An Anonymous Electronic Voting Protocol for Voting Over The Internet

Indrajit Ray, Indrakshi Ray
Department of Computer and Information Science
University of Michigan-Dearborn
Email: {indrajit, iray}@umich.edu

Natarajan Narasimhamurthi
Department of Electrical and Computer Engineering
University of Michigan-Dearborn
Email: [email protected]

Abstract

In this work we propose a secure electronic voting protocol that is suitable for large scale voting over the Internet. The protocol allows a voter to cast his or her ballot anonymously, by exchanging untraceable yet authentic messages. The protocol ensures that (i) only eligible voters are able to cast votes, (ii) a voter is able to cast only one vote, (iii) a voter is able to verify that his or her vote is counted in the final tally, (iv) nobody, other than the voter, is able to link a cast vote with a voter, and (v) if a voter decides not to cast a vote, nobody is able to cast a fraudulent vote in place of the voter. The protocol does not require the cooperation of all registered voters. Neither does it require the use of complex cryptographic techniques like threshold cryptosystems or anonymous channels for casting votes. This is in contrast to other voting protocols that have been proposed in the literature.

The protocol uses three agents, other than the voters, for successful operation. However, we do not require any of these agents to be trusted. That is, the agents may be physically co-located or may collude with one another to try to commit a fraud. If a fraud is committed, it can be easily detected and proven, so that the vote can be declared null and void. Although we propose the protocol with electronic voting in mind, the protocol can be used in other applications that involve exchanging an untraceable yet authentic message. Examples of such applications are answering confidential questionnaires anonymously or anonymous financial transactions.

Keywords: Security, Voting, Auction, Protocols, Internet

Contact Address:

Dr. Indrajit Ray Department of Computer and Information Science University of Michigan-Dearborn Dearborn, MI 48188 Phone: (313) 593-1793, Fax: (313) 593-9967 Email: [email protected]


1 Introduction

Voting can be time consuming, inconvenient as well as expensive, especially when the voters and voting administrators are geographically distributed. With the rapid expansion of the Internet, electronic voting appears to be a less expensive alternative to the conventional paper voting. Electronic voting overcomes the problem of geographic distribution of the voters as well as vote administrators. It also reduces the chances of errors in the voting process. However, in order that electronic voting replace conventional mechanisms, it must provide the whole range of features that conventional voting does. Further, due to the inherent lack of security in the Internet, electronic voting systems need to be carefully designed. Otherwise such systems become more susceptible to fraud than conventional systems. In this work we propose a secure electronic voting protocol that is suitable for large scale voting over the Internet.

Secure electronic voting requires the exchange of untraceable yet authentic messages. Over the past few years quite an amount of work has been done in this area. Broadly two different approaches have been proposed:

1. approaches that rely on complex encryption schemes to cast a ballot [1, 7, 8, 9, 11, 14] (Note: all security protocols use some form of encryption technology; these protocols make use of complex technologies that are not widely prevalent.)
2. approaches that rely on the existence of an anonymous channel [2, 6, 10, 12, 15, 17, 18, 19] that is used to cast the ballot as an untraceable message.

The protocol we propose does not require any complex cryptographic schemes like the ones in item 1 above. Our protocol is similar to the protocols proposed in [10, 12]; however, unlike these protocols, we do not use any anonymous channel. Anonymous channels are not easy to set up and add substantial complexity to the protocol. Moreover the protocols in [10, 12] suffer from a flaw (we identify this in Section 2) that prevents these protocols from ensuring anonymity of the voter. Vote casting in our protocol is similar to a guest ftp session, except that the session is encrypted. The session may, at best, be traced back to an IP address but cannot be linked with a voter. That way we ensure the anonymity of the voter.

We use three vote administering agents – a ballot distributor, a certifying authority and a vote compiler. We do not require any of these agents to be trusted. The agents may be physically co-located or may collude with one another to commit a fraud. The protocol cannot, strictly speaking, prevent a fraud. However, it ensures that if a fraud is committed, the fraud can be detected easily and proven; the vote can then be declared null and void. In this regard, it is better than traditional (non electronic, that is) election systems that rely on a number of trusted parties who have the capability to conspire to change the outcome of the election or reveal the way particular voters voted, without fear of getting caught. Additionally, our protocol provides the voter the guarantee that his or her vote has been counted in the final tally. Traditional election schemes do not provide this guarantee.

The rest of the paper is organized as follows: In section 1.1 we summarize a set of necessary conditions for secure voting protocols that have been identified in the literature. Section 2 discusses some of the related work in electronic voting schemes. We discuss how our protocol compares with similar approaches. Section 3 presents the protocol. Section 4 provides an analysis of the protocol both in the absence and presence of fraud. Finally section 5 concludes the paper by outlining some of the limitations of the protocol which we plan to address in future works.

1.1 Necessary conditions that an electronic voting protocol must satisfy

Researchers have identified a set of necessary conditions that need to be satisfied by any secure electronic voting protocol [10]:

1. Accuracy
   (a) It is not possible for a cast vote to be altered.
   (b) It is not possible for an invalid vote to be counted in the final tally.
   (c) Each voter should have the guarantee that his/her ballot is counted in the final tally.
2. Democracy
   (a) Only a registered (that is eligible) voter can cast a vote.
   (b) Each eligible voter should be able to cast one and only one vote.
3. Privacy: No entity involved in the voting process can link a cast ballot to the voter who cast it.
4. Verifiability: Each voter can verify independently that his or her vote has been counted correctly.

We identify an additional property which we call Un-authorized Proxy and is defined as follows:

5. Un-authorized Proxy: If a voter decides not to cast his/her ballot, no party involved in the protocol should be able to take advantage and cast a forged ballot. This scenario is different from the case when a voter abstains from voting; for the latter the voter casts a ballot but indicates that he/she is abstaining.

We show that our protocol satisfies all of the above properties without requiring any complex cryptographic techniques or anonymous channels for vote casting. To our knowledge no other voting protocol can make such a claim.

2 Related Work

A number of electronic voting protocols have been proposed over the last few years. These can be broadly divided into two types:

1. approaches that rely on complex encryption schemes to cast a ballot [1, 7, 8, 9, 11, 14]. Note all security protocols use some form of encryption technology; these particular protocols use complex technologies that are not widely prevalent – for example zero-knowledge protocols and threshold cryptosystems.
2. approaches that rely on the existence of an anonymous channel [2, 6, 10, 12, 15, 17, 18, 19] that is used to cast the ballot as an untraceable message.

In the following we review some of these electronic voting protocols.

2.1 Protocols using complex cryptographic techniques

DeMillo and Merritt [11] propose an electronic voting protocol based on multiple encipherments of a voter’s vote using two public keys of every other voter. Their protocol requires the cooperation of all registered voters. If any voter abstains or decides not to co-operate then the entire scheme fails. To recover, the entire protocol has to be restarted. Thus this scheme, although ensuring the privacy of the voters, is suitable for “board-room voting” scenarios and not for large scale voting. Our protocol, on the other hand, does not suffer from such a problem.

The schemes proposed by Cohen and Fischer [7], Benaloh and Young [1], and Cramer et al. [8, 9] are quite similar to each other. They use complex zero-knowledge techniques to achieve anonymity of the voter. The protocols in [7, 1] are based on higher degree residue encryption. Additionally, the protocol in [7] provides anonymity to the voter based on the assumption that the election administrator is trusted. The protocol in [1] improves upon the scheme in [7] by distributing the portions of the cast ballots over a number of tallying authorities. This extension offers more privacy protection. However, the problem with both is that they involve complex and high computational overheads, so that they may not be readily available.

The approach proposed by Cramer et al. [8] improves the efficiency of the underlying zero-knowledge protocol by using discrete logarithm encryption. A ballot that will be cast by a voter is considered a secret. The voter sends a verifiable share of the secret ballot to each vote compiling authority. Each authority checks the validity of the received share. The authorities count the votes independently and send the partial results to a central authority. The latter puts the partial results together to get the final result. Each vote compiling authority gets only one piece of a vote and does not know anything about the vote itself. The central authority only gets aggregate results from the vote compiling authorities and cannot know the votes themselves, only the results. Thus privacy of the voters is ensured. The problem of this approach is the computation involved in the scheme and the communication overhead involved. A second problem is that voters can only vote yes/no to a fixed question. The approach in [9] improves upon that of [8] by optimising the computational overhead.

Iversen [14] proposes a scheme based on the concept of probabilistic privacy homomorphism [13] and requires communication between the voters and the candidates being voted for. The scheme does not require the cooperation among the voters and ensures that no subset of voters can disrupt the voting. It preserves the privacy of the voters against any proper subset of candidates, administrators and dishonest voters. However, the scheme is computationally intensive and the communication overhead is prohibitively high when the number of voters is large. Thus the scheme is not suitable for large scale election over the Internet. Moreover the protocol is not suitable for opinion polls where the concept of an entity similar to a candidate does not exist. Our protocol, on the other hand, is fairly general in nature; we do not make any assumption about the nature of the vote. We do not suffer from a performance degradation when the number of voters is large.

2.2 Protocols relying on anonymous channels

Chaum was one of the first researchers to propose an electronic voting protocol. The protocol proposed in [3] uses digital pseudonyms for the voters to conceal their identities. Also it uses an anonymous channel based on the mix-net approach to cast a vote. The cast votes are forwarded via a sequence of mix agents each of which rearranges all incoming messages before forwarding them to the next mix agent and to the final destination. However, the protocol does not guarantee that the identity of the voters cannot be traced; this is because the underlying assumption of the mix-net approach is that at least one of the mix agents is trusted. Chaum proposes a second protocol in [6] that provides complete anonymity to the identities of the voters. The anonymous channel used in this protocol is based on the dc-net approach. However, this protocol suffers from the problem that a single voter can disrupt the voting process; the protocol can detect this but needs to be restarted to recover from the disruption.

The protocol proposed by Boyd [2] is based on a multiple key encipherment scheme and relies on an anonymous channel to cast the vote anonymously. The scheme ensures that votes cannot be forged and that privacy of the voters is not compromised. However, a major shortcoming is that the vote administrator can substitute spurious votes of its choice in the final tally. Our protocol does not suffer from the problem of spurious votes; neither does it need anonymous channels.

Nurmi et al. [16] propose two protocols – the Two Agency Protocol and the One Agency Protocol. In the first protocol a validator ensures that only eligible voters can vote and a vote compiler collects the votes and publishes the results. The validator issues identification tags to each voter. The voter votes using the tags and not their identities. The problem with this protocol is that the validator can trace a vote back to the voter and, if the vote compiler colludes with the validator, the privacy of the voter is compromised. Also if some voters do not vote, the vote compiler and validator may collude to cast spurious votes. In the One Agency Protocol [16] the vote compiler itself distributes the tags using an “all-or-nothing disclosure of secrets” protocol. The protocol is quite complex and requires the communication of the voters among themselves. This solves the collusion problem inherent in the Two Agent Protocol. However, it does not solve the problem of the vote compiler casting spurious votes against those voters who receive tags but decide not to cast a vote.

The protocol proposed by Fujioka et al. [12] uses “blind signatures” [4, 5] and anonymous channels to ensure privacy of the voter. Our protocol is close to this protocol and so we discuss this in some detail. In this protocol the voter prepares a filled ballot, encrypts it with a secret key, and blinds it using a random number. The voter then signs the blinded ballot and sends it to a validator. The validator first verifies that the signature belongs to a registered voter who has not yet voted, then signs it and returns it to the voter. The voter removes the blinding factor to get a ballot that is signed by the validator. The voter then sends the resultant signed encrypted ballot to a vote compiler via an anonymous channel. The vote compiler checks the signature on the encrypted ballot. If the ballot is valid, the vote compiler places it on a list that is published at the end of the voting. Voters are then able to verify that their ballots are on the list. Once verified, the voters send the vote compiler the decryption keys necessary to open their ballots – again via anonymous channels. The vote compiler uses these keys to decrypt the ballots and add the votes to the election tally. After the election the vote compiler publishes the decryption keys along with the encrypted ballots so that voters may independently verify the election results. The authors of [12] claim that the use of anonymous channels ensures the privacy of the voter.
However, note that the encrypted ballot that is cast by the voter contains the voter’s signature that allows the voter to identify its ballot in the published list. Thus any entity that can verify the voter’s signature is able to link a voter to a cast ballot and anonymity of the voter is not ensured. A second major drawback is that all registered voters must cast their votes and no voters can abstain. If a voter abstains then the validator and vote compiler can collude to cast spurious votes in the final tally. These spurious votes cannot be detected. A third problem of the protocol is that every voter needs to be involved in the voting process till the end of the voting phase. This is because a voter cannot submit his decryption key until after the voting phase is over.

The Sensus protocol proposed in [10] is based on the protocol proposed by Fujioka et al. The Sensus protocol overcomes the last two problems of Fujioka’s protocol: the voter may submit the decryption key immediately after receiving a receipt from the vote compiler about the encrypted ballot; if a voter decides to abstain, the voter indicates so in the vote. However, if a voter behaves irresponsibly and decides not to cast an “abstain” ballot, then this knowledge can be exploited by collusion of the validator and vote compiler to cast spurious ballots.

Park et al. [19] use anonymous channels for vote casting. Pfitzmann [21] has shown several ways in which the anonymity of the scheme of Park et al. [19] can be broken.

Juan and Lei [15] propose a secure electronic voting protocol that uses threshold cryptosystems [20] to preserve the fairness of the candidates’ campaign and the voter’s ability to verify his vote in the final tally. The protocol proposed is quite complex in terms of cryptographic computations and requires anonymous channels for vote casting.

Okamoto proposes two protocols [17, 18] with the objective of preventing vote buying.
These protocols ensure that after a voter casts his vote, the voter does not possess any evidence to prove that he voted a particular way – a property known as receipt-free. The protocol in [17] uses an anonymous channel to cast a vote. However the protocol suffers from the drawback that a voter can be coerced by a candidate to vote a particular way. Among the two protocols in [18] one requires the existence of an untappable channel. The other requires the existence of a voting booth which is a physical apparatus for a voter in which the voter can interactively and secretly communicate with a second party. This is a strong assumption and may not be widely acceptable.

Our protocol is directly comparable to the work by Fujioka et al. [12] and the Sensus protocol [10]. However, we ensure that the voter can in no way be linked to a cast ballot, unless the voter himself cooperates. A major advantage of our protocol is that we do not require any anonymous channel to cast the vote. The drawback of anonymous channels is that they either require complex cryptographic techniques or require the involvement of mix agents, at least one of which must be trusted. In our protocol we do not need any trusted party. A third advantage is that even if we have an irresponsible voter who decides not to cast an “abstain” ballot, no administering agent involved will be able to take advantage of this fact.

3 The Voting Protocol

3.1 Cryptographic mechanisms used by the protocol

We assume that the following cryptographic functionalities are available:

1. Hard-to-invert permutations: We assume that there is a permutation, $P$, of a finite set of numbers whose inverse is not easy to compute, i.e. given $P(x)$, the task of determining $x$ is hard. For example, $P$ could be a discrete exponentiation – $v = a^x \bmod p$ where $p$ is a large prime number and $a$ is an integer less than $p$ with the property that for every number $n$ between 1 and $p-1$ inclusive, there is a power $k$ of $a$ such that $a^k \equiv n \pmod{p}$. Computing the inverse of $P$ is as hard as computing discrete logarithms.
2. Signature on messages: Suppose that a message $m$ has to be signed by an entity. The signed message is a transformation of $m$, $s(m)$, which can only be generated by the signing entity. However, any party can verify the signature on $s(m)$ using publicly available information. For signature the signing agent uses its private key and the signature verifier uses the corresponding public key.
3. Encryption of messages: We assume that all messages are encrypted with the recipient’s public key while in transit. The encryption is sufficiently strong that nobody can decrypt it without the appropriate key.
4. Digest of messages: We assume that all messages are accompanied by a message digest generated over the entire message. A cryptographically strong one way hash function is used to produce the digest. The digest ensures the integrity of messages in transit.
5. Blind signatures: Suppose that a message $m$ has to be signed by an entity, but without the signer knowing the contents of the message. Then the generator of $m$ should be able to
   (a) randomize $m$ so that the signer can not determine $m$,
   (b) obtain the signature on the randomized message,
   (c) undo the randomization to obtain the signature on the original message.

Chaum has shown how to implement such blind signatures based on integer factorization [4, 5]. The scheme, briefly, is as follows: Suppose Alice has a message $m$ that she wishes to have signed by Bob. Alice does not want Bob to learn anything about $m$. Let $(n, e)$ be Bob’s public key and $(n, d)$ be his private key. Alice generates a random value $r$ such that $\gcd(r, n) = 1$ and sends $x = r^e m \bmod n$ to Bob. The value $x$ is “salted” (or “blinded”) by the random value $r$ (the “salt”); hence Bob can derive no useful information from it. Bob returns the signed value $t = x^d \bmod n$ to Alice. Since $x^d \equiv (r^e m)^d \equiv r m^d \pmod{n}$, Alice can obtain the true signature $s$ of $m$ by computing $s = r^{-1} t \bmod n$. In what follows, we shall refer to the randomization step as “salting” the message, and the final step that undoes the randomization as “un-salting” the message.

3.2 Protocol description

The voting protocol employs three administering agents for successful operation:

1. A ballot distributor – BD. The job of the ballot distributor is to prepare blank ballots and distribute one to each voter.
2. A certifying authority – CA. The certifying authority certifies that a ballot that is cast has been cast by a registered voter and that a voter has cast one and only one ballot.
3. A vote compiler – VC. Each filled ballot cast by a voter is delivered to the vote compiler. The vote compiler tallies the votes and announces all the relevant statistics pertaining to this voting process.

We do not require that these agents be trusted. In other words, the three agents may be co-located or may collude with each other to perpetrate fraud. If a fraud is suspected, then the protocol ensures that the fraud can be proven. In that case the vote can be declared null and void. We assume that if any of these agents collude with one or more voters, they will be able to cast a single vote corresponding to each voter they collude with. In this case the voter will not be able to cast a second vote. That is, if a voter decides to collude he/she will jeopardize his/her vote only. This scenario is similar to voting by proxy and is not considered a fraud.

We use the following notation in the description of the protocol.

1. X – the identity of an agent involved in the voting protocol. Can be either the voter, V, the ballot distributor, BD, the certifying authority, CA, or the vote compiler, VC.
2. Xe – agent X’s public key.
3. Xd – agent X’s private key.
4. M – a message.
5. h(M) – a digest of the message M.
6. [m,Xe] – an entity m encrypted with X’s public key, where X is the recipient of m.
7. [m,Xd] – an entity m signed with X’s private key, where X is the originator of m.

We now discuss the protocol in detail. The protocol proceeds in five distinct phases:

1. Voting initiation
2. Blank ballot distribution
3. Voter certification
4. Vote casting
5. Vote counting

Before the voting process can be initiated by the voter, the voter must register with some voter registration authority. This authority prepares a list of registered voters from all people who have expressed a willingness to vote by verifying the identity of such people. The authority then issues a certificate for each such registered voter that contains the voter’s identity and public key. This registration process is outside the scope of our voting protocol.

Figure 1 shows the sequence of steps and agents involved at each step in the protocol. We use a dashed line in the figure in step 4 to point out that the vote casting is a process similar to uploading to a site – that is the identity of the voter is not provided in the message – unlike the other steps. In the following we discuss each step in more detail.

[Figure 1 (diagram not reproduced): the voter V and the agents BD, CA and VC, connected by the numbered steps 1 voting initiation, 2 blank ballot distribution, 3a and 3b voter certification, 4 vote casting, 5 vote counting.]

Figure 1: Protocol execution sequence

3.2.1 Voting Initiation

1. V → BD: V, voter certificate

The protocol starts with the voter authenticating to the ballot distributor BD. The voter sends the certificate issued by the registering authority. The certificate contains the voter’s identity as well as public key. Once the voter is authenticated as a registered voter, BD signs a digest of the voter’s certificate and sends it back to the voter with a blank ballot.

3.2.2 Blank ballot distribution

1. BD → V: [⟨y, [h(y),BDd]⟩, Ve], [h(voter certificate),BDd]

The blank ballot is a message of two fields: (i) the ballot serial number field, y, and (ii) the BD-signed digest of the ballot serial number, [h(y),BDd]. The ballot distributor, BD, generates a unique serial number, y, for every voter and creates a list of ballot serial numbers and voter identities. This is the list of the blank ballots issued and will be published by BD at the end of the voting. BD sends the ballot encrypted with the voter’s public key.


When the voter receives the message, the voter makes sure that the blank ballot has not been tampered with during transit, including that nobody has put an identifying mark within the blank ballot. The voter then retrieves the serial number, y, from the message received.

3.2.3 Voter certification

1. V → CA: [⟨m · [r,CAe], [h(m · [r,CAe]),Vd], V⟩, CAe], [⟨V, voter-certificate, [h(voter-certificate),BDd]⟩, CAe]

   m is a voter mark generated by the voter.

2. CA → V: [⟨[⟨m · [r,CAe]⟩, CAd]⟩, Ve]

Using the serial number, y, the voter creates a voter mark, m, as follows: The voter pads y with a fixed length random number to obtain a number x. The voter then computes a hard to invert permutation, m, of x. The value, m, is the voter mark. Note that since the serial number y is unique for every voter the voter mark is unique to every voter. However from the voter mark it is not possible to obtain the serial number y and hence impossible to identify the voter.

The voter then salts the voter mark with a random number, r, to get the salted voter mark m · [r,CAe] (as outlined in section 3.1). The voter also computes a digest of the salted voter mark and signs the digest. The voter encrypts the salted voter mark and the signed digest of the salted voter mark with CA’s public key and sends these to CA. Accompanying this message the voter also sends the voter certificate and the signed digest of the voter certificate that it received from BD, both encrypted by CA’s public key.

CA first makes sure that the voter is a registered voter by verifying the BD validated certificate for the voter that is accompanying the vote. CA also makes sure that the voter has not earlier submitted another salted voter mark to sign. Since the vote cast by the voter later on will be accompanied by the voter mark, this step effectively ensures that the voter casts one and only one vote. By verifying the voter’s signature on the digest of the salted voter mark, CA also makes sure that the voter mark has not been tampered with in transit. CA then signs the salted voter mark, and returns it to the voter encrypted with the voter’s public key. The certifying authority keeps a copy of the salted voter mark, signed by the voter, together with the identity of the voter, to be published at the end of the voting.

The voter “un-salts” the signed salted voter mark and obtains CA’s signature on the voter mark. The voter makes sure that the certifying authority has not put any identifying mark on the voter mark.
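
The salting and un-salting of section 3.1 applied to the voter mark of section 3.2.3, as an added example that is not code from the paper: the voter builds m from the serial number, has CA sign it blind, and checks the result with CA's public key. The primes, the generator 7, the 16-bit pad, the function names, and the omission of the voter's own signature and of transport encryption are assumptions of this example.

```python
import math
import secrets

# Toy parameters constructed for this example; far too small for real use.
DL_P = 2**31 - 1                      # prime modulus of the permutation P
DL_A = 7                              # a primitive root modulo DL_P
PAD_BITS = 16                         # fixed-length random pad appended to y
CA_P, CA_Q = 2**61 - 1, 2**89 - 1     # CA's RSA primes (both Mersenne primes)
CA_N, CA_E = CA_P * CA_Q, 65537       # CA's public key (n, e)
CA_D = pow(CA_E, -1, (CA_P - 1) * (CA_Q - 1))   # CA's private exponent d


def make_voter_mark(serial_y):
    """Pad y with a fixed-length random number to get x, then m = a^x mod p."""
    x = (serial_y << PAD_BITS) | secrets.randbits(PAD_BITS)
    if not 1 <= x <= DL_P - 1:
        raise ValueError("serial number out of range for the toy modulus")
    return pow(DL_A, x, DL_P)


def salt(m):
    """Salting: pick r with gcd(r, n) = 1 and return (r, r^e * m mod n)."""
    while True:
        r = secrets.randbelow(CA_N - 2) + 2
        if math.gcd(r, CA_N) == 1:
            return r, (pow(r, CA_E, CA_N) * m) % CA_N


def unsalt(t, r):
    """Un-salting: s = r^-1 * t mod n is the CA's signature on m itself."""
    return (pow(r, -1, CA_N) * t) % CA_N


def verify(m, s):
    """Anyone can check [m, CAd] with the CA's public key: s^e mod n == m."""
    return pow(s, CA_E, CA_N) == m % CA_N


class CertifyingAuthority:
    """Signs at most one salted voter mark per voter and records what it signed."""

    def __init__(self):
        self.signed = {}              # voter identity -> salted mark (published later)

    def sign_salted_mark(self, voter_id, salted_mark):
        if voter_id in self.signed:
            raise PermissionError("a salted voter mark was already signed for this voter")
        self.signed[voter_id] = salted_mark
        return pow(salted_mark, CA_D, CA_N)       # t = x^d mod n


def certify(ca, voter_id, serial_y):
    """Voter's side of section 3.2.3: returns the pair (m, s) with s = [m, CAd]."""
    m = make_voter_mark(serial_y)
    r, salted = salt(m)
    t = ca.sign_salted_mark(voter_id, salted)
    s = unsalt(t, r)
    if not verify(m, s):              # accepts only a plain CA signature on m
        raise ValueError("CA did not return a valid signature on the salted mark")
    return m, s


def explaining_salt(salted_mark, any_mark):
    """For ANY voter mark there is a salt r' that maps it onto a given CA record,
    so the record alone cannot single out one mark. The private exponent d is
    used here only to demonstrate that such an r' exists."""
    ratio = (salted_mark * pow(any_mark, -1, CA_N)) % CA_N
    return pow(ratio, CA_D, CA_N)


if __name__ == "__main__":
    ca = CertifyingAuthority()
    mark, sig = certify(ca, "voter-1", serial_y=1234)   # constructed identity and serial
    print("voter mark:", mark, "signature verifies:", verify(mark, sig))
```
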

3.2.4 Vote casting

1. V → Public FTP site: [⟨⟨vote, [m,CAd]⟩, h(vote,[m,CAd])⟩, VCe]
2. Public FTP site → VC: [⟨⟨vote, [m,CAd]⟩, h(vote,[m,CAd])⟩, VCe]
3. VC → Public FTP site: [h(vote,[m,CAd]),VCd]
4. Public FTP Site → V: [h(vote,[m,CAd]),VCd]

The voter now prepares a fixed length message of a pre-determined format (the format is announced to all voters prior to voting initiation) and indicates his or her vote as the message’s content. The voter appends his signed voter mark, [m,CAd] (signed by CA), to this message and creates a message digest of the vote and the signed voter mark. Recall that it is not possible to recover the serial number from the voter mark, so it is not possible to identify the voter by the voter mark. The voter then encrypts the three with VC’s public key and, after waiting for a random amount of time, uploads the same onto a publicly uploadable ftp site announced by the vote compiler, VC. The mechanism used to upload does not associate, in any manner, the voter’s identity with the uploaded material – for example an anonymous/guest ftp mechanism.

Periodically, VC downloads cast votes from this ftp site. VC makes sure that the cast vote has not been tampered with during the upload by the voter or download by itself. Next VC checks that it has not received this voter mark before. VC then signs the digest of the vote and the voter mark and uploads them to the public place. Some time later the voter retrieves this signed digest from the public place. This guarantees that VC has received the voter’s vote.

3.2.5 Vote counting

No vote is accepted after the voting period comes to an end at a predetermined time. At the end of the voting period each of the three agents, BD, CA and VC publishes the following:

1. BD publishes the number of blank ballots issued and the serial numbers of the blank ballots together with the identity of the voters to which they were issued. The number of blank ballots must be greater than or equal to the number of votes received but less than or equal to the number of registered voters.
2. CA publishes the set of salted voter marks received from the voter, their digests signed by the voters and the corresponding salted voter marks signed by CA, indexed by the identity of the voters. The number of such items should be greater than or equal to the votes cast but must be less than or equal to the number of blank ballots issued by BD. Note that, although it cannot be established by any entity other than the voter, for every vote that is cast there should be one and exactly one salted signed voter mark with CA.
3. VC publishes all the votes together with the corresponding voter marks indexed by the digest of the vote and voter mark. VC announces the relevant voting statistics that it computed.

A voter who wants to have the guarantee that his or her vote is counted in the final tally, makes sure that his or her vote is present in the list of published votes. If a fraud is suspected, an independent monitoring authority, not associated with the voting process, is invoked to validate the voting. If no fraud is suspected then the independent authority can certify the votes and declare the vote complete.
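An added example, not part of the paper, of the count and consistency checks an observer can run over the three published lists, together with the voter's own lookup of his or her vote. The digest encoding, the record layouts, the sample data and the function names are assumptions made for illustration.

```python
import hashlib
from collections import Counter


def h(vote, mark, ca_sig):
    """Digest of vote and CA-signed voter mark; this byte encoding is an assumption."""
    return hashlib.sha256(f"{vote}|{mark:x}|{ca_sig:x}".encode()).hexdigest()


def audit(registered, bd_ballots, ca_items, vc_votes):
    """Cross-check the three published lists; return a list of findings."""
    findings = []
    blank, certified, cast = len(bd_ballots), len(ca_items), len(vc_votes)
    if not cast <= blank <= registered:
        findings.append(f"BD count out of range: {cast} <= {blank} <= {registered} fails")
    if not cast <= certified <= blank:
        findings.append(f"CA count out of range: {cast} <= {certified} <= {blank} fails")
    serials = Counter(serial for serial, _voter in bd_ballots)
    findings += [f"serial {s} issued {n} times" for s, n in serials.items() if n > 1]
    marks = Counter(mark for _vote, mark, _sig in vc_votes.values())
    findings += [f"voter mark {m:#x} counted {n} times" for m, n in marks.items() if n > 1]
    for index, (vote, mark, sig) in vc_votes.items():
        if h(vote, mark, sig) != index:
            findings.append(f"entry {index[:8]} does not match its digest")
    return findings


def voter_finds_vote(vc_votes, receipt, my_vote, my_mark):
    """A voter's own check: the digest VC signed must index the vote actually cast."""
    entry = vc_votes.get(receipt)
    return entry is not None and entry[:2] == (my_vote, my_mark)


def sample_election():
    """Constructed data: 5 registered voters, 4 blank ballots, 3 votes cast."""
    bd = [(1001, "alice"), (1002, "bob"), (1003, "carol"), (1004, "dave")]
    ca = {"alice": 0xA1, "bob": 0xB2, "carol": 0xC3, "dave": 0xD4}  # salted marks
    cast = [("yes", 0x51, 0x9001), ("no", 0x52, 0x9002), ("yes", 0x53, 0x9003)]
    vc = {h(*ballot): ballot for ballot in cast}
    return 5, bd, ca, vc


def tampered_election():
    """Same election after VC's list was altered: one vote flipped, two ballots added."""
    registered, bd, ca, vc = sample_election()
    flipped = h("no", 0x52, 0x9002)
    vc[flipped] = ("yes", 0x52, 0x9002)            # vote changed, index left as-is
    for sig in (0x9004, 0x9005):                    # extra ballots reusing mark 0x53
        vc[h("yes", 0x53, sig)] = ("yes", 0x53, sig)
    return registered, bd, ca, vc
```

On the constructed clean data `audit` returns no findings; on the altered list it reports both count violations, the repeated voter mark and the entry whose digest no longer matches.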


4 Analysis of the Voting Protocol

4.1 In the Absence of Fraud

We first show that, in the absence of any fraud or collusion among the different entities, the voting protocol satisfies the set of five necessary conditions that were identified in section 1.1.

1. Accuracy is ensured as follows. When the votes are published at the end of the voting, a voter can identify his/her vote by the voter mark. The voter can create a digest of the (vote, CA-signed voter-mark) pair as published by VC. It must match the h(vote,[m,CAd]) that was sent by the voter during vote casting. If it does not, the voter will claim fraud. Assuming no fraud, a vote can be invalid for two reasons: (i) it has been cast by an ineligible voter or (ii) an eligible voter has voted more than once. BD makes sure that ineligible voters do not get a blank ballot. BD also signs a digest of the voter certificate. Later the voter has to present his voter certificate and the signed digest of the certificate to CA when the voter tries to get the salted voter mark signed. These two together guarantee that an ineligible voter is not able to cast a vote. Further, each cast ballot is linked to a signed voter mark. When CA signs a salted voter mark it makes sure that it does not sign two salted voter marks from the same voter. Also each voter mark corresponds to one and only one voter and each voter mark is unique. The latter is true because the seed that is used to generate the voter mark is the unique serial number, y, that has been provided by BD together with a random number generated by the voter. The voter mark guarantees that two cast votes are not erroneously attributed to the same voter. Finally, the vote compiler, VC, receives a cast vote with the signed voter mark; it signs the digest of the vote and the signed voter mark. VC’s signature on the digest ensures that VC cannot claim later that it did not receive a valid vote. When the votes are officially published, a voter will be able to identify his or her vote by the voter mark. These two together guarantee every voter that his/her vote is counted in the final tally.
2. Democracy is guaranteed because the accuracy property of the voting system ensures that there are no invalid votes from non-registered voters in the final tally and that there are no multiple votes from registered voters.
3. Privacy is provided to the extent that a cast ballot is not traceable back to a voter without the voter’s cooperation and that before a vote is cast, nobody other than the voter knows what the vote is. At every stage, till the vote is cast, the voter makes sure that none of the three agents has put an identification mark on his vote. When a voter casts a vote the only thing that can possibly be identified with the ballot is the IP address of the server that the voter used to cast the vote (the server can be thought to be like an open work station accessible by everyone that wants to vote). This does not reveal the voter’s identity. Finally, although the voter mark generated by the voter contains the unique serial number, y, given by BD to the voter, it is computationally infeasible to compute y from the voter mark (the computation is as hard as computing discrete logarithms). Also when the filled ballot is transferred to VC, it is encrypted (by VC’s public key) in transit. Thus only the voter knows about his vote till such time as the vote is cast.
4. Verifiability is ensured because at the end of the voting process all the cast ballots are published. Each voter can identify his/her vote by the voter mark. If the identified vote does not match the vote that the voter actually cast, a fraud is claimed.
5. Un-authorized Proxy is ensured as follows. For each voter mark received by VC with the cast vote, there exists one and only one salted voter mark with CA that is signed by an eligible voter. If required this correspondence can be established with the help of the voter. Also only a voter can have both the copies together. These two together ensure that even if a voter decides not to cast his or her vote, nobody will be able to take advantage of this fact and cast a fraudulent vote.

4.2 In the Presence of Fraud

First we discuss the scenarios of possible frauds where a voter does not participate. Note that if no fraud has occurred then the following items exist at the end of the protocol.

1. $B$ – A set of blank ballots that are generated by the ballot distributor. Only an authorized voter and BD can each legitimately have a copy of a blank ballot item at the end. A correct copy will contain a unique serial number together with BD’s signature on it – unless BD is colluding to commit a fraud.
2. $S$ – The set of salted voter marks sent by authorized voters together with signed digests for each salted voter mark, signed by voters. Each voter has a copy of one $S_i \in S$ and CA also has the same copy. However, CA’s copy must have originated from an authorized voter – that is CA cannot forge one.
3. $S'$ – The set of salted voter marks signed by CA and returned to the voters. Each authorized voter has a $S'_i \in S'$ and CA has a copy of the same. Again, a $S_i$ cannot be forged because its digest needs to contain an authorized voter’s signature.
4. $F$ – The set of final ballots cast by voters. Each voter has a copy of a $F_i \in F$ and so does VC. A correct $F_i$ contains CA’s signature on the voter mark. So unless both VC and CA collude, a legitimate, final ballot cannot be generated (that is one with CA’s signature on a voter mark).

However, note that there exists a one-to-one correspondence between a $F_i \in F$, a $S_i \in S$ and a $S'_i \in S'$, via the unique voter mark. If a fraud is suspected then only an authorized voter can produce all three together. Moreover, only the voter can demonstrate how the voter mark is generated from the seed or recovered from the salted voter mark. Let us now discuss each of the possible scenarios of collusion and see what are the possible counterfeit items that can be generated and used to commit a fraud.

4.2.1 Collusion involving BD and VC

If BD and VC collude they can produce the following:

1. A set of blank ballots – $\hat{B}$ – that can be proven as valid blank ballots because each of them contains BD’s signature.
2. A set of final filled ballots – $\hat{F}$ – with VC’s signature on the vote and a voter mark.

However, no $\hat{F}_i \in \hat{F}$ will contain CA’s signature unless CA is colluding. So these filled ballots are rejected as invalid filled ballots. Thus BD and VC by themselves cannot commit a fraud.

4.2.2 Collusion involving CA and VC

By colluding, CA and VC can come up with the following:

1. A set of salted voter marks – $\hat{S}$.
2. A set of salted voter marks that are signed by CA – $\hat{S}'$. There is a one-to-one correspondence between a $\hat{S}_i \in \hat{S}$ and a $\hat{S}'_j \in \hat{S}'$.
3. A set of final filled ballots – $\hat{F}$ – that contains CA’s signature on the voter mark as well as VC’s signature on the digest.

However, a $\hat{S}_i \in \hat{S}$ will not contain a registered voter’s signature. Thus CA and VC by themselves do not have sufficient power to commit a fraud.

4.2.3 Collusion involving BD and CA

If BD and CA collude they can end up having the following:

1. A set of valid blank ballots – $\hat{B}$.
2. A set of salted voter marks – $\hat{S}$.
3. A set of salted voter marks that are signed by CA – $\hat{S}'$. There is a one-to-one correspondence between a $\hat{S}_i \in \hat{S}$ and a $\hat{S}'_j \in \hat{S}'$.
4. A set of final filled ballots – $\hat{F}$ – that has CA’s signature on the voter mark. By casting these in the proper manner, VC’s signature can be obtained on the final ballots at the proper places. This does not require the collusion of VC.

But $\hat{S}_i$ and $\hat{S}'_j$ will not contain a registered voter’s signature. Although no $\hat{F}_i \in \hat{F}$ can be proven directly to be fraudulent, if BD and CA use some $\hat{F}_i$ to cast fraudulent votes then:

1. It is likely that the number of votes that will be counted will exceed the number of registered voters. BD and CA will not want to run that risk.
2. Even if they decide to run the risk, BD and CA cannot produce a $\hat{S}_i \in \hat{S}$ and a $\hat{S}'_i \in \hat{S}'$ corresponding to a $\hat{F}_i \in \hat{F}$, such that the $\hat{S}_i$ bears the signature of an authorized voter and $\hat{S}'_i$ is the salted version of $\hat{S}_i$, without a voter claiming that his vote has not been counted.

4.2.4 Collusion involving BD, CA and VC

The only way fraud can occur is if BD, CA and VC collude together. Between the three of them they can generate the following:

1. A set of valid blank ballots – $\hat{B}$.
2. A set of salted voter marks – $\hat{S}$.
3. A set of salted voter marks that are signed by CA – $\hat{S}'$. There is a one-to-one correspondence between a $\hat{S}_i \in \hat{S}$ and a $\hat{S}'_j \in \hat{S}'$.
4. A set of final filled ballots – $\hat{F}$ – that has CA’s signature on the voter mark and VC’s signature on the digest of the vote and the voter mark.

This is a stronger scenario than the one where only BD and CA collude. The reason is that a $\hat{F}_i \in \hat{F}$ can substitute, in the final tally, one of the valid votes that an authorized voter has cast. Thus the trio do not run the risk that the number of votes in the final tally will exceed the number of authorized voters. However, if a valid vote is substituted, the original voter will not see his vote among the set of all votes when the votes are finally published. A fraud will be suspected. At that point the trio have to produce a $\hat{F}_i \in \hat{F}$ and a $\hat{S}_i \in \hat{S}$ and $\hat{S}'_i \in \hat{S}'$, such that the $\hat{S}_i$ and $\hat{S}'_i$ bear the signatures of an authorized voter and such that the voter mark in $\hat{F}_i$ has been generated from the voter mark in $\hat{S}_i$ or $\hat{S}'_i$.

4.2.5 Collusion with the involvement of voters

The best a voter can contribute to any of the scenarios of fraud outlined above is one copy of a salted and filled ballot that contains the voter’s signature. However, this only changes the voter’s vote and that too with full knowledge of the voter. Thus this is equivalent to the voter voting by proxy and we do not consider it as a fraud. Also the voters cast their votes independent of each other. Thus, unless all voters are colluding, the voting process cannot be disrupted.

5 Conclusion

In this work we present a secure electronic voting protocol that is suitable for large scale voting over the Internet. The protocol satisfies the core properties of secure voting systems – namely accuracy, democracy, privacy and verifiability. Further the protocol ensures that if an eligible voter decides not to cast a vote (not the same as a voter choosing to abstain), nobody is able to cast a fraudulent vote in place of the voter – a property we call un-authorized proxy. The protocol is based on three vote administering agents which do not need to be trusted. The protocol does not require the cooperation of all registered voters. It does not need any special mechanism like a voting booth. It does not use any anonymous channel based on the Mixnet method for vote casting. Last but not least, it does not use any complex cryptographic scheme that is not widely prevalent.

One shortcoming of this voting protocol is that it does not address vote buying. To prevent vote buying, a voter should not be able to prove after casting a vote that he voted a particular way. In our protocol, each published ballot is associated with a voter-generated voter mark; this allows the voter to prove that he voted a particular way. We are currently working on this issue.

A second shortcoming is that we assume implicitly that a voter who gets a salted voter mark signed by the certifying authority always casts his vote. If this assumption is relaxed, then the knowledge can be exploited by BD, CA and VC to commit fraud. At the end of the voting, CA has a set, $S$, of salted voter marks bearing the signatures of registered voters and VC has a set of cast ballots, $R$. The cardinality of $R$, $|R|$, is less than the cardinality of $S$, $|S|$. The protocol relies on a one-to-one correspondence between members of $R$ and members of $S$. If CA has the knowledge that some voters who have a salted voter mark in $S$ do not have a corresponding ballot in $R$ then CA can fraudulently generate a set of $|S| - |R|$ ballots and cast them. In this case the fraud cannot be detected. However, if we assume that we can suspect the fraud, then by the same reasoning as in section 4.2.4 we can prove the fraud. This is better than other similar protocols where even if such a fraud is suspected it cannot be proved. We are looking into ideas like anonymous commit protocols that can ensure that the two steps – voter getting a salted ballot signed and voter casting a ballot – either both execute successfully or none do.
