BE1021435B1 - METHOD FOR MANAGING AN ELECTRONIC VOTE - Google Patents

Abstract

Method for managing electronic voting which comprises authenticating the voter, in particular making use of an elD; the allocation to the voter of a ballot paper; generating a token that anonymizes the voter data and is presented to him; sending the token to a voting system dissociated from the authentication system, extracting the data to produce the ballot; recording and confirming the submission of the vote in the voting system, taking the confirmation back into the token, and sending it back to the voter; return the token to the authentication system, link the confirmation to the identity of the voter; record the validation in the token, and send it back to the voter.

Description

METHOD FOR MANAGING AN ELECTRONIC VOTE

The present invention relates to a method for managing an electronic vote comprising: an authentication step comprising: - connecting to an authentication system an electronic means, in particular an elD, held by an elector and making it possible to provide first data which identify the elector - provide and read the first data and perform an authentication process of the elector using the first data; - give the voter the ballot (s) to use during the vote. Authentication is the verification of a person's identity. Authentication is known and practiced in various fields of application in which it is essential to ensure the identity of the person, for example in banking transactions or in different voting systems that use electronic means. Authentication is for example carried out using a codeword specific to the person to be authenticated and which is formed by a PIN or a fingerprint of the person.

Voting methods other than traditional voting methods using paper ballots have been proposed to overcome, for example, the disadvantages of producing, distributing and collecting ballot papers. Traditional voting methods require a great organizational and logistical effort, as well as the availability of a large number of human resources.

Some so-called hybrid voting methods, which use paper and electronic means, have been proposed to offer voters the opportunity, for example, to choose between a paper ballot or an electronic ballot. This so-called hybrid vote also offers the possibility, for example, to offer the voter paper ballots, but to use electronic means for the counting system. This is to facilitate the counting of votes and to reduce counting errors and working time. Other solutions including online e-voting methods have been proposed to provide voters with the opportunity to vote remotely, that is to say that the voter should no longer move to polling stations. However, in these solutions, the security and reliability constraints of the voting method and the voting system must be respected to avoid fraud or the manipulation of the vote.

The voting methods proposed are often expensive, require a lot of effort for their implementation and are difficult to implement. This is not only because it is difficult to break the habits of institutions and voters, but also because it is also difficult to convince them to accept and use new voting systems and methods. In addition, the integrity of the election must be guaranteed by providing the necessary infrastructure for a vote and by ensuring its reliability and validity to increase its credibility and to encourage voter turnout.

These known methods often have numerous reliability flaws in terms of hardware and software because they have security and transparency deficiencies. They also present major flaws in the task of ensuring the voter's anonymity and ensuring that the counted votes correspond to the number of voters and voters who voted and who actually had the right to vote.

There is therefore a need to ensure that we propose a method for managing electronic voting based on electronic voting that is reliable and valid. A method capable of solving the paradox of identifying, or even authenticating, the voter at the same time as anonymizing the elector's choice. That is to say, the voting method must identify, or even authenticate, voters to ensure that the voter who comes to the vote is a voter admitted to participate in the vote. Just as it must, if necessary, also check whether the elector has already voted or not, before allowing him to vote so that a duplication of votes can not occur. The identification and / or the authentication must also make it possible to obtain the attributes proper to the elector, this for example to present him the ballots which concern him according to the vote to which he has the right to participate. The voting method allows the elector to be given the ballot (s) corresponding to the vote to be cast, in particular in the language and electoral division of the elector, so that the elector can vote in the ballot where he is admitted and he is able to read the ballots. On the other hand, the method of electronic voting must guarantee the reliability of the voting system and the validity of the voting method while preserving the anonymity of the voter and his vote. That is, the vote cast can not be associated with the elector so that it is possible during the voting process and after the vote is recorded to trace for whom the elector vote, draw the voter's choice. The purpose of the invention is to propose a method for managing a valid and reliable electronic vote while guaranteeing the anonymity of the elector's choice. To this end, the method according to the invention comprises the steps of: generating a token that anonymously resumes a set of data comprising second data of the elector produced from the first data and comprising third data necessary for a production of one or several voting ballots allocated, and make the generated token available to the elector; - send the token to a voting system dissociated from the authentication system; - Extract from the token, through the voting system, the third data necessary for the production of the ballot (s); - produce on the basis of the third data the ballot (s) to be given to the elector and which corresponds to the voting; - present to the elector the ballot (s) produced; - after receiving one or more votes from the voter, register at least temporarily in the voting system the vote (s) issued by the authenticated voter; - confirm the vote (s) submitted in the voting system, enter in the token the confirmation that the vote has been submitted, and return the token to the elector; - return the token to the authentication system> - link, through the authentication system, the confirmation of the vote (s) submitted and included in the token, to the identity of the voter to validate that the elector to vote; and - register in the token, via the authentication system, that the elector has voted, and inform the elector of the registration of his vote.

The fact that the authentication system is dissociated from the voting system makes it possible to resolve the paradox of authenticating the voter and anonymizing the election made by the voter. After the authentication step the token begins to play a determining role. The token is the means that makes the method a reliable and valuable method. The token anonymously repeats the second and third data of the voter, that is to say the data necessary for the voter to make his vote in the vote in which he participates and therefore with the ballot (s) corresponding votes. These second data are produced from the first data that identify the elector, they can be for example, the age of the elector and the postal code number where he or she lives, which will allow to direct him to the voting corresponding to it; for example, according to his municipality, he will have the right to vote in the corresponding communal vote. The information of the ballot (s) which are attributed to the voter according to the corresponding vote is included in the token in the form of the third data. This information allows, for example, that the ballot (s) corresponding to the municipality where the elector lives are presented to him and, therefore, the voter can recognize them without problem.

The token allows a flow of data between the authentication system and the voter, and between the voter and the voting system. The token only circulates through the elector between the authentication system and the voting system, so that the two systems are dissociated. This allows the voting system does not know the identity of the voter who submits his vote; and on the other hand that the authentication system does not know the content of the voter's vote. Once the token circulates the data that is stored in it is anonymized.

After obtaining the token comprising the second and third data, the voting system extracts the third data, and produces the ballot (s) corresponding to vote (s) it then presents to the voter. Thus, the voter can express his vote.

The voting system registers the vote, confirms that the vote is well submitted and resumes this confirmation in the token. The token, through the elector, then returns to the authentication system.

The authentication system links the confirmation of the submission of the vote that is included in the token to the identity of the voter to validate that the voter has voted. The authentication system records in the token validation and informs the voter that his vote is recorded.

This token, conveyed through the elector, exists while an authentication session and a polling session are open. If one or both sessions are interrupted this token is canceled and the elector must restart the method from the beginning, that is to say it must reconnect its electronic means to the authentication system. The token does not circulate in the voting system if the voter is not identified, or even authenticated. The course of the method depends on the existence of the token and it is unique for each elector and for each session.

Authentication is understood as the verification of voter identification. The identification of the elector is based on data identifying the elector which can for example be prerecorded in a memory of the electronic means, in particular elD of the elector, by a third authority who is for this purpose competent. These data are verified, that is to say, authenticated to ensure that the person who comes to the vote is the person who has thus identified and that person has the right to vote. This makes it possible to increase the credibility of the vote by guaranteeing its validity and reliability, and thus, favoring the confidence of voters in the ballot.

In particular, according to one embodiment of the method according to the invention, a verification step using the first authenticated data is performed to check the presence of the voter in a list or lists of voters predetermined (s), the electronic voting management method being interrupted if the elector is not present in the list or lists. In some votes, a predetermined list of electors allows voters to be signed to check that an elector can not vote twice in a single voting session. This list or lists also facilitates the identification of the elector, which may allow for a double check or a check verification.

Advantageously, if the method according to the invention is interrupted during one of the steps, the token is canceled. The token is the key that opens, carries and closes a voting session. This requires that in case of interruption of the voting session, the token disappears, it is canceled. An elector who wants to vote, after an interruption of the voting session, must start again from the beginning of the method; that is to say since the authentication of the voter followed by the anonymization of his data. Thus, the identification of the elector and the anonymity of his vote is guaranteed. The token is generated specifically for the active voting session, so the token must remain active throughout the voting process so that the only person who can vote with this token is the voter to whom the token has been awarded.

In particular, according to one embodiment of the method according to the invention, the content of the token is produced using a binary representation which has a cryptographic form obtained by a homomorphic encryption technique which modifies the cryptographic form without altering its content. Homomorphic encryption techniques make it possible to change the cryptographic form of the token in order to encrypt the anonymous data. Thus, these data are no longer readable outside the authentication system and the voting system, and therefore, they can not be traceable.

In particular, according to one embodiment of the method according to the invention, the token is produced by a server, in particular a MemCache server, having two secure inputs, one accessible by the authentication system, the other accessible. by the voting system. A MemCache is a cache server system, allowing storage in RAM that forms the volatile memory of the server. This volatile memory ensures that the use of the token can not leave a physical trace as it would be recorded in a permanent physical medium. This memory expires in a predetermined amount of time, which can be a few minutes, the time to vote, and so the token can not then be traced.

The MemCache server has two secure entries, one accessible by the authentication system, the other accessible by the voting system. This server is addressable by two distinct identifiers indistinctly, an identifier for the authentication system and another identifier for the voting system. This allows the dissociation of the authentication server and the voting server. Thus, the authentication server and the voting server can access the token, avoiding to establish a link between them.

The method is performed in a virtual space isolated from the outside world, that is to say in a secure environment. The communication between the authentication system and the voter, and between the voting system and the voter, are secure sessions or communications. Once the authentication and voting sessions are open and the token circulates, the information, the data is anonymized, encrypted and transported in secure communications, ensuring that the method to manage the electronic voting can only very difficult. to be manipulated.

This MemCache server is a possible technique for implementing the invention to obtain a token and an anonymization method in which homomorphic encryption techniques are not available or viable. This alternative may be favorable because the homomorphic encryption techniques require computing power higher than what exists in traditional computer equipment, so this alternative allows traditional computer equipment to be used and an investment in specialized infrastructure with power of higher calculation is not necessary.

Another advantage of this MemCache server alternative is that it can solve some of the clarity concerns that may be present when using complex encryption techniques.

Advantageously, in the method according to the invention, the token is at least temporarily stored in a first secure memory of a server that is part of the authentication system when it is processed in the authentication system. The security of the token in the server is made by a third party and the authentication system accesses the anonymized information included in the token during the duration of the transaction that is assigned to it, in the authentication session, independently of the system of authentication. vote. Thus, the steps of the method corresponding to the authentication are dissociated from the steps corresponding to the vote. Securing the server is done from the physical location where the server is hosted, through the hardware to the operating system and then application layers.

Advantageously, in the method according to the invention, the token is at least temporarily stored in a second secure memory of a server forming part of the voting system when it is processed in the voting system. The security of the token in the server is made by a third party, and the voting system accesses the anonymized information included in the token for the duration of the transaction that is assigned to it independently of the authentication system. Therefore, the voting steps are dissociated from the authentication steps.

Advantageously, in the method according to the invention, the token is at least temporarily stored in a third memory made available to the voter, when the token is presented to the voter. This third memory provides a convenient option for temporarily storing the token data, which may be for example a laptop, a USB key, or a mobile device.

Advantageously, in the method according to the invention, the content of the token can be read at any time during the execution of the method, and when the token does not take over the data entered either during the authentication step or when of one of the steps of said method, the token is canceled. The voter can see the to and fro of the token between the steps performed in the authentication system and the steps performed in the voting system. That is to say, it is he who can receive the token either from the authentication system or the voting system, and he can therefore, at any time, interrupt, arbitrate, audit the various stages of the process. the method.

Preferably, in the method according to the invention, the first data stored in the memory contained in an electronic chip of an electronic card held by the voter, in particular the elD, in particular the electronic identity card, is used. Belgian, to identify the voter. The use of this card, for example, means that the personal data directly enabling the identification of the voter can not be manipulated by the voter.

Advantageously, in the method according to the invention, the first data used to store the voter is used to store the memory contained in a smart card with or without a label, or a SIM card used in a GSM or Smartphone, or a key. in an RFID or NFC chip, either a smart USB key or a custom made smart card. These physical media make data such as electronic certificates, the PKI system, to authenticate the voter. These physical media are used to store the data that contains the first data that identifies the voter, and allow either to directly authenticate the voter or to do it indirectly using these first identification data and then go check other attributes identity, which may be in other data sources than the chip.

Preferably, in the method according to the invention, one reads in the electronic chip during the authentication step either personal data directly allowing the identification of the voter, or data such as electronic certificates allow to authenticate the voter, that is, data specific to the chip for initiating an identification or authentication of the voter. This allows a large choice of data that allow the identification and authentication of the voter.

Advantageously, in the method according to the invention, the step of recording at least temporarily in the voting system the vote (s) issued by the authenticated voter is carried out either in voting machines or in a dematerialized electronic voting system, in particular the web, service software, mobile applications, or voting applications in social networks. This allows a large choice of communication for the implementation of the method.

Preferably, in the method according to the invention, the step of the connection to the voting system is performed either locally, or remotely, or online, or in polling stations, either by internet or intranet. This allows the method to be implemented in different ways and according to circumstances. Therefore, the method can be implemented either simultaneously locally, ie for present voters, and remotely, that is for remote voters who are not present locally. For example, a general meeting of shareholders with shareholders present in the room and other shareholders being abroad. Or, a vote in which Belgians in Belgium vote in the polling stations and Belgians living abroad vote via the remote web.

Advantageously, in the method according to the invention, the authentication step is performed on the basis of pre-recorded data by a third authority. The authenticity of the prerecorded data, the first data that identifies the elector, is guaranteed, and neither the administrators of the election system, nor the voters, nor the voting service provider have access to the data to manipulate it. The invention will now be described in more detail with the aid of the drawings which illustrate a preferred embodiment of the method for managing an electronic vote. In the drawings: Figure 1 shows a diagram of the environment in which voting takes place, consisting of three sections: a section for preparing and configuring an election, a section for managing an electronic vote, and a section for processing the results of voting. the election before, during and after the vote; FIG. 2 illustrates a diagram that presents the method for managing an electronic vote according to the invention by highlighting the dissociation of the authentication system and the voting system, and the role played by the voter in the resolution of the paradox of authenticate the elector and anonymize the election; and Figure 3 shows an example of implementation of the token flow between the authentication system, the voter and the voting system.

In the drawings the same reference has been assigned to the same element or a similar element.

A dematerialized voting system making it possible to carry out the method according to the invention does not require the deployment or installation of a particular infrastructure forming part of the voting system, that is to say that for its implementation it is not necessary to stock up on particular equipment. This system can be realized from. In other ways, for example, voters can vote in a conventional polling station or in a kiosk set up for this purpose, or they can vote through a network such as the intranet, or online using the internet.

Figure 1 illustrates the general diagram of the environment in which voting takes place. It shows the three sections A, B and C which are part of this environment and which allow a vote to take place in a reliable and valid way. The environment includes a first section A said section to prepare and configure a vote, includes a second section B said section to manage an electronic vote, and a third section C said section to process the results of the vote. This general diagram allows us to situate in this environment section B to manage an electronic vote which is the heart of the invention presented here.

The administrators of the dematerialized voting system are the actors who intervene in section A to prepare and configure a voting. This section A is dedicated to the preparation, organization and logistics of the corresponding voting. The voting conditions and rules may require the establishment of the predetermined list (s) with the names or particular data of the candidates for the vote, and the list (s) 4 of voters corresponding to the vote. In other cases, like a poll, voting does not require a predetermined list (s). The number and the names of the administrators 8 who receive the keys 5 to access the counting of the vote or voting is fixed by the law or by the persons who order (s) the voting. These keys can be passwords or any other mechanism allowing the sharing of a secret between several administrators. As for example a "threshold cryptography" algorithm in which N among M keys are at the minimum necessary to reconstitute a secret which allows itself to decipher the key which was used to encrypt the urns, and thus to decipher them, guaranteeing that the Voting results can not be handled by administrators 8.

Voting means any activity for which the choice of participants, voters or shareholders is expressed by means of a vote, for example national elections, communal elections, a referendum, a survey, a consultation, etc.

The second section B describes in detail the management of the electronic vote. In general, this second section B is dedicated to the voting session itself by guaranteeing the voter's authentication and the anonymity of his vote. The pillars of this second section B are the authentication system 1, the voter 2, and the voting system 3. The latter comprises two main units, a first unit 30 which includes a second secure memory of a server that is part of of the voting system 3, and a second unit which comprises another secure memory of the server forming part of the voting system 3 which corresponds to or to the ballot box (s) 31.

The last section of the system described is the third section C to obtain the results of the voting. This third section C is dedicated to guarantee the transparency of the vote count. Once the elector 2 has voted and his vote is stored at least temporarily in the voting system 3, the voting system 3 confirms to the voter 2 that his vote was taken into account in the vote. And then, this vote and all the other votes of the electors 2 are recorded in the corresponding ballot box (es). The ballot box (s) 31 save (s) the recorded votes, so that the votes are ready for counting by electronic means 7, which greatly decreases, or even can eliminate in its entirety, the counting errors. In addition, it allows to reduce the working time, while keeping the anonymity of the voters 2. That is to say that the urn (s) 31 is or are secured (s) and sealed (s) by various electronic means 7 including the electronic signature that guarantees the integrity of the content, the proof of source of the seal, a time stamp of the seal and levels of encryption to guarantee confidentiality. These last three properties have the effect of preserving the ballot boxes 31 and their contents before and after the counting, the retention of each individual ballot paper; this allows for as much recount as necessary in case of control or disputes. To access the counting of the ballot and to present the results of the voting, the administrators 8 who have received one of the keys 5 meet and by bringing together at least N among M keys find the key to decipher the ballot box (s) 31, to open them for counting, and then obtain and organize the election information to present it to the interested parties.

The second section B for managing an electronic vote according to the method according to the invention is based as mentioned on three pillars: the authentication system 1, the voter 2 and the voting system 3. The method involves these different pillars in the different steps that are performed in a secure environment and connection. The connection is doubly secure, that is to say at the level of the exchanged messages that are encrypted, and at the level of the transport / communication channel which is itself encrypted, the data circulating between these pillars are also secure. The security is for example achieved by encrypting and / or anonymizing in a volatile memory the data that circulates between these pillars. Thus, any message exchanged between the voter 2 and the authentication system 1, and between the voter 2 and the voting system 3, is encrypted end-to-end and / or anonymized in a volatile memory, to be resumed. in a token, throughout the voting process. The encryption or encryption algorithm used is chosen to guarantee confidentiality of the messages or data exchanged and also allows authentication.

The authentication system 1 comprises a first secure memory in a first secure server, which is part of the authentication system 1. The voting system 3 comprises a second secure memory in a second secure server, which is part of the voting system. 3. During the voting session, elector 2 accesses a third memory that is also secure. The security of the servers, memories and connections is carried out by a third authority which is preferably independent from the vote in order to guarantee the transparency of the voting.

The third memory that is used by the elector 2 contains first protected data whose access is also protected by certified information, such as for example the electronic signature of the elector 2 or the electronic signature of a third party who has done the same. 2. Thus, this certified information available to the elector 2 can be stored for example in his browser or in an application of his Smartphone. This means that the voter 2 can open the voting session that corresponds to him from his own mobile phone or from his own laptop, which makes the polling environment easy for the user to access. 2. The implementation The dematerialized voting system concerns both voting machines and dematerialized electronic voting systems such as the web, by using service software, mobile applications or voting applications in social networks. This system can be used locally, remotely, online, polling stations, internet, intranet, etc.

