Towards Trustworthy Elections: New Directions in Electronic Voting (David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida), p. 104
S. Bruck, D. Jefferson, and R.L. Rivest
anonymous element in the list of votes cast. The election officials and voters must have strong reason to believe that the vote-casting equipment does not, at the last instant, change the voter’s vote just before it is cast.

For this reason, we feel that the vote-casting equipment should be totally “open source”: the software for such a machine should be publicly available. The procedures for ensuring that the equipment actually contains the published software should be public and followed by the election officials. Such machines should be very rigorously evaluated during certification. A county may buy several vote-casting machines for each precinct, from different manufacturers.

This division of equipment into two parts may thus solve a problem in the industry: allowing manufacturers to protect some intellectual property (the code for the vote-capture systems) while ensuring that the most security-critical portions are open-source, heavily reviewed, and highly trustworthy.

Note that the vote-casting equipment does exactly the same thing for each election: it merely displays the contents of the Frog, gets the voter’s final approval, digitally signs the contents of the Frog, and makes a copy of everything. It does not need to know anything about the particular election being run (although it will use an election-specific digital signature key); the voter is herself taking responsibility for final approval. It does not even have the ability to change a user’s vote, if the user does not approve it; that is the function of vote-capture. (Of course, we expect that some voters may not bother to read the final confirmation screen carefully; that is their choice. Indeed, we do not expect there are likely to be problems at this stage, although some voters may change their minds at the last instant or they may realize that they forgot to vote in some contest.)

The election officials can take the vote-casting equipment out of the closet, initialize it with the cryptographic signing key it is to use, and then power it on.

Of course, a voter should not be allowed to use the vote-casting equipment unless she has been identified as an eligible voter who has not previously voted. Some physical control of the voters at the polling place is necessary. Conceivably one could authenticate the voters at the vote-casting station, but then the issues of ballot style, language, etc. may not get handled properly, and it seems more awkward to have problems arise at this late stage if there have been problems with the voter’s registration from the beginning of the process.

The use of digital signatures is an important and critical part of this design. Anyone who could forge digital signatures could forge votes. The cryptographic digital signature keys need to be carefully managed. A reasonable extension of the basic AMVA design would allow the vote-casting machinery to simultaneously use several signature modules (e.g., each on its own memory card), so that each cast vote is signed by all modules. In addition to the basic signature module supplied by an election official, there may be signature modules supplied by each political party. Requiring several signatures on a vote makes it much harder for a single individual to surreptitiously “borrow” the equipment and forge signed votes. The parties would keep a careful eye on their signature modules, not supplying them until just before the election and retrieving them as soon as the election was over.
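As an added illustration of the multi-module signing just described (not code from the paper or the AMVA project; the SignatureModule type, the Frog byte encoding and the holder names are assumptions), the following Go sketch models the vote-casting signing step and a verifier that accepts a cast vote only when every expected module has signed it, so a vote produced with a single borrowed module, or with altered Frog contents, is rejected:

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignatureModule models one removable signing module (e.g. a memory card)
// held by an election official or a political party; priv never leaves it.
type SignatureModule struct {
	Holder string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
}

// NewSignatureModule generates a fresh election-specific key for one holder.
func NewSignatureModule(holder string) *SignatureModule {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SignatureModule{Holder: holder, Pub: pub, priv: priv}
}

// CastVote is the vote-casting step after the voter's final approval: the
// Frog contents are signed by every inserted module (holder -> signature).
func CastVote(frog []byte, modules []*SignatureModule) map[string][]byte {
	sigs := make(map[string][]byte, len(modules))
	for _, m := range modules {
		sigs[m.Holder] = ed25519.Sign(m.priv, frog)
	}
	return sigs
}

// VerifyVote accepts a cast vote only if every expected module's signature
// is present and valid; one signed with a single borrowed module fails.
func VerifyVote(frog []byte, sigs map[string][]byte, expected []*SignatureModule) bool {
	for _, m := range expected {
		if sig, ok := sigs[m.Holder]; !ok || !ed25519.Verify(m.Pub, frog, sig) {
			return false
		}
	}
	return true
}

func main() {
	all := []*SignatureModule{NewSignatureModule("official"), NewSignatureModule("party A")}
	frog := []byte("contest=mayor;choice=2") // constructed sample Frog contents
	fmt.Println(VerifyVote(frog, CastVote(frog, all), all), VerifyVote(frog, CastVote(frog, all[:1]), all))
}
```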

