Proceedings of the 38th Hawaii International Conference on System Sciences - 2005

The Role of the Election Commission in Electronic Voting Alexander Prosser, Robert Krimmer, Robert Kofler, Martin Karl Unger Research Group E-Voting.at Vienna University of Economics and Business Administration Nordbergstrasse 15, A-1090 Vienna, AUSTRIA {alexander.prosser | robert.krimmer | robert.kofler | martin.unger} @wu-wien.ac.at Abstract In this paper the control possibilities of an Election Commission in an Electronic Voting process are described and technical solutions are presented. Decisions in the committee need not be made unanimously, rather arbitrarily defined quora are supported.

1. Introduction Since the beginning of the big Internet boom in the 1990's a lot has been discussed how to use information technology in public administration. Still it became clear in a very early stage that experiences made in the ebusiness field cannot be attributed to public administration in the same manner. In this way the term "electronic government" evolved as a new name for the field of public information systems. In Europe the electronic government movement is hyped and by politicians it is often mistaken solely for the IT-enabled support of administrative tasks in the government1. This leaves out a complete field of interaction between the citizens and government – the area of democratic processes, especially elections. Therefore the definitions of term electronic government include these processes as well. Scholl for example defines in [33] electronic government as, "the use of information technology to support government operations, engage citizens, and provide government services" which includes not only electronic administration but also electronic participation by citizens. This differentiation can also be found in Europe where Reinemann and von Lucke [36] where they distinguish E-Workflows and E-Democracy. Furthermore von Lucke and Reinemann define E-Democracy2 as the 1

For the opinion of MP's of the Austrian Federal National council see the explorative study in [AsFr04] 2 For an introduction in research on electronic democracy see the European Science Foundation funded research project TED "towards electronic democracy", an introductory description can be found at http://infodoc.escet.urjc.es/ted/, accessed on 2004-05-30.

electronic representation of the democratic processes, which Parycek and Seeboeck devide in three subprocesses [26], (i) information acquisition, (ii) formation of an opinion and (iii) the decision itself. Electronic Democracy therefore contains two aims – the field of E-Participation (decision preparation, therefore consisting of process (i) and (ii)) and the field of E-Voting (decision making, therefore process (iii)). For applications in the Internet one can distinguish them from their level of technical complexity. Combining these one can develop an E-Democracy application framework. This framework follows an approach developed by the EU Forum E-Democracy working group [22] where they match the political processes with the technical complexity. Political Process

EVoting

(iii) Decision

(ii) Formation of an opinion

(i) Information acquisition

E-Mail

Chat

Websites

0 Information

UniBidirectional

Trans- Technical actional complexity

Figure 1: E-Democracy Application Framework This results in four application types that are depicted in figure 1: (i) websites as information provision for citizens, (ii) E-Mail communication with politicians as unidirectional as communication is asynchronous, (iii) chats with politicians as discussion takes place at the same time, and finally (iv) E-Voting where a decision is ultimately made. Especially about the last form, the electronic decision making, is in big discussions. Besides the highly controversial SERVE project in the USA (for a security analysis of SERVE see [27]), the introduction of EVoting is part of many projects in Europe, i.e. in

0-7695-2268-8/05/$20.00 (C) 2005 IEEE

1

Proceedings of the 38th Hawaii International Conference on System Sciences - 2005

Switzerland [34], Germany [11; 12], Austria [28], Belgium [6], the Netherlands [24], Estonia [35], Spain [30], United Kingdom [22; 23] or Ireland [5]. In mid of 2004 the Council of Europe was discussing a legal and technical standardization recommendation on e-voting [4].

2. E-Voting in General So far, the systems used in the different countries differ in great detail from one another. Still the forms of electronic voting can be distinguished in two totally different forms by the presence of an Election Commission at the point of time of voting. These forms are (i) Presence Voting and (ii) Remote Voting. These leads to four different forms of voting3 when combined with electronic methods as depicted in figure 2. Forms of Voting

Electronic

Conventional

Electronic Machine Voting

Internet

For the implementation of an Election Commission in E-Voting, one has to offer control in all three phases of the election. In the pre-election phase the commission has to control the eligibility of the voter if she is entitled to vote. In the election phase itself, it must be guaranteed that only the eligible voter is able to fill out the ballot sheet. In the post election phase no one must be able to see or count the ballot sheet before the election is closed. In an electronic system it further has to be checked that the administrators of the system have no possibility of fraudulent actions. In the following we will show how to technically guarantee the fulfillment of these presented tasks of the Election Commission.