An authentication step initializes the method according to the invention, that is to say the identification of the voter 2 by first data that identify it, and the verification of these data via the system of authentication. Authentication 1.

As shown in FIG. 2, in a first step of the authentication step, an elector 2 connects to the authentication system 1 by connecting the authentication system 1 with an electronic means that allows this system to resume. first data that identifies it.

This electronic means may be a medium comprising a memory and capable of preventing the copying of the first identification data contained in the memory, which, in practice, is generally done through apparatus of cryptographic media such as a chip cryptographic system with integrated PKI system based on a pair of asymmetric keys certified; a unique password generation authentication calculator with time link, based on a prerecorded symmetric key; or, an authentication calculator using challenge-response mechanisms with temporal link, based on a prerecorded symmetric key.

Alternatively, this electronic means may be a medium that guarantees that the user consents to the transaction, thus requiring, on the one hand, the existence of a support apparatus obtained during a registration procedure, for example a card to chip such as an electronic identity card or a SIM card or elD; on the other hand information transmitted to the user 2 during this recording phase, for example a PIN code, or information derived from the user 2 during this recording phase as a biometric data item . This electronic means then allows access to first data that identify the voter.

According to another alternative, this electronic means can also be a support delivered to the voter 2 through a registration procedure face to face, thus ensuring that the voter 2 is the person who took possession of the support and zero other person. This registration procedure includes verifying the identity of the elector 2 through the verification of the authentic sources issued to the elector 2 by the competent authorities, and finally the registration of the elector 2, in the registers of the elector. registration authority, that is, a third authority in the election.

Alternatively, this electronic means may be a support delivered to the elector 2 by a third authority, that is to say independent of the dematerialized voting system, and recognized as reliable by the community making use of this medium, and of which no may de facto not call into question credibility, in particular through certain risks of collusion between the recording authority of the apparatus and the operator of the voting system 3, for example an electronic identity card or other form elD issued by a municipality, a SIM card issued by a telecommunication operator, a bank card issued by a financial institution, etc.

Finally, this electronic means can be a support for accessing authentic sources, and for collecting or checking the attributes of identities required. These authentic sources can be in various forms such as a signed and certified file included in the support itself, or a certified online service made available by the issuing authority, the support. Or require more or less complex protection scenarios to access these identity attributes as a PIN check to access the file to a series of strong authentication to access an online service.

Whatever the embodiment used for the electronic means, the latter will provide first data that identify the voter. The first data will then be read when applying the method of managing a vote according to the invention.

The anonymous token technique described can take many forms; ideally, we will favor the cryptographic form which consists in encrypting the data to be exchanged and making use of homomorphic encryption techniques to change the form in which the data are presented and thus avoid any traceability without altering the content of the data in order to guarantee reliability. However, because the aforementioned homomorphic encryption techniques require computing power higher than that generally exists in traditional computer equipment, the concept of anonymous token can alternatively be implemented using the MemCache J server with two inputs. A MemCache system allows storage in volatile data memory. Other techniques capable of achieving the same objective are obviously applicable.

A two-input MemCache J server is a pure volatile memory server with no disk or log files and functions as a database from which each input data or data group expires and thus permanently disappears from memory without leaving a trace, after a few minutes, and is addressable by two distinct identifiers indistinctly.

Specifically and using the MemCache J server, as shown in Figure 3, an elector 2 will launch the creation of the anonymous token he will be the only one to know the two identifiers J # abc and J # xyz that can address the server J. Next, the identifier corresponding to each of the servers, that of the authentication system 1 and that of the voting system 3, will be communicated to the server J to enable it to access the token. Access to the token is always through the elector and it is not possible for the servers of the authentication and voting system to communicate directly with each other or to exchange their respective identifiers with each other. This would indeed make it possible to trace the transactions by another actor than the voter 2 who is the only one able to make the link.

After the voter 2 has connected to the authentication system 1, the authentication session S # ABC opens, and the authentication system 1 will process the first data identifying the voter 2 to begin the process. authentication of the elector 2 with the aid of these first data and, where appropriate, using a coded word specific to the elector. And then, to conclude the authentication of the voter, the authentication system 1 will check with these first data the identity of the voter 2. Then, the authentication system 1 will extract the first data of the second data, that is to say, the parameters necessary to enable the voting system 3 to give the voter 2 the ballot (s) corresponding to his voting according to the vote to which he has the right to participate.

Alternatively, the voter 2 can connect to a third server J, as shown in Figure 3 by the dotted line, before starting the authentication step. This connection can be done either directly or through an access card such as a credit card, a SIM card or an electronic identity card. When the voter 2 has connected to the third server J it is the latter who will create the token will have firstly a first identifier J # abc which will allow the authentication system 1 to communicate with the third server J, and secondly a second identifier J # xyz that will allow the voting system 3 to communicate with the third server J. After creation of the token produced by the third server J, the token will be transmitted under the control of the voter 2, c through it, the authentication system 1 to start the authentication process.

