Secure Client Platforms for Remote Internet Voting

(1)

Technische Universit¨

at Darmstadt

Department of Computer Science Cryptography and Computer Algebra

Prof. Dr. Johannes A. Buchmann

Diploma Thesis

Secure Client Platforms for Remote Internet

Voting

Author : Johannes Clos Advisor : Axel Schmidt

(2)

(3)

Erkl¨arung

Ehrenw¨ortliche Erkl¨arung

Hiermit versichere ich, die vorliegende Diplomarbeit ohne Hilfe Dritter und nur mit den angegebenen Quellen und Hilfsmitteln angefertigt zu haben. Alle Stellen, die aus den Quellen entnommen wurden, sind als solche kenntlich gemacht worden. Diese Arbeit hat in gleicher oder ähnlicher Form noch keiner Prüfungsbehörde vorgelegen.

Darmstadt, den 14.02.2008

(4)

(5)

List of Tables

7.1 Neﬀ’s voting scheme - Source: modiﬁed from [KSW05] . . . 57 7.2 Possible sequence for an adoption of Chaum’s scheme to RIV - Source:

modified from [KSW05] . . . 62 7.3 Protocol sequence of Prêt à Voter . . . 67 7.4 Comparison of the evaluated voter-verifiable voting schemes . . . 77

(8)

(9)

List of Figures

2.1 Categorization of voting schemes - Source: modified from [Sta05] . . . 6 3.1 Categorization of vote classes - Source: modified from [VK06] . . . . 15 4.1 Functioning of a single mixnet server - Source: modified from [Wag06] 22 4.2 Decryption mixnet - Source: modified from [Wag06] . . . 23 4.3 Audition of teller i - Source: modified from [CRS04] . . . 24 7.1 Representation of a verifiable choice - Source: modified from [KSW05] 55 7.2 The parity cell patterns - Source: [BR03] . . . 60 7.3 Possible combinations of bit patterns - Source: modified from [Cha04] 60 7.4 Bit patterns of the transparency layers, resulting image - Source:

mod-ified from [Sta05] . . . 61 7.5 The filled in ballot - Source: modified from [RP05] . . . 66 7.6 Outline of the voting process - Source: modified from [CRS04] . . . . 67 7.7 Layers of the onion - Source: modified from [CRS04] . . . 69 7.8 Anonymizing mix with n tellers - Source: modified from [CRS04] . . . 69 7.9 Ballot structure and layout of the board - Source: modified from [Cha07] 72 7.10 Filled in ballot and obtained verification information - Source:

modi-fied from [Cha07] . . . 72 7.11 Auditing the tally - Source: modified from [Cha07] . . . 74 8.1 Example for a trusted platform - Source: modified from [ASSV06] . . 86 8.2 Chain of Trust - Source: [Stu07] . . . 87

(10)

(11)

1 Introduction

1.1 Motivation

The creation of the internet funded a wide range of ideas on how to increase the effi-ciency of the democratic1 _{systems. In this context the term e-democracy is commonly} used. It includes the subjects of e-government which stand for modernization and simplification of administration processes supposedly leading to higher efficiency and transparency in the public sector2_{. But as a matter of fact the settings of e-democracy} lie beyond the typical applications discussed in the context of e-government. Effec-tively the borders are set by the respective corpus of legislation of modern democracies [BN02]. With the introduction of digital signatures3 _{the ambitious project of}_Remote

Internet Voting (RIV) seemed to be within reach. The term translates to the reform of our current voting procedures due to the rapid growth of computer usage and promises such as higher voters’ participation and a reduction of the cost of elections4_. On the other side the possible risks must not be underestimated. The necessity of 1

(Greek: demos = people, kratein = to govern) government of the people, by the people and for the people

2

A good example for the implementation for e-government techniques is to be found in the European country of Estonia. After the establishment of an infrastructure that guarantees free internet usage to every citizen in 1999 services were introduced to create methods of interaction between citizens and their government, e.g. a website was created to give citizens the possibility to post statements and proposals for new laws and directives, vote for them, and direct them to the administration. Furthermore the nationwide enrollment of a public key infrastructure was set up through the distribution of an identification card that includes a chip to ensure the secure storage of private keys. Hereby binding digital signatures were effectively enabled giving people the possibility to sign and submit official documents from their computer.

3

In 2001 the EU-Directive 1999/93/EC [Hof07] found its realization in German law. Binding digital signatures now represent a legal equivalent to traditional signatures.

4

Currently many countries suffer from a decreasing participation during traditional elections. Low turnout being a problem for the legitimation of democratic systems, the idea occurred to reduce people’s personal cost for participation. Remote voting makes it more comfortable for the voter to cast a ballot. That is one of the reasons why many people see Remote Internet Voting as a big chance for democratic systems in general (especially in participative democracies with a high number of elections and referendums). This leads to the widespread opinion that countries could miss a chance if they do not amend their electoral law through adding the feature of RIV. Fearing they could fall behind, it is often overseen that current systems do not fulfill the requirements of a strict interpretation of the electoral law.

(12)

1 Introduction

the voters’ trust in the election system and its acceptance cannot be stressed enough. As the act of voting has to be regarded as the core of democracy (it represents the most general and simple form of public participation, a fundamental prerequisite of all democratic systems) all attempts of a reform have to be classiﬁed as critical and the discussion accompanying a possible introduction of RIV needs to be lead with the sum of all technical and social arguments taken into consideration.

1.2 Objective of the Paper

While a lot of actions have been taken to enhance voting protocols in order to make them more secure, the technical devices used as interfaces between a voter and the voting protocol have not yet received enough attention. This thesis deals with the issue of insecure client computers used as voting platforms. Currently it represents one of the major obstacles against RIV. Therefore it sketches RIV, describes its most common cryptographic techniques and evaluates its usage in Estonia, Switzerland, the Netherlands, Great Britain and the USA. Subsequently, the thesis picks up the experiences and analyzes the structure of personal computers commonly used as client machines, as well as their risks. Besides exposing the problem, possible ways to make the platforms more reliable, thus trustworthy, are described. As possible security enhancements for voting platforms consist of detective as well as preemptive mecha-nisms, both mechanisms will be presented. Furthermore, by estimating the complex adaptation of these mechanisms, it is tried to give an evaluation of the diﬀerent proposals. In the end, an implementation is recommended which seems to be most promising for the attempt to make client machines a more secure entity.

