MXPA96003839A - System for the anonymous counting of items detained for statistical purposes, especially with respect to operations in electronic elvote or in studies of consumoperiodi - Google Patents

Abstract

The present invention relates to a system for the anonymous counting of information items for statistical purposes, especially with respect to operations in electronic voting or in frequent consumer surveys, characterized in that: - it includes a plurality of decision units, so minus one verification unit and at least one counting unit, these units are functionally and structurally separate and because each decision unit includes: means for producing a source information item unit and identity information unit selected from the decision unit and - means for encoding or encrypting the source information item, in such a way as to make it essentially undecipherable by the verification unit and decipherable by the counting unit, - the verification unit includes: - a file of the identities of the decision units, means to verify, upon receiving an incoming message, the identity of the decision unit from which this incoming message originates, and - means for collecting a derived message based on this incoming message, this derived message is an anonymous message essentially devoid of any decryptable identity information item by the counting unit , - the counting unit includes: - means to receive the messages derived from the verification unit and to process these messages in such a way to collect a statistic of the corresponding source information items, and - a file of the statistics thus compiled.

Description

SYSTEM FOR THE ANONYMOUS COUNT OF INFORMATION ITEMS FOR STATISTICAL PURPOSES. ESPECIALLY WITH RESPECT TO THE OPERATIONS IN THE ELECTRONIC VOTE OR IN CONSUMER STUDIES PERIOAD COS The invention relates to a system for the anonymous counting of information items for statistical purposes, which allows the anonymity of the processed information to be preserved in a secure manner with respect to unauthorized persons. A first application of such a system, as will be seen later, is related to statistical counting, more particularly systems for remote "electronic voting". In these systems, "it is often possible and still indispensable to preserve the anonymous nature of the vote (the principle of voting by" secret ballot "), while it is possible to verify the identity of a voter in such a way as to prevent any falsification of In addition, it is necessary to indicate to the voter that his vote has really been taken into account, this aspect is particularly important in the case of distance voting, because there may be difficulties of transmission or processing without the The possibility of detecting them on their own is another possible application that is related to systems for the remote consumption study, by means of a sampling system installed according to the user's specifications, in this case, it is essential to preserve a degree of confidentiality for prevent the possibility that the information related to the user, who is necessarily identified (for purposes of verification) during the transmission of the information, be kidnapped in order to obtain information about the habits, private life, etc., of the person from whom this information originates. The basic idea of the present invention is to divide, between two functionally and structurally separated units, the functions of verifying the identity and authenticity of the information source, on the one hand, from the functions to use this information, on the other hand , with secure data exchange between the various units involved in the transaction (especially by encryption or coding, acknowledgments, electronic signature and similar means, which are themselves known). In this way, the user unit (which will be referred to hereinbelow as the "counting unit") will process the anonymous information, the authenticity and consistency of which, however, will be true.

On the other hand, the other unit (which will be referred to hereinafter as the "verification unit") will provide the inspection of the information received from the voter or the consumer (which will be referred to as the "decision unit"). "later in the present) in a nominal manner, but without knowing the contents of the source of information or carrying out any counting or aggregation. Of course, in order to prevent some plagiarism of the data at the level of the links between the decision, verification and counting units, the transmissions will be advantageously cifrabies or codifiable, especially by known techniques such as public key cryptography, which in the present can be implemented with simple means such as microprocessors integrated in smart cards. More precisely, the system according to the invention is characterized: - because it includes a plurality of decision units, at least one verification unit and at least one counting unit, these units are functionally and structurally separated and - because each decision unit includes: means for producing a source information item to be counted and an identity information item that is selected from the decision unit, and means for encrypting or encoding the source information item in such a way as to return it essentially undecipherable by the verification unit and decipherable by the counting unit, - because the verification unit includes: - a file of the identities of the decision units, - means for inspecting, upon receipt of an incoming message, the identity of the decision unit from which this incoming message originates, and - means for compiling a derived message based on this incoming message, this derived message is an anonymous message essentially devoid of any item of decipherable identity information by the counting unit, - because the counting unit includes: - means for receiving the messages derived from the verification unit and for processing these messages in such a way as to compile a statistic of the corresponding source information items, and - a file of the statistics thus collected. According to a number of advantageous auxiliary features of the present invention: -] means for encrypting or coding the source information item of the decision unit are public key encryption means operating on the basis of the public key of the counting unit; - the verification unit also includes means for sending back to the decision unit an acknowledgment of the received message, after inspecting that the identity of this decision unit is consistent. - in the latter case, the verification unit advantageously includes means for encrypting or encoding the received message acknowledgment, these means are public key encryption means operating on the basis of the public key of the information unit, this key is stored in the file of the identities of the decision units; - the counting unit further includes means for sending back to the verification unit an acknowledgment of the message received after receipt and processing of the corresponding derived message; - the messages exchanged between the decision units, the verification unit and the counting unit include, with respect to at least some of them, a signature or digital signature and the unit receiving such message includes means to verify the corresponding signature; - the decision unit further includes means for encrypting or coding the identity information item, these means being public key encryption or coding means operating on the basis of the public key of the verification unit; - the decision unit is a telematics terminal cooperating with a particular microcircuit card to a given user and insertable to a reader of this terminal; - the verification unit is a computing or calculation device and the counting unit is a microcircuit card insertable into a reader of this computing device. Other features and advantages of the invention will arise from reading the detailed description given below of two examples of the implementation of the invention, these examples are of course only of an illustrative and non-limiting nature. Figure 1 illustrates schematically a first implementation of the invention, applied to a remote or remote secure electronic voting system. Figure 2 illustrates schematically a second implementation of the invention, applied to a system of sampling or scrutiny of statistical consumption, secure and remote, The first implementation of the invention: the remote secure electronic voting system.