After the authentication process has been performed the necessary attributes generated by the authentication system 1 to allow the subsequent allocation of the ballot (s) are transmitted to the third server J either directly or by the 2. In the case where the attributes are directly transmitted to the third server J, the voter 2 is informed that the attributes are transmitted to the third server J.

In the embodiment where the voter first connects to the authentication system 1, the authentication operation first takes place, and when the voter 2 has been authenticated, he is informed and the token is produced by the third server J.

For example, Mr. GIO connects his Belgian elD card to the authentication system 1 to open an S # ABC authentication session. The Belgian elD map of Mr GIO contains, among other things, as the first data pre-recorded by the Belgian authority, visible information such as, for example, his identification number of the National Register of natural persons, his surname and first name, his nationality and sex , the date and place of his birth, and his picture. The authentication system 1 reads from this data, as well as from the data that are not visible on the elD card of Mr. GIO, for example, his address and his certificate of identity and signature, those he has need to perform authentication. This allows the system 1 to verify that the person who connects his elD card is Mr. GIO. Mr. GIO is well registered and admitted to the X vote. The authentication system 1 will extract from Mr. GIO's elD card the first data, for example his surname, first name, date of birth and his address. From these data, second data, for example, the municipality where Mr. GIO lives and therefore the official language of his commune will be included in a J # abc token. These attributes are necessary so that the J # abc token containing this information is processed in the voting system so that in a later step of the method, it is able to assign to Mr. GIO the ballot for the X vote and in French, since Mr. GIO is French-speaking and Bulletin X is his commune. Then, at this stage of the method, a voting session S # XYZ opens for Mr. GIO to vote.

Another option that allows Mr. GIO to open a voting session may be when Mr. GIO opens an S # ABC authentication session with his Belgian elD card by authenticating himself with a PIN or a password for which he is the only one to know him. Once Mr. GIO is authenticated, Mr. GIO is informed and he can open a S # XYZ voting session. The admission of an elector 2 to a vote depends on the conditions of the voting. The eligibility of elector 2 is determined by certain voting attributes necessary to determine that elector 2 is eligible for voting. These attributes are not the same if the vote in question is a national vote, or a vote or investigation within a company, or a vote at a meeting of shareholders of a company. Scheduled lists may be provided at the time of the organization of the voting to revise the eligibility of an elector 2.

The token that is processed by the authentication system 1 repeats anonymously, a set of data comprising second data of the elector 2 produced from the first data and includes third data necessary for the production of the bulletin (s) ( s) Voting Award (s).

This token is an access key, it is made available to the elector and opens the door to the data and attributes related to this elector 2 and which are necessary for the vote. Likewise, he opens and closes a voting session. This token is preferably used only once, if a problem arises during the vote, for example a loss of the web connection, the token is canceled, which means that the voter 2 must then start the whole process again. from the beginning, that is to say since the authentication step. The content of the token can be read at any time, and when the token does not take over the data entered either during the authentication step or during any of the steps of the method, the token will be canceled. The cancellation of the token is the expiration of the period of time during which the token exists.

This token does not allow on the basis of its content to customize the voter 2, which means that the token takes anonymized data. Once the token returns anonymously to the data set of voter 2, the data set at this stage of the method is the second and third data, it is presented to elector 2 so that he can vote. The voter will then send the token to the voting system 3, which is dissociated from the authentication system 1. For the voting system 3 to record and process the token, it is preferable that the token pass through the voter 2 who transmits it to the voting system 3.

The voting system 3 makes it possible to guarantee that each vote submitted to the voting system 3 will be taken into account, and secretly; that is to say, to guarantee the transparency of the ballot boxes 31 and the anonymity of the elector's choice 2. The voting system 3 makes it possible to always allow the voter 2 to submit his vote. This means, for example, that an elector 2 who possesses the attributes required for the corresponding election must, in all cases, be able to access the voting system 3, including in the extreme cases of loss of the authentication medium. On the other hand, an elector 2 who does not possess the required attributes can not in any case access the voting system 3, even in the extreme cases of attempted recovery: of the authentication medium of another voter; and therefore can not in any case submit a vote.

The voting system 3 makes it possible to guarantee that an elector 2 can only vote once and only once. This means, for example, that an elector 2 can authenticate itself on the authentication system 1 as many times as he wishes, or present the token several times, but that his vote can only be registered one and only once. Elector 2 must be informed of his voting status when connected 10. Once an elector 2 has confirmed his vote, he can not reopen the voting session and change his vote.

The voting system 3 including the urns unit 31, makes it possible to guarantee the transparency of the ballot boxes 31. This means that only the votes submitted by the voters 2 having the required attributes will be taken into account and that it is impossible for the votes to be filled. votes of other voters 2 who do not have the attributes can be taken into account. Only one and only one vote per elector 2 will actually be taken into account. The technique called urn stuffing should be ideally impossible and in any case detectable.

