EP2382606B1 - Verifiable electronic voting method - Google Patents

Verifiable electronic voting method Download PDF

Info

Publication number
EP2382606B1
EP2382606B1 EP08875902.2A EP08875902A EP2382606B1 EP 2382606 B1 EP2382606 B1 EP 2382606B1 EP 08875902 A EP08875902 A EP 08875902A EP 2382606 B1 EP2382606 B1 EP 2382606B1
Authority
EP
European Patent Office
Prior art keywords
voting
choices
random
voter
choice
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP08875902.2A
Other languages
German (de)
French (fr)
Other versions
EP2382606A1 (en
Inventor
Fatih Tiryakioglu
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Scientific and Technological Research Council of Turkey TUBITAK
Original Assignee
Scientific and Technological Research Council of Turkey TUBITAK
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Scientific and Technological Research Council of Turkey TUBITAK filed Critical Scientific and Technological Research Council of Turkey TUBITAK
Publication of EP2382606A1 publication Critical patent/EP2382606A1/en
Application granted granted Critical
Publication of EP2382606B1 publication Critical patent/EP2382606B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C13/00Voting apparatus

Definitions

  • the present invention defined in the method of independent claim 1, allows a voter to verify that the votes she cast were properly counted while maintaining vote anonymity. Anonymity and transparency are balanced such that voters have proofs showing the votes they cast are properly counted, but the same proofs are meaningless to the others. In this way, transparency is succeeded without exposing voter privacy. While voters cast their votes, for example in a voting machine, a witness is required to verify that the vote is counted properly. A witness proving voter privacy is implemented by using a voter superiority over the voting system. This strength is used to solve transparency-anonymity problem: Voting system can't guess next step of the voter, and when all steps are revealed, it is not allowed the system to get back.
  • Voters present a random choice from a predetermined set of random choices together with each voting choice in the voting process, and she expects an algorithm output as a proof of including voting choices and random choices of the voting choices. After receiving algorithm output, she presents all random choices of each possible choice, and gets the random choices from the voting system as she presents. Because the voting system can not know random choices of the other possible choices, a possible malware code in the system can not dare to change voting choices of the voter. If it dares and the random choices of the not intended voting choices it selects is not as the random choices of the not intended voting choice entered following to receiving the algorithm output by the voter, then this illegal modification is revealed. The possibility of reveal increases exponentially, as the voting system's illegal modified votes increase.
  • Algorithm output is an output of a cryptographic algorithm getting inputs that comprises voting choices and random choices of the voting choices and using a secret.
  • the voting choices of the voters can't be computed by using the algorithm output without knowing the secret.
  • the secret can be an input text, the algorithm, key, or a combination of them. Key is preferably used as a secret because of its strength against brute-force attacks.
  • Algorithm output and random choices of possible choices got by voter during the vote casting are also made public for future verification.
  • Voter compares her algorithm output and random choices of possible choices with the ones made public, and if they are same she ensures for proper counting of her vote.
  • Voting center verifies and evaluates the votes by using public parameters that comprise algorithm output and random choices of possible choices and secret. Illegal processes are revealed by the voting center, if any. Beside the voting center, a trusted third party that gets secrets from the voting center can be used for verification of the voting results.
  • the present invention allows a voter to verify that the votes she cast were properly counted while maintaining vote anonymity.
  • the system 5 may be implemented as shown in FIG. 1 .
  • the system 5 includes voting machines 10 which are located in voting precincts. While there are three voting machines in the FIG. 1 , any number of voting machines can be provided.
  • Each voting machine comprises a human-machine interface 15, a processing unit 20, local databases 25 and 30.
  • Human-machine interface 15 provides communication and data transfer with the environment.
  • Processing unit 20 is generally responsible for running electronic voting method and specifically runs an algorithm which uses secret S.
  • Local database 25 holds verification texts of voters.