3.1 Pre-Election

Postal

Voting

Voting Presence of Election Commission

Figure 2: Forms of Voting Leitold distinguishes in [21] three phases in an election, namely (i) Pre-Election, (ii) Election and (iii) Post-Election. In a conventional (non-electronic) election the Election Commission is active during the first and the last phase, with the tasks to unambiguously identify the eligible voter and to guarantee that only eligible voters are participating in the election. In the end they also count the votes. The Election Commission usually consists of members of the strongest political parties of the last election. This guarantees an equal interest in not privileging one other's party. This allows the voters to build up trust in the correct final results as all political interests were represented in the counting. In electronic voting it is also very important to represent an election commission as it is very hard for the 3

3. Technical Solutions to Implement an Election Commission in Electronic Voting

Voting

Traditional

0

voters to follow the electronic processes and thereby trust in the results. This is why implementing a possibility for the Election Commission to guarantee the correct result is of crucial importance.

In the following electronic voting (e-voting) equals remote voting by electronic means.

In the pre-election phase it is not enough that the person wanting to vote is identified and checked against the register. It must also be guaranteed that the administration of the registration server is not able to hand out multiple voting eligibilities to one. A protection against this can be provided with the algorithm developed by Prosser et.al. in [16]. In this two-phased algorithm, voters can register an arbitrary period of time before election day; since the ballot sheet is not handed out upon registration, voters can register even at a time when the list of candidates is not complete yet. As the first step the voter generates a random token t and prepares it for the blind signature, adds a text where she applies for e-voting and signs: V S priv (blinded (t ), " I want to vote electronically") . The

message is encrypted with R ’s public key and sent to the first server R V K pub S priv (blinded (t ), " I want to vote electronically") , which verifies the voter’s credentials by resolving the public signature key of the voter. If the voter is entitled to vote, the first server signs t blindly giving σ R (blinded (t ) ) . The first server stores the electronic application and strikes the voter off the conventional voter’s register. Also σ R (t ) is stored; if the original signed token is lost and the voter re-applies for another token, the first server will always respond with the original σ R (t ) to avoid the issue of multiple tokens. A similar process is repeated with the second server: The voter issues a second token τ , blinds it and obtains the

[

0-7695-2268-8/05/$20.00 (C) 2005 IEEE

]

2

Proceedings of the 38th Hawaii International Conference on System Sciences - 2005

blindly signed σ T (τ ) . This is required as it is the only way to make a collusion of the first server server and the ballot box server useless, as they always need the blind signature authentication of the second server as well in order to forge a vote. At the end of the registration phase, the voter holds two authentication tokens and her constituency information c [t ,σ R (t ),τ ,σ T (τ ), c] , both tokens are needed to cast a vote on election day. To permit fullest control of the Election Commission over the registration servers, each member could be assigned an own registration server. As this would imply performance and time constraints using two servers would be the best solution.

3.2 Election and Post-Election Phase For the traditional most important process in the Election and Post-Election phase, the correct counting of the votes and prohibiting anyone from opening the ballot sheets before the end of the election are most important. In [29] a method was implemented, where the submitted votes were asymmetrically encrypted by the voter client using public keys supplied by the election committee, where each committee member retains the private key part. Only when the ballot box is “opened” by the election committee, the private keys are provided by the committee members and the votes are accessible. Hence, nobody including the election server administration has access to the encrypted ballot sheets. It requires, however, all private keys to be supplied correctly by the committee members, which means that all decisions in the committee have to be made unanimously. Also, it gives every member the opportunity to sabotage the election by supplying no or a fake private key. Also simple accidents of committee members or loss of storage media may result in the ballot sheets to be inaccessible and hence lost. In the following we present an algorithm that enables the Election Commission to fulfill all their tasks within the limits of the law, i.e. that a) Nobody outside the committee is to know any of the private keys of the committee until the opening of the ballot box. b) No committee member knows the private keys of any other committee members used for encrypting the votes until the opening of the ballot box. c) Any pre-defined quorum of the election committee can open the ballots. d) A group of members short of the quorum even by one member only shall have a non-realistic chance in deciphering what a valid quorum may decipher. e) No committee member is able to sabotage the process by supplying fake keys.