The jam is avoided by the fact that the ballot box accepts only one ballot attached to a token that has been processed by the authentication system 1. Only one ballot is admitted per chip, which prevents write several ballots in the ballot box corresponding to a given token. In addition, any ballot that contains more candidate choices than defined by the configured voting rules will be a ballot excluded from the count and indicated in a report generated at the end of the voting.

The voting system 3 ensures the secrecy of the vote. Which means that only the elector 2 knows the content of his vote. And that under no circumstances may an actor other than the voter 2 be able to relate the content of the vote of an elector 2 to the voter 2 himself; except the elector 2 who knows of course the content of his vote.

In practice, the voting system 3 extracts from the set of anonymized data included in the token the third data necessary for producing the ballot (s). The ballot (s) corresponding to the election is or are produced on the basis of the third data; and it is or they are presented (s) 40 to the voter 2 authenticated. Thus, the elector 2 receives the blank ballot (s) corresponding to him (ent) according to the election to which he has the right to participate. And for example, according to the attributes determined by the reading of the second and third data which allows him to receive the bulletin (s) in the language that corresponds to the language of the election and accepted by his municipality. The voter 2 votes and sends 50 the token which includes the information of his vote in the voting system 3. The voting system 3 records at least temporarily the vote (s) issued by the voter 2 authenticated.

Following our example and Figures 2 and 3, Mr. GIO using for example his mobile, as a third memory, and connecting to the authentication system 1 with its session S # secure ABC he has authenticated. To that end, he connected to a secure web environment that asked him for example his National Registry Number or a password. Mr. GIO typed his National Registry number, after his authentication the authentication system 1 puts the token J # abc at his disposal This token includes firstly the second data necessary to know that he is admitted to the vote X and that he is for example French-speaking, and on the other hand the third data for him to be allocated the ballot of the vote X. Then, Mr. GIO sends the token to the voting system 3 via the voting session S # XYZ. The voting system 3 extracts from the token the third data that makes it possible to produce the ballot. Mr. GIO will then be able to see on his mobile phone the ballot paper XM GIO sees the list of candidates who correspond to the X voting, that is to say the ballot for the X vote in French, and sees for example the name of the three candidates Mr ZAP, Mrs BEA and Mr TIS. Mr. GIO makes his election, he votes for Mr. ZAP, who considers is the best option to run his commune, by selecting the box provided for this purpose in the ballot displayed on his screen. If necessary, Mr. GIO will be asked to confirm his vote. When Mr GIO has then typed in his voting session S # XYZ the option to send, record, his vote, the status that corresponds to Mr ZAP will be included in the J # xyz token. The token J # xyz is then sent and registered at least temporarily in the voting system 3.

After the voting system 3 has recorded the vote made by the voter 2, the voting system 3 confirms 60 to the voter the submission of the vote (s) in the voting system 3, and resumes the confirmation of the vote. vote in the token. Once the token resumes the confirmation it is returned to the elector 2. If necessary the elector will send (70) the token in the authentication system, still in the session S # ABC, to close this session . The elector will then be informed (80) that the S # ABC session is closed.

Once elector 2 receives confirmation that his or her vote is recorded in ballot box 31, the counting of votes and the presentation of the results are carried out, that is to say the third section C of the electronic voting system. Mr. GIO is happy to have voted and his vote will be taken in the count of the X vote. He closes the voting session S # XYZ by disconnecting and the token J # xyz is thus canceled. By registering his vote Mr. GIO cancels the token and at that moment both sessions are closed.

If Mr GIO changes his mind and would like to reopen the S # ABC authentication session and the S # XYZ voting session to change his vote, this is no longer possible, because once his vote is validated he will not there is more change possible. Which means that if Mr GIO has clicked on the option to send his vote he can not reopen the voting session S # XYZ. In case Mr. GIO would like to change his mind and vote for Ms. BEA he should follow the method from the beginning, since the authentication step. Thus, he must reconnect his Belgian elD card to the authentication system 1. This will read the first data and will identify that it is Mr GIO, but the second and third data will not occur. The authentication system 1 has detected that Mr GIO has already registered a vote. So Mr. GIO reads on his cell that the voting session can not be opened by what he has already voted. This guarantees the transparency of the voting system 3 and the ballot boxes 31.

The communication between the authentication system 1, the voter 2 and the voting system 3, as already mentioned, is achieved through secure sessions. To do this, quite standard session management mechanisms are used. They consist in the generation of a session cookie by the server at the beginning of the session which it communicates to the voter 2. They also include the systematic forwarding of the same session cookie by the voter 2 at each connection to the same server to ensure the reliability and continuity of exchanges.

It should be noted that at no time are these session cookies exchanged with other parties and these cookies are destroyed either after a certain period of inactivity at the server or when the application is closed. voter level 2.

Figure 3 allows to visualize a practical example of possible implementation: the circulation of the token and to deepen the explanation described above and with the example of Mr. GIO. Thus, it is recalled that for questions of anonymity and secrecy of the vote at no time the servers of the authentication system 1 and the voting system 3 do not communicate directly with each other; they will not be able to communicate through the elector 2 by exchanging an anonymous token whose form, binary representation, will change through the different exchanges so as to make traceability impossible, except for the voter 2 him -even.

