Electronic Voting Machine-On Line by kashish.JMIT


									Electronic Voting (On-line)
- Electronic transactions over public and private networks are an integral part of our life.
- In a democratic society there is a need for a system through which citizens can exercise their democratic rights and vote with accuracy, privacy, and security.
- Any such system must be simple, easily accessible, and trustworthy.
- Goal: development of a simple and secure on-line, Internet-based voting (election) system.

Information Security Services and cryptographic primitives
- Confidentiality (encryption algorithms)
- Data integrity (hash functions)
- Entity authentication, identification and access control (passwords, challenge-response protocols, digital certificates, biometrics)
- Non-repudiation, i.e. preventing the denial of previous commitments or actions (digital signatures, PKI, timestamps)
EVP is a showcase application using all of the above.
       Voting System in Democratic Environment
- Based on voters' rights,
- Population (number of voters),
- Geography (distribution of voters),
- Constraints (completing the election within the stipulated time period)
- A very complex problem
- Election authorities need manageable administration (today this consumes huge manpower)
- Restrictions on voters
- Participation?? (not satisfactory)
- Specific issues to be addressed: mobility, anonymity, secrecy
- The protocol should satisfy the expectations of voters and simplify the administration of elections
- TRUST???

       Automating Elections
- The primary function of a voting system is to capture voters' choices reliably and to count them accurately.
- Voting booths and ballot papers (traditional)
- Postal ballots (increased mobility)
- Direct Recording Equipment (quick tally): kiosk systems with touch screens used in polling stations (ease of use), e.g. the EVM in India

             On-line solution
- Web benefits: one source of information can serve users all over the world, at the level of detail they need, limited only by the access rights they are given
- An on-line solution offers simplicity, secrecy, anonymity, mobility, quick set-up (reusable), accurate and speedy results, and low cost

      Internet based Elections
- Voting on a website (or by e-mail), with a central tallying point collecting the votes
- Involves interaction between the human voter and a computer system connected through communication network(s).

Some doubts a voter has:
- Is my vote recorded correctly?
- Does the system know who I am and how I have voted?
- Could someone manipulate the votes?
- Less trust?

     Essential Requirements
Democracy, Simplicity and Mobility:
All eligible citizens must be able to exercise their voting rights and cast a vote from anywhere by convenient and simple means (no extra skills required to use the system).
Confidentiality and Anonymity:
It should not be possible to find out how any voter (or group of voters) has voted: a ballot cannot be linked back to the voter who cast it. Similarly, it should not be possible to infer the running result during the course of the election.
      Requirements (Cont.)
Accuracy: No voter should be able to vote more than once (or more times than he or she is entitled to). No vote must become invalid due to predictable technical problems or be lost on its way to the counting authority (completeness). A cast vote cannot be altered or deleted without being detected. The whole system should work robustly even if failures occur, such as loss of Internet communication.

Verifiability: Each voter can verify that his/her vote is properly counted.
       Requirements (Cont.)
Transparency: Fraud by the voter, by any outsider or by the election authorities can be easily detected and prevented. If a voter decides not to cast his/her vote, no party can take advantage of this.

Flexibility: The system should be configurable for many different election scenarios and compatible with multiple system platforms.

            Important Issues
- How can a person be identified (and his/her credentials checked) in the voting process and yet be able to cast an anonymous vote?
- Independent verification by the voter, or universal verification by a third party, without leaving any trail
- How to detect fraud (and prevent it)?
There are two fundamental issues in any e-voting system:
1. The registration process, during which the voter is identified unambiguously
2. The voting process, where the voter is anonymous

How can a person be identified unequivocally and his/her credentials checked in the voting process and yet be able to cast an anonymous vote? Any e-voting protocol has to solve this central issue [Kofler 2003].

      Steps in e-voting system
1. Registration of voters (a unique VoterID issued against an e-mail address, public key or some other credential, after appropriate physical verification of the voter's identity and eligibility)
2. Distribution of ballots (from the election web-site or by individual e-mail)
3. Authentication of voters (through digitally signed votes, or by PIN, smartcard, token or blinding), verifying their signatures against the VoterID
4. Confidentiality of the vote through symmetric-key and/or public-key encryption; anonymity of voters through some mechanism
5. Collection of votes (validated by the authority)
6. Fair counting and result publishing
7. Independent or universal verification
E-voting Systems -- proposals
- Use of multiple agencies: Registrar, Collector, Distributor, Mixer, Matcher, CA etc. (Chaum, Cohen, Cramer, Cranor, ...)
- Use of blind signatures (Fujioka, Dini)
- Use of IC cards (Jan), smart cards, digital signatures and temporary tokens (Riera, Ibrahim)

- In a postal ballot, the voter has to register before the election and cast the vote within a given timeframe from anywhere. The vote is sent to the election authorities by post.

- The Electronic Ballot Box (EBB) is used in Brazilian elections. It is based on a PC motherboard with a small keypad and an LCD display, which shows messages and candidates' pictures.
- It uses the IDEA algorithm for encrypting the vote, which is sent to a computing center [Jacobi].
- The anonymity of the voter relies on the honesty of a trustworthy authentication center. However, this cannot make voters feel confident. [Chaum 1988]

- To take the "honest authority" assumption away, some schemes ([Cohen 1985], [Cramer 1996]) divide the authentication center into two parts; however, this again relies on a faithful organization to conduct the election.
- In order to solve this problem, [Harn 1991] proposed a scheme with "blind signatures" in which a malicious voter cannot cheat the system and a malicious authority cannot figure out what any individual cast.
- [Fujioka 1992] proposed a voting protocol using the cryptographic techniques of blind signatures[1] and anonymous communication channels. This protocol uses central facilities to administer the election and count votes. It consists of the voters and three central facilities called registrar, validator, and tallier.
  [1] Blind signatures allow a document to be signed without revealing its contents. The effect is analogous to placing a document and a sheet of carbon paper inside an envelope. If somebody signs the outside of the envelope, they also sign the document on the inside of the envelope. The signature remains attached to the document, even when it is removed from the envelope. Here, a voter is required to get the signature of the validator when he votes. The validator signs the blinded ballot after verifying the voter. The voter checks the integrity of the validated ballot and sends it to the tallier.
- To prevent ineligible voters from voting and eligible voters from casting multiple votes, the Central Tabulating Facility requires the voter to present a password, PIN or digital certificate.
- [Jan 1995-2] proposed a voting protocol using IC cards carrying a signature of the Authentication Center on every card. The IC card is used to authenticate the voter. It uses the ElGamal public key cryptosystem.
             Riera's Protocol

- [Riera 1998] proposed an uncoercible, verifiable electronic voting protocol.
- The strength of the protocol relies on the use of tamper-resistant smart cards, which are able to keep some information secret even from the owner. It also uses a TTP (trusted third party).
- Once the smart card is activated, a secret and authentic communication is established between the smart card (on behalf of the voter) and the collecting center.
          Receipt Free Protocol
- The smart card generates a key, uses it for encrypting the vote, and sends it to the collecting center after appropriate verification.
- It destroys this key after the execution of the protocol. The voter does not know this key.
- The vote remains secret until the collecting center receives the symmetric key used for encryption.
- Receipt-free systems are uncoercible. Obviously, if the voter does not obtain any proof of the vote cast, there is no possibility for a third party to coerce the voter with certainty of success.
- Here, the receipt only provides proof that the voter has actually voted; it is of no use to a coercer.
             Design goals
   Voter's expectations
- Simplicity in registration and voting
- Mobility (location independence)
- Secrecy, accuracy
- Verifiability
- Transparency and quick detection of fraud

               Design goals
   Administrator's goals
- Quick setup and easy administration: an automated, accurate registration process (with unique VoterIDs)
- Ballot generation and distribution
- Authentication (of legitimate voters)
- Accurate and timely result
- Easy detection of fraud
- Robust system and safety against disruption attacks

- Uses a public key infrastructure (PKI)
- Two-agency protocol: Authenticator and Counter
- Registration can be done prior to the actual voting (verifying voters' identity and eligibility criteria). The registration authority creates a list of registered voters. Machine-readable IDs and public keys are added to this list and handed over to the Authenticator.

Notation:
- The expression S<k>(<document>) denotes <document> digitally signed using the key <k>;
- The expression E<k>(<document>) means <document> encrypted with key <k>;
- S<k1>(E<k2>(<document>)) denotes <document> encrypted with key <k2> and then digitally signed with key <k1>.
            Security Analysis
Confidentiality, Anonymity, and Verifiability:
- The vote is encrypted using the Counter's public key, so it remains secret. As the vote is signed by the voter, the Authenticator can verify that the vote has come from a registered voter and is his only vote.
- The Authenticator removes the ID before sending votes to the Counter. Therefore a decrypted valid vote cannot be linked to a particular voter by the Counter. The Counter has only the RN and the choices, which cannot be linked to any individual.
- Because of the random number RN, the voter can independently verify that his vote is accounted for properly in the published result (a sorted list of RNs under each contestant).

Non-reusability, Completeness and Soundness:
Case I. A valid voter sends repeated / multiple votes.
- The Authenticator maintains a marked ID list and discards duplicates. It maintains a list of voters who have voted, and counts the number of receipts sent back to voters (useful for tallying with the Counter; this should equal the total number of votes counted).
Case II. An outsider (invalid voter) sends a vote.
- The Authenticator's checklist (prepared through a proper registration process) contains public keys against registered (valid) IDs. Outsiders cannot sign on another voter's behalf, so any fraudulent vote can be easily detected and rejected.
Case III. A voter tries to send a vote directly to the Counter.
- The Counter only accepts votes that are forwarded by the Authenticator ("A" signs every vote with his private key before forwarding it to "C").

Case IV. The Authenticator drops a vote (after publishing the ID).
- If the voter does not see his RN in the final tally, he complains. His receipt (signed by "A") can be verified and decrypted. This will prove any guilt on the part of the Authenticator.

Case V. The Authenticator forwards votes in the name of absentee voters.
- "A" is required to list (publish) the IDs of all voters who exercised their vote. Voters who did not vote, and see their IDs listed on the web-site, can challenge "A" to produce a copy of their original ballot (or the receipt sent).

Case VI. The Counter drops votes.
- The voter can detect it while examining the result published by "C", and challenge it. He has a receipt to protect him.

Case VII. The Counter "manufactures" a new vote.
- "A" has published and marked the total number of voters who have voted. "A" has a signed receipt of the number of votes forwarded to "C".

There is a remote possibility that a few voters may choose the same RN. The probability of this can be made as low as required by choosing an adequately long RN.

The code of the software performing the roles of counter, authenticator and registrar is open for inspection. Any authorized inspection team can verify that only the approved source code determines the operation of the counter, by recompiling the source and comparing the hash digest of the resulting executable with that of the executable actually used during the counting process. (This check only works if the build is reproducible: the same compiler, flags and dependencies must yield a byte-identical executable.)
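The two-agency protocol above (steps 3 to 7 of the e-voting steps, the S<k>()/E<k>() notation, and Cases I to IV and VII of the security analysis), as an added example that is not part of the original slides and not the authors' implementation. It uses a stdlib-only textbook RSA (unpadded, hash-then-sign, Miller-Rabin key generation) as a stand-in for the PKI; the VoterIDs V001 to V003, the "choices|RN" ballot encoding and signing the decimal string of the ciphertext are assumptions made for the demo. A real deployment would use a vetted library with RSA-PSS/OAEP or an elliptic-curve signature scheme.

```python
"""Two-agency flow (Authenticator "A", Counter "C") in the slides' S<k>()/E<k>() notation.
Added example, not the authors' code: stdlib textbook RSA (no padding) stands in for the PKI."""
import hashlib
import secrets
E = 65537

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; fine for a demo, not a vetted prime generator."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=512):                 # (public, private) = ((n, e), (n, d))
    primes = []
    while len(primes) < 2:
        c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if is_probable_prime(c) and c not in primes and (c - 1) % E:  # keeps gcd(E, phi) == 1
            primes.append(c)
    n, phi = primes[0] * primes[1], (primes[0] - 1) * (primes[1] - 1)
    return (n, E), (n, pow(E, -1, phi))

def h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, msg):                  # S<k>(msg): hash-then-sign with d
    return pow(h(msg), priv[1], priv[0])

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == h(msg)

def encrypt(pub, msg):                # E<k>(msg); msg must be shorter than n
    return pow(int.from_bytes(msg, "big"), pub[1], pub[0])

def decrypt(priv, c):
    m = pow(c, priv[1], priv[0])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def cast(vid, voter_priv, counter_pub, choices):
    """Voter: keeps RN, sends <VoterID, E<C>(choices|RN), S<voter>(E<C>(...))>."""
    rn = f"{secrets.randbelow(10 ** 8):08d}"
    enc = encrypt(counter_pub, f"{choices}|{rn}".encode())
    return rn, (vid, enc, sign(voter_priv, str(enc).encode()))

def authenticate(A, msg):
    """A: check the voter's signature against the roll, reject reuse, strip the ID, sign for C (= receipt)."""
    vid, enc, sig = msg
    pub = A["roll"].get(vid)
    if pub is None or not verify(pub, str(enc).encode(), sig):
        return None                   # Case II: outsider or forged signature
    if vid in A["marked"]:
        return None                   # Case I: repeated vote from a valid ID
    A["marked"].add(vid)
    return enc, sign(A["priv"], str(enc).encode())

def count(C, forwarded):
    """C: accept only A-signed ciphertexts, decrypt, file RN under the choice."""
    enc, a_sig = forwarded
    if not verify(C["a_pub"], str(enc).encode(), a_sig):
        return False                  # Case III: vote not forwarded by A
    choices, rn = decrypt(C["priv"], enc).decode().split("|")
    C["tally"].setdefault(choices, []).append(rn)
    return True

def run_election():
    (a_pub, a_priv), (c_pub, c_priv) = keygen(), keygen()
    keys = {vid: keygen() for vid in ("V001", "V002", "V003")}    # (pub, priv)
    A = {"roll": {v: k[0] for v, k in keys.items()}, "priv": a_priv, "marked": set()}
    C = {"priv": c_priv, "a_pub": a_pub, "tally": {}}
    cast_votes = []                   # (choice, RN, receipt) as each voter keeps them
    for vid, choice in (("V001", "0323"), ("V002", "0211"), ("V003", "0323")):
        rn, msg = cast(vid, keys[vid][1], c_pub, choice)
        fwd = authenticate(A, msg)
        assert fwd is not None and count(C, fwd)
        cast_votes.append((choice, rn, fwd))
    dup = authenticate(A, cast("V001", keys["V001"][1], c_pub, "0211")[1])   # Case I
    out = authenticate(A, cast("V002", keygen()[1], c_pub, "0211")[1])       # Case II
    direct = count(C, (cast_votes[0][2][0], 0))                               # Case III
    result = {c: sorted(rns) for c, rns in C["tally"].items()}   # sorted RNs per choice
    checks = {
        "duplicate_rejected": dup is None, "outsider_rejected": out is None,
        "direct_to_counter_rejected": not direct,
        "counts_agree": len(A["marked"]) == sum(map(len, result.values())) == 3,  # Case VII
        "every_rn_published": all(rn in result[c] for c, rn, _ in cast_votes),
        "receipts_verify": all(verify(a_pub, str(e).encode(), s) for _, _, (e, s) in cast_votes),  # Case IV
    }
    return result, checks
```

run_election() returns the published result (sorted RNs per choice) and a dict of checks, each mapped to a case of the analysis. Note what each party sees: A holds every voter's ID together with the signed ciphertext, so anonymity against A rests on A not having C's private key, and anonymity against C rests on A stripping the ID before forwarding. The two roles therefore have to be run by independent parties, as the slides assume.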
- In elections involving a large number of voters, one may wish to avoid downloading any client software supporting a complex PKI.
- In fact, it is difficult to expect that every voter would have a digital signature capability.
- We have a very simplified model that requires only the use of e-mail / the web.
- Each voter is given an ID and a set of keys.
- The ballot is picked up from the election web-site.

                  Protocol steps
1. Start voting phase: the Registrar activates the voting phase so that voters can obtain the ballot from the given web site.
2. Vote: the voter prepares a vote by making his choices, carries out manual encryption by modulo-10 addition of the corresponding key to each numeric text field, and communicates his encrypted choice to the Anonymizer.
3. Collection of votes: the Anonymizer strips off the voter's e-mail ID and sends the vote to the Counter.
4. The Counter publishes, from time to time, the VoterIDs of those who have already voted.
5. The Registrar stops the voting phase and sends the <keys, VoterID> list to the Counter.
6. Counting and result publishing: the Counter applies the appropriate keys for each VoterID, reads the votes and corresponding secret numbers, counts, and publishes the election result in tabular form.
7. Verification: the voter independently verifies his vote by checking that his secret number is listed under the appropriate candidate.
Figure (protocol message flow, reconstructed from the diagram):
1. Registrar -> Voter: VoterID, key k1, key k2
2. Voter: encrypts the vote using key k1 and encrypts a randomly selected secret number (SN) using key k2
3. Voter -> Anonymizer -> Counter (vote forwarding): VoterID, encrypted vote (X1), encrypted secret number (X2)
4. Counter, published on the web: VoterID list of those who have voted (updated periodically)
5. Registrar -> Counter (after the voting phase is over): VoterID, keys
6. Counter, published on the web: RESULT, giving the number of votes earned by each candidate and listing all the secret numbers (RNs) used by those voting for him, in sorted order
                  Example
- VoterID given by the Registrar (6-character alphanumeric, e.g. A1TU80)
- Key k1 (4-digit key = 2911) and key k2 (6-digit key = 210894) given by the Registrar
- The voter chooses candidate 03 for one position and candidate 23 for another position; in the convention used here, the vote becomes 0323.
- This is added by carry-less addition with key k1: 0323 + 2911 = 2234
- Secret number chosen by the voter (6 digits): 123456
- Similarly, the secret number chosen by the voter is added by carry-less addition with key k2: 123456 + 210894 = 333240.
- The vote sent out by the voter is <A1TU80, 2234, 333240>.
- In other words, the encryption operation is done with k1 and k2.

               Example (Cont.)
- Encrypted vote at C = <A1TU80, 2234, 333240>
- Details from R <ID, k1, k2> = <A1TU80, 2911, 210894>
- The Counter reads the vote by carry-less subtraction:
  2234 - 2911 = 0323 (original choices)
  333240 - 210894 = 123456 (secret number)
Published tabulated result for position #1 (say President):

  Candidate02     Candidate03     Candidate11
  ABC             XYZ             PQR
  008312,         003478,         ....
  ...             123456,         ....
  .......         204567,         ....
  1412/31992      6770/31992      5892/31992

Each column lists, in sorted order, the secret numbers of the voters who chose that candidate; the last row gives that candidate's vote count out of the 31992 votes counted.
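The seven protocol steps and the worked example above, as an added example that is not part of the original slides and not the authors' toolkit. It reproduces the slides' numbers (A1TU80, k1 = 2911, k2 = 210894, vote 0323, secret number 123456) and then runs a small election with constructed e-mail addresses. Two things are assumptions, not from the slides: the Counter keeps the first submission per VoterID and rejects later ones, and the secret numbers are grouped per position by reading the vote string two digits at a time. The carry-less digit addition is a one-time pad over decimal digits, so each key must be uniformly random and used for exactly one ballot; the code draws keys with `secrets` for that reason.

```python
"""Simplified on-line scheme without PKI: Registrar (R), Anonymizer (A), Counter (C),
digit-wise modulo-10 keys. Added example, not the authors' code; the e-mail addresses and
the one-vote-per-VoterID rule in C are assumptions for the demo."""
import secrets
import string
ALPHABET = string.ascii_uppercase + string.digits

def digit_add(text, key):
    """Carry-less addition: each digit plus the key digit, modulo 10. Each key digit
    is a one-time-pad digit, so a key must be random and used exactly once."""
    assert len(text) == len(key) and text.isdigit() and key.isdigit()
    return "".join(str((int(a) + int(k)) % 10) for a, k in zip(text, key))

def digit_sub(text, key):
    """Inverse of digit_add: the Counter's carry-less subtraction."""
    assert len(text) == len(key) and text.isdigit() and key.isdigit()
    return "".join(str((int(a) - int(k)) % 10) for a, k in zip(text, key))

def random_digits(n):
    return "".join(str(secrets.randbelow(10)) for _ in range(n))

class Registrar:
    def __init__(self, vote_len=4, sn_len=6):
        self.vote_len, self.sn_len = vote_len, sn_len
        self.keys = {}                # VoterID -> (k1, k2)
        self.emails = {}              # VoterID -> e-mail; stays with R, never sent to C

    def register(self, email):
        """Step 1: issue a fresh VoterID with key k1 (for the vote) and k2 (for the SN)."""
        vid = "".join(secrets.choice(ALPHABET) for _ in range(6))
        while vid in self.keys:
            vid = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self.keys[vid] = (random_digits(self.vote_len), random_digits(self.sn_len))
        self.emails[vid] = email
        return vid, self.keys[vid]

    def close_voting(self):
        """Step 5: hand the <VoterID, keys> list to the Counter, without e-mail addresses."""
        return dict(self.keys)

def cast(vid, k1, k2, choices, sn=None):
    """Step 2: encrypt the vote with k1 and a random secret number SN with k2."""
    sn = sn or random_digits(len(k2))
    return sn, (vid, digit_add(choices, k1), digit_add(sn, k2))

def anonymize(submission):
    """Step 3: the Anonymizer strips the sender's e-mail and forwards the rest to C."""
    _email, msg = submission
    return msg

class Counter:
    def __init__(self, width=2):
        self.width = width            # digits per position in the vote string
        self.box = {}                 # VoterID -> (X1, X2)

    def receive(self, msg):
        vid, x1, x2 = msg
        if vid in self.box:           # assumed policy: the first vote per VoterID stands
            return False
        self.box[vid] = (x1, x2)
        return True

    def voted_ids(self):
        """Step 4: the list published on the web while voting is open."""
        return sorted(self.box)

    def count(self, keys):
        """Step 6: decrypt with R's keys; VoterIDs unknown to R are dropped."""
        tally = {}
        for vid, (x1, x2) in self.box.items():
            if vid not in keys:
                continue
            k1, k2 = keys[vid]
            vote, sn = digit_sub(x1, k1), digit_sub(x2, k2)
            for pos in range(len(vote) // self.width):
                cand = vote[pos * self.width:(pos + 1) * self.width]
                tally.setdefault(pos + 1, {}).setdefault(cand, []).append(sn)
        return {p: {c: sorted(s) for c, s in cs.items()} for p, cs in tally.items()}

def worked_example():
    """The slides' numbers: VoterID A1TU80, k1=2911, k2=210894, vote 0323, SN 123456."""
    _, sent = cast("A1TU80", "2911", "210894", "0323", sn="123456")
    return sent, (digit_sub(sent[1], "2911"), digit_sub(sent[2], "210894"))

def run_election():
    R, C = Registrar(), Counter()
    alice, bob, carol = (R.register(e) for e in ("a@example.org", "b@example.org", "c@example.org"))
    sn_a, msg_a = cast(alice[0], *alice[1], "0323")        # candidate 03, then 23
    sn_b, msg_b = cast(bob[0], *bob[1], "0211")            # candidate 02, then 11
    for email, msg in (("a@example.org", msg_a), ("b@example.org", msg_b)):
        C.receive(anonymize((email, msg)))
    C.receive(("ZZZZZZ", "0000", "000000"))                # never registered
    result = C.count(R.close_voting())                     # the forged ID is dropped here
    return {
        "result": result,
        "alice_verifies": sn_a in result[1]["03"] and sn_a in result[2]["23"],   # step 7
        "bob_verifies": sn_b in result[1]["02"] and sn_b in result[2]["11"],
        "carol_absent": carol[0] not in C.voted_ids(),     # an absentee checks the published list
        "votes_counted": sum(len(s) for cs in result.values() for s in cs.values()),
    }
```

worked_example() returns the tuple sent by the voter and what the Counter recovers from it; run_election() returns the tabulated result plus the checks the analysis slides describe: voter verification by secret number, an absentee confirming that his ID is not on the published list, and a never-registered VoterID dropped at counting time because it is absent from R's key list. Note that R's e-mail list and C's VoterID-to-vote box would together link a voter to his vote, which is why the slides insist that the modules run on separate machines under independent authorities.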
   Anonymity, Confidentiality, Transparency and Verifiability:
- No election authority (neither Registrar nor Counter) has enough information on its own to link a ballot to a specific voter.
- The Registrar knows only the unique VoterID along with the voter's identification and the voter's keys. However, the vote is not submitted through "R".
- The Anonymizer cannot read the encrypted vote that passes through it, as "A" has no knowledge of the keys.
- The Counter knows the VoterID and the corresponding vote but has no idea of the voter's identification (i.e. e-mail address or any other information).
- A voter can independently verify that his vote has been counted properly by looking for his secret number in the appropriate candidate's column.
- The Counter periodically publishes a list of IDs of all voters who have exercised their vote on a public web site. Voters who did not vote, but see their IDs listed, can challenge the authority.
   Accuracy, Completeness and Soundness:
- The ballot form is supplied only on presentation of a VoterID and the appropriate e-mail address. The VoterID is not publicly linked with the voter's name or e-mail address.
- The Registrar supplies keys only to valid voters. IDs are passed to the Counter along with their keys, without any e-mail address information.
- Invalid VoterIDs will be dropped by the Counter, as they will not be present in the list supplied by the Registrar.
- Absentee voters can find their VoterIDs in the published list in case of any misuse of their vote by someone else (say, the Registrar) and can complain. Only the Registrar can correctly supply VoterID and keys for absentee voters.
- Based on the number of voters and the number of contestants, an appropriate VoterID length and key length can be chosen.

          Implementation issues
- A tool kit can be designed for quick setup and easy administration, with user interfaces for registration, ballot generation and distribution, starting and stopping the voting phase, and result publishing.
- Registrar and Counter use digital signatures and server certificates for signing the content published on their web-sites. The Registrar, Counter and Anonymizer modules run on three different machines under the control of independent authorities.
- The election web server, co-located with the Registrar module, uses the Apache web server (httpd) and sendmail. CGI, Perl and shell scripts can be used for automated setup and handling of events. Remote administration is made feasible using procmailrc and a Java telnet shell.
- A ballot and its hash code can be kept on a secure and digitally certified web-site, so the user can always check it before use. Similarly, the program code for Counter and Registrar, and its executables for different platforms, can be kept as certified copies with hash codes.
           Summary -- EVP
These simple, low cost, and adequately secure on-line election protocols satisfy the following essential requirements:
1. Anonymity of voters
2. Convenience and mobility of voters
3. Verifiability of the process by voters
4. Quick set-up and speedy result publication
5. Accuracy in terms of
   a. Error-free counting
   b. No duplicate votes or third-party votes
   c. Preventing manipulation by the authorities (Registrar and/or Counter)
Designing a comprehensive on-line electronic voting system, and creating trust, confidence and acceptability in Internet-based voting, brings a very significant improvement in the ease of conducting elections, with user convenience and polls on demand (low cost and quick set-up).

Supporting widespread usage of the Internet with the necessary security features.

- On-line voting: a usable model of a web-based election system with and without PKI
- Assumption: all voters are vigilant (difficult)
- Very useful for board meetings, opinion polls (workers, soldiers) and parliamentary voting

- State of the art election systems offer multiple channels for voting: polling booth (both fixed and mobile), cell phone, fixed phone, specialized kiosk, postal ballot, on-line voting

                     Ref. Papers
1. Patel D., Ramani S., "A Secure Internet Voting Protocol", Information Security Solutions Europe, London, UK, 2001.
2. Patel D., "A Simple On-line Voting Scheme", Proceedings of the 15th International Conference on Computer Communications (ICCC 2002), Mumbai, India, pp. 591-600, 2002.