  • Local database 30 holds candidate information which will be displayed in the human-machine interface. Prior to polls, candidate information is loaded to each local database 30 of the voting machines 10 separately from a central database 40 of voting center 35 by a central authority.
  • FIG. 2 is a flowchart showing the electronic voting method.
  • the method may be implemented in a system 5 shown in the FIG. 1 .
  • the method begins at step 100.
  • a voter is authorized to cast vote in a voting machine 10.
  • step 105 voter faces a user interface for selecting voting choices in the human-machine interface 15.
  • the user interface may be implemented as 300 shown in the FIG. 3 .
  • all candidates or choices 310 are presented.
  • Each candidate or choice has a set of random choices 320 whose number and names are determined by a voting authority.
  • voter must have determined random choices of each candidate or choice except random choices of the voting choices. Random choices of the voting choices must have been determined up to this step.
  • Random choice determination of the voter may be performed on a paper 400 like in the FIG. 4 .
  • the choices 410 are shown in the first column, and the random choices 420 of the choices 410 are shown in rows for each choice.
  • the voter's random choices in the FIG. 4 are red, green, green, red, blue, green for mayor choice, and green, blue for yes/no choice, respectively.
  • voter selects voting choices together with random choices of the voting choices which are determined prior to that. For example, if she chooses "Mehmet Camlibel" and "Yes" as shown in the FIG.
  • voting machine receiving voter's voting choices and random choices of the voter's voting choices, processes a cryptographic algorithm using a secret.
  • Algorithm's input comprises voter's voting choices and random choices of the voter's voting choices and the algorithm produces output.
  • the number of process/processes may be one or more than one. For example, there may be one process receiving "Mehmet ⁇ amlibel", “green”, “Yes”, “green” or two processes, one of them receiving "Mehmet Camlibel", “green” and the other receiving "Yes", “green”, etc.
  • the processes, being more than one may be independent or cascaded to each other as one's output is inputted to the other. In all conditions, it is guaranteed to input all voting choices and random choices of the voting choices and to receive output independent of the number of the process/processes and the output/outputs.
  • voting choices and random choices of the voting choices should be able to be guessed or determined by using algorithm output/outputs and the other known input parameters if the secret is known. Beside these, voting choices and random choices can be symbolized with different elements when inputting to the algorithm. For example, enumeration of the voting choices and the random choices can be performed. But the rule of the substitution must be public.
  • Algorithm's input can include an id determined by voter, voting machine, or both of them if a user friendly verification process is desired in the verification step. Algorithm's input may also include voting machine id which assures varying algorithm outputs across voting machines. Algorithm's input may include any optional data as long as voter's voting choices and random choices of the voter's voting choices are assured to be in the input parameters.
  • the algorithm makes use of a secret in the processing.
  • the secret may be a key, a text inputted to the algorithm or the algorithm itself. It is preferably a key because of its strength against brute-force attacks trying to determine voting choices by using algorithm output/outputs and the other known input parameters. The point is that voting choices and random choices of the voting choices can't be determined by using only algorithm, algorithm outputs and the other known parameters, but also a secret is required.
  • step 115 the voter receives algorithm output and she makes sure it to be not changed in coming steps.
  • step 120 the voter enters all random choices of all possible choices to the voting system. This entrance may be performed by entering an optical paper 400 in FIG. 4 to an optic scanner of the voting machine.
  • step 125 the voter receives random choices of all possible choices just entered.
  • This receiving together with the algorithm output, received in step 115 can be named verification text of the voter.
  • the verification text and the other optional parameters is given to the voter for future verification by the voter. They may be given to the voter on a paper 500 in FIG. 5 .
  • FIG. 5 In the FIG.
  • step 130 the voter compares entered and received random choices.
  • step 135 she approves the voting if they are the same. If they are not the same, she rejects the voting and voting process ends with failure.
  • the voter informs the officer for the incompatibility by showing her receiving.