The decision unit consisting of an electronic system, such as a telematics terminal (for example a videotext terminal, a microcomputer or a specialized terminal), preferably associated with an individual smart card at a time, is schematized as DU in Figure 1. user and that constitutes an electronic "voter card", capable of storing, with the desired degree of security, the information required for the transaction which will be further explained herein. The reference VU designates the verification unit, which can consist in particular of a remote computation or calculation center, connected by means of a telematic link to the decision unit DU. As a variant, especially in the case of a restricted number of information items to be counted (small number of voters), the VU verification unit may consist of a microprocessor smart card, inserted into an appropriate reader, once the The microchip's memory capacity is sufficient. The CU counting unit, which will aggregate and store the statistical data (ie the results of the voting in the particular case of an electronic voting system), is a processing unit which is functionally and structurally separated from the unit of voting. VU verification.

This counting unit CU can be a computing or computing center connected to the counting center of the verification unit VU but, advantageously, it can also be a smart card with direct microprocessor, inserted into a reader of the verification unit VU during the period of the registration of votes. Once the counting operation is completed (after the registration has been closed in the case of voting), by means of a study of the memory of the CU counting unit (for example the corresponding smart card) it will be possible to know the result final directly, as long as there is certainty of its authenticity but without being able to investigate the identity of the voters, this has not been sent to the counting unit; In addition, this way of proceeding prevents any dynamic observation or movement of the results. In the preferential case in which smart cards are used for the DU decision unit, the CU counting unit, and possibly the VU verification unit, due to the portable nature of these smart cards, the system can be physically implemented in the form, on the one hand, of a first device that serves to collect or collect the votes and that cooperates with the two (or three) smart cards and, on the other hand, of another device that makes it possible to present the results, the latter The apparatus is separated from the first device and therefore does not present the possibility of plagiarism or falsification. The manner in which the transaction is carried out will now be described, taking the example of a source information item S collected at the level of the decision unit DU and consisting of a vote sent by a voter whose identity is Id. each of the decision unit DU, verification unit VU and counting unit CU employ a public encryption key, PKD, PKV and PKC respectively, which is known to the other units of the system, and also a key of decryption or secret decoding, SKD, SKV and SKC respectively, which is known only to the corresponding unit and is the counterpart of the respective public keys PKD, PKV and PKC. These three units also use signatures or respective digital rubrics SiD, SiV and SiC that make it possible to implement a signature mechanism or digital signature with the public key cryptographic or encryption system (the secret decryption algorithm that is used as a signature algorithm and the public encryption algorithm that serves for the verification of the corresponding signatures). The basic idea is to hide (via a public key encryption system) the vote sent by the unit of 30 DU decision from the verification unit VU, but not from the counting unit CU, and in allowing the VU verification to omit the identity information of the message sent by the decision unit DU before transmission to the counting unit CU. The decision unit encodes or encrypts the item (the vote) of source information S and an item Rl of random data with the public key PKC of the counting unit, this produces a result: XI = PKX (S, Rl). (1) Then the decision unit encodes this result XI with its individual data item Id, for example its identity or the certificate of its signature or signature (the principles of public key cryptography, authentication mechanisms and digital signatures are, as indicated above, known techniques which therefore will not be re-explained in detail). This encryption or coding is carried out with the public key PKV of the verification unit, this produces a result: X2 = PKV (XI, Id). (2) Finally, the decision unit DU signs the message X2 by means of its signature SiD, to produce a final message: MI = SiD (X2) = SiD (PKV (PKC (SnRl), Id)) (3) This IM message is sent to the VU verification unit. 1 ] The verification unit begins by deciphering MI to obtain message XI and Id by means of its secret key SKV, and verify the signature of X2 by means of the signature associated with Id. In the case of inconsistency, the verification unit introduces the voter to its database Bl after having verified that this voter has not yet voted. Then it associates the identity Id with an item of random data R2, individual for the voter and stores it in the database Bl together with the identity Id. Then the verification unit forms a message consisting of the signature of XI and X2 by means of its individual signature SiV, that is: M2 = SiV (XI, R2) SiV (PKC (S, Rl), R2) (4) This message M2 is sent to the counting unit CU. As can be seen, it does not contain reliable indication to reveal the identity of the voter, since the R2 data item associated with this identity is a random data item which has no meaning for someone who does not have the Bl file. In the event that the voter has already been registered in the database of the file Bl, and that the M3 message (see more details later) has already been returned to the decision unit, the verification unit, at this stage , sends again an Al message without transmitting anything to the CU counting unit. Upon receiving the message M2, the counting unit CU verifies the signature and decrypts the message XI to obtain the value S, this encryption is carried out by means of the secret key SKC, individual for the counting unit. The item S of source information (the vote) is then counted to the database B2 of the counting unit which, as can be seen, has no knowledge of the identity of the voters or of any means to recover this identity. the information exchanged or stored. Then the counting unit CU recognizes the receipt of the information item and confirms the appropriate execution of the count by signing the two items Rl and R2 of random data with the signature SiC, to produce a message (first acknowledgment): Al = SiC (Rl, R2) The verification unit VU receives the message Al, verifies its signature and acknowledges the receipt of this message when sending a confirmation message (second acknowledgment) to the CU counting unit: A2 = SiV ( Rl) (6) Upon receipt of this confirmation message A2, the counting unit CU, after having verified the signature, deletes Rl from database B2.