1.3 Outline

We start with a definition of some important electoral terms leading to a historical description of electoral laws and the voting system currently being used in Germany. Hereby the reader is supposed to get a general idea of the current situation and the development so far. Afterwards the termsAbsentee Voting andVoting Machines will be explained to a deeper extent, since the first one represents an already being used remote voting system whereas the latter describes an alternate type of electronic voting that currently causes quite a stir. These two terms are introduced with the intention of giving a clear boundary definition. After a clarification of the terms

Remote and Electronic Voting the reader is introduced to RIV and the prior is dis-tinguished from the topic of the thesis. In this context the protection goals are listed and the fundamental diﬀerences between Electronic Commerce and Electronic Voting are discussed. Among others the most important cryptographic techniques used in

(13)

1.3 Outline

voting protocols areMixnets, Homomorphic Functions and Blind Signatures. These will be explained in chapter 4 that also deals with speciﬁc communication channels. But while RIV is still a fairly new topic enclosing a lot of unﬁnished construction sites it has already been used several times for real-life elections and thereby lost a little bit from its cutting-edge character. In the next chapter, an overview of countries is given that support such programs, or have run pilots or binding elections over the internet, to present a picture of how widely spread this election type is. Additionally there is a detailed description of the kind of elections RIV is currently used for. Fur-thermore, the succeeding discussion summarizes the lessons learned from practical implementation so far.

Since the infrastructure is the internet which, by itself, is highly insecure, the us-age of cryptographic protocols is fundamental to guarantee the correct functioning of every single element of the digital election (registration, voting, tallying and most definitely recounting). So far many efforts have been made to provide secure commu-nication. Nevertheless, there is one big threat remaining, due to the fact that client computers are highly insecure. Today’s personal computers run standard operating systems and software while users often are not skilled enough to maintain their com-puters in a sufficient way. Therefore there is a high chance that voters’ browsers (or other software, potentially including their operating system) may be compromised and may thus not behave as the user wishes it to (even while deceiving the user into thinking that it is). Generally speaking it has to be assumed that the voting platform is open for all kinds of malicious software (malware) hidden in a piece of software that the user is unaware of, since detection is based on old definitions in a malware dictionary (if detection is used at all) and the actions taken to secure the system are mostly reactive. Since the weakness can be exploited automatically on a large scale it is considered as theAchilles heel of RIV. As a consequence the software could possibly interfere with the voting act by showing the voter a fake ballot and sending a ballot filled in with the intruder’s choice to the election authority. Malware also threatens other protection goals. An attacker could for example follow up on how someone casts a vote. Additionally the voter can be hindered from casting a vote at all. Consequently insecure platforms result in jeopardizing the voting principals when a ballot is cast from them. Highly sophisticated Trojan horses and worms possess this ability. Appearing in stealth mode they can run without being recognized by common virus detection systems. Thereby it becomes evident that a typical computer user is not able to realize whether such code runs on his PC or not.

As an entry point to the principal topic the flaw is described more detailed. While examining the risks of insecure voting clients, the clients have to be distinguished by type because a voting client could be any service access device ranging from personal computers to personal digital assistance devices, or even cellular phones. Since voting clients cover a broad bandwidth in technical specification and in their ways of connecting to the internet, different kinds of attacks might be possible. The

(14)

1 Introduction

discussion will show how the clients diﬀer from each other but will concentrate on personal computer usage for the subsequent chapters.

In order to notice and prevent attacks on voting clients some of the most promising methods are evaluated. The strategies that promise to secure voting clients during RIV include the following.

Voter-verifiable protocols focus on the issue of non-reliable voting systems. In

this context the principles of protocol designs for non-reliable voting machines (Neﬀ, Chaum) and enhancements to optical scan voting (Ryan, Chaum) are explained. Subsequently it is shown to which extent each of them is suitable for a transfer onto a possible usage within RIV and which changes have to be applied.

Code sheets and test ballots, introduced by Opplinger in [Opp02], provide an

interesting possibility to prevent automatic election fraud. Therefore sheets with special codes for each election choice are distributed via a secure channel (e.g. letter post). If each ballot paper is unique a possible intruder cannot fake a ballot, since changing it would presume one knows the mapping between the codes and the election candidates. On the other hand test ballots provide an easy way of testing the proper functioning of the voting system.

The idea behindmultiple casts as introduced by Volkamer and Grimm in [VG06]

does not provide client security. It rather makes up for its absence. By admit-ting repetitive votes a later cast vote could overwrite a previous one which might have been cast coerced or from a hijacked platform. It is obvious that multiple casts must prohibit multiple votes of the same person. It will be shown how this feature could be implemented and discussed whether it fulﬁlls the principle of equality.

Trusted Computing as presented by Alkassar et al. in [ASSV06] is another way

to ensure client safety. The chapter gives insight into the basic functioning of Trusted Computing and shows how it can enhance RIV in a way that turns voting clients providing the necessary hardware into veriﬁable machines. The conclusion of the work provides an analysis of the presented methods. This should answer the question as to what extent they present possible solutions to the attacks that appear through the usage of PCs as voting platforms for RIV. Addition-ally, these methods are reviewed concerning some associated social aspects. Trying to reach the goal of secure client platforms the conclusion closes with an attempted outlook for the utilization of remote internet elections in the nearer future.

(15)

2 Fundamentals of Voting

In the first part of this chapter voting is conceptualized by giving the definitions for an election, an electoral system and a voting scheme. Afterwards the development of voting in Germany is explained. Thereby two important innovations to the electoral practice consisting of remote and electronic voting represented by absentee voting and direct recording electronics are highlighted. Both constitute important changes to the electoral law in Germany. By going into the details it is intended to define the characteristics of different voting schemes in contrast to each other. This is particularly important because electronic and remote voting show two of the main characteristics of RIV.

2.1 Definitions

2.1.1 Election

Elections can be deﬁned as the democratic method to appoint people to entities of representation and executive positions [Noh07]. Their usage ’may well be the best possible approximation to popular control of government that can be achieved in modern, industrialized mobile mass society’ [Mil72]. In this context the citizens in a given society periodically have to answer the question who should be selected to govern for a period of time. Elections serve the purpose to obtain accurate data rep-resenting a set of participants’ answers to this question. In eﬀect one vote can be seen as a single participant’s answer to this question in its physical representation. It con-sists of a selection, generally from a predetermined set of answers, called candidates. But, depending on the set of rules that regulates the election, the selection can also be independent of a default list. This is also known as a write-in vote. Ballots are groups of questions combined into a certain structure. Each question of an election is refered to as a single race. The electoral law includes legal requirements that organize elections. For example it consists of legal requirements that regulate the eligibility of participants in an election. Every person entitled to participate is called a voter.

(16)

2 Fundamentals of Voting

2.1.2 Electoral System

An electoral system includes the mode by which the voter can express a political preference and of how the vote is translated into decisions regarding the occupation of mandates and the composition of representative conventions. In case of parliamen-tary elections an electoral system translates the data of votes by specific measures into parliamentary seats. In a narrow interpretation it regulates this process by lo-calizing constituencies, defining the rules of candidature as well as vocalization and committing to the accounting of votes [Noh07]. In a wider interpretation it can also affect matters of the voting scheme. Majority and proportional vote are commonly referenced as two examples for different electoral systems.

