US20070189519A1 - Detecting compromised ballots - Google Patents


Info

Publication number: US20070189519A1
Application number: US11/512,072
Authority: US (United States)
Inventor: C. Neff
Original and current assignee: Individual (as listed by Google Patents, without legal analysis)
Legal status: Abandoned (as listed by Google Patents; an assumption, not a legal conclusion)
Priority claimed from: US09/816,869 (US6950948B2)
Later application claiming priority to this one: US11/950,334 (US20080172333A1)
Prior art keywords: ballot, encrypted, confirmation, voter, computer system

Classifications

    • G07C13/00 Voting apparatus
    • G06Q20/382 Payment protocols insuring higher security of transaction
    • H04L9/0844 Key agreement involving Diffie-Hellman or related protocols with user or key authentication, e.g. ElGamal, MTI, MQV (Menezes-Qu-Vanstone), or Diffie-Hellman using implicitly-certified keys
    • H04L9/3013 Public-key cryptography whose underlying computational problem is the discrete logarithm, e.g. ElGamal or Diffie-Hellman systems
    • H04L9/3218 Entity or message authentication using proofs of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L2209/463 Secure multiparty computation: electronic voting
    • H04L2209/60 Digital content management, e.g. content distribution

Definitions

  • the voter verifies that the confirmation string the voter saw displayed by the voter's computer is consistent with both the voter's intended choice and this confirmation dictionary.
  • Any inconsistency indicates that some sort of unexpected behavior has occurred on the voter's computer, or in transmission, and corrective action should be taken.
  • an individual voter's ballot can be removed from the ballot box and resubmitted.
  • the exact procedure for voter corrective action is a matter of policy, and may involve some form of voter protest, followed by a resubmission of the ballot in a controlled, secure environment. Alternatively, the voter may be allowed a few attempts from a remote computer before being forced to go to a controlled environment to resubmit.
  • the essential cryptographic foundation of this protocol is that the voter's computer, or malicious software running on it, cannot (for well chosen, i.e., randomly chosen, m_y and m_n) compute the complementary confirmation string, i.e., compute K_i m_n^{β_i} from K_i m_y^{β_i} (or vice versa). This is because doing so requires computing (m_n/m_y)^{β_i} (or its inverse), and the only information available to aid in this task is h^{β_i}. In short, the malicious software would have to solve an instance of the Diffie-Hellman Problem.
  • without a proof of validity, the voter's computer can submit (X_i, Y_i h^γ) for any chosen γ ∈ Z_q. This will have the effect of transforming a valid vote into an invalid one.
  • when the computer receives the encrypted vote confirmation, it can follow the protocol to compute K_i h^{γβ_i} m^{β_i}; because it knows γ and U_i = h^{β_i}, it can divide out U_i^γ = h^{γβ_i} and display the correct string K_i m^{β_i}, so this undirected corruption would pass the voter's check unnoticed.
  • the validity proof constructed by the voter proves to the vote collection center that, (X i ,Y i ), the encrypted decision (ballot) received from voter V i , is either an encryption of m y or an encryption of m n without revealing any information about which of these values it is.
  • Methods for constructing validity proofs of this type can be found in U.S. patent application Ser. No. 09/535,927, as well as R. Cramer, I. Damgard, B. Schoenmakers, Proofs of partial knowledge and simplified design of witness hiding protocols , Advances in Cryptology, CRYPTO '94, Lecture Notes in Computer Science, pp. 174-187, Springer-Verlag, Berlin, 1994, which is hereby incorporated by reference in its entirety.
  • the validity proof proves that the received encrypted ballot is valid, which is exactly what is needed to prevent the undetected, undirected vote corruption of the previous section.
  • the malicious software may try an undirected vote corruption as before, but it will not be able to supply the required validity proof, and thus will be detected even before the encrypted vote confirmation is returned to the voter.
  • the secret value confirmation protocol itself detects directed vote corruption.
  • for a question with n allowable answers, n elements of Z_q are chosen independently and at random. These are assigned, in sequence, as the corresponding response values to each allowable answer, resulting in the specific decision encoding scheme.
  • in step 5 the voter can now compare the displayed string against the voter's confirmation dictionary (obtained by one of the various modes described there).
  • the confirmation dictionary for voter V_i would consist of the following table, laid out in any reasonable format, where a_j is the j-th allowable answer, C_ij the corresponding confirmation value, and h(·) the display hash (not the ElGamal public key h):
    a_1    h(C_i1)
    a_2    h(C_i2)
    ...    ...
    a_n    h(C_in)
  • Some electronic election protocols include additional features, such as:
  • This example assumes an election protocol that encodes voter responses (answers) as a single ElGamal pair.
  • some embodiments of the facility incorporate the homomorphic election protocol described in U.S. patent application Ser. No. 09/535,927. In that protocol, a voter response is represented by multiple ElGamal pairs.
  • the confirmation dictionary used in this example is easily modified to either display a concatenation of the respective confirmation strings, or to display a hash of the sequence of them.
  • the jurisdiction must first agree on the election initialization data. This at least includes: the basic cryptographic numerical parameters, a ballot (i.e. a set of questions and allowable answers, etc.), and a decision encoding scheme. (It may also include additional data relevant to the particular election protocol being used.)
  • the ballot collection center (or agency) generates random, independent ⁇ i and K i for each voter, V i . If the confirmation dictionary is to be sent after vote reception, these parameters can be generated, on a voter by voter basis, immediately after each voted ballot is accepted. Alternatively, they can be generated in advance of the election. In this example, the ballot collection agency has access to these parameters both immediately after accepting the voted ballot, and immediately before sending the respective voter's confirmation dictionary.
  • each voter V obtains, and authenticates, the election initialization data described above. It can be obtained by submitting a “ballot request” to some ballot server.
  • the jurisdiction may have some convenient means to “publish” the election initialization data—that is, make it conveniently available to all voters.
  • V is able to determine that the expected response is the standard encoding of a particular sequence of two distinct data elements. These are (in their precise order):
  • Voter V (or more precisely, V's computer) must prove that one of the following conditions hold
  • V encodes these elements, in sequence, as defined by the standard encoding format.
  • the resulting sequences form V's voted ballot.
  • V may also digitally sign this voted ballot with his private signing key.
  • the resulting combination of V's voted ballot, and his digital signature forms his signed voted ballot.
  • each voter transmits his (optionally signed) voted ballot back to the data center collecting the votes.
  • Each voter confirmation dictionary is computed by the vote collection center, since, as described above, it is the entity which has knowledge of the voter specific values of ⁇ and K.
  • FIGS. 1-3 illustrate certain aspects of the facility.
  • FIG. 1 is a high-level block diagram showing a typical environment in which the facility operates.
  • the block diagram shows several voter computer systems 110 , each of which may be used by a voter to submit a ballot and verify its uncorrupted receipt.
  • Each of the voter computer systems are connected via the Internet 120 to a vote collection center computer system 150 .
  • the facility transmits ballots from the voter computer systems to the vote collection center computer system, which returns an encrypted vote confirmation.
  • the facility uses this encrypted vote confirmation to determine whether the submitted ballot has been corrupted. While preferred embodiments are described in terms in the environment described above, those skilled in the art will appreciate that the facility may be implemented in a variety of other environments including a single, monolithic computer system, as well as various other combinations of computer systems or similar devices connected in various ways.
  • FIG. 2 is a block diagram showing some of the components typically incorporated in at least some of the computer systems and other devices on which the facility executes, such as computer systems 110 and 130 .
  • These computer systems and devices 200 may include one or more central processing units (“CPUs”) 201 for executing computer programs; a computer memory 202 for storing programs and data while they are being used; a persistent storage device 203 , such as a hard drive for persistently storing programs and data; a computer-readable media drive 204 , such as a CD-ROM drive, for reading programs and data stored on a computer-readable medium; and a network connection 205 for connecting the computer system to other computer systems, such as via the Internet.
  • FIG. 3 is a flow diagram showing steps typically performed by the facility in order to detect a compromised ballot.
  • the facility may perform a set of steps that diverges from those shown, including proper supersets and subsets of these steps, reorderings of these steps, and sets of steps in which certain steps are performed by other computing devices.
  • the facility encodes a ballot choice selected by the voter in order to form a ballot.
  • the facility encrypts this ballot.
  • the encrypted ballot is an ElGamal pair, generated using an election public key and a secret maintained on the voter computer system.
  • the facility optionally signs the ballot with a private key belonging to the voter.
  • the facility constructs a validity proof that demonstrates that the encrypted ballot is the encryption of a ballot in which a valid ballot choice is selected.
  • the facility transmits the encrypted, signed ballot and the validity proof to a vote collection center computer system.
  • in step 321 the facility receives this transmission in the vote collection center computer system.
  • in step 322 the facility verifies the received validity proof.
  • in step 323, if the validity proof is successfully verified, the facility continues with step 324; otherwise it does not continue to step 324 (the ballot is rejected before any confirmation is issued).
  • in step 324 the facility generates an encrypted confirmation of the encrypted ballot. The facility does so without decrypting the ballot, which is typically not possible in the vote collection center computer system, where the secret used to encrypt the ballot is not available.
  • in step 325 the facility transmits the encrypted confirmation 331 to the voter computer system.
  • in step 341 the facility receives the encrypted vote confirmation in the voter computer system.
  • in step 342 the facility uses the secret maintained on the voter computer system to decrypt the encrypted vote confirmation.
  • in step 343 the facility displays the decrypted vote confirmation for viewing by the user.
  • in step 344, if the confirmation dictionary in the voter's possession translates the displayed vote confirmation to the ballot choice selected by the voter, the facility continues in step 345; otherwise it continues in step 346.
  • in step 345 the facility determines that the voter's ballot is not corrupted, whereas in step 346 the facility determines that the voter's ballot is corrupted. In this event, embodiments of the facility assist the user in revoking and resubmitting the voter's ballot.

Abstract

A facility for discerning corruption of an electronic ballot is described. The facility sends from a first computer system to a second computer system an encrypted ballot that reflects a ballot choice selected by a voter. The facility then sends a confirmation from the second computer system to the first computer system, which serves to convey the decrypted contents of the encrypted ballot as received at the second computer system, and which is generated without decrypting the encrypted ballot. In the first computer system, the facility uses the confirmation to determine whether the decrypted contents of the encrypted ballot as received at the second computer system match the ballot choice selected by the voter.

Description

    CROSS REFERENCE TO RELATED APPLICATIONS
  • This application is a continuation of U.S. patent application Ser. No. 10/038,752, filed Dec. 31, 2001, now U.S. Pat. No. 7,099,471 issued Aug. 29, 2006, which claims the benefit of U.S. Provisional Application No. 60/270,182 filed Feb. 20, 2001, and U.S. patent application Ser. No. 10/038,752 is a continuation-in-part of each of U.S. patent application Ser. No. 09/534,836, filed Mar. 24, 2000; U.S. patent application Ser. No. 09/535,927, filed Mar. 24, 2000; and U.S. patent application Ser. No. 09/816,869 filed Mar. 24, 2001. Each of these applications is incorporated by reference in its entirety.
  • TECHNICAL FIELD
  • The present invention is directed to the fields of election automation and cryptographic techniques therefor.
  • BACKGROUND
  • The problems of inaccuracy and inefficiency have long attended conventional, manually-conducted elections. While it has been widely suggested that computers could be used to make elections more accurate and efficient, computers bring with them their own pitfalls. Since electronic data is so easily altered, many electronic voting systems are prone to several types of failures that are far less likely to occur with conventional voting systems.
  • One class of such failures relates to the uncertain integrity of the voter's computer, or other computing device. In today's networked computing environment, it is extremely difficult to keep any machine safe from malicious software. Such software is often able to remain hidden on a computer for long periods of time before actually performing a malicious action. In the meantime, it may replicate itself to other computers on the network, or computers that have some minimal interaction with the network. It may even be transferred to computers that are not networked by way of permanent media carried by users.
  • In the context of electronic secret ballot elections, this kind of malicious software is especially dangerous, since even when its malicious action is triggered, it may go undetected, and hence left to disrupt more elections in the future. Controlled logic and accuracy tests (“L&A tests”) monitor the processing of test ballots to determine whether a voting system is operating properly, and may be used in an attempt to detect malicious software present in a voter's computer. L&A tests are extremely difficult to conduct effectively, however, since it is possible that the malicious software may be able to differentiate between “real” and “test” ballots, and leave all “test” ballots unaffected. Since the requirement for ballot secrecy makes it impossible to inspect “real” ballots for compromise, even exhaustive L&A testing may prove futile. The problem of combating this threat is known as the “Client Trust Problem.”
  • Most existing methods for solving the Client Trust Problem have focused on methods to secure the voting platform, and thus provide certainty that the voter's computer is “clean,” or “uninfected.” Unfortunately, the expertise and ongoing diligent labor that is required to achieve an acceptable level of such certainty typically forces electronic voting systems into the controlled environment of the poll site, where the client computer systems can be maintained and monitored by computer and network experts. These poll site systems can still offer some advantages by way of ease of configuration, ease of use, efficiency of tabulation, and cost. However, this approach fails to deliver on the great potential for distributed communication that has been exploited in the world of e-commerce.
  • Accordingly, a solution to the Client Trust Problem that does not require the voting platform to be secured against malicious software, which enables practically any computer system anywhere to be used as the voting platform, would have significant utility.
  • BRIEF DESCRIPTION OF DRAWINGS
  • FIG. 1 is a high-level block diagram showing a typical environment in which the facility operates.
  • FIG. 2 is a block diagram showing some of the components typically incorporated in at least some of the computer systems and other devices on which the facility executes.
  • FIG. 3 is a flow diagram showing steps typically performed by the facility in order to detect a compromised ballot.
  • DETAILED DESCRIPTION
  • A software facility for detecting ballots compromised by malicious programs (“the facility”) is provided. The approach employed by the facility is unique in that it does not make any attempt to eliminate, or prevent the existence of malicious software on the voting computer. Instead, it offers a cryptographically secure method for the voter to verify the contents of the voter's ballot as it is received at the vote collection center, without revealing information about the contents (ballot choices) to the collection center itself. That is, the vote collection center can confirm to the voter exactly what choices were received, without knowing what those choices are. Thus, the voter can detect any differences between the voter's intended choices, and the actual choices received at the vote collection center (as represented in the transmitted voted ballot digital data). Further, each election can choose from a flexible set of policy decisions allowing a voter to re-cast the voter's ballot in the case that the received choices differ from the intended choices.
  • A. The Simplest Secret Value Confirmation Setting
  • In order to understand the key cryptographic protocol that makes secret value confirmation possible, we first describe a simplified embodiment of the facility. In accordance with this embodiment, the ballot consists of a single yes or no question. The challenge then is to have the voter secretly communicate the voter's choice—yes or no—to the vote collection center, and then further confirm that what was actually received at the vote collection center was exactly what the voter intended. In other words, if a “yes” vote was somehow changed to a “no” vote, or a “no” vote was somehow changed to a “yes” vote, the facility informs the voter of this fact.
  • An electronic vote representation is used to represent the contents of the voter's ballot. Suitable electronic vote representations include those described in the patent applications identified in the related application section.
  • 1. Ballot Construction: A set of cryptographic “election parameters” are agreed upon by election officials in advance of the election start, and made publicly known by wide publication or other such means. These parameters include encryption group, generator, ElGamal public key, and decision encoding scheme. Most commonly these consist of:
      • (a) The encryption group: A large prime, p.
      • (b) The generator: An integer (or, technically, an integer residue class) g ∈ Z_p, which has prime multiplicative order q, with the property that q is a multiplicity 1 divisor of p−1.
      • (c) The ElGamal public key: Another integer residue class, h ∈ <g>. That is, h = g^s for some integer value of s.
      • (d) The decision encoding scheme: A partition of <g> into “yes”, “no” and “invalid” group elements. That is, <g> = S_y ∪ S_n ∪ S_i, where S_y, S_n, S_i are pairwise disjoint subsets of <g>: the “yes” messages, “no” messages, and “invalid” messages respectively.
        However, other groups and elements can be used. In particular, the facility may be implemented using Elliptic Curves rather than Z_p groups.
  • 2. Vote Submission: Each voter encrypts the voter's decision, “yes” or “no”, as an ElGamal pair, (X_i, Y_i) = (g^α, h^α m), where α ∈ Z_q is chosen randomly by the voter, m ∈ S_y if the voter wishes to choose “yes” and m ∈ S_n if the voter wishes to choose “no”. Any other message (i.e., m ∈ S_i) is considered invalid. This encrypted value is what is digitally signed by the voter, and then transmitted to the vote collection center. For now, we will consider a simple decision encoding scheme in which S_y = {G_y}, S_n = {G_n}, and S_i = <g> − {G_y, G_n}. However, with obvious small modifications, the discussion that follows applies equally well to more general settings.
  • If the voter was computing these values himself—say with pencil and paper—this protocol would essentially suffice to implement a secret-ballot, universally verifiable election system. (Depending on the tabulation method to be used, some additional information, such as a voter proof of validity may be necessary.) However, since the voter only makes choices through a user interface, it is in many cases unrealistic to expect him/her to check the actual value of the bits sent and compare them to the voter's intent. In short, malicious software can ignore voter intent and submit a “no” vote when the voter specified “yes”, or submit a “yes” vote when the voter specified “no”.
  • B. Creating a Secret Value Confirmation
  • We differentiate two types of vote corruption, directed and undirected.
  • Directed vote corruption is the act of changing a “yes” vote to a “no” vote, or a “no” vote to a “yes” vote. Undirected vote corruption is the act of changing from a “valid” vote (“yes” or “no”) to an “invalid” vote. The following steps will detect directed vote corruption in the simple ballot setting of the previous section. They rely on the intractability of the Diffie-Hellman Problem described in A. M. Odlyzko, Discrete logarithms in finite fields and their cryptographic significance, Advances in Cryptology—EURO-CRYPT '84, Lecture Notes in Computer Science, Springer-Verlag, 1984.
  • 1. The computer operated by voter Vi submits the encrypted decision as before, optionally signing the encrypted decision using a private key of this voter.
  • 2. The vote collection center generates two values Ki∈Zp and βi∈Zq randomly and independently. These values are generated on a per voter basis, and kept secret from all but the collection center. They may be generated in advance of the election.
  • 3. The vote collection center computes the values
    $W_i = K_i Y_i^{\beta_i} = K_i h^{\alpha_i \beta_i} m^{\beta_i}$  (1)
    $U_i = h^{\beta_i}$  (2)
    and returns them to the voter's computer. $W_i$ and $U_i$ are together known as the "encrypted vote confirmation."
  • 4. The voter's computer, knowing the secret $\alpha_i$, can compute $W_i / U_i^{\alpha_i} = K_i m^{\beta_i}$. It then displays this value to the voter. In some embodiments, the facility displays a hash of this value to the voter, rather than the value itself.
  • When displaying the hash, the data is generally shorter, so the voter has fewer characters to read and compare.
  • The vote collection center does not know what value is, or should be, displayed, since the vote data it received was strongly encrypted. However, it does know:
      • (a) If the voter voted "yes", the value $K_i m_y^{\beta_i}$ should be displayed,
      • (b) If the voter voted "no", the value $K_i m_n^{\beta_i}$ should be displayed,
      • (c) If the voter voted any invalid value, a value other than these two should be displayed.
  • 5. The voter can now check the validity of the vote received by contacting the vote collection center through some secure communication channel, such as telephone, fax, or surface mail. By sending a request containing
      • (a) the voter's voter id, and
      • (b) optionally, a short PIN (4-5 digits typically suffice) to prevent the malicious software from masquerading remotely as the voter,
    the voter can obtain from the vote collection center a "confirmation dictionary" indicating the two possible values the voter should have seen displayed depending on how the voter voted, such as "If you voted 'yes', your confirmation string should be 'xyz . . .' and if you voted 'no', your confirmation string should be 'abc . . .'". In some embodiments, the confirmation dictionary is supplied to the voter in advance of the election. For example, the unique confirmation dictionary for each voter could be sent through the postal mail as part of a "voter information packet." (Note that absentee ballots are delivered to voters through the postal mail.)
  • 6. The voter verifies that the confirmation string the voter saw displayed by the voter's computer is consistent with both the voter's intended choice and this confirmation dictionary.
  • 7. Any inconsistency indicates that some sort of unexpected behavior has occurred on the voter's computer, or in transmission, and corrective action should be taken. In many electronic voting schemes, an individual voter's ballot can be removed from the ballot box and resubmitted. The exact procedure for voter corrective action is a matter of policy, and may involve some form of voter protest, followed by a resubmission of the ballot in a controlled, secure environment. Alternatively, the voter may be allowed a few attempts from a remote computer before being forced to go to a controlled environment to resubmit.
  • The essential cryptographic foundation of this protocol is that the voter's computer, or malicious software running on it, cannot (for well chosen, i.e., randomly chosen, $m_y$ and $m_n$) compute the complementary confirmation string, i.e., compute $K_i m_n^{\beta_i}$ from $K_i m_y^{\beta_i}$ (or vice versa). This is because doing so requires computing $(m_n/m_y)^{\beta_i}$ (or its inverse), and the only information available to aid in this task is $U_i = h^{\beta_i}$. In short, the malicious software would have to solve an instance of the Diffie-Hellman Problem.
  • C. An Attack on the Previous Protocol
  • As noted, malicious software cannot conduct directed vote corruption without the corruption being detected and later corrected. However, the basic version of the protocol outlined above in some cases may allow undirected vote corruption to go undetected as in the following scenario.
  • 1. Instead of submitting $(X_i, Y_i)$ as the voter intends, the voter's computer can submit $(X_i, Y_i h^{\gamma})$ for any $\gamma \in Z_q$ of its choosing. This has the effect of transforming a valid vote into an invalid one. When the computer receives the encrypted vote confirmation, it can follow the protocol to compute $K_i h^{\gamma \beta_i} m^{\beta_i}$.
  • 2. Were it to display this value, the voter would notice a problem, since it would not match the confirmation dictionary. However, since the malicious software generated, and therefore knows, $\gamma$, and also knows $U_i = h^{\beta_i}$ from the encrypted confirmation it received, it can compute $(h^{\beta_i})^{\gamma} = h^{\gamma \beta_i}$. By division, it can then compute the right value $K_i m^{\beta_i}$, i.e., the one that matches the voter's confirmation dictionary, and display it, thereby fooling the voter. Of course, invalid votes will be detected at tabulation time, but this will usually be too late for corrective action to be taken. Embodiments of the facility guard against such an undirected attack by employing a voter validity proof as discussed in the next section.
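  • The exchange of sections B and C, and the general multi-answer encoding of section D, carried through in Python as an added example (this is not code from the patent). It uses the toy parameters of the worked example later on the page (p = 47, q = 23, g = 2, h = 7 = g^12, the four response values 9, 21, 36, 17, and the voter-specific values α = 5, β = 18, K = 37). The election secret s = 12 appears only so that tabulation can be mimicked; the collection center never uses it. The choice of γ in `undirected_attack`, and the function names, are assumptions made for the illustration.

```python
"""Secret Value Confirmation over the page's toy parameters (added example).

p=47, q=23, g=2, h=7 (= g^12 mod 47) and the response values come from the
page's worked example; gamma in the attack below is our own choice.
"""
import secrets

P, Q, G, H = 47, 23, 2, 7
S_ELECTION = 12        # election private key (h = g^s); only tabulation uses it
MU = {"Blue": 9, "Green": 21, "Red": 36, "I abstain": 17}   # decision encoding


def encrypt(mu, alpha):
    """Voter side: ElGamal pair (X, Y) = (g^alpha, h^alpha * mu) mod p."""
    return pow(G, alpha, P), pow(H, alpha, P) * mu % P


def tabulate(X, Y):
    """Tabulation (holder of s): Y / X^s recovers mu. An invalid mu is only
    noticed here, i.e. after the polls close."""
    return Y * pow(X, -S_ELECTION, P) % P


def confirmation(Y, beta, K):
    """Collection center: (W, U) = (K * Y^beta, h^beta). Needs neither s nor alpha."""
    return K * pow(Y, beta, P) % P, pow(H, beta, P)


def open_confirmation(W, U, alpha):
    """Voter's computer: C = W / U^alpha = K * mu^beta."""
    return W * pow(U, -alpha, P) % P


def dictionary(beta, K):
    """Confirmation dictionary, delivered to the voter over an independent channel."""
    return {choice: K * pow(mu, beta, P) % P for choice, mu in MU.items()}


def voter_params():
    """Per-voter secrets held by the collection center: beta in Z_q, K in Z_p^*."""
    return secrets.randbelow(Q - 1) + 1, secrets.randbelow(P - 1) + 1


def cast(choice, alpha, beta, K):
    """Honest client round trip: returns the displayed string and the stored ciphertext.
    A directed corruption is simply cast() of the wrong choice: the display is then
    K * mu_wrong^beta, and turning it into K * mu_right^beta needs
    (mu_right / mu_wrong)^beta, a Diffie-Hellman instance given only U = h^beta."""
    X, Y = encrypt(MU[choice], alpha)
    W, U = confirmation(Y, beta, K)
    return open_confirmation(W, U, alpha), (X, Y)


def undirected_attack(choice, alpha, gamma, beta, K):
    """Section C: malware submits (X, Y * h^gamma), an encryption of the invalid value
    mu * h^gamma. Because it chose gamma it can strip h^(gamma*beta) = U^gamma from the
    confirmation and display exactly the string the voter expects."""
    X, Y = encrypt(MU[choice], alpha)
    Y_bad = Y * pow(H, gamma, P) % P
    W, U = confirmation(Y_bad, beta, K)
    honest_display = open_confirmation(W, U, alpha)          # K * h^(gamma*beta) * mu^beta
    forged_display = honest_display * pow(U, -gamma, P) % P  # == K * mu^beta
    return honest_display, forged_display, (X, Y_bad)


if __name__ == "__main__":
    beta, K = 18, 37
    shown, _ = cast("Green", 5, beta, K)
    print("displayed:", shown, "dictionary:", dictionary(beta, K))
    print("undirected attack displays:", undirected_attack("Green", 5, 3, beta, K)[1])
```

  • With the page's values, `cast("Green", 5, 18, 37)` displays 18, matching the "Green" entry of the dictionary {Blue: 16, Green: 18, Red: 36, I abstain: 8}; casting "Red" instead displays 36, which the voter catches. `undirected_attack` shows why the validity proof of section D is needed: the honest computation yields 6, but the malware divides out U^γ and shows 18 anyway, while tabulation later recovers the invalid value 12.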
  • D. Counter Attack—Voter Validity Proof
  • The validity proof constructed by the voter proves to the vote collection center that $(X_i, Y_i)$, the encrypted decision (ballot) received from voter $V_i$, is either an encryption of $m_y$ or an encryption of $m_n$, without revealing any information about which of these values it is. Methods for constructing validity proofs of this type can be found in U.S. patent application Ser. No. 09/535,927, as well as R. Cramer, I. Damgård, B. Schoenmakers, Proofs of partial knowledge and simplified design of witness hiding protocols, Advances in Cryptology, CRYPTO '94, Lecture Notes in Computer Science, pp. 174-187, Springer-Verlag, Berlin, 1994, which is hereby incorporated by reference in its entirety. Thus, the validity proof proves that the received encrypted ballot is valid, which is exactly what is needed to prevent the undetected, undirected vote corruption of the previous section. The malicious software may try an undirected vote corruption as before, but it will not be able to supply the required validity proof, and thus will be detected even before the encrypted vote confirmation is returned to the voter. As already noted, the secret value confirmation protocol itself detects directed vote corruption.
  • The validity proofs can be extended to more general sets of response options than simple “yes/no”. As a result, the facility is able to prevent the attack of section C in the more general case as well. The resulting protocol for the general case is as follows.
  • 1. Ballot Construction: The encryption group, generator, and ElGamal public key are all created as usual. However, the decision encoding scheme needs to be chosen carefully. For simplicity, let us assume that there is only one question on the ballot. (If there are multiple questions, the facility performs the steps that follow independently for each of the individual questions.) Let $a_1, \ldots, a_n$ be the set of allowable answers. For example, these could be $a_1$ = 'George Bush', $a_2$ = 'Al Gore', $a_3$ = 'Ralph Nader', and $a_4$ = 'I abstain'. Note that in this example, $n = 4$.
  • The jurisdiction, or other entity responsible for creating the ballot, must select n elements $\mu_1, \ldots, \mu_n$ of $\langle g \rangle$, independently and at random. These are assigned, in sequence, as the corresponding response values to each allowable answer, resulting in the specific decision encoding scheme. In the example, this means that the digital blank ballot publicly specifies that
      • a vote for 'George Bush' should be submitted as $(g^{\alpha}, h^{\alpha} \mu_1)$, i.e., an encryption of $\mu_1$,
      • a vote for 'Al Gore' should be submitted as $(g^{\alpha}, h^{\alpha} \mu_2)$, i.e., an encryption of $\mu_2$,
      • a vote for 'Ralph Nader' should be submitted as $(g^{\alpha}, h^{\alpha} \mu_3)$, i.e., an encryption of $\mu_3$,
      • an abstention should be submitted as $(g^{\alpha}, h^{\alpha} \mu_4)$, i.e., an encryption of $\mu_4$.
  • 2. Vote Submission:
      • (a) The computer operated by voter $V_i$ submits an encrypted ballot on behalf of voter $V_i$ as before, denoted as $(X_i, Y_i) = (g^{\alpha_i}, h^{\alpha_i} \mu)$ for some value $\mu \in \langle g \rangle$ and $\alpha_i \in Z_q$.
      • (b) The computer operated by voter $V_i$ also constructs a validity proof, $P_i$, as indicated above, in order to prove that $\mu \in \{\mu_1, \ldots, \mu_n\}$, without revealing any more information about its specific value.
      • (c) The computer operated by voter Vi then submits both Pi and the encrypted vote, (Xi,Yi) to the vote collection center.
      • (d) Before accepting the encrypted ballot, the vote collection center first checks the proof, Pi. If verification of Pi fails, corruption has already been detected, and the vote collection center can either issue no confirmation string, or issue a random one.
      • (e) Assuming then that verification of Pi succeeds, the vote collection center computes the values, Wi and Ui as in section B, steps 2 and 3, and returns these to the computer operated by voter Vi.
      • (f) As in section B, the computer operated by voter $V_i$ can compute $C = W_i / U_i^{\alpha_i}$, and display this string (or a hash of it) to the voter.
      • (g) As in section B, step 5, the voter can now compare the displayed string against the voter's confirmation dictionary (obtained by one of the various modes described there). In general, the confirmation dictionary for voter $V_i$ would consist of the following table, laid out in any reasonable format:
        Answer    Confirmation string
        $a_1$     $H(C_{i1})$
        $a_2$     $H(C_{i2})$
        ⋮         ⋮
        $a_n$     $H(C_{in})$
      •  where $H$ is the election's public (i.e., published) hash function, and $C_{ij} = K_i \mu_j^{\beta_i}$.
      • (h) Since the μi were chosen randomly and independently, any software (in particular, malicious software) can only display the confirmation string corresponding to the μ that was submitted or, obviously, an invalid confirmation string—it can not compute any other valid confirmation string without solving the Diffie-Hellman problem. Thus, if a μ different from the one intended by the voter is submitted, the confirmation string displayed will not match the correct confirmation string in the dictionary, and the voter will be able to detect corruption. In the case of detected corruption, corrective action can be taken as described above.
  • In order to more completely describe the facility, an example illustrating the operation of some of its embodiments is described hereafter.
  • The following is a detailed example of a Secret Value Confirmation exchange. In order to maximize the clarity of the example, several of the basic parameters used—for example, the number of questions on the ballot, and the size of the cryptographic parameters—are much smaller than those that would be typically used in practice. Also, while aspects of the example exchange are discussed below in a particular order, those skilled in the art will recognize that they may be performed in a variety of other orders.
  • Some electronic election protocols include additional features, such as:
      • voter and authority certificate (public key) information for authentication and audit
      • ballot page style parameters
      • data encoding standards
      • tabulation protocol and parameters
        As these features are independent of the Secret Value Confirmation implementation, a detailed description of them is not included in this example.
  • This example assumes an election protocol that encodes voter responses (answers) as a single ElGamal pair. However, from the description found here, it is a trivial matter to also construct a Secret Value Confirmation exchange for other election protocols using ElGamal encryption for the voted ballot. For example, some embodiments of the facility incorporate the homomorphic election protocol described in U.S. patent application Ser. No. 09/535,927. In that protocol, a voter response is represented by multiple ElGamal pairs. The confirmation dictionary used in this example is easily modified to either display a concatenation of the respective confirmation strings, or to display a hash of the sequence of them.
  • The jurisdiction must first agree on the election initialization data. This at least includes: the basic cryptographic numerical parameters, a ballot (i.e. a set of questions and allowable answers, etc.), and a decision encoding scheme. (It may also include additional data relevant to the particular election protocol being used.)
  • Cryptographic Parameters
      • Group Arithmetic: Integer multiplicative modular arithmetic
      • Prime Modulus: p=47
      • Subgroup Modulus: q=23
      • Generator: g=2.
      • Public Key: $h = g^s$ where $s$ is secret. For the sake of this example, let us say that $h = g^{12} = 7$.
        Ballot
      • One Question
        • Question 1 Text: Which colors should we make our flag? (Select at most 1.)
        • Number of answers/choices: 4
          • Answer 1 Text: Blue
          • Answer 2 Text: Green
          • Answer 3 Text: Red
          • Answer 4 Text: I abstain
  • Decision Encoding Scheme
    Choice Response Value
    Blue  9 (μ1)
    Green 21 (μ2)
    Red 36 (μ3)
    I abstain 17 (μ4)
  • At some point, before issuing a confirmation and before distributing the voter confirmation dictionaries, the ballot collection center (or agency) generates random, independent $\beta_i$ and $K_i$ for each voter $V_i$. If the confirmation dictionary is to be sent after vote reception, these parameters can be generated, on a voter by voter basis, immediately after each voted ballot is accepted. Alternatively, they can be generated in advance of the election. In this example, the ballot collection agency has access to these parameters both immediately after accepting the voted ballot, and immediately before sending the respective voter's confirmation dictionary.
  • Sometime during the official polling time, each voter, V, obtains, and authenticates, the election initialization data, described above. It can be obtained by submitting a “ballot request” to some ballot server. Alternatively, the jurisdiction may have some convenient means to “publish” the election initialization data—that is, make it conveniently available to all voters.
  • From the election initialization data, V is able to determine that the expected response is the standard encoding of a particular sequence of two distinct data elements. These are (in their precise order):
    • Choice Encryption: A pair of integers $(X, Y)$ with $0 < X, Y < 47$ indicating (in encrypted form) the voter's choice, or answer. For the answer to be valid, it must be of the form $(X, Y) = (2^{\alpha}, 7^{\alpha} \mu)$, where $0 < \alpha < 23$ and $\mu \in \{9, 21, 36, 17\}$.
    • Proof of Validity A proof of validity showing that (X, Y) is of the form described in the choice encryption step above. (In this example, we shall see that this proof consists of 15 modular integers arranged in specific sequence.)
  • For the sake of this example, let us assume that V wishes to cast a vote for “Green”.
      • 1. V generates $\alpha \in Z_{23}$ randomly. In this example, $\alpha = 5$. Since the encoding of "Green" is 21, V's choice encryption is computed as
        $(X, Y) = (2^{5}, 7^{5} \times 21) = (32, 24)$  (3)
        • This pair is what should be sent to the vote collection center. The potential threat is that V's computer may try to alter these values.
  • Voter V (or more precisely, V's computer) must prove that one of the following conditions hold
      • 1. $(X, Y) = (2^{\alpha}, 7^{\alpha} \times 9)$, i.e., the choice (vote cast) is "Blue"
      • 2. $(X, Y) = (2^{\alpha}, 7^{\alpha} \times 21)$, i.e., the choice (vote cast) is "Green"
      • 3. $(X, Y) = (2^{\alpha}, 7^{\alpha} \times 36)$, i.e., the choice (vote cast) is "Red"
      • 4. $(X, Y) = (2^{\alpha}, 7^{\alpha} \times 17)$, i.e., the choice (vote cast) is "I abstain"
        for some unspecified value of α without revealing which of them actually does hold.
  • There are a variety of standard methods that can be used to accomplish this. See, for example, R. Cramer, I. Damgård, B. Schoenmakers, Proofs of partial knowledge and simplified design of witness hiding protocols, Advances in Cryptology—CRYPTO '94, Lecture Notes in Computer Science, pp. 174-187, Springer-Verlag, Berlin, 1994. The Secret Value Confirmation technique used by the facility works equally well with any method that satisfies the abstract criteria of the previous paragraph. While details of one such validity proof method are provided below, embodiments of the facility may use validity proofs of types other than this one.
  • Validity Proof Construction:
  • (In what follows, each action or computation which V is required to perform is actually carried out by V's computer.)
      • 1. V sets $\alpha_2 = \alpha = 5$.
      • 2. V generates $\omega_2 \in_R Z_{23}$, $r_1, r_3, r_4 \in_R Z_{23}$, and $s_1, s_3, s_4 \in_R Z_{23}$, all randomly and independently. For this example we take
        $\omega_2 = 4$
        $r_1 = 16,\; r_3 = 17,\; r_4 = 21$
        $s_1 = 12,\; s_3 = 4,\; s_4 = 15$  (4)
      • 3. V computes the corresponding values (exponents are reduced mod $q = 23$, so that, e.g., $X^{-s_1} = 32^{-12} = 32^{11}$)
        $a_1 = g^{r_1} X^{-s_1} = 2^{16} \times 32^{11} = 4$
        $a_2 = g^{\omega_2} = 2^{4} = 16$
        $a_3 = g^{r_3} X^{-s_3} = 2^{17} \times 32^{19} = 6$
        $a_4 = g^{r_4} X^{-s_4} = 2^{21} \times 32^{8} = 9$  (5)
        $b_1 = h^{r_1} (Y/9)^{-s_1} = 7^{16} \times (24/9)^{11} = 18$
        $b_2 = h^{\omega_2} = 7^{4} = 4$
        $b_3 = h^{r_3} (Y/36)^{-s_3} = 7^{17} \times (24/36)^{19} = 1$
        $b_4 = h^{r_4} (Y/17)^{-s_4} = 7^{21} \times (24/17)^{8} = 7$  (6)
      • 4. V uses a publicly specified hash function $H$ to compute $c \in Z_{23}$ as
        $c = H(\{X, Y, a_i, b_i\}_{i=1}^{4})$  (7)
      •  Since many choices of the hash function are possible, for this example we can just pick a random value, say
        $c = 19$.  (8)
      •  (In practice a standard cryptographic hash function is used to compute $H$, with its output reduced into $Z_q$. The original text names SHA1 and MD5; both are now deprecated, and a current deployment would use SHA-256 or stronger.)
      • 5. V computes the interpolating polynomial $P(x)$ of degree $4 - 1 = 3$. The defining properties of $P$ are
        $P(0) = c = 19$
        $P(1) = s_1 = 12$
        $P(3) = s_3 = 4$
        $P(4) = s_4 = 15$  (9)
        • $P(x) = \sum_{j=0}^{3} z_j x^j$ is computed over $Z_{23}$ using standard polynomial interpolation, to yield
          $P(x) = x^{3} + 20x^{2} + 18x + 19$  (10)
        • or
          $z_0 = 19,\; z_1 = 18,\; z_2 = 20,\; z_3 = 1$  (11)
      • 6. V computes the values
        $s_2 = P(2) = 5$
        $r_2 = \omega_2 + \alpha_2 s_2 = 4 + 5 \times 5 = 6 \pmod{23}$  (12)
      • 7. V's validity proof consists of the 12 numbers
        $\{a_k, b_k, r_k\}_{k=1}^{4}$  (13)
      •  and the three numbers
        $\{z_k\}_{k=1}^{3}$  (14)
      •  in precise sequence. ($z_0$ need not be submitted since it is computable from the other data elements submitted, using the public hash function $H$.)
  • Having computed the required choice encryption, (X, Y), and the corresponding proof of validity, V encodes these elements, in sequence, as defined by the standard encoding format. The resulting sequences form V's voted ballot. (In order to make the ballot unalterable, and indisputable, V may also digitally sign this voted ballot with his private signing key. The resulting combination of V's voted ballot, and his digital signature (more precisely, the standard encoding of these two elements) forms his signed voted ballot.) Finally, each voter transmits his (optionally signed) voted ballot back to the data center collecting the votes.
  • As described above, the voter specific random parameters for V ($\beta$ and $K$) are available at the vote collection center. In this example, these are
    $\beta = 18,\; K = 37$  (15)
  • When the voter's (optionally signed) voted ballot is received at the vote collection center, the following steps are executed
      • 1. The digital signature is checked to determine the authenticity of the ballot, as well as the eligibility of the voter.
      • 2. If the signature in step 1 verifies correctly, the vote collection center then verifies the proof of validity. For the particular type of validity proof we have chosen to use in this example, this consists of
        • (a) The public hash function $H$ is used to compute the value of $P(0) = z_0$:
          $z_0 = P(0) = H(\{X, Y, a_i, b_i\}_{i=1}^{4}) = 19$  (16)
        •  (Recall that the remaining coefficients of $P$, namely $z_1, z_2, z_3$, are part of V's (optionally signed) voted ballot submission.)
        • (b) For each $1 \le j \le 4$, both sides of the equations
          $a_j = g^{r_j} X^{-P(j)}$
          $b_j = h^{r_j} (Y/\mu_j)^{-P(j)}$  (17)
        •  are evaluated. (Here, as described above, the $\mu_j$ are taken from the Decision Encoding Scheme.) If equality fails in any of these, verification fails. This ballot is not accepted, and some arbitrary rejection string (indication) is sent back to V.
      • 3. Assuming that the previous steps have passed successfully, the reply string $(W, U)$ is computed as
        $W = K Y^{\beta} = 37 \times 24^{18} = 9$
        $U = h^{\beta} = 7^{18} = 42$  (18)
      •  This sequenced pair is encoded as specified by the public encoding format, and returned to V.
      • 4. V's computer calculates
        $C = W / U^{\alpha} = 9 / 42^{5} = 18$  (19)
      •  and displays this string to V. (Alternatively, the protocol may specify that a public hash function is computed on $C$ and the resulting hash value displayed. In this example, $C$ itself is displayed.) If V's computer attempted to submit a choice other than "Green", the value of $C$ computed above would be different. Moreover, the correct value of $C$ cannot be computed from an incorrect one without solving the Diffie-Hellman problem. (For the small values of $p$ and $q$ used here this is of course feasible by brute force; for real cryptographic parameters, V's computer would be unable to do this.) Thus, if V's computer has submitted an encrypted ballot which does not correspond to V's choice, there are only two things it can do at the point it is expected to display a confirmation: display something, or display nothing. If nothing is displayed, V may take this as an indication that the ballot was corrupted. If something is displayed, what is displayed will almost certainly be wrong, and again V may take this as an indication that the ballot was corrupted.
      • 5. V now compares the value of C displayed to the value found in V's confirmation dictionary corresponding to the choice, “Green” (V's intended choice). At this point, V may have already received his confirmation dictionary in advance, or may obtain a copy through any independent channel. An example of such a channel would be to use a fax machine. If the displayed value does not match the corresponding confirmation string in the confirmation dictionary, corruption is detected, and the ballot can be “recast” in accordance with election specific policy.
  • Each voter confirmation dictionary is computed by the vote collection center, since, as described above, it is the entity which has knowledge of the voter specific values of $\beta$ and $K$ (it does not know, and does not need, the voter's $\alpha$). For the voter V we have been considering, the dictionary is computed as
    Choice        Confirmation String
    "Blue"        $C_1 = K \mu_1^{\beta} = 37 \times 9^{18} = 16$
    "Green"       $C_2 = K \mu_2^{\beta} = 37 \times 21^{18} = 18$
    "Red"         $C_3 = K \mu_3^{\beta} = 37 \times 36^{18} = 36$
    "I abstain"   $C_4 = K \mu_4^{\beta} = 37 \times 17^{18} = 8$
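  • The validity proof construction (steps 1-7 above) and the collection center's verification (step 2 of the reception procedure), carried through in Python as an added example; this is not code from the patent. It reproduces the page's numbers when called with the page's fixed randomness (ω₂ = 4, r = (16, -, 17, 21), s = (12, -, 4, 15)) and the substituted challenge c = 19. The SHA-256 based `challenge()` is our assumed instantiation of the public hash function H for the case where no c is supplied; the function names and the dictionary-shaped arguments are likewise assumptions of this illustration.

```python
"""1-of-n validity proof for an ElGamal ballot in the polynomial form used on the
page (Cramer-Damgard-Schoenmakers style). Added example, not the patent's code.
Page parameters: p=47, q=23, g=2, h=7, mu=(9,21,36,17); voter alpha=5 chose
answer 2 ("Green"). Pass c=19 to reproduce the page's numbers.
"""
import hashlib

P, Q, G, H = 47, 23, 2, 7
MU = [9, 21, 36, 17]


def challenge(X, Y, a, b):
    """c = H(X, Y, a_1..a_n, b_1..b_n) reduced into Z_q (instantiation assumed)."""
    data = ",".join(map(str, [X, Y, *a, *b])).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def interpolate(points):
    """Coefficients z_0..z_{k-1} of the degree < k polynomial through points, over Z_q."""
    k = len(points)
    coeffs = [0] * k
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1          # l_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j)
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            nxt = [0] * (len(basis) + 1)
            for d, coef in enumerate(basis):
                nxt[d] = (nxt[d] - xj * coef) % Q
                nxt[d + 1] = (nxt[d + 1] + coef) % Q
            basis, denom = nxt, denom * (xi - xj) % Q
        scale = yi * pow(denom, -1, Q) % Q
        for d in range(k):
            coeffs[d] = (coeffs[d] + scale * basis[d]) % Q
    return coeffs


def poly_eval(coeffs, x):
    return sum(z * pow(x, d, Q) for d, z in enumerate(coeffs)) % Q


def prove(X, Y, alpha, t, omega, r_sim, s_sim, c=None):
    """Prover knows alpha and the true index t (1-based). For j != t it picks r_j, s_j
    and simulates (a_j, b_j); for j = t it commits with omega. P(0) = c and P(j) = s_j
    (j != t) determine P, hence s_t = P(t) and r_t = omega + alpha * s_t."""
    n = len(MU)
    a, b = [0] * (n + 1), [0] * (n + 1)
    for j in range(1, n + 1):
        if j == t:
            a[j], b[j] = pow(G, omega, P), pow(H, omega, P)
        else:
            ym = Y * pow(MU[j - 1], -1, P) % P                    # Y / mu_j
            a[j] = pow(G, r_sim[j], P) * pow(X, -s_sim[j], P) % P
            b[j] = pow(H, r_sim[j], P) * pow(ym, -s_sim[j], P) % P
    if c is None:
        c = challenge(X, Y, a[1:], b[1:])
    z = interpolate([(0, c)] + [(j, s_sim[j]) for j in range(1, n + 1) if j != t])
    r = dict(r_sim)
    r[t] = (omega + alpha * poly_eval(z, t)) % Q
    return a[1:], b[1:], [r[j] for j in range(1, n + 1)], z[1:]   # z_0 is implied by H


def verify(X, Y, a, b, r, z_tail, c=None):
    """Collection center: recompute z_0 = c, then check equations (17) for every j."""
    z = [challenge(X, Y, a, b) if c is None else c] + list(z_tail)
    for j in range(1, len(MU) + 1):
        s = poly_eval(z, j)
        ym = Y * pow(MU[j - 1], -1, P) % P
        if a[j - 1] != pow(G, r[j - 1], P) * pow(X, -s, P) % P:
            return False
        if b[j - 1] != pow(H, r[j - 1], P) * pow(ym, -s, P) % P:
            return False
    return True


# The page's proof: (X, Y) = (32, 24), alpha = 5, true answer index 2.
PAGE_PROOF = prove(32, 24, 5, 2, 4, {1: 16, 3: 17, 4: 21}, {1: 12, 3: 4, 4: 15}, c=19)
```

  • `PAGE_PROOF` comes out as a = (4, 16, 6, 9), b = (18, 4, 1, 7), r = (16, 6, 17, 21), z₁..z₃ = (18, 20, 1), exactly equations (5), (6), (12) and (11). `verify` accepts it, rejects the same proof attached to the tampered pair (X, Y·h^γ) from section C, and rejects a proof built for the wrong answer index, since only the true index lets the honest (a_t, b_t) satisfy both equations at the polynomial's fixed value P(t).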
  • FIGS. 1-3 illustrate certain aspects of the facility. FIG. 1 is a high-level block diagram showing a typical environment in which the facility operates. The block diagram shows several voter computer systems 110, each of which may be used by a voter to submit a ballot and verify its uncorrupted receipt. Each of the voter computer systems are connected via the Internet 120 to a vote collection center computer system 150. Those skilled in the art will recognize that voter computer systems could be connected to the vote collection center computer system by networks other than the Internet, however. The facility transmits ballots from the voter computer systems to the vote collection center computer system, which returns an encrypted vote confirmation. In each voter computer system, the facility uses this encrypted vote confirmation to determine whether the submitted ballot has been corrupted. While preferred embodiments are described in terms in the environment described above, those skilled in the art will appreciate that the facility may be implemented in a variety of other environments including a single, monolithic computer system, as well as various other combinations of computer systems or similar devices connected in various ways.
  • FIG. 2 is a block diagram showing some of the components typically incorporated in at least some of the computer systems and other devices on which the facility executes, such as computer systems 110 and 130. These computer systems and devices 200 may include one or more central processing units (“CPUs”) 201 for executing computer programs; a computer memory 202 for storing programs and data while they are being used; a persistent storage device 203, such as a hard drive for persistently storing programs and data; a computer-readable media drive 204, such as a CD-ROM drive, for reading programs and data stored on a computer-readable medium; and a network connection 205 for connecting the computer system to other computer systems, such as via the Internet. While computer systems configured as described above are preferably used to support the operation of the facility, those skilled in the art will appreciate that the facility may be implemented using devices of various types and configurations, and having various components.
  • FIG. 3 is a flow diagram showing steps typically performed by the facility in order to detect a compromised ballot. Those skilled in the art will appreciate that the facility may perform a set of steps that diverges from those shown, including proper supersets and subsets of these steps, reorderings of these steps, and sets of steps in which certain steps are performed by other computing devices.
  • In step 301, on the voter computer system, the facility encodes a ballot choice selected by the voter in order to form a ballot. In step 302, the facility encrypts this ballot. In some embodiments, the encrypted ballot is an ElGamal pair, generated using an election public key and a secret maintained on the voter computer system. In step 303, the facility optionally signs the ballot with a private key belonging to the voter. In step 304, the facility constructs a validity proof that demonstrates that the encrypted ballot is the encryption of a ballot in which a valid ballot choice is selected. In step 305, the facility transmits the encrypted, signed ballot and the validity proof to a vote collection center computer system.
  • In step 321, the facility receives this transmission in the vote collection center computer system. In step 322, the facility verifies the received validity proof. In step 323, if the validity proof is successfully verified, the facility continues with step 324; otherwise it stops and no confirmation is generated. In step 324, the facility generates an encrypted confirmation of the encrypted ballot. The facility does so without decrypting the ballot, which is typically not possible in the vote collection center computer system, where the secret used to encrypt the ballot is not available. In step 325, the facility transmits the encrypted confirmation 331 to the voter computer system.
  • In step 341, the facility receives the encrypted vote confirmation in the voter computer system. In step 342, the facility uses the secret maintained on the voter computer system to decrypt the encrypted vote confirmation. In step 343, the facility displays the decrypted vote confirmation for viewing by the user. In step 344, if the displayed vote confirmation is translated to the ballot choice selected by the voter by a confirmation dictionary in the voter's possession, then the facility continues in step 345, else the facility continues in step 346. In step 345, the facility determines that the voter's ballot is not corrupted, whereas, in step 346, the facility determines that the voter's ballot is corrupted. In this event, embodiments of the facility assist the user in revoking and resubmitting the voter's ballot.
  • It will be appreciated by those skilled in the art that the above-described facility may be straightforwardly adapted or extended in various ways. While the foregoing description makes reference to preferred embodiments, the scope of the invention is defined solely by the claims that follow and the elements recited therein.

Claims (50)

1. A method in a data processing system for discerning corruption of an electronic ballot, comprising:
in a voter computer system:
receiving a ballot choice selected by a voter from among a set of valid ballot choices;
encoding the received ballot choice in a ballot;
encrypting the ballot;
constructing a validity proof proving that the encrypted ballot corresponds to a valid ballot choice;
sending the encrypted ballot and the validity proof to a vote collection center computer system;
in the vote collection center computer system:
receiving the encrypted ballot and validity proof;
verifying the validity proof;
only if the validity proof is successfully verified:
without decrypting the encrypted ballot, generating an encrypted vote confirmation of the encrypted ballot;
sending the encrypted vote confirmation to the voter computer system;
in the voter computer system:
receiving the encrypted vote confirmation;
decrypting the encrypted vote confirmation to obtain a vote confirmation;
displaying the obtained vote confirmation; and
if a confirmation dictionary in the user's possession does not translate the displayed vote confirmation to the ballot choice selected by the voter, determining that the ballot has been corrupted.
2. The method of claim 1 wherein the encoding comprises selecting a value having a predetermined correspondence to the selected ballot choice.
3. The method of claim 1 wherein the encrypting is performed using an election public key.
4. The method of claim 1 wherein encrypting the ballot comprises generating an ElGamal pair representing the ballot.
5. The method of claim 1, further comprising signing the encrypted ballot with a private key of the voter before sending the encrypted ballot to the vote collection center computer system.
6. The method of claim 1 wherein the vote collection center computer system sends the encrypted vote confirmation to the voter computer system via a first communication channel, further comprising, in the vote collection center computer system, sending the confirmation dictionary to the voter via a second communications channel distinct from the first communications channel.
7. The method of claim 6 wherein the confirmation dictionary is sent in response to a request from the voter.
8. The method of claim 7 wherein the request includes one or more identifiers associated with the voter.
9. The method of claim 6 wherein the confirmation dictionary is sent without being requested by the voter.
10. The method of claim 6 wherein individual confirmation dictionaries are sent to each of a plurality of voters including the voter.
11. The method of claim 1, further comprising applying a hash function to the decrypted vote confirmation before it is displayed, and wherein it is determined that the ballot has been corrupted if the confirmation dictionary in the user's possession does not translate the displayed hashed decrypted vote confirmation to the ballot choice selected by the voter.
12. A computer-readable medium whose content cause a data processing system to discern corruption of an electronic ballot by:
in a voter computer system:
receiving a ballot choice selected by a voter from among a set of valid ballot choices;
encoding the received ballot choice in a ballot;
encrypting the ballot;
constructing a validity proof proving that the encrypted ballot corresponds to a valid ballot choice;
sending the encrypted ballot and the validity proof to a vote collection center computer system;
in the vote collection center computer system:
receiving the encrypted ballot and validity proof;
verifying the validity proof;
only if the validity proof is successfully verified:
without decrypting the encrypted ballot, generating an encrypted vote confirmation of the encrypted ballot;
sending the encrypted vote confirmation to the voter computer system;
in the voter computer system:
receiving the encrypted vote confirmation;
decrypting the encrypted vote confirmation;
displaying the decrypted vote confirmation; and
if a confirmation dictionary in the user's possession does not translate the displayed decrypted vote confirmation to the ballot choice selected by the voter, determining that the ballot has been corrupted.
13. A method in a data processing system for discerning corruption of an electronic ballot, comprising, in a voting node:
using a secret maintained in the voting node to encrypt a ballot value selected by a voter;
sending the encrypted ballot value to a vote collection point;
receiving, in response to sending the encrypted ballot, an encrypted vote confirmation;
using the secret maintained in the voting node to decrypt the encrypted vote confirmation; and
displaying the decrypted vote confirmation, such that the displayed vote confirmation may be compared to an expected vote confirmation for the ballot value selected by the voter to determine whether the electronic ballot has been corrupted.
14. The method of claim 13, further comprising:
before displaying the decrypted vote confirmation, using a hash function to transform the decrypted vote confirmation into a smaller hash output value.
15. The method of claim 13 wherein encrypting the ballot value comprises generating an ElGamal pair representing the ballot value.
16. The method of claim 15 wherein the ElGamal pair is generated by evaluating the expressions $g^{\alpha}$ and $h^{\alpha} m$, where $p$ is prime; $g \in \mathbb{Z}_p$, which has prime multiplicative order $q$, with the property that $q$ is a multiplicity 1 divisor of $p-1$; $h \in \langle g \rangle$; $\alpha \in \mathbb{Z}_q$ is chosen randomly at the voting node; and $m$ is the ballot value.
17. The method of claim 15 wherein the ElGamal pair is generated by evaluating the expressions αg and αh+m, where g and h are both elements of an elliptic curve group, ε, of prime order q and α∈Zq is chosen randomly at the voting node, and m is the ballot value.
18. The method of claim 13 wherein applying the secret maintained in the voting node to determine whether the encrypted vote confirmation reflects receipt of the ballot value selected by the voter at the vote collection point comprises:
determining the ballot value corresponding to the encrypted ballot value received at the vote collection point by evaluating the expression $W_i / U_i^{\alpha_i}$, where $\alpha_i$ is the secret maintained in the voting node, and $W_i$ and $U_i$ together comprise the encrypted vote confirmation; and
comparing the determined ballot value to the ballot value selected by the voter.
19. The method of claim 13, further comprising sending to the vote collection point a validity proof proving that the encrypted ballot value corresponds to a valid ballot value.
20. The method of claim 19 wherein the validity proof is a non-interactive proof of validity.
21. A computer-readable medium whose contents cause a voting node to discern corruption of an electronic ballot by:
using a secret maintained in the voting node to encrypt a ballot value selected by a voter;
sending the encrypted ballot value to a vote collection point;
receiving, in response to sending the encrypted ballot, an encrypted vote confirmation; and
applying the secret maintained in the voting node to the encrypted vote confirmation to determine whether the secret value confirmation reflects receipt of the ballot value selected by the voter at the vote collection point.
22. The computer-readable medium of claim 21 wherein the applying comprises:
using the secret maintained in the voting node to decrypt the encrypted vote confirmation; and
displaying the decrypted vote confirmation, such that the displayed vote confirmation may be compared to an expected vote confirmation for the ballot value selected by the voter to determine whether the electronic ballot has been corrupted.
23. The computer-readable medium of claim 21 wherein the contents of the computer-readable medium further cause the voting node to send to the vote collection point a validity proof proving that the encrypted ballot value corresponds to a valid ballot value.
24. One or more computer memories collectively containing a voter security data structure, the data structure containing one or more secrets usable both (a) to encrypt an encoded ballot for transmission to a ballot collection point, and (b) to decrypt an encrypted ballot confirmation received from the ballot collection point, which indicates the contents of the ballot as received at the ballot collection point.
25. One or more computer memories collectively containing a ballot data structure, the ballot data structure comprising:
an encrypted ballot choice formed by encrypting one of a plurality of valid ballot choices selected by a voter in a voter computer system;
a proof of validity that demonstrates that the encrypted ballot choice constitutes an encryption of one of the plurality of valid ballot choices without indicating which of the plurality of valid ballot choices the encrypted ballot choice constitutes an encryption of; and
an encrypted ballot confirmation generated in response to the receipt in a ballot collection center computer system of the encrypted ballot choice and proof of validity.
26. The computer memories of claim 25 wherein the encrypted ballot choice is an ElGamal pair.
27. The computer memories of claim 25 wherein the memories are directly accessible by the voter computer system.
28. The computer memories of claim 25 wherein the memories are directly accessible by the ballot collection center computer system.
29. A method in a data processing system for discerning corruption of an electronic ballot, comprising, in a ballot receiving node:
receiving an encrypted ballot value from a ballot sending node, the encrypted ballot value being encrypted from a ballot value based on a voter selection using a secret not available in the ballot receiving node;
generating from the encrypted ballot value an encrypted secret value confirmation that indicates to those in possession of the secret used to encrypt the encrypted ballot value the ballot value to which the received encrypted ballot value corresponds; and
sending the encrypted secret value confirmation to the ballot sending node,
such that the encrypted secret value confirmation may be used in the ballot sending node to determine if the encrypted ballot value received at the ballot receiving node corresponds to the ballot selection made by the voter.
30. The method of claim 29 wherein the secret value confirmation is generated without decrypting the encrypted ballot value.
31. The method of claim 29 wherein the secret value confirmation is sent to the ballot sending node via a first communication channel, further comprising sending to the ballot sending node a confirmation dictionary via a second communication channel distinct from the first communication channel, the confirmation dictionary translating from various possible secret value confirmations to the ballot values to which they correspond.
32. The method of claim 29 wherein the encrypted secret value confirmation is encrypted in such a manner that, in the ballot sending node, given the encrypted secret value confirmation corresponding to a selection other than the voter selection, it is intractable to generate a decrypted secret value confirmation corresponding to the voter selection.
33. A ballot receiving node for discerning corruption of an electronic ballot, comprising:
a receiver that receives an encrypted ballot value from a ballot sending node, the encrypted ballot value being encrypted from a ballot value derived from a selection made by a voter using a secret not available in the ballot receiving node;
a confirmation generation subsystem that generates from the encrypted ballot value an encrypted secret value confirmation that indicates to those in possession of the secret used to encrypt the encrypted ballot value the ballot value to which the received encrypted ballot value corresponds; and
a transmitter that sends the encrypted secret value confirmation to the ballot sending node.
34. One or more generated data signals collectively conveying a ballot response data structure containing an encrypted ballot confirmation generated in response to the receipt at a ballot collection point of a ballot cast by a voter, the encrypted ballot confirmation, when decrypted on behalf of the voter, indicating a voting selection made by the voter in the cast ballot as received at the ballot collection point.
35. The data signals of claim 34 wherein the ballot received at the ballot collection point is encrypted, and wherein the encrypted ballot confirmation is generated without decrypting the encrypted ballot.
36. The data signals of claim 34 wherein the encrypted ballot confirmation, when decrypted, yields a value that, if the ballot received at the ballot collection point is uncorrupted, matches a value listed in a confirmation dictionary for the voting selection made by the voter.
37. A method in a data processing system for discerning corruption of an electronic ballot, comprising:
sending an encrypted ballot from a first computer system to a second computer system, the encrypted ballot reflecting a ballot choice selected by a voter;
sending a confirmation from the second computer system to the first computer system, the confirmation serving to convey the decrypted contents of the encrypted ballot as received at the second computer system, the confirmation being generated without decrypting the encrypted ballot; and
in the first computer system, displaying the confirmation, so that the voter can determine whether the decrypted contents of the encrypted ballot as received at the second computer system match the ballot choice selected by the voter.
38. The method of claim 37 wherein the confirmation sent from the second computer system to the first computer system is encrypted in such a manner that its decryption by the second computer system is infeasible.
39. The method of claim 37 wherein the confirmation sent from the second computer system to the first computer system is encrypted in such a manner that its decryption by the second computer system is impossible.
40. The method of claim 37, further comprising sending from the first computer system to the second computer system a validity proof proving that the encrypted ballot sent from the first computer system to the second computer system reflects a valid ballot choice without identifying the reflected ballot choice.
41. The method of claim 40 wherein the confirmation is sent from the second computer system to the first computer system only if the validity proof sent from the first computer system to the second computer is verified to prove that the encrypted ballot sent from the first computer system to the second computer system reflects a valid ballot choice.
42. A computer-readable medium whose contents cause a data processing system to discern corruption of an electronic ballot by:
sending an encrypted ballot from a first computer system to a second computer system, the encrypted ballot reflecting a ballot choice selected by a voter;
sending a confirmation from the second computer system to the first computer system, the confirmation serving to convey the decrypted contents of the encrypted ballot as received at the second computer system, the confirmation being generated without decrypting the encrypted ballot; and
in the first computer system, displaying the confirmation, so that the voter can determine whether the decrypted contents of the encrypted ballot as received at the second computer system match the ballot choice selected by the voter.
43. The computer-readable medium of claim 42 wherein the contents of the computer-readable medium further cause the data processing system to send from the first computer system to the second computer system a validity proof proving that the encrypted ballot sent from the first computer system to the second computer system reflects a valid ballot choice without identifying the reflected ballot choice.
44. The computer-readable medium of claim 43 wherein the confirmation is sent from the second computer system to the first computer system only if the validity proof sent from the first computer system to the second computer is verified to prove that the encrypted ballot sent from the first computer system to the second computer system reflects a valid ballot choice.
45. A method in a voting computing system for detecting the compromise of an electronic ballot sent to a ballot collection point, comprising:
receiving from the ballot collection point an encrypted confirmation of the contents of an encrypted ballot received at the ballot collection point; and
using a secret maintained on the voting computer system to decrypt and display the confirmation to the voter,
such that the voter may compare the displayed confirmation to a confirmation expected by the voter based on a ballot choice selected by the voter to determine whether the electronic ballot was compromised.
46. A computer-readable medium whose contents cause a voting computing system to detect the compromise of an electronic ballot sent to a ballot collection point by:
receiving from the ballot collection point an encrypted confirmation of the contents of an encrypted ballot received at the ballot collection point; and
using a secret maintained on the voting computer system to decrypt and display the confirmation to the voter,
such that the voter may compare the displayed confirmation to a confirmation expected by the voter based on a ballot choice selected by the voter to determine whether the electronic ballot was compromised.
47. A method in a ballot collection computer system for detecting the compromise of an electronic ballot, comprising:
receiving the electronic ballot, the electronic ballot containing an encrypted ballot choice;
determining that the received encrypted ballot choice is not accompanied by a valid validity proof that proves that the encrypted ballot choice constitutes the encryption of one of a plurality of permissible ballot choices; and
in response to so determining, determining that the generated first ballot has been compromised.
48. The method of claim 47 wherein no validity proof is received for the encrypted ballot choice.
49. The method of claim 47 wherein a validity proof is received along with the encrypted ballot choice, and the combination of validity proof and encrypted ballot fails a verification operation performed by the vote collection computer system,
where the verification operation is constructed explicitly to determine whether the encrypted ballot is an encryption of at least one of the valid ballot responses.
50. A ballot collection computer system for detecting the compromise of an electronic ballot, comprising:
means for receiving the electronic ballot, the electronic ballot containing an encrypted ballot choice;
means for determining that the received encrypted ballot choice is not accompanied by a valid validity proof that proves that the encrypted ballot choice constitutes the encryption of one of a plurality of permissible ballot choices; and
means for, in response to so determining, determining that the generated first ballot has been compromised.
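The following is an added worked example, not code from the patent, instantiating claims 13–18 (ElGamal pair, recovery via $W_i / U_i^{\alpha_i}$), 29–32 (confirmation generated without decrypting the ballot, per-voter dictionary on a second channel) and 47–49 (rejecting a ballot that lacks a valid validity proof). The claims do not say how the collection centre forms $(U_i, W_i)$; the construction $(U, W) = (h^{\beta}, Y^{\beta})$ with a centre-held per-voter secret $\beta$, the Cramer–Damgård–Schoenmakers form of the validity proof, the hash-shortened display, the `CHOICES` list and the tiny toy group are all assumptions of this example.

```python
"""Toy instantiation of the ballot/confirmation protocol of claims 13-18, 29-32
and 47-49 (added example, not the patent's code).  Assumed, not stated on the
page: the centre forms the confirmation as (U, W) = (h^beta, Y^beta) for a secret
per-voter beta, so the voter recovers W / U^alpha = m^beta and looks its hash up
in a per-voter dictionary {hash(m_j^beta): j} delivered on a second channel.
Tiny 11-bit group for readability; real use needs a large group (claim 17)."""
import hashlib
import secrets

P = 2039                 # safe prime, P = 2*Q + 1 (constructed toy parameters)
Q = 1019
G = 4                    # 2^2 is a quadratic residue, hence of prime order Q
S = 123                  # election private key: tally authority only, never the voter
H = pow(G, S, P)         # ElGamal public key h = g^s
CHOICES = ["alice", "bob", "carol"]

def encode(j):
    """Ballot value m_j in <g>.  Real systems need encodings with unknown mutual
    discrete logs (hashed into the group) so m_j^beta does not yield m_k^beta (claim 32)."""
    return pow(G, j + 2, P)

def chal(*parts):
    """Fiat-Shamir challenge over the transcript (non-interactive proof, claim 20)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def display(value):
    """Claims 11/14: shorten the recovered value to a short hash before display."""
    return hashlib.sha256(str(value).encode()).hexdigest()[:8]

def voter_encrypt(j):
    """Claim 16: ElGamal pair (g^alpha, h^alpha * m); alpha is the voter's secret."""
    alpha = secrets.randbelow(Q - 1) + 1
    return alpha, (pow(G, alpha, P), pow(H, alpha, P) * encode(j) % P)

def prove_valid(alpha, X, Y, j_real):
    """Claim 19: OR-proof (Cramer-Damgard-Schoenmakers form) that (X, Y) encrypts
    some CHOICES entry, without revealing which one."""
    n = len(CHOICES)
    a, b, c, r = [0] * n, [0] * n, [0] * n, [0] * n
    w = secrets.randbelow(Q)
    for j in range(n):
        if j == j_real:                        # honest branch: commit now, answer later
            a[j], b[j] = pow(G, w, P), pow(H, w, P)
        else:                                  # simulated branch: pick c and r first
            c[j], r[j] = secrets.randbelow(Q), secrets.randbelow(Q)
            yj = Y * pow(encode(j), -1, P) % P
            a[j] = pow(G, r[j], P) * pow(X, Q - c[j], P) % P
            b[j] = pow(H, r[j], P) * pow(yj, Q - c[j], P) % P
    c[j_real] = (chal(X, Y, *a, *b) - sum(c)) % Q
    r[j_real] = (w + c[j_real] * alpha) % Q
    return a, b, c, r

def verify_valid(X, Y, proof):
    """Claims 48-49: accept only a proof that (X, Y) encrypts at least one valid choice."""
    if proof is None:
        return False
    a, b, c, r = proof
    if sum(c) % Q != chal(X, Y, *a, *b):
        return False
    for j in range(len(CHOICES)):
        yj = Y * pow(encode(j), -1, P) % P
        if (pow(G, r[j], P) != a[j] * pow(X, c[j], P) % P
                or pow(H, r[j], P) != b[j] * pow(yj, c[j], P) % P):
            return False
    return True

def center_confirm(X, Y, proof):
    """Claims 29-31: after checking the proof, derive (U, W) from the ciphertext
    without decrypting it, plus the per-voter dictionary for the second channel."""
    if not verify_valid(X, Y, proof):
        return None                            # claim 47: ballot compromised
    beta = secrets.randbelow(Q - 1) + 1
    U, W = pow(H, beta, P), pow(Y, beta, P)    # W / U^alpha == m^beta
    return (U, W), {display(pow(encode(j), beta, P)): name
                    for j, name in enumerate(CHOICES)}

def voter_check(alpha, U, W, dictionary):
    """Claim 18: evaluate W / U^alpha, hash it and translate it via the dictionary.
    Returns the choice the centre actually received, or None if untranslatable."""
    v = W * pow(pow(U, alpha, P), -1, P) % P
    return dictionary.get(display(v))

def cast_and_verify(intended, sent=None):
    """End-to-end flow.  `sent` models a compromised voting machine that encrypts a
    different choice than the voter picked: the centre cannot tell, the voter can."""
    j = intended if sent is None else sent
    alpha, (X, Y) = voter_encrypt(j)
    (U, W), dictionary = center_confirm(X, Y, prove_valid(alpha, X, Y, j))
    shown = voter_check(alpha, U, W, dictionary)
    return shown, shown == CHOICES[intended]   # e.g. (1, sent=2) -> ('carol', False)

def invalid_ballot_rejected():
    """Claims 47-49: a ciphertext of a non-permissible value cannot be proven valid,
    even when the sender claims it encodes choice 0."""
    alpha = secrets.randbelow(Q - 1) + 1
    X, Y = pow(G, alpha, P), pow(H, alpha, P) * pow(G, 10, P) % P
    return center_confirm(X, Y, prove_valid(alpha, X, Y, 0)) is None
```

Requires Python 3.8+ for the modular inverse form `pow(x, -1, P)`.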

Priority Applications (2)

Application Number Priority Date Filing Date Title
US11/512,072 US20070189519A1 (en) 2000-03-24 2006-08-29 Detecting compromised ballots
US11/950,334 US20080172333A1 (en) 2000-03-24 2007-12-04 Detecting compromised ballots

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US53592700A 2000-03-24 2000-03-24
US53483600A 2000-03-24 2000-03-24
US27018201P 2001-02-20 2001-02-20
US09/816,869 US6950948B2 (en) 2000-03-24 2001-03-24 Verifiable, secret shuffles of encrypted data, such as elgamal encrypted data for secure multi-authority elections
US10/038,752 US7099471B2 (en) 2000-03-24 2001-12-31 Detecting compromised ballots
US11/512,072 US20070189519A1 (en) 2000-03-24 2006-08-29 Detecting compromised ballots

Related Parent Applications (4)

Application Number Title Priority Date Filing Date
US53483600A Continuation-In-Part 1999-08-16 2000-03-24
US53592700A Continuation-In-Part 1999-08-16 2000-03-24
US09/816,869 Continuation-In-Part US6950948B2 (en) 2000-03-24 2001-03-24 Verifiable, secret shuffles of encrypted data, such as elgamal encrypted data for secure multi-authority elections
US10/038,752 Continuation US7099471B2 (en) 2000-03-24 2001-12-31 Detecting compromised ballots

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US73448107A Continuation 2000-03-24 2007-04-12

Publications (1)

Publication Number Publication Date
US20070189519A1 (en) 2007-08-16

Family

ID=46278638

Family Applications (3)

Application Number Title Priority Date Filing Date
US10/038,752 Expired - Fee Related US7099471B2 (en) 2000-03-24 2001-12-31 Detecting compromised ballots
US11/512,072 Abandoned US20070189519A1 (en) 2000-03-24 2006-08-29 Detecting compromised ballots
US11/950,334 Abandoned US20080172333A1 (en) 2000-03-24 2007-12-04 Detecting compromised ballots

Country Status (1)

Country Link
US (3) US7099471B2 (en)

Also Published As

Publication number Publication date
US20020128978A1 (en) 2002-09-12
US7099471B2 (en) 2006-08-29
US20080172333A1 (en) 2008-07-17

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION