Page 109 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 109
A Modular Voting Architecture (“Frog Voting”)
or whatever is appropriate for this form of Frog), and the voter’s choices are
displayed to the voter. The voter is asked to confirm that these are indeed her
choices. If they are not, the voter’s Frog is returned to her unaltered so that she
may return to the vote-entry station. 101
The second function is vote signing. The Frog is digitally signed–a cryp-
tographic digital signature of the voter’s choices is made by the vote-casting
equipment and entered into the Frog. The digital signature key is unique to that
vote-signing equipment. It identifies the machine being used and authenticates
the vote as having come from that machine. Different machines use different
keys. The signature does not identify the voter in any way.
The third function is vote copying. The equipment makes an electronic digital
copy of the signed vote. This copy will be communicated later on to the recording
system.
The fourth function is vote sealing. The Frog is “sealed” or frozen so that no
further changes may be made to the information it contains. With an electronic
memory card Frog, a fuse might be blown that disables further writing. With
paper, sealing might be more difficult to do and might have to be omitted,
although laminating the ballot might serve the same purpose.
The fifth function is Frog capture. The Frog is taken hostage and saved as part
of the audit trail.
5 Vote Recording
When the election is closed, the vote-casting equipment transmits the electronic
copies of the votes, including initialization data and digital signature, to the
recording system. Each vote-casting machine displays the number of votes it has
signed and transmitted, which is recorded by the election officials. The Frog-
initialization machines also display the number of Frogs they have initialized;
these numbers are also recorded.
The recording system makes all votes and associated counts publicly avail-
able. The votes might, for example, be posted on the Web. Anyone can check
the consistency of the counts, verify the digital signatures on the votes, and
add up the totals to see who has won each race. We believe that this form of
“universal verifiability” greatly enhances security and improves confidence in the
result. Universal verifiability of all votes is possible today on all systems except
lever machines and several models of DREs. Until recently, Los Angeles County,
California created an electronic copy of all ballots cast-the actual image of the
punch cards. The ballots could be publicly inspected.
6 Specific Examples of Frogs
The separation between vote capture and vote casting allows incredible flexibility
in the system. Frogs can be created and cast at the polling places as is currently
done. Frogs might also be created remotely and then recorded at a recording or
polling place.