3.3 The Protocol The schemes presented by Shamir [32], Blakely [3], Beutelsbacher et.al. [2], Alon et.al. [1] Kersten [15] presuppose that the original secret is known at some stage – at least to the person constructing the polynomial curve around or the hyperplanes. In the present application this is to be avoided: At no stage prior to the committee’s (quorum) decision to open the ballot box shall the secret keys of the individual members leave their respective domain. A number of threshold signature schemes have been suggested in the literature, for RSA-based [31] as well as for ElGamal/Diffie-Hellman [10], [9] signatures. Even though they have primarily been suggested for distributing signature keys, particularly in the RSA system, it is possible to adapt them to distributed decryption keys as well (s. [10] for DSS with general application), however, the aim of repetitive use of the signature keys is not an issue in this application. Such distributed signature protocols have been suggested by Desmedt and Frankel [7] based on the RSA scheme, a very elegant extension using Lagrange interpolation can be found in [8]. Gennaro et al. suggested dealer-based schemes based on RSA and ElGamal signatures [12],[13], which rely on a central dealer or verifier, resp., which would not be appropriate here, even if the algorithm could hide the secret to the central dealer, as the election committee should also function when any member is absent. No member may have the possibility to obstruct the committee. On the other hand, the dishonest use of the keys in the signature (here: encoding) phase itself (cf. [20], [25]) is not an issue, as the use of the keys is outside the responsibility of the election committee. The proposed protocol is as follows: Denote i a committee member in an election committee of M members, and Q the quorum that is necessary to open the ballot sheet. 0 < Q ≤ M . The algorithm assumes that there is an election committee server (ECS) run on behalf and under the control of the election committee. It can be assumed that the ECS is only accessible to the committee members, but this does not constitute a requirement for the protocol.

Preparation Stage (1) Each committee member

i creates an asymmetric key

(di , ei , ni ) publishing the modulus, (ei , ni ) , on the ECS. pair

0-7695-2268-8/05/$20.00 (C) 2005 IEEE

external key and the The moduli meet the

3

Proceedings of the 38th Hawaii International Conference on System Sciences - 2005

constraints ni < ni +1 , d i < ni 4 and d M < n1 . Members are ranked in increasing order by their published moduli. This coordination is compatible with decentralized key generation, as the moduli are published anyway and the above conditions can be checked by every member. (2) d i remains within the domain of each committee member, stored on a secure media; it is also assumed that key generation happens in a tamper-prove environment (e.g., a smart card). (3) Each member i computes one or several cik according to: (3.1) All quorum combinations of members without repetition are established and listed in the ECS. Their

§M · number is ¨¨ ¸¸ ; denote each of them q k ; it represents a ©Q¹ quorum that may make a valid decision to open the ballot sheets. (3.2) Each combination q k is randomly assigned to one of the committee member i , who is not member of q k ; every member is at least assigned one such combination, who uses the generally known public keys and moduli e j , n j of all j ∈ qk ordered by the size of the

(

)

respective modulus to sequentially encrypt his deriving the

d i thereby

cik value(s), which is/are then published on

the ECS. (4) Each member i has a number of “challenge tokens” t , which she may use to challenge another member j ’s

c jk to supply his secret d j . Once d j is supplied, it can

(

)

be checked whether (i) e j , d j , n j form a valid key pair,

c (ii) the jk originally supplied by j can be recomputed according to the public keys ek ∀k ∈ qk and checked. If

j

either identity cannot be re-established, must have cheated; if both identities can be established, it is proven that j acts according to the rules (cf. Proposition 2). (5) If a member had to supply the secret key d , he creates a new key pair and re-computes the

cik assigned

to him according to steps (1) to (3), whereupon the next round of challenges may happen. Assignment of challenges may also be subject to a random selection.

(6) All (ei , ni ) are delivered5 together with the voting software on election day and are consecutively used to code the ballot sheets. Hence, the ballot sheets BS stored on the ballot box server(s) are encoded as

((BS

e1

mod n1

))

... e M

mod nM .

Opening Stage (7) BS are decoded after the election closed, either unanimously or after a quorum decision in the committee (cf. Proposition 1). The obvious solution for Step (3) would be to encrypt each d i with all combinations of Q keys of the members

of

M ' = M \ {i} ,

which

is

§ M − 1· (M − 1)! . This, however, could be ¨¨ ¸¸ = © Q ¹ ( M − 1 − Q)!Q! difficult to manage in larger committees; in the case of a committee of 11 with a quorum of 5 it would be