  • step 140 if approving realizes, all receiving are recorded to the local database of the voting machine, and vote casting for the voter ends with success.
  • the voter also gets all receiving which may be like paper 500 in FIG. 5 .
  • step 120 if the random choices of the voting choices are entered again, which is usual in the optical paper implementation, the voting process may be ended with failure or may continue in normal flow depending on the voting authority's decision on method implementation. If the method is implemented as the voting process to end with failure, when the incompatibility happens in step 120, i.e. the random choices of the voting choices entered in the user interface 300 in FIG. 3 in step 105 does not fit into the random choices of the voting choices on the paper 400 in FIG. 4 in step 120, the vote casting ends with failure. If the method is implemented as the voting process to continue, when the incompatibility happens in step 120, i.e. the random choices of the voting choices entered in the user interface 300 in FIG.
  • voting interface warns the voter for this incompatibility. If the voter accepts the incompatibility, the vote casting may be still valid, but there must be a sign of incompatibility, but not in detail as which one does not fit to which one, in the verification text which is received by the voter and stored in local database. If she does not accept the incompatibility, the vote casting ends with failure. In failure, all voting process must start from very beginning because of the disclosure of the random choices.
  • the local database may be implemented as the table 600 shown in FIG. 6 .
  • each row 610 contains information related to one voter.
  • the sequence of the voters is preferably random, and the table preferably does not contain voting time and additional information threating voter anonymity if maximum degree of vote-voter anonymity is required.
  • the data on the local databases of the voting machines is transferred to the central database 40 of the voting center 35 in FIG. 1 . Transferring of the information can be on-line or off-line. For enhanced security, the data is preferably copied from the local database to a storage in off-line, then the data can be transferred to the voting center in on-line. This ensures of not getting out any intentional or non-intentional information that will threaten vote anonymity from the voting machine.
  • Making public of database on each voting machine can be performed by each voting machine locally, by the voting center globally after the transfer, or both locally and globally.
  • Evaluation and declaration of results can be performed by the voting center globally, or by both the voting center globally and each voting machine locally.
  • Evaluation means determining all voting choices from each voting machine's database which comprises algorithm outputs, random choices of all candidates/choices, and the other known parameters of each voter by using the secret of each voting machine. For the evaluation, the secret is required.
  • the voting machine may also count votes simply during the polls, and the counts may be used in the local declaration without evaluation of the results.
  • results are not basic, but evaluation of results by the voting center is required for certain results.
  • the stored data and the voting results of each voting machine are made public globally by the voting center or globally by the voting center and locally by each voting machine after the polling is closed. The declaration of the stored data and the results of each voting machine is visualized in FIG. 1 .
  • the secrets of the algorithms can be generated in the voting machines locally, or they can be generated in voting center, and distributed to each voting machine. In the later case, the secrets are stored in voting center. If the secrets are generated in the voting machines, they are transferred to the voting center prior to evaluation of results. But the confidentiality of the secrets must be guaranteed during the transfer. Voting machines do not expose the secrets, they preferably zeroize the secrets after the polls are closed and the confidentiality of the secrets is realized for the transfer if transfer is required.
  • the data collected from the local databases is made public.
  • voting center evaluates votes and verifies the proper casting of votes by using data collected from the databases of voting machines. Beside these, a trusted third party can repeat the verification and evaluation of votes by using the secrets received confidentially from the voting center. And finally, the secrets of some or all voting machines may be disclosed for public evaluation and verification of votes.
  • the verifications, verification and evaluation by the voting center, verification by the voters and verification by a trusted third party are shown in FIG. 1 .

Description

    BACKGROUND
  • It is difficult to provide transparency and anonymity in electronic voting systems. Using paper trails for verification seems to be like paper based classic voting method and it does not solve verification problem completely. Such voting systems are disclosed in prior art document US 2008/0135632 A1 . Voters want transparent electronic voting systems. But this should not result in vote buying. Electronic voting methods should be also user friendly and easy to understand. Secure, transparent, voter verifiable and anonymity based electronic voting methods are required for future electronic voting systems.
    • BRIEF DESCRIPTION OF INVENTION
  • The present invention defined in the method of independent claim 1, allows a voter to verify that the votes she cast were properly counted while maintaining vote anonymity. Anonymity and transparency are balanced such that voters have proofs showing the votes they cast are properly counted, but the same proofs are meaningless to the others. In this way, transparency is succeeded without exposing voter privacy. While voters cast their votes, for example in a voting machine, a witness is required to verify that the vote is counted properly. A witness proving voter privacy is implemented by using a voter superiority over the voting system. This strength is used to solve transparency-anonymity problem: Voting system can't guess next step of the voter, and when all steps are revealed, it is not allowed the system to get back. Voters present a random choice from a predetermined set of random choices together with each voting choice in the voting process, and she expects an algorithm output as a proof of including voting choices and random choices of the voting choices. After receiving algorithm output, she presents all random choices of each possible choice, and gets the random choices from the voting system as she presents. Because the voting system can not know random choices of the other possible choices, a possible malware code in the system can not dare to change voting choices of the voter. If it dares and the random choices of the not intended voting choices it selects is not as the random choices of the not intended voting choice entered following to receiving the algorithm output by the voter, then this illegal modification is revealed. The possibility of reveal increases exponentially, as the voting system's illegal modified votes increase. Algorithm output is an output of a cryptographic algorithm getting inputs that comprises voting choices and random choices of the voting choices and using a secret. The voting choices of the voters can't be computed by using the algorithm output without knowing the secret. The secret can be an input text, the algorithm, key, or a combination of them. Key is preferably used as a secret because of its strength against brute-force attacks.
  • Algorithm output and random choices of possible choices got by voter during the vote casting are also made public for future verification. Voter compares her algorithm output and random choices of possible choices with the ones made public, and if they are same she ensures for proper counting of her vote. Voting center verifies and evaluates the votes by using public parameters that comprise algorithm output and random choices of possible choices and secret. Illegal processes are revealed by the voting center, if any. Beside the voting center, a trusted third party that gets secrets from the voting center can be used for verification of the voting results.
    • BRIEF DESCRIPTION OF DRAWINGS
    • FIG. 1 depicts a block diagram of a voting system that can implement the voting method.
    • FIG. 2 depicts the flowchart of the voting method.
    • FIG. 3 depicts a user interface on which a voter may enter voting choices and the random choices of the voting choices.
    • FIG. 4 depicts an optic paper that may be used for entering random choices of all possible choices to the voting system.
    • FIG. 5 depicts a paper that may be received by the voter for voter verification.
    • FIG. 6 depicts a look-up table on the voting machine that comprises verification texts of the voters.
    DETAILED DESCRIPTION
  • The present invention allows a voter to verify that the votes she cast were properly counted while maintaining vote anonymity. The system 5 may be implemented as shown in FIG. 1 . The system 5 includes voting machines 10 which are located in voting precincts. While there are three voting machines in the FIG. 1 , any number of voting machines can be provided. Each voting machine comprises a human-machine interface 15, a processing unit 20, local databases 25 and 30. Human-machine interface 15 provides communication and data transfer with the environment. Processing unit 20 is generally responsible for running electronic voting method and specifically runs an algorithm which uses secret S. Local database 25 holds verification texts of voters. Local database 30 holds candidate information which will be displayed in the human-machine interface. Prior to polls, candidate information is loaded to each local database 30 of the voting machines 10 separately from a central database 40 of voting center 35 by a central authority.
  • FIG. 2 is a flowchart showing the electronic voting method. The method may be implemented in a system 5 shown in the FIG. 1 . The method begins at step 100. A voter is authorized to cast vote in a voting machine 10. In step 105, voter faces a user interface for selecting voting choices in the human-machine interface 15. The user interface may be implemented as 300 shown in the FIG. 3 . In the user interface 300, all candidates or choices 310 are presented. Each candidate or choice has a set of random choices 320 whose number and names are determined by a voting authority. Not later than step 120, preferably prior to voting process for convenience, voter must have determined random choices of each candidate or choice except random choices of the voting choices. Random choices of the voting choices must have been determined up to this step. Random choice determination of the voter may be performed on a paper 400 like in the FIG. 4 . In the FIG. 4 , the choices 410 are shown in the first column, and the random choices 420 of the choices 410 are shown in rows for each choice. The voter's random choices in the FIG. 4 ., for example, are red, green, green, red, blue, green for mayor choice, and green, blue for yes/no choice, respectively. In the user interface 300 in the FIG. 3 , voter selects voting choices together with random choices of the voting choices which are determined prior to that. For example, if she chooses "Mehmet Camlibel" and "Yes" as shown in the FIG. 3 , she also enters "green" for "Mehmet Camlibel" and "green" for "Yes" due to prior determination shown in the FIG. 4 . Following the selection of voting choices and random choices of them, she casts vote. Vote casting may be implemented by a Cast button as shown in FIG. 3 . In step 110, voting machine, receiving voter's voting choices and random choices of the voter's voting choices, processes a cryptographic algorithm using a secret.
  • Algorithm's input comprises voter's voting choices and random choices of the voter's voting choices and the algorithm produces output. The number of process/processes may be one or more than one. For example, there may be one process receiving "Mehmet Çamlibel", "green", "Yes", "green" or two processes, one of them receiving "Mehmet Camlibel", "green" and the other receiving "Yes", "green", etc. The processes, being more than one, may be independent or cascaded to each other as one's output is inputted to the other. In all conditions, it is guaranteed to input all voting choices and random choices of the voting choices and to receive output independent of the number of the process/processes and the output/outputs. The point here is that, all voting choices and random choices of the voting choices should be able to be guessed or determined by using algorithm output/outputs and the other known input parameters if the secret is known. Beside these, voting choices and random choices can be symbolized with different elements when inputting to the algorithm. For example, enumeration of the voting choices and the random choices can be performed. But the rule of the substitution must be public.
  • Algorithm's input can include an id determined by voter, voting machine, or both of them if a user friendly verification process is desired in the verification step. Algorithm's input may also include voting machine id which assures varying algorithm outputs across voting machines. Algorithm's input may include any optional data as long as voter's voting choices and random choices of the voter's voting choices are assured to be in the input parameters.
  • The algorithm makes use of a secret in the processing. The secret may be a key, a text inputted to the algorithm or the algorithm itself. It is preferably a key because of its strength against brute-force attacks trying to determine voting choices by using algorithm output/outputs and the other known input parameters. The point is that voting choices and random choices of the voting choices can't be determined by using only algorithm, algorithm outputs and the other known parameters, but also a secret is required.
  • In step 115, the voter receives algorithm output and she makes sure it to be not changed in coming steps. After receiving algorithm output/outputs, but not before that, in step 120, the voter enters all random choices of all possible choices to the voting system. This entrance may be performed by entering an optical paper 400 in FIG. 4 to an optic scanner of the voting machine. Then, in step 125, the voter receives random choices of all possible choices just entered. This receiving together with the algorithm output, received in step 115, can be named verification text of the voter. The verification text and the other optional parameters is given to the voter for future verification by the voter. They may be given to the voter on a paper 500 in FIG. 5 . In the FIG. 5 , the algorithm output 510, the random choices 520 together with optional parameters, which are voter id 530 and voting machine id 540, are shown. In step 130, the voter compares entered and received random choices. In step 135, she approves the voting if they are the same. If they are not the same, she rejects the voting and voting process ends with failure. The voter informs the officer for the incompatibility by showing her receiving. In step 140, if approving realizes, all receiving are recorded to the local database of the voting machine, and vote casting for the