As you can see, this database can consist of a file of relatively restricted size since it contains, in addition to the statistical results, only the messages in progress, the receipt of which has not yet been recognized. Next, the VU verification unit scans its database Bl to find the identity Id corresponding to item R2 of random data, and Rl records. Then it codes Rl and another random data item R3 by means of the public key PKD of the decision unit, to produce a confirmation message (third acknowledgment): A3 = PKD (Rl, R3) (7) The unit of DU decision, upon receipt of the A3 message, decrypts the latter by means of its individual secret key SKD and compares the random value Rl obtained after deciphering the message A3 with the value R1 which it had generated by itself and the time when the Source information item S was produced, and which had allowed the MI message to be collected. The concordance of the two values thus compared indicates with certainty that the item S of source data has been correctly transmitted and processed in a consistent manner, and that this has certainly been the case in all stages of the process.

The system just described is able to detect any possible loss of message (next to, for example, a transmission failure) because all sent messages are the point of a return receipt acknowledgment. In general, after a predetermined period, if the received message acknowledgment Al, A2 or A3 is not received by the unit which expects to receive it, this unit resends the same message, the receipt of which must have been acknowledged. The various possibilities of message loss (or deterioration of the message) and the manner in which the system can remedy this will be explained below: - loss of message MI: the decision unit resends the message MI; since this message is the first message to arrive at the verification unit, the last one processes it in the manner indicated above. - loss of the A3 message: the decision unit sends the MI message again but, unlike the previous case, the identity of the voter has already been loaded into the database Bl; if the message A3 has already been sent by the VU verification unit, the latter sends it back, otherwise the message is ignored (such is the case when the message Al has not yet been received). - loss of the M2 message: the VU verification unit sends M2 again; since this message is considered by the CU counting unit as the first, the procedure continues in the normal way. - loss of the message Al: in this case, the verification unit VU sends M2 again but, since the corresponding message has already been the subject of a load to the database B2 of the counting unit CU, the latter does not modify the corresponding header of the file and only resends the acknowledgment of Al. - loss of message A2: in this case, the counting unit CU sends the message Al again; since the VU verification unit, after inspecting its database, notices that the corresponding message M2 has already been sent, then it will only forward the acknowledgment A2 to the counting unit CU. In addition to the possibility of remedying some loss of information during transmission, the system has the main advantage of maximum security with respect to the anonymous nature of the vote, the verification of the identity of the voter and the impediment of some identity falsification or double vote. Thus: - the anonymous nature of the vote is assured, since anyone who could be able to collect the information traveling on the various transmission channels could not associate a vote with the corresponding voter, unless it has the possibility to break the codes, this presupposing that you know the three secret keys SKD, SKV and SKC. Furthermore, it will be noted in this regard that neither the VU verification unit nor the CU counting unit are capable of carrying out such an operation., since they only know a part of the codes and do not have the possibility of discovering the other part of them. - the voter is sure that his vote has been taken into account, since the only unit capable of deciphering the random data item Rl, which is associated with the vote, is the CU count unit. - the VU verification unit makes it possible to filter double votes or unauthorized votes (by virtue of a non-consistent identity). - the system is protected from any loss of the message in the course of transmission, which losses can be detected in the various stages of the transaction and can be remedied appropriately. Second implementation of the invention: study system of safe statistical consumption at a distance. Figure 2 illustrates a second implementation of the process of the invention, performed in a somewhat simplified way compared to the previous mode.

