A robust new e-voting security model using anonymous public key certificates

Most electronic voting solutions have so far been complex and correspondingly difficult for regulators to validate. The full scale of the problem was revealed by independent testing in California and the subsequent high profile de-certification of several voting machines in that state in August 2007. We propose a robust new security model based on public key technology and smartcards. Highly tamper resistant digital signatures and public key certificates protect both the ballots and individual voters’ electoral enrolment. The solution can be deployed on a variety of modern smartcards with built in cryptographic processors, the likes of which are widespread in Asia, Europe and the US. Each ballot cast would be unique and anonymous, unable to be replayed, nor modified. Each voter could only vote once. The security model, based on mature public key infrastructure standards, is simple. It is therefore inexpensive to implement yet straightforward to independently validate and certify. Introduction and background World wide experience of electronic voting to date has almost universally raised concerns about the quality and security of the underlying technologies and information systems. At best, e-voting systems have been criticised as lacking transparency. For instance, the Open Rights Group in its critical review of recent trials of e-voting in the United Kingdom1 commented that “E-voting is a ‘black box system’, where the mechanisms for recording and tabulating the vote are hidden from the voter. This makes public scrutiny impossible, and leaves statutory elections open to error and fraud” —[1]. At its worst, e-voting has been described as a “fiasco” for what some argue is a demonstrably disappointing standard of software engineering [2]. Following Britain’s local government internet voting pilots of May 2007, the United Kingdom Electoral Commission concluded that “the level of risk placed on the availability and integrity of the electoral process was unacceptable. There are clearly wider issues associated with the underlying security and transparency of these e-voting solutions ... which need to be addressed” [3]. The commission went on to strongly recommend a central process for testing and approving e-voting solutions. One of the first places to attempt such a process was the state of California. After mixed experiences with commercial off-theshelf e-voting solutions, the Secretary of State there initiated a “top-to-bottom” review of no fewer than four products, culminating in the high profile and unprecedented de-certification of all of them, in August 2007 [4]. Despite the challenges and the recent apparent setbacks, we should still strive for secure electronic voting and, ultimately, trustworthy Internet based e-voting. 1 For more background on the United Kingdom trials, refer to the UK Electoral Commission website www.electoralcommission.org.uk. A robust new e-voting security model using anonymous public key certificates Copyright © 2007 Lockstep Technologies Pty Ltd 2 Lockstep e-voting solution PREPRINT (2.2).doc The important potential benefits include: — improved voter turnout — better availability and efficiency for absentee voting2 — reduced cost by avoiding the need for special voting equipment, which needs to be archived and/or maintained between elections. While the focus of this paper is political elections, we should also remember that the medium of the Internet is ideal for a range of other polling and survey activities, such as opinion polling, deliberative polling, citizen initiated referenda, and company board elections. The demand for Internet based election and polling solutions is set to grow strongly. Emerging standards for e-voting While many critiques have been recently published (see e.g. [1], [2], [3] and [5]), perhaps the most elaborate and comprehensive attempt to standardise the requirements for e-voting has been that of the US National Institute of Standards and Technology’s Voluntary Voting System Guidelines (VVSG) [6]. With respect to the security model of e-voting, there are two particularly significant requirements set down by NIST. The first such requirement is for Software Independence, meaning that “an undetected error or fault in the voting system’s software is not capable of causing an undetectable change in election results”. NIST requires that all voting systems must be “software independent” in order to conform to the VVSG. A crucial feature of our anonymous certificate based e-voting solution is that it is decoupled from the voter’s PC platform software, and is purely reliant on the compact secure firmware of a smartcard, which is far more amenable to independent verification. The reality of intrinsically insecure e-voting software – or to put it more optimistically, 2 Providing defence force personnel with the capacity to vote when on duty overseas has been a special policy goal of Australia and the United States, amongst other nations, in recent years. the reality that software can probably not be proven to be secure; see The nature of the software engineering challenge below – led NIST and other analysts to further mandate the feature of Voter Verifiability. The NIST guidelines require that all voting systems include “a vote-capture device that uses independent voter-verifiable records (IVVR). IVVR can be audited independently of the voting system software but do not necessarily have to be paper-based” (emphasis added) [6]. The design we propose here provides for a redundant, tamper-resistant soft copy of one’s ballot to be retained privately on a smartcard, from where it can be retrieved and checked at any time. The nature of the software engineering challenge So why has developing robust e-voting systems been such a struggle? From first principles, we really should expect difficulty when marrying mission and security critical applications to commercial operating system platforms. Complex fat client software is always hard to test, and fundamentally may be impossible to fully verify. Software quality professionals are familiar with the tenet that “Finding all errors in a large system is generally held to be impossible ... or else highly demanding and extremely expensive” [5]. It becomes especially prohibitive to manually inspect application code when its design makes it dependent on operating system code for its security functions; this is the case with almost all commercial software. Not only are many thousands, even millions of lines of code involved; it is not unusual for operating system vendors to keep details of their own software secret , in the interests of intellectual property protection. Such restrictions can be tolerated in most business applications, but with e-voting the social stakes are enormously greater. A robust new e-voting security model using anonymous public key certificates Copyright © 2007 Lockstep Technologies Pty Ltd 3 Lockstep e-voting solution PREPRINT (2.2).doc Cryptographer and security expert Ron Rivest has written specifically on the evoting challenge: There is a fundamental problem we must face when trying to design remote electronic voting systems: the ‘secure platform problem.’ Cryptography is not the problem. ... The problem is interfacing the voter to the cryptography. Almost all proposed cryptographic voting protocols assume that a voter ... has a secure computing platform that will faithfully execute her portion of the