10! = 252 combinations of encrypting each d i with a 5! 5! sequence of Q = 5 public keys. The above version is more parsimonious and takes into account that each quorum has to only access one single additional key in order to move on to deciphering the next key. Criteria a) and b) in the Introduction are clearly met, the d i of all election committee members remain strictly private. Let us discuss the remaining criteria. Proposition 1: Any quorum Q of the committee can access the BS. Step 3 of the above Algorithm assigns one encrypted d i

to every possible combination

qk of committee members

that constitute a valid quorum and do not contain member i . Hence, qk can access the secret key of a member, who does not belong to

qk . Since this is valid at every step, all

secret keys will eventually be available. As to requirement d), if a group of members short of a valid quorum collude, the key is at least as difficult to break as a single RSA signature, as at least one key would be missing; e.g., with M=5 and Q=3, d1 would be

(

e

encoded to d1 2 mod n2

)

e3

mod n3

) mod n e4

4

; if 3 and

e2 1

4 collude, the code would still be d mod n2 , which corresponds to usual single-key encryption. As to requirement e), the following proposition holds:

Voting Stage 4

A condition, which should hold for well-formed key pairs anyway, as the values for d and e should avoid extremes.

5

A possible method may be real-time key resolution from a defined server by the voting software.

0-7695-2268-8/05/$20.00 (C) 2005 IEEE

4

Proceedings of the 38th Hawaii International Conference on System Sciences - 2005

Proposition 2: The verification proposed in Step (4) is complete and sound. Completeness: The protocol requires member i to (i)

create a correct RSA key pair

(ei , di , ni ) and to correctly

communicate public exponent and modulus to the ECS, (ii) to use the published e j of a quorum q k assigned to him to encode his private key. Step (4) directly proves the fist point by verifying whether d i matches the public key part published by the member. Since the e j remain the same for re-computation of the encoded d i , also this part can be verified. Soundness: If i ’s private key fails to meet the above criteria, the question arises whether anybody else’s manipulations could be responsible for the mismatch. There are two possibilities: (i) Another (or several other) committee member j : Given the published e j it is i ’s sole responsibility to compute the consecutive

e

di j mod n j using the RSA

key member i himself generated. (ii) The administrator of the ECS or a third party; points of interference are (iia) the key generation (which was assumed to happen in a secure environment), (iib) key transmission and storage on the server. This may be corrupted, particularly by the server administration, however, the public key parts are published and hence, can be checked by every committee member.

4. Resume Using both solutions with multiple registration servers in the pre-election phase and implementing a procedure to encrypt all ballot sheets and decrypt it using a process that allows for quorum decisions the Election Commission can control the whole voting process. With this distributed control features the Election Commissions members do not have to trust one single server administrator but can audit the whole election process.

5. References [1] Alon, N., Galil, Z., Yung, M.: Dynamic re-sharing verifiable secret sharing against a mobile adversary. Proceedings European Symposium on Algorithms 1995, pp. 523-537 [2] Beutelspacher, A., Rosenbaum, U.: Projektive Geometrie. Vieweg, 1992 [3] Blakley, R.: Safeguarding cryptographic keys. FIPS Conference Procedings 48(1979), pp. 313-317

[4] Council of Europe: Multidisciplinary Ad Hoc Group of Specialists on legal, operational and technical standards for e-enabled voting (IP1-S-EE), Strassbourg, 2004. Report available at http://www.coe.int/t/e/ integrated_projects/democracy/02_Activities/02_evoting/, accessed on 2004-04-07. [5] Commission on Electronic Voting: Secrecy, Accuracy and Testing of the Chosen Electronic Voting System. Dublin, 2004. Available at http://www.cev.ie/ htm/report/V02.pdf, accessed on 2004-04-01. [6] Delwit, P. ; Kulahci, E. ; Pilet, J-B.: Vote électronique et participation politique en Belgique: Presentation at the Belgian Parliament in December 2003. Available at http://www.belspo.be/belspo/home/publ/index_fr.stm, accessed on 2004-04-20. [7] Desmedt, Y., Frankel, Y.: Shared Generation of authenticators of signatures“. Advances in Cryptology – CRYPTO 91, 1992, pp. 457-469 [8] De Santis, A., Desmedt, Y., Frankel, Y., Yung, M.: How to share a function securely. 26th ACM Symposium on the Theory of Computing, 1994, pp. 522-533 [9] Diffie, W., Hellman, M.E.: New Directions in Cryptography. IEEE Trans. Inf. Theory, 6(1976), pp. 644654 [10] ElGamal, T.: A Public Key Cryptosystem and a Signature Scheme based on Discrete Logarithms. IEEE Trans. Inf. Theory, 31(1985), pp. 469-472 [11] Feldman, P., Micali, S.: An Optimal Algorithm for Synchronous Byzantine Agreement. ACM Symp. on Theory of Computing 1988, pp. 148-161 [12] Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust Threshold DSS Signatures. Proceedings of Eurocrypt 96; LNCS 1070, 1996, pp. 354-371 [13] Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust and Efficient Sharing of RSA Functions, manuscript, 1996 [14] Jefferson, D., Rubin, A., Simons, B., Wagner, D.: A Security Analysis of the Secure Electronic Registration and Voting Experiment. Washington, 2004. Available at http://www.servesecurityreport.org/paper.pdf accessed on 2004-05-16. [15] Kersten, A.G.: Shared Secret Schemas aus Geometrischer Sicht. Mitteilungen aus dem mathematischen Seminar Giessen, 208, 1992 [16] Kofler, R., Krimmer, R., Prosser, A.: Electronic Voting: Algorithmic and Implementation Issues. 36th Hawaiian International Conference on System Sciences, Big Island, Hawaii, 2003. [20] Langford, S.: Threshold DSS signatures without a trusted party. LNCS 963 Proc. Crypto 91, SpringerVerlag, pp. 397-409 [21] Leitold, H.: Security in Electronic Voting. Presentation at Austrian Ministry of Foreign Affairs, available at http://www.bmaa.gv.at/up-media/ 344_A%2008-%20e-voting%20security%20%20Leitold.ppt, accessed on 2004-05-23.