voter ends with success. The voter also gets all receiving which may be like paper 500 in FIG. 5 . Beside these, in step 120, if the random choices of the voting choices are entered again, which is usual in the optical paper implementation, the voting process may be ended with failure or may continue in normal flow depending on the voting authority's decision on method implementation. If the method is implemented as the voting process to end with failure, when the incompatibility happens in step 120, i.e. the random choices of the voting choices entered in the user interface 300 in FIG. 3 in step 105 does not fit into the random choices of the voting choices on the paper 400 in FIG. 4 in step 120, the vote casting ends with failure. If the method is implemented as the voting process to continue, when the incompatibility happens in step 120, i.e. the random choices of the voting choices entered in the user interface 300 in FIG. 3 in step 105 does not fit into the random choices of the voting choices on the paper 400 in FIG. 4 in step 120, voting interface warns the voter for this incompatibility. If the voter accepts the incompatibility, the vote casting may be still valid, but there must be a sign of incompatibility, but not in detail as which one does not fit to which one, in the verification text which is received by the voter and stored in local database. If she does not accept the incompatibility, the vote casting ends with failure. In failure, all voting process must start from very beginning because of the disclosure of the random choices.
  • This process is repeated for all voters during the polls. After the polls are closed, verification texts and the other optional parameters of all voters are in the local database 25 in FIG. 1 . The local database may be implemented as the table 600 shown in FIG. 6 . In the FIG. 6 , each row 610 contains information related to one voter. The sequence of the voters is preferably random, and the table preferably does not contain voting time and additional information threating voter anonymity if maximum degree of vote-voter anonymity is required.
  • After the polls are closed, the data on the local databases of the voting machines is transferred to the central database 40 of the voting center 35 in FIG. 1 . Transferring of the information can be on-line or off-line. For enhanced security, the data is preferably copied from the local database to a storage in off-line, then the data can be transferred to the voting center in on-line. This ensures of not getting out any intentional or non-intentional information that will threaten vote anonymity from the voting machine. Making public of database on each voting machine can be performed by each voting machine locally, by the voting center globally after the transfer, or both locally and globally.
  • Evaluation and declaration of results can be performed by the voting center globally, or by both the voting center globally and each voting machine locally. Evaluation here means determining all voting choices from each voting machine's database which comprises algorithm outputs, random choices of all candidates/choices, and the other known parameters of each voter by using the secret of each voting machine. For the evaluation, the secret is required. The voting machine may also count votes simply during the polls, and the counts may be used in the local declaration without evaluation of the results. However these results are not basic, but evaluation of results by the voting center is required for certain results. The stored data and the voting results of each voting machine are made public globally by the voting center or globally by the voting center and locally by each voting machine after the polling is closed. The declaration of the stored data and the results of each voting machine is visualized in FIG. 1 .
  • The secrets of the algorithms can be generated in the voting machines locally, or they can be generated in voting center, and distributed to each voting machine. In the later case, the secrets are stored in voting center. If the secrets are generated in the voting machines, they are transferred to the voting center prior to evaluation of results. But the confidentiality of the secrets must be guaranteed during the transfer. Voting machines do not expose the secrets, they preferably zeroize the secrets after the polls are closed and the confidentiality of the secrets is realized for the transfer if transfer is required.
  • After the polls are closed, the data collected from the local databases is made public. Each voter finds her receiving got from voting machines during the voting process from the data made public. If she finds the receiving as is, she can make sure of proper counting of her vote. On the other hand, voting center evaluates votes and verifies the proper casting of votes by using data collected from the databases of voting machines. Beside these, a trusted third party can repeat the verification and evaluation of votes by using the secrets received confidentially from the voting center. And finally, the secrets of some or all voting machines may be disclosed for public evaluation and verification of votes. The verifications, verification and evaluation by the voting center, verification by the voters and verification by a trusted third party are shown in FIG. 1 .