2.1.3 Voting Scheme

As described in [Sta05] voting schemes are commonly refered to as protocols that define the procedure which turns cast votes into a final tally. As a result the term can also be interpreted as any method that can successfully manage an election. Doing so, voting schemes can be differentiated by their technical nature. On the one hand traditional voting schemes are schemes such as ordinary paper ballots, mechanical recording machines and punch-card ballots. Absentee voting as described in Chapter 2.2.2 is seen as a traditional voting scheme as well. By contrast electronic voting schemes use electronic devices to conduct an election. Direct recording electronic

machines as introduced in Chapter 2.2.1 and RIV as presented in Chapter 3 can be classiﬁed as such. The categorization of speciﬁc voting schemes can be seen in Figure 2.1. Voting Schemes Traditional Voting Electronic Voting Paper Ballots Mechanical Recording Machines Remote E−Voting Poll Station E−Voting Absentee Voting Internet Voting DRE Machines

(17)

2.2 Voting in Germany

The ﬁrst use of paper ballots to conduct an election appears to have been in Rome in 139 BCE. Nevertheless many forms of voting have been practiced since then. We will now give an overview of the electoral system in Germany followed by the main aspects related to the development of electoral law.

In addition to the elections for the European Parliament Germany has parliamen-tary elections of universal kind for the Bundestag (the state parliament), in each of its federal states, and for the parliaments of cities, counties and boroughs. Further-more direct elections are practiced for the appointment of district administrators and mayors (local elections).

Altogether the operation of elections is organized by the electoral laws that can be found in the Constitution, Bundeswahlgesetz (federal election law) and Bun-deswahlordnung (federal electoral regulations on the national level and similar laws on the state level). Thereby the electoral system of Germany includes personalized proportional representation which is a mix between proportional representation and majority vote with the proportional component being the overall decisive factor. Half of the members of the Bundestag are elected through a majority vote (one candidate for each electoral district). At the same time the citizens can use their second vote for a party of their choice. The overall strength of parties represented in the Bun-destag exclusively results from the number of nationwide cast second votes [vP03]. The parliamentary elections are carried out in obedience to the principles named in the German Constitution (Art. 38 GG). These require the elections to be

universal: No citizen should be excluded from her right to vote.

direct: No intermediates, e.g. deputies, are assigned to vote in someone else’s

name.

free: Neither governmental nor any other coercion is allowed. This should

assure a free choice between competing parties.

equal: All voters have the same amount of votes which are equal in weight. secret: The voter’s decision, represented by a voter marking his choice on a

ballot, is conﬁdential. Open and public votes are invalid.

Unlike other countries (e.g. Belgium, Luxembourg) the electoral law of Germany doesn’t commit the citizens to vote (compulsory voting). The possibility to vote is rather seen as a basic right. It is usually controlled by a speciﬁc voting district where the citizen is registered. Therefore eligible voters are listed in special registers maintained by the local authorities.

Besides parliamentary elections Germany knows a variety of non-parliamentarian elections, amongst others for workers’ councils, universities’ boards and governing

(18)

boards of social security institutions. The decision-making abilities of these boards are altogether very limited. This is the main reason for less strict requirements during these elections.

Before the principles of democratic elections (as named above) became widely ac-cepted there were a number of different electoral laws. Prussia, for example, intro-duced a three-class system of voting in 1849, where the voting population was divided into three groups with a different weighting of votes. The allocation to a certain group depended on the citizen’s income and the taxes he paid. The election was conducted in public and oral and by these means was not secret. Furthermore it was indirect since electoral deputies were elected. In 1918 it was abandoned. Universal female suffrage was, similar to universal manhood suffrage, established in a step-by-step process.

Taking a look at the history of voting shows that the situational context and formal design of how we vote has always been a controversial topic. Electoral regulations tend to influence who votes, how we vote and also affects the outcome of elections. Indications for this not only exist within the central questions of electoral law in the 19th century (whether or not open or secret elections should be conducted and, if at all, votes should be counted equally). Historic examples reach from the conse-quences of ostracism1 _{in ancient Greece to}_{viva voce}2 _{in medieval England and USA} and the permission of voting machines in Scandinavia in 1950’s. Electoral laws are rarely neutral. Instead they always favor certain actors and discriminate others. Each amendment of electoral laws led to political rejections and changed the voting behav-ior. But even though new benchmarks of political and technical development came up within the past hundred years the typical way of how elections are conducted has hardly changed since the last reformation of electoral laws. With the introduction of polling booths and theAustralian Ballot3_{, the system of voting in which voters mark} their choices in privacy on uniform ballots, printed and distributed by the government or designate their choices by some other secret means, the evolution of the voting act seems to have found its climax [Dom07]. The usage of paper and pen, counting of votes by hand and voting in the domestic voting district are still best practice. But despite the stability the electoral law highly depends on the changing political and constitutional developments. Between 1956 and 2002 the German electoral law was modified by 34 amendments that document the continuing need for changes4_{. Some}

1

Aristotle claims Cleisthenes was responsible for the institution of ostracism. It allowed the citizens to send a fellow citizen into temporal exile if he was getting too powerful. The term ostracism was derived fromostrakon, the Greek word for a piece of broken pottery on which the citizens wrote the name of their candidate. [Car07].

2

Viva voce describes the practice of voting by publicly calling one’s election choice during a con-vention of voters [Jon03].

3

Victoria and South Australia were the first states to introduce ballot secrecy in 1856.

4

(19)

of them are of great importance such as the introduction of the absentee vote in 1956 and voting machines in 1975. While absentee voting lowers the personal cost the governmental operation of voting machines tries to simplify and speed up the tally-ing process. The combination of both, an automated counttally-ing and more comfortable vote cast clearly points in the direction of RIV.

2.2.1 Voting Machines

Voting machines are usually the first thing that comes to one’s mind when hearing the term electronic voting. Basically RIV and voting machines have in common that they both make usage of electronic devices (terminals) as an interface between voter and ballot. Voting machines can be defined as being standalone technical devices used to define ballots, to cast and especially to count votes, and possibly to produce some audit trail information - all done by a single machine. The first machines were mechanical but nowadays it is common to use electronic voting devices. Voting ma-chines are most often referenced as mama-chines withdirect recording electronic (DRE). After the election they produce a tabulation of the voting data stored in a remov-able memory component (and eventually as printed copy). Elections for the German Bundestag and for the European Parliament are only legal if conducted with ’stand-alone’-devices. That is to say voting machines can only be part of a local network at the polling station. They can’t be connected to a countrywide network where the election results are sent to a central tallying server [oG07c].