0-7695-2268-8/05/$20.00 (C) 2005 IEEE

5

Proceedings of the 38th Hawaii International Conference on System Sciences - 2005

[22] Macintosh, A.: Working Group 4 to the European Commission, Brussels, 2003. Available at http://www.euforum.org/summit/docs/WG4e-democracyFINAL%20RESULTS.doc accessed on 2004-04-07. [23] Macintosh, A., Xenakis, A.: Procedural Security in Electronic Voting. Presented at 37th Hawaiian International Conference on System Sciences, Big Island, Hawaii 2004. [24] Oostveen, A., Van den Besselaar: E-democracy, Trust and Social Identity: Experiments with E-voting technologies. Forthcoming 2004. [25] Otten, D.: Forschungsgruppe Internetwahlen. Osnabrück 2004. Available at http://www.internetwahlen.de, accessed on 2004-04-07. [26] Parycek, P., Seeboeck, W.: Elektronische Demokratie: Chancen und Risiken für Gemeinden. In: Prosser, A., Krimmer, R.: E-Democracy: Technologie, Recht und Politik, OCG publication #174, Vienna, 2003. [27] Pratchett, L.: The Implementation of Electronic Voting in the United Kingdom. London, 2004. Available at http://www.dca.gov.uk/elections/e-voting/pdf/evoting.pdf, accessed on 2004-04-07. [28] Prosser, A., Kofler, R., Krimmer, R., Unger, M.: EVoting Test to the Austrian Federal Presidency Election, Working Paper 2/2004 of the WU Vienna Institute for Information Systems, Vienna, 2004. [29] Prosser, A., Kofler, R., Krimmer, R.: Deploying Electronic Democracy for Public Corporations. In: Traunmüller, R. (ed.): Electronic Government, LNCS

2739(2003), pp. 234- [12] Research Group W.I.E.N.: Voting in Electronic Networks, Berlin, 2004. Available at http://www.forschungsprojekt-wien.de, accessed on 200404-07. [30] Riera, A.: The SCYTL E-Voting Project. Madrid, 2004. Available at http://www.scytl.com, accessed on 2004-04-05. [31] Rivest, R., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public Key Kryptosystems. Comm. ACM, 21(1978), pp. 120-126 [32] Shamir, A.: How to share a secret. Comm. ACM, 22 (1979), pp. 612-613 [33] Scholl, J.: E-government: A Special Case of ICTenabled Business Process Change. 36th Hawaiian Conference of System Sciences, Big Island, Hawaii, 2003. [34] Swiss Federal Chancellerie, Report on Electronic Voting from 2002-01-09. Available at http://www.admin.ch/ch/d/egov/ve/index.html, accessed on 2004-04-20. [35] The Estonian National Electoral Committee: General Description of the E-Voting System, Tallinn, 2004. Available at http://www.vvk.ee/elektr/docs/Yldkirjelduseng.pdf, accessed on 2004-04-04. [36] von Lucke, J., Reinermann, H.: Speyerer Definition von Electronic Government, 2004. Available at http://foev.dhv-speyer.de/ruvii accessed on 2004-04-28.

0-7695-2268-8/05/$20.00 (C) 2005 IEEE

6