedia.net/shownews.asp?ArticleID=8278
10. Ashley, Jackie. ‘Cook plans to make UK first to vote on internet.’ The Guardian. 07/01/02. www.guardian.co.uk/print/0,3858,4330373,00.html
11. Tempest, Matthew. ‘Reformers sceptical of online voting.’ The Guardian 07/01/02. www.guardan.co.uk/Archive/Article0,4273,4330711,00.html
12. ‘Cross Culture’ by Simon Parker. The Guardian April 30, 2003 (Society section) pp.2-3.
13. ‘Government told not to rush voting online.’ europemedia.net 02/08/02. www.europemedia.net/shownews.asp?ArticleID=11852
14. Gibson, R. K. (2005) “Internet voting the European Parliament elections: Problems and Prospects.” In The European Union and E-Voting: Addressing the European Parliament’s Internet Voting Challenge. (eds.) Alexander H. Trechsel and Fernando Mendez. Oxon, UK: Routledge: pp.29-59.
15. For further details see <http://www.eucybervote.org>
16. For further details see <http://www.instore.gr/evote>
17. ‘Germany considers internet voting.’ europemedia.net 04/05/02. www.europemedia.net/shownews.asp?ArticleID=3106
18. ‘50% of population believe online voting will become a reality.’ europemedia.net 30/08/02. www.europemedia.net/shownews.asp?ArticleID=12329
19. 03/09/04. Available on http://www.dmeurop.com/default.asp?ArticleID=2983 Accessed on 20/02/06.
20. ‘Virtual election of Riga Mayor to take place today on Delfi portal.’ europemedia.net 07/03/01. http://www.europemedia.net/shownews.asp?ArticleID=1789; ‘Estonia pulls off nationwide Net voting’ 17/10/05. Available at <http://news.com.com/Estonia+pulls+off+nationawide+Net+voting/2100-1028_3_59898115.html> Accessed 20/02/06.
21. ‘2002 elections to gauge the future for e-voting.’ europemedia.net 17/10/02. Available at <www.europemedia.net/shownews.asp?ArticleID=13166> Accessed on 19/06/02.
22. ‘U.S. Expands Overseas Online Voting Experiment.’ washingtonpost.com July 20 2003: p.A04. Available at <www.washingtonpost.com> Accessed on 21 July 2003.
23. ‘A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE)’ by D. Jefferson, Aviel Rubin, Barbara Simons and David Wagner. Available at http://www.servesecurityreport.org; See ‘Electronic voting ‘insecure’ say researchers’ by Robert Lemos, 23/07/03. Available at <http://news.zdnet.co.uk/business/management/0,39020654,21238179,00htm> Accessed on 20/02/06.
24. ‘Government has ‘no timetable’ for e-voting’ by Andy McCue. ZDNet News 16/02/06. Available at <http://news.zdnet.co.uk/internet/0,390202369,39252528,00.htm> Accessed on 20/02/06.
25. See Derek Dictson and Dan Ray, “The Modern Democratic Revolution: An Objective Survey of Internet-Based Elections.” (SecurePoll.com, The Internet Voting Portal: Bryan, Texas, 2000). For further information see the authors’ web-site www.securepoll.com.
26. Models adapted from the California Internet Voting Task Force Report ‘A Report on the Feasibility of Internet Voting.’ (op.cit) p.14. This adaptation first appeared in Gibson (2001/2) Political Science Quarterly 116(4): 566.
27. European Commission Press Release “Vote in Total Confidence Via the Internet.” 13/10/2000. For further details see www.eucybervote.org
28. Wintour, Patrick. ‘Hi-tech voting aims to raise turnout.’ The Guardian. 23/11/01. www.guardian.co.uk/internetnews/story/0,7369,60427,00.html; Ashley, Jackie. ‘Cook plans to make UK first to vote on internet.’ The Guardian. 07/01/02. www.guardian.co.uk/print/0,3858,4330373,00.html
29. ‘Cross Culture’ by Simon Parker. The Guardian April 30, 2003 (Society section) p.2.
30. Phillip Green, Chief Electoral Commissioner for the Australian Capital Territory (ACT), “Elections and Technology – implications for the future.” Paper presented at the Conference on Electoral Research: The Core and the Boundaries (Adelaide, Australia, 1999), p.6.
31. ‘In the service of democracy’ 2002. A consultation paper on a policy for electronic democracy. HM Government and UK Online. Available at <http://www.edemocracy.gov.uk/downloads/eDemocracy-Policy.doc> Accessed on August 18, 2003.
32. For recent statistics on net usage worldwide see the NUA website www.nua.org
33. ‘A Report on the Feasibility of Internet Voting.’ California Internet Voting Task Force, January 2000. www.ss.ca.gov/executive/ivote/; ‘Report of the National Workshop on Internet Voting: Issues and Research Agenda.’ Internet Policy Institute, March 2001. www.internetpolicy.org; ‘Elections in the 21st century: from paper ballot to e-voting.’ The Report of the Independent Commission on Alternative Voting Methods. February 2002. Electoral Reform Society, UK. www.electoral-reform.org.uk.
34. ‘Cross Culture’ by Simon Parker. The Guardian April 30, 2003 (Society section) p.2. The report ‘Implementing electronic voting in the UK’ was commissioned by the former Department for Transport, Local Government and the Regions (DTLR) and published in May 2002. It is available for download at <http://www.odpm.gov.uk/stellent/groups/odpm_localgov/documents/page/odpm_locgov_605188.hcsp>
35. Kim Alexander and David Jefferson, “Internet voting: Proceed cautiously” (http://www.sjmercury.com/premium/opinion/columns/e-voting.htm), 16 May, 2000.
36. ‘The rise in voter apathy is damaging to the health of democracy’ by Wendy Grossman, 13 May 2002. Electrical register. Available at <http://new.independent.co.uk/digital/features/story.jsp?story=294585> Accessed on 14 May 2002.
37. Ted Anthony, “A Vote for Old Fashioned Ballots.” (http://www.dailynews.yahoo.com/h/ap/200000311/el/one_voter_s_view_1.html), 11 March, 2000.
38. Schum, Richard M. ‘Internet Voting: Its Perils and Promise.’ In Voting in the Information Age: The Debate over Technology. p.47. The Democracy Online Project. www.democracyonline.org/taskforce/booklet/p41_schum.pdf p.39
39. ‘Report of the National Workshop on Internet Voting: Issues and Research Agenda.’ Internet Policy Institute. (op.cit) p.29.
40. Bimber, Bruce (1998) ‘The Internet and Political Transformation: Populism, Community, and Accelerated Pluralism.’ Polity Vol. XXXI (1): 133-160.
Transformations Needed for Electoral Change
Roy Hill
Opt2Vote
Abstract
The traffic light approach by government in its quest to follow its
electoral modernisation programme causes difficulty to the providing local
authority, the commercial suppliers and to the electorate.
Since the Great Reform Act of 1832 there have been few changes to
the Representation of the People Acts and until 2000 voting practices and
procedures have remained largely unaltered. It is only in the last 6 years
or so that major changes have been considered and are beginning to be
introduced.
What are the drivers for change? What are the problems in achieving
them? Is the problem in making progress due to elector perception and
mistrust in vote security, or is it genuinely through a lack of confidence in
the available solutions?
Roy is the Director of Research and Innovation of OPT2VOTE, and
he will discuss the government’s approach and difficulties being met.
OPT2VOTE is a company that was established in 2002/03 to provide
solutions for e-enabled voting. In 2003 it provided three of the e-pilots and was the first company to provide voting opportunities using
Interactive Digital Television with Sky Active.
The company is one of a very small number who solely specialise in
providing voting solutions and can offer local authorities the full range of
voting options in a genuine multi-channel approach.
ELECTRONIC AND ATHENIAN DEMOCRACY
PAUL COCKSHOTT
1. VOTING MACHINES
We are used to the notion that the Greeks pioneered almost everything: Philosophy,
abstract maths, steam engines, computers [7], Fig 1.1. But it comes as a surprise to hear
that they also invented voting machines. I would suggest that the machinery they used was
based on certain scientific principles that have since been almost forgotten. In many ways
their machinery was more advanced as a representative mechanism than what we use today.
In the museum of the Agora in Athens there are the remains of ancient voting machines,
the kleroterion. Made of marble, they had columns with narrow slots for tokens or cards [2]
(Fig 1.2).
We are used to hearing of voting machines in the US. Their use in recent elections has
been controversial. What is surprising is that voting machine technology is so old. The
greater surprise comes from realising how they worked. They were not used to vote for
candidates, but to randomly select the voters themselves[8, 5] to stand on the council or
boule of the polis, or for the dikastai or jury. There were no candidates.
It appears that citizens went up to the machine and inserted their id card. Once the
columns were full, the Archon1 operated the crank, and was served up either a black or a
white marble. On the basis of the colour entire rows of cards were either rejected, or those
with the retained cards were selected to be on the jury or city council.
1 This is usually translated as magistrate, but is only a magistrate in the Roman Republican sense, so the
translation just transposes one ancient institution onto another.
FIGURE 1.1. Antikythera device, an ancient Greek computer, reproduced
from [7].
FIGURE 1.2. A reconstruction of the kleroterion
FIGURE 1.3. Bronze voter’s id card used in a kleroterion.
At this point some officials were given allotment tokens of pottery 2 with the office and
details painted on prior to firing. The tokens were then broken in half. It is assumed that one
half was retained by the selected official as a token of office. The other half was retained
by the archons as proof against counterfeiting. Only the original and its stub, when brought
together would match exactly. Note the similarity of this to the tallia divinda used by the
British treasury for tax raising and accounting prior to the 19th century[9].
Figure 1.3 shows one of the id cards used in the machines. The card was retained by the
archon when a citizen was allotted to office. They only got paid if they fulfilled the
duty, at which point they could recover the card.
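A simulation of the allotment procedure described above, added here as an example (it is not from the paper): it models the filled columns, the marble sequence drawn by the archon, and the row-by-row keep/reject decision, and checks the property claimed in the next section, that every column contributes equally to the selected body. It assumes, which the paper does not state, that each column holds one group of citizens and that the urn holds exactly as many white marbles as rows to be kept.

```python
"""Kleroterion allotment, simulated (added example; assumptions noted)."""
import secrets

WHITE = "white"
BLACK = "black"


def build_rows(columns):
    """Turn the filled columns into rows: row i holds slot i of every column.

    All columns must be the same height; otherwise some row would lack a card
    from one column and the allotment would no longer be even across groups.
    """
    height = len(columns[0])
    if any(len(col) != height for col in columns):
        raise ValueError("all columns must hold the same number of cards")
    return [[col[i] for col in columns] for i in range(height)]


def draw_marbles(rows_needed, rows_total, rng=None):
    """Return the marble sequence for the crank: `rows_needed` white marbles
    among `rows_total`, in an order chosen by a CSPRNG (secrets.SystemRandom).

    Assumption: the number of white marbles equals the rows to be kept. Using
    OS randomness stands in for the physical urn, so no operator can predict
    or steer which rows come out white.
    """
    if rows_needed > rows_total:
        raise ValueError("cannot select more rows than exist")
    urn = [WHITE] * rows_needed + [BLACK] * (rows_total - rows_needed)
    (rng or secrets.SystemRandom()).shuffle(urn)
    return urn


def allot(columns, marbles):
    """Apply the marble sequence to the rows: white keeps a row, black rejects it.

    Returns the selected card ids in the order their rows were kept. The column
    contents are public and the only randomness is the marble order, so anyone
    holding the marble sequence can recompute and audit the outcome.
    """
    rows = build_rows(columns)
    if len(marbles) != len(rows):
        raise ValueError("one marble per row is required")
    selected = []
    for row, marble in zip(rows, marbles):
        if marble == WHITE:
            selected.extend(row)
    return selected


def is_stratified(selected, columns):
    """True when every column contributed the same number of citizens, which
    is the 'statistically representative' property the paper attributes to
    the machine (one card per column in every kept row)."""
    counts = [sum(1 for card in selected if card in col) for col in columns]
    return len(set(counts)) == 1


if __name__ == "__main__":
    # Constructed sample: three groups of four cards each, two rows to keep.
    columns = [["A1", "A2", "A3", "A4"],
               ["B1", "B2", "B3", "B4"],
               ["C1", "C2", "C3", "C4"]]
    marbles = draw_marbles(rows_needed=2, rows_total=4)
    chosen = allot(columns, marbles)
    print("marbles:", marbles)
    print("selected:", chosen, "stratified:", is_stratified(chosen, columns))
```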
2. INSTITUTIONS OF CLASSICAL DEMOCRACY
The machinery was arguably a much more scientific and accurate representative mechanism than we currently have. It ensured that the council was a statistically representative
sample of the citizen body.
Contrast that with our parliaments which, on grounds of gender, class and race, are
grossly unrepresentative of the voters. Aristotle [1] argued that there were three key principles of democracy:
2 Ostraca.
(1) The sovereign assembly of the citizens which decides major questions. The first
and most characteristic feature of demokratia was rule by the majority vote of
all citizens. This was generally by a show of hands at a sovereign assembly or
eklesia. The sovereignty of the demos was not delegated to an elected chamber
of professional politicians as in the parliamentary system. Instead the ordinary
people, in those days the peasantry and traders, gathered together en masse to
discuss, debate and vote on the issues concerning them.
(2) There was no government as such, instead the day to day running of the state was
entrusted to a council of officials drawn by lot. The council had no legislative
powers and was responsible merely for enacting the policies decided upon by the
people.
(3) The last important institution was the people’s law courts or dikasteria. These
courts had no judges; instead the dicasts acted as both judge and jury. The dicasts
were chosen by lot from the citizen body, using a sophisticated procedure of voters’
tickets and allotment machines, and once in court decisions were taken by ballot
and could not be appealed against. Aristotle regarded control of the
courts as giving the demos control of the constitution.
He further argued that states based on elections rather than lot were not democracies but
aristocracies. He said the principle of deliberate selection results in rule by the wealthier
and better educated candidates. The distinguishing feature of democracy was that the poor
actually ruled the state. Aristotle, describing the democracies of his day, was quite explicit
about the fact that democracy meant rule by the poor.
Countering the argument that democracies simply meant rule by the majority he gave
the following example: "Suppose a total of 1,300; 1000 of these are rich, and they give no
share in office to the 300 poor, who are also free men and in other respects like them; no
one would say that these 1300 lived under a democracy" (Politics 1290). But he says this is
an artificial case, "due to the fact that the rich are everywhere few, and the poor numerous."
As a specific definition he gives: "A democracy exists whenever those who are free
and are not well off, being in a majority, are in sovereign control of the government, an
oligarchy when control lies in the hands of the rich and better born, these being few".
2.1. British System aristocratic in Aristotle’s terms. The current electoral system descends from the practice of electing knights of the shire - the election of minor aristocrats to
the Commons alongside the major ones in the Lords.
The Commons remains aristocratic in Aristotle’s terms, due to its preponderance of
lawyers and businessmen. Arguably there was no alternative in the 19th century when reforms
began. Now options open up.
3. MODERN OPTIONS
With modern technology the original principles of democracy can be restored. If people
can vote electronically on Big Brother, they could also do so on critical national questions,
as the citizens did in Athens.
Examples:
• Peace or war,
• level of national budget,
• levels of taxation.
3.1. Terms of choice. There is a need for protocols for questions to be put to the vote, and
for structure of questions. For example: Should Education Spending
(1) go up 1%
(2) stay the same
(3) go down 1%
The average vote gives a definite real valued answer for the change in expenditure 3. Integrated over a number of years it allows a gradual adjustment of the national budget in line
with popular desires.
3.2. Lot and Lords Reform. Consider Lords reform; could one not have the Lords replaced by an Athenian style boule of citizens drawn randomly to serve for a year. The
technology for this is in large measure already installed in the lottery machines put in place
by Camelot.
There is much controversy over the biometric id cards proposed by the Home Office. If
such cards were used in conjunction with the lottery to allow you to be a Lord or Lady for
a year, then they might be seen as a means of controlling the government, rather than being
feared as the reverse.
Of course this would mean that lots of otherwise poor lottery contestants would become
Lords, but that’s democracy for you.
REFERENCES
[1] Aristotle, The Politics, also The Athenian Constitution.
[2] J. D. Bishop, The Cleroterium, The Journal of Hellenic Studies, Vol. 90. (1970), pp. 1-14.
[3] Allin Cottrell, Paul Cockshott, Alternativen aus dem Rechner, Papyrosa Verlag, Koln, 2006.
[4] Allin Cottrell, Paul Cockshott, Reflections on Economic Democracy, Research in Political Economy, Vol. 22, Pages 217-258, 2004.
[5] M. Finley, Democracy Ancient and Modern, Rutgers University Press, 1973.
[6] G.E.M. de Ste.Croix, The Class Struggle in the Ancient Greek World.
[7] D.J. de Solla Price, An Ancient Greek Computer, Scientific American, June 1959, 60-67.
[8] G.E.M. de Ste.Croix, The Class Struggle in the Ancient Greek World.
[9] R. Wray, The Neo Chartalist Approach to Money, working paper 10, Center for Full Employment and Price Stability, 2000.
UNIVERSITY OF GLASGOW, DEPARTMENT OF COMPUTING SCIENCE
E-mail address: wpc@dcs.gla.ac.uk
3 The assumption in the above is that the measure of education spending is expressed in an inflation-proof
unit of account, such as the number of hours that the average person would have to work to pay the educational
taxes [3, 4].
Keynote Presentation 2
Edging Towards Modernisation of
the Electoral Process in Scotland.
Jeff Hawkins
Biography
Jeff Hawkins has worked in Scottish Local Government for over 30 years after graduating from Glasgow University with a degree in Modern and Economic History. Since 1996
he has been the Director of Central Services of East Renfrewshire Council, a unitary authority providing the full range of local government services for the area. When East
Renfrewshire Council was established in 1996 he was appointed as Returning Officer.
Prior to that time, he held the positions of Depute Returning Officer or Principal
Organising Assistant in every election, by-election and referendum held
in Scotland between 1978 and 1996. He is Chair of SOLAR’s Election Working Group.
SOLAR is the Society of Lawyers and Administrators in Scotland. In that capacity, he
has represented SOLAR on a number of national working groups, including the current
Steering Group which has been set up to oversee preparations for the combined elections in 2007. In addition, he has substantial election experience abroad, having acted
as a monitor all over the Balkans, Georgia and as far afield as Madagascar. He is due to
go to the Ukraine next month to monitor the parliamentary elections there.
Jeff is married to Anne and has a 19 year old daughter, Katie. His spare time is devoted to cycling, football (he is a fan of Kilmarnock Football Club) and languages. He is
currently studying Mandarin at evening classes.
Panel Discussion 2
Is e-Voting part of e-Democracy?
Participants
• Ella Smith (International Teledemocracy Centre)
Workshop Attendees
Mr Abdullah Alshehry, DeMontFort University
Dr Jeremy Bryans, Newcastle University
Dr Paul Cockshott, University of Glasgow
Dr Ishbel Duncan, University of St Andrews
Mr Colin Fraser, Napier University
Prof Rachel Gibson, University of Leicester
Mr Andrew Gumbel, The Independent
Mr Tom Hawthorn, The Electoral Commission
Mr Roy Hill, OPT2VOTE
Mr Raed Kanaan, De Montfort University
Dr Przemyslaw Kubiak, Wroclaw University of Technology
Prof Miroslaw Kutylowski, Wroclaw University of Technology
Dr James McKinna, University of St Andrews
Ms Ann Noisseir, University of Strathclyde
Mr Wolter Pieters, Radboud University Nijmegen
Dr Karen Renaud, University of Glasgow
Prof Peter Ryan, University of Newcastle
Dr Mark Ryan, University of York
Dr Hervé Sibert, France Telecom
Ms Ella Smith, Napier University
Mr Ben Smyth, University of Birmingham
Mr Tim Storer, University of St Andrews
Dr Nigel Thomas, University of Newcastle
Mr Bob Watt, University of Essex
Mr Filip Zagorski, Wroclaw University of Technology
Published by the University of St Andrews 2006.