As in Figure 3, Mr. GIO creates a token in server J with two identifiers J # abc and J # xyz. Then, a J # abc token is produced having an identifier that allows Mr. GIO to communicate with the authentication system 1, and a J # xyz token is produced having another identifier that allows him to 3. So that Mr GIO can vote and register in the voting system at least temporarily his vote. Mr. GIO communicates with the authentication system 1 while the session S # ABC is open, after the authentication step already described in our example. Mr. GIO communicates with the voting system 3 while the session S # XYZ is open, during the voting step also already described. In this example of implementation, the voting system 3 can not read the token with the identifier J # abc, it can only read the data in the token with the identifier J # xyz. The authentication system 1 can not read the token with the identifier J # xyz, it can only read the data in the token with the identifier J # abc. Thus, the authentication system 1 is dissociated from the voting system 3. Mr GIO is authenticated, he can cast his vote, he can record his vote, and his choice remains anonymous.

Claims (14)

A method for managing an electronic vote comprising: an authentication step comprising: - connecting (10) to an authentication system (1) an electronic means, in particular an elD, held by an elector (2) and making it possible to provide first data stored in the memory contained in an electronic chip of an electronic card held by the voter (2), in particular the elD, more particularly the Belgian electronic identity card, which identify the voter (2 ); - provide and read the first data and perform a voter authentication process (2) using the first data; - give the elector (2) the ballot (s) to use during the vote; characterized in that said method also comprises the steps of: - generating (20) a token which anonymously resumes a set of data comprising second data of the voter (2) produced from the first data and comprising third data necessary for the production of an assigned ballot (s), and make the generated token available to the elector (2); sending (30) the token to a voting system (3) dissociated from the authentication system (1); - extract from the token, via the voting system (3), the third data necessary for the production of the ballot (s); - produce on the basis of the third data the ballot (s) to be given to the elector and which corresponds to the voting; - present (40) to the elector (2) the ballot (s) produced; - after receiving one or more votes from the voter (2), register (50) at least temporarily in the voting system (3) the vote (s) issued by the elector (2) authenticated; - confirm (60) the vote (s) submitted in the voting system (3), enter in the token the confirmation that the vote has been submitted, and return the token to the elector (2); - return (70) the token to the authentication system (1); - linking via the authentication system (1) the confirmation of the vote (s) submitted and included in the token, to the identity of the voter (2) to validate that the voter (2) voted ; and - registering (80) in the token, via the authentication system (1), which the voter (2) has voted, and informing the voter (2) of the recording of his vote. 2. Method according to claim 1, characterized in that the voter is authenticated using the first data and a coded word specific to the voter. 3. Method according to claim 1 or 2, characterized in that a verification step using the first data is performed to check the presence of the voter (2) in a list (s) of voters predetermined (s), the method of managing the electronic vote being interrupted if the voter (2) is not present in the list or lists. 4. Method according to one of claims 1 to 3, characterized in that if said method is interrupted during one of the steps, the token is canceled. 5. Method according to one of claims 1 to 4, characterized in that the content of the token is produced using a binary representation which has a cryptographic form obtained by a homomorphic encryption technique that modifies the cryptographic form without alter its content. 6. Method according to one of claims 1 to 4, characterized in that the token is produced by a server, in particular a MemCache server, having two secure inputs, one accessible by the authentication system (1), and the other accessible through the voting system (3). 7. Method according to one of claims 5 or 6, characterized in that the token is at least temporarily stored in a first secure memory of a server forming part of the authentication system (1) when it is processed in the authentication system (1). 8. Method according to one of claims 4 to 6, characterized in that the token is at least temporarily stored in a second secure memory of a server forming part of the voting system (3) when it is processed in the system of vote (3). 9. Method according to one of claims 1 to 8, characterized in that the token is at least temporarily stored in a third memory made available to the voter (2), when the token is made available to the user. elector (2). 10. Method according to one of claims 1 to 9, characterized in that the content of the token can be read by the voter (2) at any time during the execution of the method, and when the token does not resume the data introduced either during the authentication step or during one of the steps of said method, the token is canceled. 11. Method according to any one of the preceding claims, characterized in that read in the electronic chip during the authentication step is either personal data directly allowing the identification of the voter (2), or data such as electronic certificates make it possible to authenticate the voter (2), or data specific to the chip for initiating an identification or authentication procedure of the voter (2). 12. Method according to one of claims 1 to 11, characterized in that the step of recording (50) at least temporarily in the voting system (3) the vote (s) issued by the voter ( 2) authenticated is carried out either in voting machines, or in a dematerialized electronic voting system, in particular the web, a service software, mobile applications, or voting applications in social networks. 13. Method according to one of claims 1 to 12, characterized in that the step of the connection to the voting system is performed either locally, or remotely, or online, or in polling stations, or via the Internet, either intranet. 14. Method according to one of claims 1 to 13, characterized in that the authentication step is performed on the basis of pre-recorded data by a third authority.