Claims (7)

  1. An electronic voting method comprising:
    a. Receiving a voting choice related to a supported candidate and a random choice from a set of predetermined random choices, the received random choice being assigned to the received candidate choice, namely the voting choice, via a human-machine interface of a voting machine,
    b. generating an output of a cryptographic algorithm for performing encryption by the voting machine, wherein
    the cryptographic algorithm makes use of a secret,
    the inputs to the cryptographic algorithm comprising the voting choice and the random choice
    c. Printing the algorithm output on a paper receipt,
    d. Receiving a random choice for each candidate from the set of predetermined random choices assigned to each of the candidates via an optic scanner of the voting machine,
    e. Printing all of the random choices received in step (d) on the paper receipt,
    f. Waiting until the received random choices of step (d) are compared with the printed random choices of step (e) by a voter,
    g. Receiving approval of the voter if the received and printed random choices are the same or,
    h. Receiving rejection by the voter if the received and printed random choices are not the same and informing an officer of the incompatibility,
    i. if approved, storing data comprising a voter's verification text that is comprised of the algorithm output of step (b) and the random choices of step (d) in a local database of the voting machine, and providing the paper receipt to the voter,
    j. after the polls are closed, transferring the data on the local databases of the voting machines to a central database of a voting center and making the transferred data public,
    k. checking proper counting of the votes when the voters check their verification texts with the data made public,
    l. assuring proper counting of the votes by the voting center by verifying the proper casting of votes during evaluation of votes from the data collected from the databases of voting machines by using the stored data comprising the algorithm output, the random choices of step (d) and the secret of each voting machine on which a vote is cast.
  2. The electronic voting method according to claim 1, wherein if firstly entered random choice related to the voting choice in step (a) and lastly entered random choice related to the voting choice in step (d) are not the same, the voting process ends with failure or continues in normal flow depending on the voting authority's decision on method implementation.
  3. The electronic voting method according to claim 1, wherein the voting method is performed in all voting machines.
  4. The electronic voting method according to claim 1, wherein if a possible malware code in the system dares to change the voting choice of the voter, illegal modification/malware is revealed provided that when the voter enters random choices related to all possible candidate choices and if the random choice entered by the voter as to malware-related candidate choice is not same as the random choice chosen by the malware code and taken as an input for the cryptographic algorithm to produce algorithm output in the prior step to entering random choices related to all possible choices by the voter.
  5. The electronic voting method according to claim 1, wherein a trusted third party can perform the evaluation and verification of votes in the same way the voting center does by using the data stored in the voting machines containing information as to algorithm output and random choices of all possible choices peculiar to each voter as well as the secrets of the voting machines received confidentially from the voting center.
  6. The electronic voting method according to claim 5, wherein the voting results obtained in each of the voting machines through the verification of votes performed by both the voting center and the trusted third party are respectively compared with each other in order to ensure that the voting center and the trusted third party arrive at the same voting results in the same voting machines.
  7. The electronic voting method according to claim 1, wherein the evaluation and verification of votes can be publicly performed on some or all of the voting machines provided that the secrets of these voting machines are made public by the voting center, and the secrets coupled with the data stored in the voting machines comprising the algorithm output and random choices of all possible choices are used for the verification of votes.
EP08875902.2A 2008-12-23 2008-12-23 Verifiable electronic voting method Active EP2382606B1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2008/055521 WO2010073065A1 (en) 2008-12-23 2008-12-23 Verifiable electronic voting method

Publications (2)

Publication Number Publication Date
EP2382606A1 EP2382606A1 (en) 2011-11-02
EP2382606B1 true EP2382606B1 (en) 2019-02-13

Family

ID=41059956

Family Applications (1)

Application Number Title Priority Date Filing Date
EP08875902.2A Active EP2382606B1 (en) 2008-12-23 2008-12-23 Verifiable electronic voting method

Country Status (3)

Country Link
EP (1) EP2382606B1 (en)
ES (1) ES2728313T3 (en)
WO (1) WO2010073065A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10504314B2 (en) 2018-01-29 2019-12-10 Accenture Global Solutions Limited Blockchain-based anonymized cryptologic voting

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1046139B1 (en) * 1997-12-22 2007-05-23 Ian Way Voting system
US20050035199A1 (en) * 2002-04-11 2005-02-17 John Goci Voter interface for electronic voting system for the visually impaired
US20090144135A1 (en) * 2004-07-27 2009-06-04 Andreu Riera Jorba Methods for the management and protection of electoral processes, which are associated with an electronic voting terminal, and operative module used
FR2895552A1 (en) * 2005-12-28 2007-06-29 Nicolas Marchal Voting machine`s authenticated final results obtaining device for use in polling office, has double validation tactile key located on tactile screen of voting machine for permitting voter to ensure conformity of recording of vote
US7360702B2 (en) * 2006-02-16 2008-04-22 Pitney Bowes Inc. Verifiable voting system
US7516892B2 (en) * 2006-12-12 2009-04-14 Pitney Bowes Inc. Electronic voting system and method having confirmation to detect modification of vote count