According to the promoters of voting machines the benefits include a higher accu-racy, faster results, lower costs, easier voting for disabled people and the elimination of invalid votes. Problematic is the fact that the usage of voting machines puts important steps of the voting procedure inside a black box. Thereby the positive aspect of having a public verifiable election is eliminated. Most people cannot re-construct what happens to the votes inside the machine and how the results are calculated. The integrity of an election highly depends on the proper functioning of the devices and their security against manipulation. Everybody has to rely on the ability of experts who test the source code and analyze the components. In Ger-many the law for voting machines regulates the procedure of accreditation [oJ07]. It assigns the National Metrology Institute providing Scientific and Technical Services (Physikalisch-Technische Bundesanstalt) with its duty to control the compliance of the following requirements:

correct implementation of the voting process secure storage of cast ballots

guarantee of privacy

(20)

correct counting of cast ballots usability of the machines

secure and long-lasting construction security in case of malfunction

insensitivity against mechanical, climatic and electro-magnetic environmental

inﬂuences

However, the institute does its testing only on a sample machine. All others are distributed by the vendor directly. A further point of criticism is caused by the fact that recounting of electronically cast votes is often not practicable due to the lack of voter verifiable paper trails (VVPT). The lack of transparency is another disadvantage. While traditional elections allow the voters to observe the tallying process DRE so far does not oﬀer this feature. This illustrates a serious problem of DREs especially looking at real-life deﬁciencies throughout elections like the ones during the elections for the US-presidency in 2004. The result of Florida included an electronic miscount of 18.000 votes [Kru07]. So far methods of audition are not intended by most voting machine producers. We will cover this topic to a deeper extent during Chapter 7.

Recently DREs have continually failed to provide the standard of a trustworthy voting system. A security check of electronic voting machines by computer scientists of the University of California uncovered more than a dozen security risks throughout all tested machines. A team of experts was assigned by the California election super-visor with the investigation of eight already used and certified e-voting-systems from market-leading companies (such as Diebold, ES&S, Hart Intercivic and Sequoia). The scientists uncovered severe security problems and required massive system-updates on hardware and software prior to a possible recertification. In a decision issued in August 2007 the Secretary of State withdrew the certification of all vendors for the time being [oS07]. Other countries have completely abandoned the usage of voting machines. In 2006 Italy already stopped all ongoing projects with voting machines due to irregularities discovered during its parliamentary elections at the beginning of the year [Zie06]. The most recent decision was taken in the Netherlands. After the Dutch group ’Wij vertrouwen stemcomputers niet’ and the German ’Chaos Com-puter Club’ published alarming facts that showed how easy it is to reconfigure the machine by exchanging the Erasable Programmable Read Only Memory (EPROM)5 the dutch government was in doubt whether voting machines could be safely used. An appointed commission was supposed to investigate this topic. Amongst other things the authors of the final report criticized the lacking of VVPT in a final report and

5

Since the EPROM stores the voting software, this attack illustrated the infiltration of a voting system with a manipulated software. If designed properly, this software has the potential to effect the counting without election officials noticing.

(21)

advised to reconsider the ’Regulations for approval of voting machines 1997’. There-after the Secretary for the Interior immediately announced that the certiﬁcation will be withdrawn [Com07a].

2.2.2 Absentee Voting

While talking about remote internet elections absentee voting is sometimes used as a reference. This is because both are conducted in a remote way. Supporters of an absentee vote argument with its smooth introduction and the high acceptance within the population. At the same time opponents fear the reinforcement of problems related to the loss of privacy.

Traditionally the deﬁnition of an absentee vote is that it is cast by a citizen who is unable vote at his regular polling place on an election day. As a result it is independent of time and location of the presence demanding election using a ballot box. Since the postal way takes its time absentee voting can also be referred to as voting in advance. Absentee voting was established in Germany in 1956 with the introduction of the federal election law and ﬁrstly used during the Bundestag elections in 1957 [Jes03]. The voter is required to apply for the absentee vote after receiving the polling card. But the ballot paper will only be sent to citizens who

1. cannot be in the voting district on the day of election due to important reasons. 2. moved to another voting district after the time period of electoral registration

has started.

3. cannot attend the election due to professional reasons, illness, high age or phys-ical problems.

Since these reasons are not checked anybody may proclaim that this is the case. Absentee voting as a deviation from the strict requirements of the personal election is interpreted by the Federal Constitutional Court (FCC) as a thorough hole of this principle. But at the same time it considers it as being consistent with the consti-tution. In the decisions of the FCC concerning absentee voting in 1967 and in the second judgment 1981 the possibility of absentee voting was strengthened. For groups of people who cannot attend on election day due to reasons as stated above should exist the possibility of an absentee vote if they can be accredited. Nevertheless, the absentee ballot should remain the exception [Feh07].

The decisions of the FCC took place at a point in time where just a little portion of voters (1957: 4,9 %, 1980: 13 %) preferred this procedure. But the percentage of absentee voters increased steadily: 1998 the percentage was 16 and in 2002 almost

(22)

every ﬁfth eligible voter made use of it. In large cities like e.g. Munich (31 %) and Hamburg (28 %) it cannot be called an exception anymore [Ker04].

During the previous chapter the terms election, electoral system and voting scheme were deﬁned. In addition they were applied to Germany by giving some background information about held elections, amendments of the electoral law and thereby af-fected voting schemes. As demonstrated the biggest impact on voting was caused by amendments of the electoral law that included absentee voting and DRE machines in the process. Illustrating the characteristics of these systems revealed hints that yield in the direction of a stronger application of RIV in the future.

(23)

3 Remote Internet Voting

In this chapter RIV is defined by assembling its different elements. They are described before the details of inevitably required protection goals are addressed. While e-commerce and online-banking became widely accepted in our society many people tend to believe that if they are possible RIV must be possible, too. This prejudice is clarified in sequence.

3.1 Definition

RIV combines the characteristics of electronic, online and remote voting schemes. The main diﬀerence between traditional and electronic voting (e-voting) consists of the respective underlying scheme. E-voting scenarios map the process of voting onto digital technology. Technologies are DRE machines (voting machines, optical scanners and voting pens) and RIV. The phases of digital voting scenarios are quite similar to the traditional approach. In the preparation phase voter and candidate lists need to be prepared, ballots have to be designed and the according infrastructure is set up. The next phase consists of registration where voters are obliged to register and proof their identity before being admitted for voting. This procedure is optionally and its details depend on the election law of a country. During the voting period voters cast their ballots after authenticating themselves. In the end the votes are counted, the tally is prepared and ﬁnally published.

Per deﬁnition the usage of voting terminals connected to a network as well as the casting of votes that are transferred to another computer where they are stored and counted is called online voting [oG07b]. It represents a specialization of e-voting. In reference to [Ins01] three diﬀerent groups ofonline voting are distinguished depending on where the voting terminals are located:

Poll site-voting system: The terminal is located in a safe environment like a polling station. In contrast to voting machines the terminal sends the results to a server for further counting. Since polling stations are staﬀed the voting terminals used here are administrated.

