Secure Client Platforms for Remote Internet Voting


Technische Universität Darmstadt
Department of Computer Science
Cryptography and Computer Algebra
Prof. Dr. Johannes A. Buchmann

Diploma Thesis
Secure Client Platforms for Remote Internet Voting

Author: Johannes Clos
Advisor: Axel Schmidt
Date of submission: February 14, 2008


Declaration

Declaration of Honour

I hereby affirm that I have written this diploma thesis without the help of third parties and using only the sources and aids indicated. All passages taken from the sources have been marked as such. This thesis has not been submitted in the same or a similar form to any examination authority.

Darmstadt, Johannes Clos


Contents

1 Introduction: Motivation; Objective of the Paper; Outline
2 Fundamentals of Voting: Definitions; Election; Electoral System; Voting Scheme; Voting in Germany; Voting Machines; Absentee Voting
3 Remote Internet Voting: Definition; Protection Goals; E-Voting versus E-Commerce
4 Cryptographic Techniques: Requirements for Communication Channels; Anonymous Channel; Untappable Anonymous Channel; Public Bulletin Board; Building Blocks of RIV; Threshold Encryption; Mixnets; Blind Signature Schemes; Homomorphic Encryption
5 Current Employment of RIV: Europe; CyberVote Project; Council of Europe's Recommendations; Country Reports; Switzerland; Estonia; The Netherlands; Great Britain; United States; Discussion
6 Secure Platform Problem: Characteristics of the Platform; Malicious Software; Trojan Horses; Viruses; Internet Worms; Mobile Code; Effects on RIV
7 Counteractive Measures: Methods of error detection; Test Ballots; Voter-Verifiable Voting Protocols; Neff's Voting Scheme; Chaum's Visual Crypto Scheme; Ryan's Prêt à Voter Scheme; Chaum's Scantegrity Scheme; Evaluation of detection methods; Methods of error prevention; Trusted Hardware Devices and Voting-CDs; Code Voting; Multiple Casts; Trusted Computing; Discussion of the presented methods
8 Conclusion
Bibliography
A Abbreviations

List of Tables

7.1 Neff's voting scheme - Source: modified from [KSW05]
Possible sequence for an adoption of Chaum's scheme to RIV - Source: modified from [KSW05]
Protocol sequence of Prêt à Voter
Comparison of the evaluated voter-verifiable voting schemes


List of Figures

2.1 Categorization of voting schemes - Source: modified from [Sta05]
Categorization of vote classes - Source: modified from [VK06]
Functioning of a single mixnet server - Source: modified from [Wag06]
Decryption mixnet - Source: modified from [Wag06]
Audition of teller i - Source: modified from [CRS04]
Representation of a verifiable choice - Source: modified from [KSW05]
The parity cell patterns - Source: [BR03]
Possible combinations of bit patterns - Source: modified from [Cha04]
Bit patterns of the transparency layers, resulting image - Source: modified from [Sta05]
The filled in ballot - Source: modified from [RP05]
Outline of the voting process - Source: modified from [CRS04]
Layers of the onion - Source: modified from [CRS04]
Anonymizing mix with n tellers - Source: modified from [CRS04]
Ballot structure and layout of the board - Source: modified from [Cha07]
Filled in ballot and obtained verification information - Source: modified from [Cha07]
Auditing the tally - Source: modified from [Cha07]
Example for a trusted platform - Source: modified from [ASSV06]
Chain of Trust - Source: [Stu07]


1 Introduction

1.1 Motivation

The creation of the internet gave rise to a wide range of ideas on how to increase the efficiency of democratic [1] systems. In this context the term e-democracy is commonly used. It includes the subject of e-government, which stands for the modernization and simplification of administrative processes, supposedly leading to higher efficiency and transparency in the public sector [2]. In fact, however, the scope of e-democracy lies beyond the typical applications discussed in the context of e-government. Effectively the borders are set by the respective body of legislation of modern democracies [BN02].

With the introduction of digital signatures [3] the ambitious project of Remote Internet Voting (RIV) seemed to be within reach. The term stands for the reform of our current voting procedures in response to the rapid growth of computer usage, with promises such as higher voter participation and a reduction of the cost of elections [4]. On the other hand, the possible risks must not be underestimated. The necessity of the voters' trust in the election system and its acceptance cannot be stressed enough. As the act of voting has to be regarded as the core of democracy (it represents the most general and simple form of public participation, a fundamental prerequisite of all democratic systems), all attempts at reform have to be classified as critical, and the discussion accompanying a possible introduction of RIV needs to be led with the sum of all technical and social arguments taken into consideration.

Footnotes:

[1] (Greek: demos = people, kratein = to govern) government of the people, by the people and for the people.

[2] A good example of the implementation of e-government techniques is to be found in the European country of Estonia. After the establishment of an infrastructure that guarantees free internet usage to every citizen in 1999, services were introduced to create methods of interaction between citizens and their government, e.g. a website was created to give citizens the possibility to post statements and proposals for new laws and directives, vote for them, and direct them to the administration. Furthermore, a nationwide public key infrastructure was set up through the distribution of an identification card that includes a chip to ensure the secure storage of private keys. Binding digital signatures were thereby effectively enabled, giving people the possibility to sign and submit official documents from their computer.

[3] In 2001 the EU-Directive 1999/93/EC [Hof07] found its realization in German law. Binding digital signatures now represent a legal equivalent to traditional signatures.

[4] Currently many countries suffer from decreasing participation in traditional elections. Low turnout being a problem for the legitimation of democratic systems, the idea arose to reduce people's personal cost of participation. Remote voting makes it more comfortable for the voter to cast a ballot. That is one of the reasons why many people see Remote Internet Voting as a big chance for democratic systems in general (especially in participative democracies with a high number of elections and referendums). This leads to the widespread opinion that countries could miss a chance if they do not amend their electoral law by adding the feature of RIV. Out of fear of falling behind, it is often overlooked that current systems do not fulfill the requirements of a strict interpretation of the electoral law.

1.2 Objective of the Paper

While a lot of actions have been taken to enhance voting protocols in order to make them more secure, the technical devices used as interfaces between a voter and the voting protocol have not yet received enough attention. This thesis deals with the issue of insecure client computers used as voting platforms, which currently represents one of the major obstacles to RIV. To this end it sketches RIV, describes its most common cryptographic techniques and evaluates its usage in Estonia, Switzerland, the Netherlands, Great Britain and the USA. Subsequently, the thesis picks up these experiences and analyzes the structure of personal computers commonly used as client machines, as well as their risks. Besides exposing the problem, possible ways to make the platforms more reliable, and thus trustworthy, are described. As possible security enhancements for voting platforms consist of detective as well as preemptive mechanisms, both kinds of mechanism will be presented. Furthermore, by estimating how complex the adoption of these mechanisms is, an evaluation of the different proposals is attempted. In the end, the implementation that seems most promising for making client machines a more secure entity is recommended.

1.3 Outline

We start with a definition of some important electoral terms, leading to a historical description of electoral laws and the voting system currently being used in Germany.
This is intended to give the reader a general idea of the current situation and the development so far. Afterwards the terms Absentee Voting and Voting Machines will be explained in more depth, since the first represents a remote voting system that is already in use, whereas the latter describes an alternative type of electronic voting that currently causes quite a stir. These two terms are introduced with the intention of giving a clear boundary definition. After a clarification of the terms Remote and Electronic Voting the reader is introduced to RIV, and the former are distinguished from the topic of the thesis. In this context the protection goals are listed and the fundamental differences between Electronic Commerce and Electronic Voting are discussed. Among others, the most important cryptographic techniques used in voting protocols are Mixnets, Homomorphic Functions and Blind Signatures. These will be explained in chapter 4, which also deals with specific communication channels.

Although RIV is still a fairly new topic with many unfinished construction sites, it has already been used several times for real-life elections and has thereby lost a little of its cutting-edge character. In the next chapter, an overview is given of countries that support such programs, or have run pilots or binding elections over the internet, to present a picture of how widespread this election type is. Additionally there is a detailed description of the kind of elections RIV is currently used for. Furthermore, the succeeding discussion summarizes the lessons learned from practical implementation so far.

Since the infrastructure is the internet, which by itself is highly insecure, the usage of cryptographic protocols is fundamental to guarantee the correct functioning of every single element of the digital election (registration, voting, tallying and most definitely recounting). So far many efforts have been made to provide secure communication. Nevertheless, one big threat remains, due to the fact that client computers are highly insecure. Today's personal computers run standard operating systems and software, while users are often not skilled enough to maintain their computers sufficiently. Therefore there is a high chance that voters' browsers (or other software, potentially including their operating system) may be compromised and may thus not behave as the user wishes (even while deceiving the user into thinking that they do).
Generally speaking it has to be assumed that the voting platform is open to all kinds of malicious software (malware) hidden in a piece of software that the user is unaware of, since detection is based on old definitions in a malware dictionary (if detection is used at all) and the actions taken to secure the system are mostly reactive. Since the weakness can be exploited automatically on a large scale, it is considered the Achilles heel of RIV. As a consequence the software could interfere with the voting act by showing the voter a fake ballot and sending a ballot filled in with the intruder's choice to the election authority. Malware also threatens other protection goals. An attacker could, for example, observe how someone casts a vote. Additionally the voter can be hindered from casting a vote at all. Consequently, insecure platforms jeopardize the voting principles when a ballot is cast from them. Highly sophisticated Trojan horses and worms possess this ability. Operating in stealth mode, they can run without being recognized by common virus detection systems. It thereby becomes evident that a typical computer user is not able to tell whether such code runs on his PC or not.

As an entry point to the principal topic, the flaw is described in more detail. While examining the risks of insecure voting clients, the clients have to be distinguished by type, because a voting client could be any service access device, ranging from personal computers to personal digital assistants or even cellular phones. Since voting clients cover a broad range of technical specifications and of ways of connecting to the internet, different kinds of attacks might be possible. The discussion will show how the clients differ from each other but will concentrate on personal computer usage for the subsequent chapters.

In order to notice and prevent attacks on voting clients, some of the most promising methods are evaluated. The strategies that promise to secure voting clients during RIV include the following.

- Voter-verifiable protocols focus on the issue of non-reliable voting systems. In this context the principles of protocol designs for non-reliable voting machines (Neff, Chaum) and enhancements to optical scan voting (Ryan, Chaum) are explained. Subsequently it is shown to what extent each of them is suitable for a transfer to a possible usage within RIV and which changes have to be applied.

- Code sheets and test ballots, introduced by Oppliger in [Opp02], provide an interesting possibility to prevent automatic election fraud. For this purpose, sheets with special codes for each election choice are distributed via a secure channel (e.g. letter post). If each ballot paper is unique, a possible intruder cannot fake a ballot, since changing it would presume that one knows the mapping between the codes and the election candidates. Test ballots, on the other hand, provide an easy way of testing the proper functioning of the voting system.

- The idea behind multiple casts, as introduced by Volkamer and Grimm in [VG06], does not provide client security. It rather makes up for its absence. By admitting repeated votes, a later cast vote could overwrite a previous one which might have been cast under coercion or from a hijacked platform. It is obvious that multiple casts must prohibit multiple votes of the same person. It will be shown how this feature could be implemented, and it is discussed whether it fulfills the principle of equality.

- Trusted Computing, as presented by Alkassar et al. in [ASSV06], is another way to ensure client safety. The chapter gives insight into the basic functioning of Trusted Computing and shows how it can enhance RIV in a way that turns voting clients providing the necessary hardware into verifiable machines.

The conclusion of the work provides an analysis of the presented methods. This should answer the question as to what extent they present possible solutions to the attacks that arise from the usage of PCs as voting platforms for RIV. Additionally, these methods are reviewed with regard to some associated social aspects. In pursuit of the goal of secure client platforms, the conclusion closes with an attempted outlook on the utilization of remote internet elections in the nearer future.
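Added example (not part of the thesis): a minimal Python sketch of the code-sheet idea and of the "later cast overwrites the earlier one" rule for multiple casts outlined above. The candidate names, voter ids, the HMAC-based derivation of codes and the ElectionServer class are assumptions made for illustration; they are not the schemes of [Opp02] or [VG06].

```python
import hashlib
import hmac

CANDIDATES = ["Alice", "Bob", "Carol"]   # constructed candidate list
CODE_DIGITS = 10                          # assumed code length for this demo


def make_code_sheet(master_key: bytes, voter_id: str) -> dict:
    """Derive one voter's unique candidate -> code mapping (the posted sheet).

    Assumption: codes come from HMAC-SHA256 under an authority secret.
    An authority could equally draw random codes and store them.
    """
    sheet, used = {}, set()
    for cand in CANDIDATES:
        counter = 0
        while True:
            msg = f"{voter_id}|{cand}|{counter}".encode()
            mac = hmac.new(master_key, msg, hashlib.sha256).digest()
            number = int.from_bytes(mac[:8], "big") % 10 ** CODE_DIGITS
            code = f"{number:0{CODE_DIGITS}d}"
            if code not in used:          # codes on one sheet must differ
                break
            counter += 1
        used.add(code)
        sheet[cand] = code
    return sheet


class ElectionServer:
    """Accepts (voter id, code) pairs; the client never handles a candidate name."""

    def __init__(self, master_key: bytes, voter_ids):
        self.sheets = {v: make_code_sheet(master_key, v) for v in voter_ids}
        self.last_cast = {}               # voter id -> candidate of latest valid cast
        self.rejected = 0                 # invalid submissions, worth monitoring

    def cast(self, voter_id: str, code: str) -> bool:
        # Assumption: voter_id has already been authenticated by other means.
        sheet = self.sheets.get(voter_id, {})
        for cand, valid_code in sheet.items():
            if hmac.compare_digest(valid_code, code):
                # Multiple casts: a later valid cast replaces the earlier one,
                # so every voter still contributes exactly one vote.
                self.last_cast[voter_id] = cand
                return True
        self.rejected += 1
        return False

    def tally(self) -> dict:
        counts = {c: 0 for c in CANDIDATES}
        for cand in self.last_cast.values():
            counts[cand] += 1
        return counts


def run_demo() -> dict:
    key = b"constructed-demo-key"         # constructed; never hard-code a real secret
    server = ElectionServer(key, ["voter-1", "voter-2"])
    sheet1 = make_code_sheet(key, "voter-1")   # arrives by letter post
    sheet2 = make_code_sheet(key, "voter-2")

    result = {}
    # Honest client: forwards the code the voter typed in.
    result["honest"] = server.cast("voter-1", sheet1["Alice"])
    # Compromised client of voter-2 swaps in a code seen on another sheet.
    # Without voter-2's own mapping the substitution is detected.
    result["swapped"] = server.cast("voter-2", sheet1["Bob"])
    # voter-2 casts once (e.g. under pressure) and later casts again in private.
    result["first"] = server.cast("voter-2", sheet2["Bob"])
    result["recast"] = server.cast("voter-2", sheet2["Carol"])
    result["tally"] = server.tally()
    result["rejected"] = server.rejected
    return result


if __name__ == "__main__":
    print(run_demo())
```

The rejected counter matters operationally: a burst of invalid codes is the visible trace of clients that alter submissions, while a client that merely drops the vote leaves no trace here.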

2 Fundamentals of Voting

In the first part of this chapter voting is conceptualized by giving the definitions of an election, an electoral system and a voting scheme. Afterwards the development of voting in Germany is explained. Two important innovations in electoral practice, remote and electronic voting, represented by absentee voting and direct recording electronics, are highlighted. Both constitute important changes to the electoral law in Germany. By going into the details it is intended to define the characteristics of different voting schemes in contrast to each other. This is particularly important because electronic and remote voting exhibit two of the main characteristics of RIV.

2.1 Definitions

Election

Elections can be defined as the democratic method to appoint people to entities of representation and executive positions [Noh07]. Their usage may well be the best possible approximation to popular control of government that can be achieved in modern, industrialized mobile mass society [Mil72]. In this context the citizens of a given society periodically have to answer the question of who should be selected to govern for a period of time. Elections serve the purpose of obtaining accurate data representing a set of participants' answers to this question. In effect, one vote can be seen as a single participant's answer to this question in its physical representation. It consists of a selection, generally from a predetermined set of answers, called candidates. But, depending on the set of rules that regulates the election, the selection can also be independent of a default list. This is also known as a write-in vote. Ballots are groups of questions combined into a certain structure. Each question of an election is referred to as a single race. The electoral law comprises the legal requirements that organize elections. For example, it contains legal requirements that regulate the eligibility of participants in an election.
Every person entitled to participate is called a voter.

Electoral System

An electoral system includes the mode by which the voter can express a political preference and by which the vote is translated into decisions regarding the occupation of mandates and the composition of representative conventions. In the case of parliamentary elections an electoral system translates the data of votes by specific measures into parliamentary seats. In a narrow interpretation it regulates this process by localizing constituencies, defining the rules of candidature as well as vocalization, and committing to the accounting of votes [Noh07]. In a wider interpretation it can also affect matters of the voting scheme. Majority and proportional vote are commonly referenced as two examples of different electoral systems.

Voting Scheme

As described in [Sta05], voting schemes are commonly referred to as protocols that define the procedure which turns cast votes into a final tally. As a result the term can also be interpreted as any method that can successfully manage an election. Voting schemes can be differentiated by their technical nature. On the one hand, traditional voting schemes are schemes such as ordinary paper ballots, mechanical recording machines and punch-card ballots. Absentee voting, as described later in this chapter, is seen as a traditional voting scheme as well. By contrast, electronic voting schemes use electronic devices to conduct an election. Direct recording electronic machines, as introduced later in this chapter, and RIV, as presented in Chapter 3, can be classified as such. The categorization of specific voting schemes can be seen in Figure 2.1.

[Figure 2.1: Categorization of voting schemes - Source: modified from [Sta05]. Node labels: Voting Schemes; Traditional Voting; Electronic Voting; Paper Ballots; Mechanical Recording Machines; Remote E-Voting; Poll Station E-Voting; Absentee Voting; Internet Voting; DRE Machines]

2.2 Voting in Germany

The first use of paper ballots to conduct an election appears to have been in Rome in 139 BCE. Nevertheless many forms of voting have been practiced since then. We will now give an overview of the electoral system in Germany, followed by the main aspects related to the development of electoral law.

In addition to the elections for the European Parliament, Germany has parliamentary elections of universal kind for the Bundestag (the state parliament), in each of its federal states, and for the parliaments of cities, counties and boroughs. Furthermore, direct elections are practiced for the appointment of district administrators and mayors (local elections). Altogether the operation of elections is organized by the electoral laws that can be found in the Constitution, the Bundeswahlgesetz (federal election law) and the Bundeswahlordnung (federal electoral regulations) on the national level, and similar laws on the state level. The electoral system of Germany uses personalized proportional representation, which is a mix between proportional representation and majority vote, with the proportional component being the overall decisive factor. Half of the members of the Bundestag are elected through a majority vote (one candidate for each electoral district). At the same time the citizens can use their second vote for a party of their choice. The overall strength of the parties represented in the Bundestag results exclusively from the number of second votes cast nationwide [vp03].

The parliamentary elections are carried out in obedience to the principles named in the German Constitution (Art. 38 GG). These require the elections to be

- universal: No citizen should be excluded from her right to vote.
- direct: No intermediaries, e.g. deputies, are assigned to vote in someone else's name.
- free: Neither governmental nor any other coercion is allowed. This should assure a free choice between competing parties.
- equal: All voters have the same number of votes, which are equal in weight.
- secret: The voter's decision, represented by a voter marking his choice on a ballot, is confidential. Open and public votes are invalid.

Unlike other countries (e.g. Belgium, Luxembourg), the electoral law of Germany does not oblige the citizens to vote (compulsory voting). The possibility to vote is rather seen as a basic right. It is usually controlled by a specific voting district where the citizen is registered. Therefore eligible voters are listed in special registers maintained by the local authorities.

Besides parliamentary elections Germany knows a variety of non-parliamentary elections, amongst others for workers' councils, universities' boards and governing boards of social security institutions. The decision-making abilities of these boards are altogether very limited. This is the main reason for less strict requirements during these elections.

Before the principles of democratic elections (as named above) became widely accepted there were a number of different electoral laws. Prussia, for example, introduced a three-class system of voting in 1849, where the voting population was divided into three groups with a different weighting of votes. The allocation to a certain group depended on the citizen's income and the taxes he paid. The election was conducted publicly and orally and was therefore not secret. Furthermore it was indirect, since electoral deputies were elected. In 1918 it was abandoned. Universal female suffrage was, similar to universal manhood suffrage, established in a step-by-step process.

Taking a look at the history of voting shows that the situational context and formal design of how we vote has always been a controversial topic. Electoral regulations tend to influence who votes and how we vote, and also affect the outcome of elections. Indications for this not only exist within the central questions of electoral law in the 19th century (whether open or secret elections should be conducted and whether, if at all, votes should be counted equally). Historic examples reach from the consequences of ostracism [1] in ancient Greece to viva voce [2] in medieval England and the USA and the permission of voting machines in Scandinavia in the 1950s. Electoral laws are rarely neutral. Instead they always favor certain actors and discriminate against others. Each amendment of electoral laws led to political rejections and changed voting behavior. But even though new benchmarks of political and technical development came up within the past hundred years, the typical way in which elections are conducted has hardly changed since the last reformation of electoral laws.
With the introduction of polling booths and the Australian Ballot [3], the system of voting in which voters mark their choices in privacy on uniform ballots, printed and distributed by the government, or designate their choices by some other secret means, the evolution of the voting act seems to have found its climax [Dom07]. The usage of paper and pen, counting of votes by hand and voting in the domestic voting district are still best practice. But despite this stability the electoral law highly depends on changing political and constitutional developments. Between 1956 and 2002 the German electoral law was modified by 34 amendments that document the continuing need for changes [4]. Some of them are of great importance, such as the introduction of the absentee vote in 1956 and of voting machines. While absentee voting lowers the personal cost, the governmental operation of voting machines tries to simplify and speed up the tallying process. The combination of both, automated counting and a more comfortable vote cast, clearly points in the direction of RIV.

Footnotes:

[1] Aristotle claims Cleisthenes was responsible for the institution of ostracism. It allowed the citizens to send a fellow citizen into temporary exile if he was getting too powerful. The term ostracism was derived from ostrakon, the Greek word for a piece of broken pottery on which the citizens wrote the name of their candidate [Car07].

[2] Viva voce describes the practice of voting by publicly calling one's election choice during a convention of voters [Jon03].

[3] Victoria and South Australia were the first states to introduce ballot secrecy.

[4] The vast majority of these amendments dealt with administrative topics such as the customization of the voting districts.

Voting Machines

Voting machines are usually the first thing that comes to one's mind when hearing the term electronic voting. RIV and voting machines have in common that they both make use of electronic devices (terminals) as an interface between voter and ballot. Voting machines can be defined as standalone technical devices used to define ballots, to cast and especially to count votes, and possibly to produce some audit trail information - all done by a single machine. The first machines were mechanical, but nowadays it is common to use electronic voting devices. Voting machines are most often referred to as direct recording electronic (DRE) machines. After the election they produce a tabulation of the voting data stored in a removable memory component (and possibly as a printed copy). Elections for the German Bundestag and for the European Parliament are only legal if conducted with standalone devices. That is to say, voting machines can only be part of a local network at the polling station. They cannot be connected to a countrywide network where the election results are sent to a central tallying server [og07c].

According to the promoters of voting machines the benefits include higher accuracy, faster results, lower costs, easier voting for disabled people and the elimination of invalid votes. The problem is that the usage of voting machines puts important steps of the voting procedure inside a black box. Thereby the positive aspect of having a publicly verifiable election is eliminated.
Most people cannot reconstruct what happens to the votes inside the machine and how the results are calculated. The integrity of an election highly depends on the proper functioning of the devices and their security against manipulation. Everybody has to rely on the ability of experts who test the source code and analyze the components. In Germany the law for voting machines regulates the procedure of accreditation [oj07]. It assigns the National Metrology Institute providing Scientific and Technical Services (Physikalisch-Technische Bundesanstalt) the duty to check compliance with the following requirements:

- correct implementation of the voting process
- secure storage of cast ballots
- guarantee of privacy
- correct counting of cast ballots
- usability of the machines
- secure and long-lasting construction
- security in case of malfunction
- insensitivity against mechanical, climatic and electro-magnetic environmental influences

However, the institute does its testing only on a sample machine. All others are distributed by the vendor directly. A further point of criticism is that recounting of electronically cast votes is often not practicable due to the lack of voter verifiable paper trails (VVPT). The lack of transparency is another disadvantage. While traditional elections allow the voters to observe the tallying process, DRE so far does not offer this feature. This illustrates a serious problem of DREs, especially in view of real-life deficiencies such as the ones during the elections for the US presidency. The result of Florida included an electronic miscount of votes [Kru07]. So far methods of auditing are not intended by most voting machine producers. We will cover this topic in more depth in Chapter 7.

Recently DREs have continually failed to provide the standard of a trustworthy voting system. A security check of electronic voting machines by computer scientists of the University of California uncovered more than a dozen security risks throughout all tested machines. A team of experts was assigned by the California election supervisor to investigate eight already used and certified e-voting systems from market-leading companies (such as Diebold, ES&S, Hart Intercivic and Sequoia). The scientists uncovered severe security problems and required massive system updates of hardware and software prior to a possible recertification. In a decision issued in August 2007 the Secretary of State withdrew the certification of all vendors for the time being [os07]. Other countries have completely abandoned the usage of voting machines.
In 2006 Italy already stopped all ongoing projects with voting machines due to irregularities discovered during its parliamentary elections at the beginning of the year [Zie06]. The most recent decision was taken in the Netherlands. After the Dutch group Wij vertrouwen stemcomputers niet and the German Chaos Computer Club published alarming facts that showed how easy it is to reconfigure the machine by exchanging the Erasable Programmable Read Only Memory (EPROM) [5], the Dutch government was in doubt whether voting machines could be safely used. An appointed commission was supposed to investigate this topic. Amongst other things the authors of the final report criticized the lack of VVPT and advised reconsidering the Regulations for approval of voting machines. Thereafter the Secretary for the Interior immediately announced that the certification would be withdrawn [Com07a].

Footnote:

[5] Since the EPROM stores the voting software, this attack illustrated the infiltration of a voting system with manipulated software. If designed properly, this software has the potential to affect the counting without election officials noticing.

Absentee Voting

When talking about remote internet elections, absentee voting is sometimes used as a reference. This is because both are conducted in a remote way. Supporters of the absentee vote argue with its smooth introduction and the high acceptance within the population. At the same time opponents fear the reinforcement of problems related to the loss of privacy. Traditionally an absentee vote is defined as a vote cast by a citizen who is unable to vote at his regular polling place on election day. As a result it is independent of the time and location of the election that demands personal presence and uses a ballot box. Since the postal route takes time, absentee voting can also be referred to as voting in advance.

Absentee voting was established in Germany in 1956 with the introduction of the federal election law and first used during the Bundestag elections in 1957 [Jes03]. The voter is required to apply for the absentee vote after receiving the polling card. But the ballot paper will only be sent to citizens who

1. cannot be in the voting district on the day of election due to important reasons.
2. moved to another voting district after the time period of electoral registration has started.
3. cannot attend the election due to professional reasons, illness, high age or physical problems.

Since these reasons are not checked, anybody may claim that this is the case. Absentee voting, as a deviation from the strict requirements of the personal election, is interpreted by the Federal Constitutional Court (FCC) as a breach of this principle. But at the same time the court considers it to be consistent with the constitution.
In the decisions of the FCC concerning absentee voting in 1967 and in the second judgment 1981 the possibility of absentee voting was strengthened. For groups of people who cannot attend on election day for the reasons stated above, the possibility of an absentee vote should exist if they can be accredited. Nevertheless, the absentee ballot should remain the exception [Feh07]. The decisions of the FCC took place at a point in time where just a small portion of voters (1957: 4.9 %, 1980: 13 %) preferred this procedure. But the percentage of absentee voters increased steadily: in 1998 the percentage was 16 and in 2002 almost every fifth eligible voter made use of it. In large cities like Munich (31 %) and Hamburg (28 %) it cannot be called an exception anymore [Ker04].

During the previous chapter the terms election, electoral system and voting scheme were defined. In addition they were applied to Germany by giving some background information about held elections, amendments of the electoral law and the voting schemes affected by them. As demonstrated, the biggest impact on voting was caused by amendments of the electoral law that included absentee voting and DRE machines in the process. Illustrating the characteristics of these systems revealed hints that point in the direction of a stronger application of RIV in the future.

3 Remote Internet Voting

In this chapter RIV is defined by assembling its different elements. They are described before the details of the inevitably required protection goals are addressed. Since e-commerce and online banking became widely accepted in our society, many people tend to believe that if they are possible RIV must be possible, too. This prejudice is clarified afterwards.

3.1 Definition

RIV combines the characteristics of electronic, online and remote voting schemes. The main difference between traditional and electronic voting (e-voting) consists of the respective underlying scheme. E-voting scenarios map the process of voting onto digital technology. Technologies are DRE machines (voting machines, optical scanners and voting pens) and RIV. The phases of digital voting scenarios are quite similar to the traditional approach. In the preparation phase voter and candidate lists need to be prepared, ballots have to be designed and the according infrastructure is set up. The next phase consists of registration, where voters are obliged to register and prove their identity before being admitted for voting. This procedure is optional and its details depend on the election law of a country. During the voting period voters cast their ballots after authenticating themselves. In the end the votes are counted, the tally is prepared and finally published.

By definition, the usage of voting terminals connected to a network as well as the casting of votes that are transferred to another computer where they are stored and counted is called online voting [og07b]. It represents a specialization of e-voting. In reference to [Ins01] three different groups of online voting are distinguished depending on where the voting terminals are located:

Poll site-voting system: The terminal is located in a safe environment like a polling station. In contrast to voting machines the terminal sends the results to a server for further counting. Since polling stations are staffed, the voting terminals used here are administrated.

Kiosk e-voting system: The terminals are computers/ATM-like machines with special hardware and are situated at fixed locations (e.g. kiosks, libraries). For this reason the system does not provide the same convenience as the cast of a remote vote. The machines are not under permanent staff control, but they are presumably protected against the problems that voters' private computers have (for example insufficient prevention of attacks through a lack of security mechanisms) because the software that runs on kiosk systems is most likely inaccessible. The configuration is provided by administrators instead.

Remote Internet Voting System: This type of system allows voters to cast their votes from any computer or digital device connected to the internet or to a private network, typically from home or at work. Devices such as personal digital assistants, personal computers, mobile phones and even game machines could be used to access these systems.

Remote voting is characterized by the fact that voters do not have to visit a special location to cast a vote. Instead voters get the possibility to vote from wherever they are. This lowers the personal cost for the voter¹. But to make this possible a reliable communication channel is required. Absentee voting is the traditional application and uses postal mail for its purpose. The internet offers different communication channels. Regardless of the channel, remote systems demand that the voter votes in a responsible way that eliminates coercion and guarantees privacy.

It is safe to say that in the context of online voting poll-site voting does not represent a remote voting system. The kiosk e-voting system partly shows characteristics of a remote system, but only RIV is distinguished clearly enough from presence voting. A categorization of the named voting systems by the terms presence and distance voting is shown in Figure 3.1.

¹ The cost factor that might be reduced is the time and effort that it takes to go to the electoral office and cast a vote in person. However, there are other cost factors involved in electoral participation, most noteworthy among them being the time and effort that it takes to acquire subjectively sufficient information to cast a ballot. Those other costs seem to remain unaffected by e-voting [Sch02].

Figure 3.1: Categorization of vote classes - Source: modified from [VK06]. (Figure not reproduced. It arranges the voting systems by traditional versus electronic voting and by presence versus distance voting; its labels are: voting through polling box, mechanical recording machines, DRE machines, networked voting machine (voting at polling station), absentee voting, Remote Internet Voting, kiosk e-voting system.)

For RIV, generic computers serve as voting platforms by running some kind of voting software plus various other possibly insecure software on top of a more or less stable operating system. Chapter 7 talks about the platform's structure and the resulting security problems. It is obvious that these problems are beyond the control of electoral administrators. Naturally they affect the security required by the guidelines of electoral laws, which remain a prerequisite for RIV as well as for all other possible types of voting used during elections.

3.2 Protection Goals

In order to assure the political election principles mentioned before, RIV needs to achieve a variety of protection goals. The following security requirements for remote internet voting systems are the most important ones for the further course of this thesis [SP06]:

Eligibility: It is necessary that only valid voters are eligible to vote. The predetermined criteria for eligibility depend on the election law of each country. The voting system has to verify the voter's validity and ensure that each entity can cast only a permitted number of votes.

Anonymity: Anonymous voting achieves privacy and prevents the identification of a voter from his vote. As a pre-condition it has to prohibit the traceability between vote and voter.

Coercion resistance: A voting system is defined as coercion resistant if it is infeasible for a voter to cooperate with a coercer and prove to him that he voted in a certain way, abstained from voting, or disclose his secret keys.

Accuracy: Accuracy requires the voting system to be error-free. Therefore the voters' ballots have to be cast as intended and counted as cast during tallying. Modified, duplicated or erased votes are not tolerable.

Robustness: The voting scheme has a limit of tolerance by which minor technical errors can be tolerated.

Correctness: Every valid vote, no matter how it was cast, has to be included in the final tally and counted correctly (of course only if it is not a repeated vote).

Verifiability (universal and individual): The voters' trust in a voting system is a prerequisite for the acceptance of the results. Creating trust in the integrity of a voting system requires an independent verification along each translation step of the election. Universal verifiability requires that anyone is able to verify the correctness of the voting process and its result, whereas individual verifiability convinces each voter that his personal vote was correctly recorded.

Usability: The design of a voting system has to consist of intuitively and easily usable interfaces and needs to make usage possible for handicapped persons.

In the course of this thesis it can be seen that insecure voting platforms especially affect the goals of anonymity, accuracy, coercion resistance and correctness. For this reason, and for the additional goal of transparency during the election, voting systems strongly benefit from verifiability. Nevertheless receipt freeness additionally plays an important role because individual verifiability usually comes along with receipts.

Receipt freeness: The voter has to be prohibited from gaining certain information (referred to as a receipt) that might be used by him to prove his voting decision to an attacker or coercer.

To be consistent with legal principles all of the requirements have to hold during the entire election, including voting clients, the communication channel and voting servers.
While the single requirements are achievable, there is to date no protocol that fully meets all the said requirements at once. Some of the named requirements seem to be at odds with each other. For example it is not obvious how anonymity and verifiability can be achieved at the same time. [Smi05] shows how some of the desires are simultaneously achievable while seemingly being incompatible.

In order to realize safe voting schemes, clearly defined rules of communication between the involved entities ensure the treatment of requirements. Voting protocols play this role by making use of standardized guidelines regarding syntax, semantics and synchronization of the data transfer. Even the slightest ambiguity threatens the correctness of the entire election. The fundamental cryptography of voting protocols exceeds that of traditional communication protocols since its requirements are significantly stronger. The cryptographic primitives are explained in Chapter 4. Altogether research on protocols has reached a stage where important requirements like correctness, robustness, anonymity, coercion resistance and verifiability are possible.

3.3 E-Voting versus E-Commerce

Today financial transactions to the amount of millions of dollars are made via the internet. It is a common and widespread opinion that it should also be possible to use the same medium for digital voting. Thereby it is often overlooked that digital voting and digital commerce show fundamental differences. For this reason it does not make sense to transfer the feasibility of e-commerce onto remote e-voting. There are several reasons for this (see [Riv02] for more details):

Financial transactions are performed online, but there is always a separate offline process for checking them and for correcting any errors detected (the buyer typically gets a transaction receipt). Since this is not the case for e-voting so far, the prevention of fraud and error, while having no chance of retroactive correction, has to be guaranteed.

Electronic commerce includes the possibility to dispute a transaction if something did not work correctly. With e-voting in contrast there is always a deadline that has to be met. Disputing an election requires many objections commonly settled in court.

Concerning electronic commerce, the involved parties can be identified by transaction records. This is substantially different from electronic voting, where the cast of a ballot should in no way identify the voter, as this violates the voter's privacy and anonymity. Furthermore, this would subject them to coercion.

The profile of an attacker in the electoral scenario is much different from that in e-commerce. People that aim at making some quick cash by manipulating transactions certainly have to be skilled. But their profile is definitely lower compared to some foreign power with its intelligence apparatus and serious funding. They are motivated by the ability to change the outcome without anyone noticing. Among others the adversaries of an election system are foreign governments with powerful interests at home and abroad.

En route to a definition of the term RIV this chapter explained the characteristics of remote, electronic and online voting schemes. Similar to absentee voting the voting process is uncontrolled regarding the enforcement of privacy during RIV. Importantly, the private voting platforms of a RIV system are uncontrolled as well. In this context the protection goals were defined. In order to achieve secure client machines anonymity, accuracy, correctness, coercion resistance and verifiability are of particular interest. Finally the fundamental differences between remote e-voting and e-commerce were pointed out.

4 Cryptographic Techniques

The voter's anonymity and authenticity are important protection goals during voting. But anonymity is far from being a standard feature while communicating over the internet. An eavesdropper can for example reveal the origin of electronic correspondence by observing the internet traffic and correlating it with the originating IP address. Later on, the identity of the originator can be determined by tracing back the IP address to an individual user. However, voting protocols rely on the anonymity of the voter. In this respect, this chapter defines some requirements for the communication channel before the functioning of important cryptographic measures for their achievement is illustrated. These are mixnets, homomorphic encryption and blind signatures. For a better understanding of these measures some knowledge of the basic cryptographic principles (public key cryptography, hashes, digital signatures etc.) is advised. For a detailed explanation the reader is referred to [Buc04].

4.1 Requirements for Communication Channels

Anonymous Channel

The characteristic of an anonymous channel is that it guarantees anonymous communication. Voting scenarios especially require anonymous voters. In effect, the recipient of a cast vote cannot detect the identity of its sender. Methods for achieving this type of communication will be illustrated in the following chapter. As noted by [Rja02] it is important that an anonymous channel does not have to be untappable.

Untappable Anonymous Channel

In contrast to the former, a further requirement is added here. This is the physical security of the transmission of a message. As a result no one should be capable of intercepting the transmission of a message and of sharing the content of a message with a third party. In practice, the implementation of untappable anonymous channels is hard because it would require perfect secrecy¹.

¹ Let $M$ be the set of plaintexts, $K$ the set of keys and $C$ the set of ciphertexts. An encryption scheme $E : M \to C$ is unconditionally secure (perfectly secure) if $P(m \mid c) = P(m)$ holds for all $m \in M$ and all $c \in C$ and if the probability distribution of the keyspace is uniform and a single key $k$ exists for every plaintext $m$ and ciphertext $c$ such that $E_k(m) = c$ [Buc04].

Public Bulletin Board

Generally an electronic bulletin board is a possibility to make information publicly readable. In the context of RIV it enables different forms of verification. If a voting protocol's definition requires proofs of correctness to be posted on a bulletin board, everyone might double-check if their votes were cast as intended. But while everybody can read the postings it is important that write access is exclusively given to certain registered and authorized users. These users can write to an assigned personal area whereas the deletion of previous postings is prohibited. Besides universal verification, bulletin boards enable access control (before information is posted in the user's area it is verified) and provide communication channels between participants. If used for voting schemes bulletin boards typically display the information through the usage of web servers.

4.2 Building Blocks of RIV

Threshold Encryption

Threshold encryption describes a possibility to reconstruct a secret from the shared knowledge of several participants in a fault-tolerant way. Doing so one can lower the probability of an unauthorized person gaining access to sensitive information because there is no need to trust a single person. As described by Shamir in [Sha79] threshold encryption can be very helpful in the management of cryptographic keys. On this account it is an important measure to assure a more robust tallying process for RIV. According to Shamir a $(t, n)$ threshold scheme is required to divide the secret data $D$ into $n$ shares $D_1, \dots, D_n$ such that

1. the knowledge of any $t$ or more pieces $D_i$, where $i \in \{1, \dots, n\}$, makes $D$ easily computable.
2. knowledge of any $t - 1$ or fewer $D_i$ pieces leaves $D$ completely undetermined (in the sense that all its possible values are equally likely).
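The two properties of the (t, n) threshold scheme from [Sha79] can be checked directly. The following is an added example, not code from the thesis: it shares a secret as the constant term of a random polynomial over a prime field, reconstructs it from any t shares by Lagrange interpolation, and verifies by brute force over a small field that t - 1 shares leave every possible secret equally likely. The field modulus, the function names and the small field GF(11) used for the exhaustive check are assumptions of this illustration.

```python
"""Shamir (t, n) threshold sharing over GF(p); added illustration only."""
import secrets
from itertools import product

# Field modulus: a Mersenne prime chosen for this example (an assumption,
# not a parameter taken from the thesis or from [Sha79]).
PRIME = 2**127 - 1


def eval_poly(coeffs, x, prime):
    """Evaluate coeffs[0] + coeffs[1]*x + ... modulo prime (Horner's rule)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % prime
    return y


def split(secret, t, n, prime=PRIME):
    """Divide `secret` (D) into n shares D_1..D_n; any t of them recover it.

    The secret is the constant term of a random polynomial of degree t - 1;
    share i is the point (i, f(i)).
    """
    if not 1 <= t <= n < prime:
        raise ValueError("need 1 <= t <= n < prime")
    if not 0 <= secret < prime:
        raise ValueError("secret must be an element of the field")
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(t - 1)]
    return [(x, eval_poly(coeffs, x, prime)) for x in range(1, n + 1)]


def reconstruct(shares, prime=PRIME):
    """Property 1: recover D = f(0) from t or more shares (Lagrange at x = 0)."""
    xs = [x % prime for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("share indices must be distinct")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % prime
                den = (den * (xi - xj)) % prime
        # pow(den, -1, prime) is the modular inverse (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, prime)) % prime
    return secret


def candidate_secret_counts(shares, t, prime):
    """Property 2, checked exhaustively (use a small prime only).

    Enumerates every polynomial of degree < t over GF(prime) and counts, per
    candidate secret f(0), how many pass through the given shares. With
    t - 1 shares each candidate secret is hit the same number of times, so
    the shares carry no information about D.
    """
    counts = {s: 0 for s in range(prime)}
    for coeffs in product(range(prime), repeat=t):
        if all(eval_poly(coeffs, x, prime) == y for x, y in shares):
            counts[coeffs[0]] += 1
    return counts


if __name__ == "__main__":
    key = 123456789  # constructed sample secret
    shares = split(key, t=3, n=5)
    print("any 3 of 5 shares recover the secret:",
          reconstruct([shares[4], shares[0], shares[2]]) == key)

    small = split(7, t=3, n=5, prime=11)  # constructed toy instance
    counts = candidate_secret_counts(small[:2], t=3, prime=11)
    print("polynomials consistent with 2 shares, per candidate secret:",
          sorted(set(counts.values())))
```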


More information

Examination Regulations

Examination Regulations Examination Regulations for the Post Graduate Course of Study in International Business Informatics at the Faculty of Economics and Business Administration of the European University Viadrina Frankfurt

More information

Chap. 1: Introduction

Chap. 1: Introduction Chap. 1: Introduction Introduction Services, Mechanisms, and Attacks The OSI Security Architecture Cryptography 1 1 Introduction Computer Security the generic name for the collection of tools designed

More information

Remote (Internet) Voting in Digital India

Remote (Internet) Voting in Digital India Remote (Internet) Voting in Digital India Ideas for today and tomorrow National Conference on Remote Voting (NCRV) 2015 20-21 st July 2015 @IITM, Meghdoot, Pune The fundamental challenge in public voting

More information

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust Security in Wireless LANs and Mobile Networks Wireless Magnifies Exposure Vulnerability Information going across the wireless link is exposed to anyone within radio range RF may extend beyond a room or

More information

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

More information

How To Protect Your Privacy On The Net

How To Protect Your Privacy On The Net International Working Group on Data Protection in Telecommunications Report and Guidance on Data Protection and Privacy on the Internet "Budapest - Berlin Memorandum" adopted at the 20th Meeting in Berlin,

More information

Secure cloud access system using JAR ABSTRACT:

Secure cloud access system using JAR ABSTRACT: Secure cloud access system using JAR ABSTRACT: Cloud computing enables highly scalable services to be easily consumed over the Internet on an as-needed basis. A major feature of the cloud services is that

More information

Assumption Busters Workshop - Cloud Computing

Assumption Busters Workshop - Cloud Computing Assumption Busters Workshop - Cloud Computing Background: In 2011, the U.S. Federal Cyber Research Community conducted a series of four workshops designed to examine key assumptions that underlie current

More information

Patterns for Secure Boot and Secure Storage in Computer Systems

Patterns for Secure Boot and Secure Storage in Computer Systems Patterns for Secure Boot and Secure Storage in Computer Systems Hans Löhr, Ahmad-Reza Sadeghi, Marcel Winandy Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany {hans.loehr,ahmad.sadeghi,marcel.winandy}@trust.rub.de

More information

Associate Prof. Dr. Victor Onomza Waziri

Associate Prof. Dr. Victor Onomza Waziri BIG DATA ANALYTICS AND DATA SECURITY IN THE CLOUD VIA FULLY HOMOMORPHIC ENCRYPTION Associate Prof. Dr. Victor Onomza Waziri Department of Cyber Security Science, School of ICT, Federal University of Technology,

More information

Cloud security architecture

Cloud security architecture ericsson White paper Uen 284 23-3244 January 2015 Cloud security architecture from process to deployment The Trust Engine concept and logical cloud security architecture presented in this paper provide

More information

SENATE BILL 6139. State of Washington 64th Legislature 2015 2nd Special Session

SENATE BILL 6139. State of Washington 64th Legislature 2015 2nd Special Session S-.1 SENATE BILL State of Washington th Legislature nd Special Session By Senators Miloscia and Roach Read first time 0//. Referred to Committee on Government Operations & Security. 1 AN ACT Relating to

More information

The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

More information

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy Secure Network Communications FIPS 140 2 Non Proprietary Security Policy 21 June 2010 Table of Contents Introduction Module Specification Ports and Interfaces Approved Algorithms Test Environment Roles

More information

CONDITIONS FOR ELECTRONIC DATA EXCHANGE VIA ČSOB MULTICASH 24 SERVICE

CONDITIONS FOR ELECTRONIC DATA EXCHANGE VIA ČSOB MULTICASH 24 SERVICE This translation of the Conditions for Electronic Data Exchange via ČSOB MultiCash 24 Service from Slovak to English language is for information purposes only and does not represent a binding version.

More information

Evaluate the Usability of Security Audits in Electronic Commerce

Evaluate the Usability of Security Audits in Electronic Commerce Evaluate the Usability of Security Audits in Electronic Commerce K.A.D.C.P Kahandawaarachchi, M.C Adipola, D.Y.S Mahagederawatte and P Hewamallikage 3 rd Year Information Systems Undergraduates Sri Lanka

More information

Adversary Modelling 1

Adversary Modelling 1 Adversary Modelling 1 Evaluating the Feasibility of a Symbolic Adversary Model on Smart Transport Ticketing Systems Authors Arthur Sheung Chi Chan, MSc (Royal Holloway, 2014) Keith Mayes, ISG, Royal Holloway

More information

Why Johnny Can't Encrypt: A Usability Study of PGP

Why Johnny Can't Encrypt: A Usability Study of PGP Why Johnny Can't Encrypt: A Usability Study of PGP Jan Sousedek Technische Universität Berlin, Germany Erasmus program Summer semester 2008 Seminar: Internet Security jan.sousedek@seznam.cz Abstract Interfaces

More information

Management Standards for Information Security Measures for the Central Government Computer Systems

Management Standards for Information Security Measures for the Central Government Computer Systems Management Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...

More information

5.120 Sign at polling station

5.120 Sign at polling station 5.120 Sign at polling station *Britain increased this to two years in 1842. Government voting rights in Newfoundland and Labrador have undergone several changes in the last two centuries. Today we have

More information

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

CRYPTOGRAPHY IN NETWORK SECURITY

CRYPTOGRAPHY IN NETWORK SECURITY ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

More information

Security Digital Certificate Manager

Security Digital Certificate Manager System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure

More information

Computer Security. Draft Exam with Answers. 2009.

Computer Security. Draft Exam with Answers. 2009. Computer Security Draft Exam with Answers. 2009. Please note that the questions written here are a draft of the final exam. There may be typos in the questions that were corrected in the final version

More information

Why Cryptosystems Fail. By Ahmed HajYasien

Why Cryptosystems Fail. By Ahmed HajYasien Why Cryptosystems Fail By Ahmed HajYasien CS755 Introduction and Motivation Cryptography was originally a preserve of governments; military and diplomatic organisations used it to keep messages secret.

More information

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core PCI PA - DSS Point ipos Implementation Guide VeriFone Vx820 using the Point ipos Payment Core Version 1.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page

More information

LAW ON ELECTRONIC TRANSACTIONS

LAW ON ELECTRONIC TRANSACTIONS Lao People s Democratic Republic Peace Independence Democracy Unity Prosperity National Assembly No 20/NA Vientiane Capital, Date: 7 December 2012 (Unofficial Translation) LAW ON ELECTRONIC TRANSACTIONS

More information

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566

More information

ICOM 5018 Network Security and Cryptography

ICOM 5018 Network Security and Cryptography ICOM 5018 Network Security and Cryptography Description This course introduces and provides practical experience in network security issues and cryptographic techniques. Cryptographic algorithms and protocols

More information

A Study on Secure Electronic Medical DB System in Hospital Environment

A Study on Secure Electronic Medical DB System in Hospital Environment A Study on Secure Electronic Medical DB System in Hospital Environment Yvette E. Gelogo 1 and Sungwon Park 2 * 1 Catholic University of Daegu, Daegu, Korea 2 Department of Nursing, Hannam University, 133

More information

Bureau of Voting Systems Test Report

Bureau of Voting Systems Test Report Bureau of Voting Systems Test Report Dominion Voting Systems, Inc. GEMS Release 1.21.6, Version 1 OSX SSL Certificate Update Florida Department of State KEN DETZNER Secretary of State December 2013 R.

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

Data Storage Security in Cloud Computing

Data Storage Security in Cloud Computing Data Storage Security in Cloud Computing Prashant M. Patil Asst. Professor. ASM s, Institute of Management & Computer Studies (IMCOST), Thane (w), India E_mail: prashantpatil11@rediffmail.com ABSTRACT

More information

The Impact of 21 CFR Part 11 on Product Development

The Impact of 21 CFR Part 11 on Product Development The Impact of 21 CFR Part 11 on Product Development Product development has become an increasingly critical factor in highly-regulated life sciences industries. Biotechnology, medical device, and pharmaceutical

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

Biometric Authentication Platform for a Safe, Secure, and Convenient Society

Biometric Authentication Platform for a Safe, Secure, and Convenient Society 472 Hitachi Review Vol. 64 (2015), No. 8 Featured Articles Platform for a Safe, Secure, and Convenient Society Public s Infrastructure Yosuke Kaga Yusuke Matsuda Kenta Takahashi, Ph.D. Akio Nagasaka, Ph.D.

More information

PAYMENT SERVICES AND SYSTEMS ACT (ZPlaSS) CHAPTER 1 GENERAL PROVISIONS SUBCHAPTER 1 CONTENT OF THE ACT. Article 1. (scope)

PAYMENT SERVICES AND SYSTEMS ACT (ZPlaSS) CHAPTER 1 GENERAL PROVISIONS SUBCHAPTER 1 CONTENT OF THE ACT. Article 1. (scope) Legal notice All effort has been made to ensure the accuracy of this translation, which is based on the original Slovenian text. All translations of this kind may, nevertheless, be subject to a certain

More information

TOWN OF LACOMBE PROVINCE OF ALBERTA BYLAW 358

TOWN OF LACOMBE PROVINCE OF ALBERTA BYLAW 358 TOWN OF LACOMBE PROVINCE OF ALBERTA BYLAW 358 BEING A BYLAW OF THE TOWN OF LACOMBE, IN THE PROVINCE OF ALBERTA, TO PROVIDE FOR MUNICIPAL ELECTIONS IN THE TOWN OF LACOMBE. WHEREAS the Local Authorities

More information

Table of contents: ***

Table of contents: *** Table of contents: *** In Europe the issue of personal data protection is settled by European Parliament s and European Council s Directive 95/46/WE of October 24, 1995 (which is basis of Polish regulations)

More information

The Election Statutes of the Student Government of the College of Liberal Arts of Drew University

The Election Statutes of the Student Government of the College of Liberal Arts of Drew University The Election Statutes of the Student Government of the College of Liberal Arts of Drew University Index ARTICLE I: NAME.....3 ARTICLE II: THE ELECTIONS COMMITTEE...3 ARTICLE III: ELECTIONS.. 4 ARTICLE

More information

Network Security - ISA 656 Email Security

Network Security - ISA 656 Email Security Network Security - ISA 656 Angelos Stavrou November 13, 2007 The Usual Questions The Usual Questions Assets What are we trying to protect? Against whom? 2 / 33 Assets The Usual Questions Assets Confidentiality

More information

Chapter 7 Information System Security and Control

Chapter 7 Information System Security and Control Chapter 7 Information System Security and Control Essay Questions: 1. Hackers and their companion viruses are an increasing problem, especially on the Internet. What can a digital company do to protect

More information

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart OV-Chipkaart Security Issues Tutorial for Non-Expert Readers The current debate concerning the OV-Chipkaart security was

More information

Internet Voting Panel CalTech-MIT Voting Technology Conference March 31, 2001

Internet Voting Panel CalTech-MIT Voting Technology Conference March 31, 2001 Internet Voting Panel CalTech-MIT Voting Technology Conference March 31, 2001 Jim Adler Founder & CEO VoteHere, Inc. jim@votehere.net I'd like to thank Ron Rivest and the CalTech-MIT Voting Technology

More information

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui School of Engineering and Computer Science Te Kura Mātai Pūkaha, Pūrorohiko PO Box 600 Wellington New Zealand Tel: +64 4 463

More information

ELECTRONIC SIGNATURES FACTSHEET

ELECTRONIC SIGNATURES FACTSHEET ELECTRONIC SIGNATURES FACTSHEET Electronic signatures mean that you can exchange information with others electronically and securely safe in the knowledge that everyone is who they claim to be and that

More information

Signature Verification Why xyzmo offers the leading solution.

Signature Verification Why xyzmo offers the leading solution. Dynamic (Biometric) Signature Verification The signature is the last remnant of the hand-written document in a digital world, and is considered an acceptable and trustworthy means of authenticating all

More information

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s

More information

Exam Papers Encryption Project PGP Universal Server Trial Progress Report

Exam Papers Encryption Project PGP Universal Server Trial Progress Report Exam Papers Encryption Project PGP Universal Server Trial Progress Report Introduction Using encryption for secure file storage and transfer presents a number of challenges. While the use of strong, well

More information

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure) Cryptelo Drive Cryptelo Drive is a virtual drive, where your most sensitive data can be stored. Protect documents, contracts, business know-how, or photographs - in short, anything that must be kept safe.

More information

City of Eugene Initiative Process

City of Eugene Initiative Process City of Eugene Initiative Process This is a summary of the process for filing an Initiative Petition with the City of Eugene. For additional information, please contact City Recorder, Beth Forrest at 541

More information