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
None *

Also Published As

Publication number Publication date
ES2728313T3 (en) 2019-10-23
WO2010073065A1 (en) 2010-07-01
EP2382606A1 (en) 2011-11-02

Similar Documents

Publication Publication Date Title
US20200219351A1 (en) Vote authentication server, vote server and electronic voting system
KR102120882B1 (en) Block chain based contest system and method for contesting
KR101378285B1 (en) Electronic voting system and method
Khelifi et al. M-Vote: a reliable and highly secure mobile voting system
US11087578B2 (en) Voting booth, system, and methods of making and using same
KR102186029B1 (en) Electronic voting system using blockchain and electronic voting method using blockchain
US20100114674A1 (en) Auditable method and system for generating a verifiable vote record that is suitable for electronic voting
US20200226866A1 (en) System and method for hybrid model electronic voting
Sheela et al. E-voting system using homomorphic encryption technique
EP2382606B1 (en) Verifiable electronic voting method
US20230147564A1 (en) System And Method For Conducting A Publicly Auditable Election
RU2444063C1 (en) Voting method with high-reliability biometric protection of anonymity of voter
Chakraborty et al. Designing a biometric fingerprint scanner-based, secure and low-cost electronic voting machine for India
Salman et al. Development of Electronic Elections Systems: A Review
Salman et al. Analysis of the traditional voting system and transition to the online voting system in the republic of Iraq
Juma et al. Election results' verification in e-voting systems in Kenya: a review
Alvi et al. Classification of blockchain based voting: challenges and solutions
Nagar et al. Implementation of Blockchain for Fair polling System
KR102381028B1 (en) Electronic vote management system and method using block-chain
Averin et al. Review of e-voting systems based on blockchain technology
Krishnamoorthy et al. A Robust Blockchain Assisted Electronic Voting Mechanism with Enhanced Cyber Norms and Precautions
O’Meara Survey & Analysis of E-Voting Solutions
KR102430835B1 (en) Bolckchain e-voting system and manipulation method
Rajeshwari Role of technology in the development of smart and secure public voting systems–a review of literatures
Poddar et al. Incorporating advancements in voting strategies: A survey

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20110715

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20140917

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

INTG Intention to grant announced

Effective date: 20180712

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

Ref country code: AT

Ref legal event code: REF

Ref document number: 1096643

Country of ref document: AT

Kind code of ref document: T

Effective date: 20190215

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602008059003

Country of ref document: DE

REG Reference to a national code

Ref country code: CH

Ref legal event code: NV

Representative=s name: VALIPAT S.A. C/O BOVARD SA NEUCHATEL, CH

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20190213

REG Reference to a national code

Ref country code: EE

Ref legal event code: FG4A

Ref document number: E017509

Country of ref document: EE

Effective date: 20190529

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190513

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190613

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190513

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190514

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190613

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 1096643

Country of ref document: AT

Kind code of ref document: T

Effective date: 20190213

REG Reference to a national code

Ref country code: ES

Ref legal event code: FG2A

Ref document number: 2728313

Country of ref document: ES

Kind code of ref document: T3

Effective date: 20191023

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602008059003

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

26N No opposition filed

Effective date: 20191114

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

REG Reference to a national code

Ref country code: DE

Ref legal event code: R119

Ref document number: 602008059003

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20191223

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200701

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20191223

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20191223

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20191231

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20191223

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190213

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20081223

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: TR

Payment date: 20221108

Year of fee payment: 15

Ref country code: EE

Payment date: 20221124

Year of fee payment: 15

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: BE

Payment date: 20221213

Year of fee payment: 15

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: ES

Payment date: 20230105

Year of fee payment: 15

Ref country code: CH

Payment date: 20221229

Year of fee payment: 15