Kiosk e-voting system: The terminals are computers/ATM-like machines with spe-cial hardware and are situated at ﬁxed locations (e.g. kiosks, libraries). For

(24)

3 Remote Internet Voting

this reason the system does not provide the same convenience as the cast of a remote vote. The machines are not under permanent staff-control but they are assumably protected against the problems that voters’ private computers have (for example insufficient prevention of attacks through a lack of security mechanisms) because the software that runs on kiosk systems is most likely unaccessible. The configuration is provided by administrators instead.

Remote Internet Voting System: This type of system allows voters to cast their votes from any computer or digital device connected to the internet or to a private network, typically from home or at work. Devices such as personal digital assistants, personal computers, mobile phones and even game machines could be used to access these systems.

Remote voting is characterized by the fact that voters do not have to visit a special location to cast a vote. Instead voters get the possibility to vote from wherever they are. This lowers the personal cost for the voter1_{. But to make this possible a reliable} communication channel is required. Absentee voting is the traditional application and uses postal mail for its purpose. The internet oﬀers diﬀerent communication channels. Regardless of the channel, remote systems demand from the voter to vote in a responsible way that eliminates coercion and guarantees privacy. It is safe to say that in the context of online voting poll-site voting does not represent a remote voting system. The kiosk e-voting system partly shows characteristics of a remote system, but only RIV distinguishes clearly enough from presence voting. A categorization of the named voting systems by the terms presence and distance voting is shown in Figure 3.1.

1

’The cost factor that might be reduced is the time and effort that it takes to go to the electoral office and cast a vote in person. However, there are other cost factors involved in electoral participation, most noteworthy among them being the time and effort that it takes to acquire subjectively sufficient information to cast a ballot. Those other costs seem to remain unaffected by e-voting’ [Sch02]

(25)

3.2 Protection Goals

Presence Voting Distance Voting Traditional

Voting

Electronic Voting

Voting through polling box Mechanical Recording Machines

Absentee voting

DRE Machines

Networked Voting Machine (voting at polling station)

Kiosk e−voting system

Remote Internet Voting

Figure 3.1: Categorization of vote classes - Source: modiﬁed from [VK06]

For RIV generic computers serve as voting platforms by running some kind of voting software plus various other possibly insecure software on top of a more or less stable operating system. Chapter 7 talks about the platform’s structure and the resulting security problems. It is obvious that these problems are beyond the control of electoral administrators. Naturally they aﬀect the security required by the guidelines of electoral laws that remain a prerequisite for RIV as well as for all other possible types of voting used during elections.

3.2 Protection Goals

In order to assure the political election principles mentioned before RIV needs to achieve a variety of protection goals. The following security requirements for remote internet voting systems are the most important ones for the further course of this thesis [SP06]:

Eligibility: It is necessary that only valid voters are eligible to vote. The

pre-determined criteria for eligibility depends on the election law of each country. The voting system has to verify the voter’s validity and ensure that each entity can cast only a permitted number of votes.

Anonymity: Anonymous voting achieves privacy and prevents the

identiﬁca-tion of a voter from his vote. As a pre-condiidentiﬁca-tion it has to prohibit the trace-ability between vote and voter.

Coercion resistance: A voting system is deﬁned as coercion resistant if it is

infeasible for a voter to cooperate with a coercer and prove to him that he voted in a certain way, abstained from voting, or disclose his secret keys.

(26)

Accuracy: Accuracy requires the voting system to be error-free. Theefore the

voters’ ballots have to be cast as intended and counted as cast during tallying. Modiﬁed, duplicated or erased votes are not tolerable.

Robustness: The voting scheme has a limit of tolerance by which minor

tech-nical errors can be tolerated.

Correctness: Every valid vote, no matter how it was cast, has to be included

in the ﬁnal tally and counted correctly (of course only if it is not a repeated vote).

Verifiability (universal and individual): The voters’ trust in a voting

sys-tem is a prerequisite for the acceptance of the results. Creating trust in the integrity of a voting system requires an independent verification along each translation step of the election. Universal verifiability requires that anyone is able to verify the correctness of the voting process and its result, whereas in-dividual verifiability convinces each voter that his personal vote was correctly recorded.

Usability: The design of a voting system has to consist of intuitively and easily

usable interfaces and needs to render a usage possible for handicapped persons. In the course of this thesis it can be seen that insecure voting platforms especially affect the goals of anonymity, accuracy, coercion resistance and correctness. For this reason and the additional goal of transparency during the election voting systems strongly benefit through verifiability. Nevertheless receipt freeness additionally plays an important role because individual verifiability usually comes along with receipts.

Receipt freeness: The voter has to be prohibited from gaining certain

infor-mation (refered to as a receipt) that might be used by him to prove his voting decision to an attacker or coercer.

To be consistent with legal principles all of the requirements have to hold during the entire election, including voting clients, the communication channel and voting servers. While the single requirements are achievable, there is no protocol up to date that fully meets all the said requirements at once.

Obviously some of the named requirements seem to be at odds with each other. For example it is not obvious how anonymity and veriﬁability can be achieved at the same time. [Smi05] shows how some of the desires are simultaneously achievable while seemingly being incompatible.

In order to realize safe voting schemes clearly deﬁned rules of communication be-tween the involved entities ensure the treatment of requirements. Voting protocols play this role by making use of standardized guidelines regarding syntax, semantics and synchronization of the data transfer. The least ambiguity threatens the cor-rectness of the entire election. The fundamental cryptography of voting protocols

(27)

3.3 E-Voting versus E-Commerce

exceeds the one of traditional communication protocols since its requirements are signiﬁcantly stronger. The cryptographic primitives are explained in Chapter 4. Al-together research on protocols has reached a stage where important requirements like correctness, robustness, anonymity, coercion resistance and veriﬁability are possible.

3.3 E-Voting versus E-Commerce

Today ﬁnancial transactions to the amount of millions of dollars are made via the internet. It is a common and widespread opinion that it should be also possible to use the same medium for digital voting as well. Thereby it is often overseen that digital voting and digital commerce show fundamental diﬀerences. For this reason it does not make sense to transfer the feasibility of e-commerce onto remote e-voting. There are several reasons for this (see [Riv02] for more details):

Financial transactions are performed online, but there is always a separate

oﬄine process for checking them and for correcting any errors detected (the buyer typically gets a transaction receipt). Since this is not the case for e-voting so far, the prevention of fraud and error, while having no chance of retroactive correction, has to be guaranteed.

Electronic commerce includes the possibility to dispute a transaction if

some-thing did not work correctly. With e-voting in contrast there is always a deadline that has to be met. Disputing an election requires many objections commonly settled in court.

Concerning electronic commerce, the involved parties can be identiﬁed by

trans-action records. This is substantially different from electronic voting where the cast of a ballot should in no way identify the voter, as this violates the voter’s privacy and anonymity. Furthermore, this would subject them to coercion. The profile of an attacker in the electoral scenario is much different from such in e-commerce. People that aim at making some quick cash by manipulating transactions certainly have to be skilled. But their profile is definitely lower compared to some foreign power with its intelligence apparatus and serious funding. They are motivated by the ability to change the outcome without anyone noticing. Among others the adversaries of an election system are foreign governments with powerful interests at home and abroad.

(28)

En route to a definition of the term RIV this chapter explained the character-istics of remote, electronic and online voting schemes. Similar to absentee voting the voting process is uncontrolled regarding the enforcement of privacy during RIV. Importantly, the private voting platforms of a RIV system are uncontrolled as well. In this context the protection goals were defined. In order to achieve secure client machines anonymity, accuracy, correctness, coercion resistance and verifiability are of particular interest. Finally the fundamental differences between remote e-voting and e-commerce were pointed out.

(29)

4 Cryptographic Techniques

The voter’s anonymity and authenticity are important protection goals during vot-ing. But anonymity is far from being a standard feature while communicating over the internet. An eavesdropper can for example reveal the origin of electronic cor-respondence by observing the internet traﬃc and correlating it with the originating IP-address. Later on, the identity of the originator can be determined by tracing back the IP to an individual user. However, voting protocols rely on the anonymity of the voter. In this respect, this chapter deﬁnes some requirements for the communi-cation channel before the functioning of important cryptographic measures for their achievement is illustrated. These are mixnets, homomorphic encryption and blind signatures. For a better understanding of these measures some knowledge of the ba-sic cryptographic principles (public key cryptography, hashes, digital signatures etc.) is advised. For a detailed explanation the reader is refered to [Buc04].

4.1 Requirements for Communication Channels

4.1.1 Anonymous Channel

The characteristic of an anonymous channel is that it guarantees anonymous commu-nication. Voting scenarios especially require anonymous voters. In eﬀect, the recipi-ent of a casted vote cannot detect the idrecipi-entity of its sender. Methods for achieving this type of communication will be illustrated in the following chapter. As noted by [Rja02] it is important that an anonymous channel does not have to be untappable.

4.1.2 Untappable Anonymous Channel

In contrast to the prior a further requirement is added here. This is the physical security of the transmission of a message. As a result no one should be capable of in-tercepting the transmission of a message and of sharing the content of a message with a third party. In practice, the implementation of untappable anonymous channels is

(30)

4 Cryptographic Techniques

hard because it would require perfect secrecy1_.

4.1.3 Public Bulletin Board

Generally an electronic bulletin board is a possibility to make information publicly readable. In the context of RIV it enables different forms of verification. If a voting protocol’s definition requires proofs of correctness to be posted on a bulletin board, everyone might double-check if their votes were cast as intended. But while everybody can read the postings it is important that write access is exclusively given to certain registered and authorized users. These users can write to an assigned personal area whereas the deletion of previous postings is prohibited. Besides universal verification, bulletin boards enable access control (before information is posted in the user’s area it is verified) and provide communication channels between participants. If used for voting schemes bulletin boards typically display the information through the usage of web servers.

4.2 Building Blocks of RIV

4.2.1 Threshold Encryption

Threshold encryption describes a possibility to reconstruct a secret from the shared knowledge of several participants in a fault-tolerant way. Doing so one can lower the probability of an unauthorized person gaining access to sensible information because there is no need in trusting a single person. As described by Shamir in [Sha79] threshold encryption can be very helpful in the management of cryptographic keys. On this account it is an important measure to assure a more robust tallying process for RIV.

According to Shamir a (t, n) threshold scheme is required to divide the secret data D inton shares D1, . . . , Dn such that

1. the knowledge of any t or more pieces Di, where i ∈ 1. . . n, makes D easily

computable.

2. knowledge of any t−1 or fewer Di pieces leaves D completely undetermined

(in the sense that all its possible values are equally likely). 1

LetM be the set of plaintexts, K the set of keys and C the set of ciphertexts. An encryption scheme E _: M _→ C _{is unconditional secure (perfect secure) if} P₍m_|c_{) =} P₍m_{) holds for all} m_∈M _{and all}c_∈C _{and if the probability distribution of the keyspace is of equal distribution}

(31)

4.2 Building Blocks of RIV

The threshold factor t determines the smallest number of shares necessary for the reconstruction. The cooperation of t participants is suﬃcient to reconstruct the secret whereas less than t of the shared secret carriers have no chance to obtain any relevant information about the secret. As a result the choice of the parameterst and n determines the strength of the system.

It is assumed that the definition of a polynomial of degree n requires n+ 1 points. In order to share a secret S with a (t, n) threshold scheme it is necessary to produce n shares. The first step consists of choosing t−1 coefficients

a1, a2, . . . , at−1.

The secret S is considered to be a number and used as the coeﬃcient a0. Next the polynomial can be built as

f(x) =a0+a1x+a2x2+· · ·+at−1xt −₁

.

Now the shares that are given to the participants can be calculated by constructingn points of the polynomial. Using the valuesi= 1, . . . , nthese are retrieved as (i, f(i)). For the reconstruction of the secret any subset of t of these pairs are suﬃcient to determine the coeﬃcients of the polynomial by interpolation.

4.2.2 Mixnets

Mixnet-schemes as presented by Chaum [Cha81] are intended to establish anonymity for the originator of a message. Besides the establishment of an untraceable email sys-tem mixnets can be used for achieving anonymization of web traffic. For anonymous channels the purpose of achieving anonymity during RIV is of particular importance. We will now explain the functioning of a simple mixnet-scheme and enhance it with encryption functionality. For proofing the correctness of mixnets a survey of verifiable mixnets is added.

The goal of a mixnet scheme during RIV is to create anonymity for the voter. Under normal circumstances messages sent over the internet contain information about their origin. Mixnets reshape the communication between sender and receiver to make it unlinkable. The idea is straightforward and can be described by an analogy. Let’s imagine ten people putting boxes of the same size, color and weight into an intransparent bag. Next, it is laced up and shaken with the boxes still being inside. It is clear that afterwards no one can tell which box belongs to whom. A mixnet works very similar by re-ordering a batch of received messages. In order to prevent unique messages from being recognized, all messages have to be transferred into uniform appearance ﬁrst. To this end, short messages are stuﬀed with random bits until they reach a certain length. Larger messages have to be divided into shorter fragments.

(32)

Additionally the messages are encrypted. Otherwise sender and receiver could be identified by simply looking at the headers of the messages. Next, the batch is shuffled randomly by a mix. If a proper permutation of the received input2 _{is applied} before resending the output the first step is taken. Now the output batch differs from the incoming in order of appearance of the elements (Figure 4.1). Additionally the elements of the batch cannot be distinguished. That way an adversary who observes the communication cannot reveal the identity of the messages.

m1 m2 m3 m4 m5 m6 m2 m4 m1 m6 m5 m3

Figure 4.1: Functioning of a single mixnet server - Source: modiﬁed from [Wag06]

But so far the reached anonymity depends only on one single mix. This is not satisfying because the permutation can be easily annulled by a corrupt mix-operator. To avoid the possibility of revealing the mapping between input and output further mixes are needed to form a mixnet. This helps to maintain the original goal of anonymity while not having to trust a single entity. In consequence a chain of several servers is needed.

There are n mixes in the mixnet, where πi is equivalent to a single mix with

i= 1, . . . , n.

π′

=π1◦π2◦...◦πn.

The resulting mixnetπ′

represents the n-fold concatenation of mixes. In the formula above ◦represents the concatenation of two mixes. It is obvious that the connection between input and output of the resulting mixnet can only be restored if every sin-gle server πi out of the n mix servers is corrupted and willing to reveal its secret

permutation.

Decryption mixnets require the participants to run a special software that encrypts the message that is supposed to be anonymized multiple times. The number and order of encryptions depends on the number of involved mixes and their sequence. Originally this is achieved by encrypting each message with the public keys of all mixes during an initial encryption phase. Then each mix ﬁrst partially decrypts and

2

For the functioning it is not important what the content of the communication is. For example it can consist of messages or HTTP-requests.

(33)

then mixes the messages it permutes. Mix by mix one layer of encryption is peeled off until the final mix restores the original cleartext. In Figure 4.2 the input of the mixnet consists of six messages, where each E(m) represents a multiple encrypted message. The intermediate mixes can neither see the plaintext nor the original sender and final receiver of the messages. All they learn is the address of the following mix. After the batch is finally processed by alln mixes the communication is anonymized. As a result the output batch does not correlate with the input batch anymore.

E(m1) E(m2) E(m3) E(m4) E(m5) E(m6) mx mx mx mx mx mx Mix 1 ... Mix n Mixnet

Figure 4.2: Decryption mixnet - Source: modiﬁed from [Wag06]

Withinre-encryption mixnets each mix mixes and additionally reencrypts its input before resending. The idea behind is the fact that without reencryption the resulting messages do not change. This makes it easy to recover the voter related to it. Our concern is an implementation for protocols of RIV where the tallying is conducted in the end. In between mixing and tallying the decryption has to take place. [RS06] explains how a re-encryption mixnet can be implemented by using a Threshold El-Gamal Cryptosystem where all authorities responsible for running the mixnet jointly generate the system parameters using a distributed key generation protocol. In the end, the encrypted ballot in the ﬁnal output can only be decrypted if all authorities participate in this.

Verifiable Mixnets

The integrity goal is that all plaintexts at the input of the mixnet yield the same decrypted ciphertexts at the output of the mixnet. To prove this goal a mixnet operator would have to reveal all of the secrets like practiced permutations and used keys. This would destroy the established anonymity that was just achieved by setting up the mixnet. To serve the original purpose while reaching veriﬁability without giving away the secrets one can make use of a zero-knowledge interactive proof (ZKIP) as presented in [Buc04, Wag06]. To show correct functioning every mix-server would have to participate in such a ZKIP to proof.

A ZKIP has the requirement that the veriﬁer does not know a secret the prover possesses. The goal of the prover is to convince the veriﬁer of his knowledge of the

(34)

secret without revealing it. The most important aspect of a ZKIP is that for the veriﬁer it can be mathematically proven not to have learned anything about the secret while becoming totally convinced of the prover’s knowledge of the secret. In practice, a ZKIP must have an eﬃcient run-time to be seriously considered.

One implementation of a ZKIP for mixnets is given through randomized partial checking. Based on the usage of two mixing rounds it is made possible to uncover half of the connections and still verify the correct functioning of the server. While going down the intermediate messages of each mixing server (represented by the middle column) the veriﬁer randomly chooses whether to uncover the left or the right mixing round. This procedure is illustrated in Figure 4.3. As a result, randomized partial checking allows to audit the server while maintaining the achieved anonymity. For a deeper discussion of randomized partial checking and veriﬁable mixnets the reader is refered to [JJR02] and [Che07].

Teller L L R L R L from Teller to Teller i−1 i+1 i

Figure 4.3: Audition of teller i - Source: modiﬁed from [CRS04]

4.2.3 Blind Signature Schemes

Conventional digital signatures succeed in creating secure authentication. After a message was signed a verifier can verify the signed message with the public key matching the private signature key. For successful verification of the signature the result needs to match the plaintext. Since this mechanism reveals the identity of the signer it is not ideal for a usage during RIV. As first mentioned by Fujioka et al. [FOO93], blind signatures make anonymous authenticity possible by including a couple of additional steps. An analogy can be seen in a message sealed in an envelope and additionally including a sheet of carbon paper. The originator puts the envelope into another envelope that is passed to a trustee with administrative functionality. The trustee takes off the outer envelope. The inner envelope has the address of the originator written on it. Thereby the trustee can decide whether the originator is eligible to be authenticated. If so, the trustee signs the envelope on the outside of the envelope. Of course, the carbon paper passes the signature down to the message. Since it is invisible what is inside, the signing of the message happens blindly. Afterwards the message is returned. After unblinding by removing

(35)

the envelope the sender gets a message signed by the trustee. Blinded signatures are the digital equivalent of this procedure. In the case of a voting scenario, the message is of course a ballot. It can now be ﬁlled out and returned to a tallier.

According to Chaum [Cha83] blind signatures require

A signing function s with a publicly known inverse s’ so that s

′

(s(x)) = x. Additionally it should not be possible to derive s from s’.

A blinding function b with an inverse b’ such that b

′

(s(b(x))) = s(x). It is important that b and b’ are only known to the originator. Furthermore, it is important that s and b(x) reveal nothing aboutx.

As one example, RSA can be used as a procedure for blind signatures. Traditionally, the RSA signature is built as follows

md _mod_n

where d is the secret factor, n the RSA module and m the plaintext message. The matching public factor is called e. The calculation of d and e requires that the following holds3_:

de ≡1 modn (4.1)

For a blind signature a random factor r (with r ∈ _Zn), is used that is a relative

prime ton. Therefore the greatest common divisor (gcd) of both has to be equal to one.

gcd(r, n) = 1

Next the blinding factor bf is calculated by taking r to the power of e.

bf =re

In order to blind the message the voter multiplies the message with the blinding factor.

m′

≡m·re _mod_n

Then the voter sends m’ to the signing authority, where it is signed with the corresponding private key.

3

(36)

s′

≡(m′

)d_mod_n

The resulting s’ is equivalent to the signed inner envelope. It is returned to the originator. To remove the envelope the voter multiplies s’ with the inverse of r.

s≡s′ ·r−₁

modn

The voter has now succeeded in obtaining the true signature s of m. As a result, the voter’s message has a signature the voter could not have constructed on his own because it is subject to the signer’s secret key d. The scheme’s security is subject to the hardness of factoring module n into its primes. The signature scheme isblind

since r is random. It does not allow the signer to learn about the message even if he can solve the underlying hard problems.

Because of (4.1) the correctness of the above assumptions can be shown: s≡s′ ·r−₁ ≡(m′ )d_·_r−₁ ≡md_·_rde_·_r−₁ ≡md_·_r_·_r−₁ ≡md_mod_n

As mentioned above, RSA relies on factoring being mathematically hard. New forms of computing as well as the ﬁnding of an easier mechanism to solve this problem might eventually make classic cryptographic mechanisms useless. For information about blind signature schemes based on the hardness of other problems the reader is refered to [Nau07]. Further information about implementing blind signatures can be obtained from [FOO93].

4.2.4 Homomorphic Encryption

Homomorphic encryption for anonymous voting was introduced by Benaloh [Ben87]. The basic concept is to publish the signed and encrypted ballots together with a proof of validity. After the verification of signature and proof an encrypted sum of all votes can be obtained by taking advantage of the homomorphic property. Afterwards, the final tally can be decrypted by the tallying server. This procedure effectively hides the contents of the original ballots while providing apublicly computable tally.

A homomorphism is the mapping between two algebraic structures (e.g. groups, rings or vector spaces) preserving the original structure. Several diﬀerent homomor-phisms are known. The most well-known is the group homomorphism with the basic rules as deﬁned below.

Let (G,⊕) and (H,⊗) be two groups. Now a function h : G→ H is needed such that for allu and v inG it holds that

(37)

h(u⊕v) =h(u)⊗h(v) .

From this property, one can deduce that h maps the identity element eG of G to

the identity element eH of H, and it also maps the Inverse of G to the Inverse of H

in the sense thath(u−1

) =h(u)−1

. Hence one can say that h ’is compatible with the group structure’.

As an example (R,+) and (R+,·) are chosen as our groups andex _{: (}

R,+)→(R+,·) as the function that transfersR into R+. Now the following equation has to hold.

∀u, v ∈R:

eu+v ₌_eu_·_ev

For the sake of completeness, two things have to be added: We have to show that the identity element exists in both groups and that the encryption maps the Inverse ofRto the Inverse ofR+. Here, the identity elementeR+ = 1 and the identity element

eR = 0 (since adding 0 and multiplying with 1 simply has no eﬀect for the members

of R and R+). 1. e0 ₌_e0_·_{1 =}_e0_·_e0_·_(e0₎−1 =e(0+0)_·_(e0₎−1 =e0_·_(e0₎−1 = 1 2. e(−_m₎ =e(−_m₎ ·em_·_(em₎−1 =e(−_m₊_m₎ ·(e0₎−1 =e0_·_(e0₎−1 = (e0₎−1

Now let M be the group of all plaintext messages (or ﬁlled-out ballots) with the group operation∗. AnalogousC is the group of all encrypted messages with the group operation•. An encryption scheme is called (∗,•)-homomorph if the following holds for all plaintexts m∈M, encryption functions E, keysk and encryptionsE(m)∈C.

∀m1, m2 ∈M :

E(m1∗m2) =E(m1)•E(m2)

The homomorphic encryption can be illustrated by using RSA as the encryption function.

For (M,·) letM be the set of plaintext messages. The group order here is|G|=n. Encryption with public key e transfers M into (C,·), the resulting set of encrypted messages. Again, m1, m2 ∈ M represent two plaintext messages with the matching encryptions c1, c2 ∈C:

(38)

Then the multiplication of the encrypted messages is an encryption of the multiplied plaintext messages:

c1·c2 =m1e_·_m2e _mod_n

During this example the operations of both groups are deﬁned as multiplication by components. Indeed can ⊕and ⊗be the same operation.

For election systems, a scheme where the encrypted votes are added is preferred. The main advantage of an additive homomorphism is the operational characteristic of the shortest runtime. See [Sch07b] for more details upon this.

The essence of this section was the definition of different communication chan-nels and the illustration of the most important cryptographic techniques that are used as building blocks for RIV. Mixnets as well as homomorphic encryption succeed to achieve anonymity in differing ways. Blind signatures follow a slightly different approach by providing anonymous authenticity. Further threshold encryption was proposed as a mechanism to make voting schemes more robust.

(39)

5 Current Employment of RIV

This chapter describes the most recent events in the context of adopting RIV for real elections. The ﬁrst part deals with happenings on the supranational level of the European Union such as the CyberVote Project and Council of Europe’s Recommen-dations for e-voting in general. The succeeding part will go into the details of national programs of RIV. We chose Estonia, Switzerland, the Netherlands and Great Britain because these countries already run more or less advanced programs. Additionally the United States were examined because they already acted as a pioneer in the con-text of voting machines. These countries will be looked at relating to reasons for introduction, type of elections during which RIV was used, applied voting protocols and gained experiences.

5.1 Europe

5.1.1 CyberVote Project

The CyberVote Project [Pro03a] was launched by the European Commission (EC) in September 2000. It was partially funded by the EC and aimed at demonstrating the possibility of fully verifiable online elections guaranteeing absolute privacy of the votes and using fixed and mobile internet terminals. The project’s objective was to contribute to the development of a democracy in Europe by enabling the use of a mod-ern electronic voting system. Another goal was to implement a trustworthy e-voting protocol which could be integrated to existing infrastructures for the identification of voters.

The CyberVote design was driven by solutions which had to allow the user au-thentication while guaranteeing the ballot’s secrecy, sanctity and integrity, on the one hand, as well as the voter’s freedom of expression, the user-friendliness and the acceptability of the system on the other hand.

The project was carried out by a consortium and involved partners from industry (EADS Matra Syst`emes & Information of France, Nokia Research Centre of Finland, British Telecommunications of the United Kingdom), universities (K.U.Leuven Re-search & Development of Belgium, Technische Universiteit Eindhoven of the

Secure Client Platforms for Remote Internet Voting

Technische Universit¨

at Darmstadt

Diploma Thesis

Secure Client Platforms for Remote Internet

Voting

Contents

List of Tables

List of Figures

1 Introduction

1.1 Motivation

1.2 Objective of the Paper

1.3 Outline

2 Fundamentals of Voting

2.1 Definitions

2.1.1 Election

2.1.2 Electoral System

2.1.3 Voting Scheme

2.2 Voting in Germany

2.2.1 Voting Machines

2.2.2 Absentee Voting

3 Remote Internet Voting

3.1 Definition

3.2 Protection Goals

3.3 E-Voting versus E-Commerce

4 Cryptographic Techniques

4.1 Requirements for Communication Channels

4.1.1 Anonymous Channel

4.1.2 Untappable Anonymous Channel

4.1.3 Public Bulletin Board

4.2 Building Blocks of RIV

4.2.1 Threshold Encryption

4.2.2 Mixnets

4.2.3 Blind Signature Schemes

4.2.4 Homomorphic Encryption

5 Current Employment of RIV

5.1 Europe

5.1.1 CyberVote Project