This second implementation is particularly appropriate for a consumer study system for statistical purposes. An example of such a study is that used by providers of television programs by means of a sampling system which is installed at the request of listeners or listeners and can be connected to the provider's server computing center to inform them of the program heard. , to make it possible to produce accurate statistics. In such an example, it would be possible to imagine the system being hijacked to obtain information about the consumer's private life. Thus, in the techniques implemented in the present, the client is unequivocally identified when he calls (this identification is necessary in such a way that the statistics are not contaminated by pirated statements). However, the identification of the client provides a knowledge of their habits, for example a knowledge of the times for which they are absent, or it can be used to create a file of the people who watch a particular program, etc., in other words, to invade the private life of the listener or listener. As in the first implementation, the system used in this second implementation, illustrated in Figure 2, includes a decision unit DU, a verification unit VU and a counting unit CU which are functionally and structurally separated from each other. The decision unit produces a source information item S (the consumption study, uncoded), is selected by an identifier Id and has individual and secret public keys PKD and SKD respectively, to allow the decoding of the information exchanged. This DU decision unit can, for example, be a sampling system which is connected to a television in order to produce the source data item S and receives an individual smart card for the user, which makes it possible to store and manage the identifier and the keys and encryption or coding algorithm. This decision unit DU is connected via a telematic link to a VU verification unit, for example, the computing center of a television program provider or a given body to the work of collecting the required statistics. This VU verification unit contains a database Bl integrated from the file of the users who will form the subject of the study. The verification unit VU is in turn connected to a counting unit CU, which can advantageously be a smart card inserted into a reader of the verification unit VU.

This CU counting unit has a database B2 formed from the statistical results file, which file can be of restricted size since only the final results are retained. Once the consumption studies have been carried out based on the requests of all users, the smart card can be separated from the VU verification unit and read by a separate device, with the certainty that the statistics which have been integrated into it have been the subject of an identity verification, but without being able to find out this identity. Now we will describe the manner in which the transaction is carried out. The decision unit DU (sampling system installed at the request of the client) prepares the consumption study S and codifies this information item with the public key PKC of the consumption unit CU, to produce an item of information PKC (S) which can be decoded by the counting unit CU by means of its secret key SKC, and consequently by itself. Before transmitting this PKC (S) information item, the DU decision unit will first identify the VU verification unit itself by transmitting its Id identity to it.

Then the verification unit VU will search through its database Bl the information related to this identity and verify that it is certainly a registered client, that the latter has not yet sent his study, which is or is not one of a selection of clients to be taken into account, etc. Additionally, it retrieves the PKD public key corresponding to this particular client. Then the verification unit VU sends back a random value R to the decision unit DU, a value which would have been generated if the preliminary checks indicate the consistency of the various parameters emanating from the decision unit DU. Upon receiving this random data item R, the decision unit DU produces a message coded on the basis of this value R and the data item PKC (S) (representative of its consumption): MI - SKD (R, PKC (S) ). (8) This message MI, sent to the verification unit VU, is decrypted by the latter by means of the corresponding public key PKD retained in memory in database Bl. Then update this database, for example by indicating, for subsequent inspection, the day and time of study submission (especially to prevent a study from being transmitted twice), and sending the information item PKC (S) obtained by decoding the message MI to the counting unit CU, in the form of a message: M2 = PKC (S). (9) Upon receiving M2, the CU counting unit will have the possibility of extracting the consumption information S from it by decoding by means of its secret key SKC, and study counting. As in the previous implementation, it can be seen that all of the data exchanges are safe, and that it is not possible to unequivocally find out the identity of the client and its consumption, the unit which processes the identity (the VU verification unit) is incapable. of deciphering the study and the unit for processing the study (the CU counting unit) that receives an item of information which, although verified, does not carry evidence as to the identity of the sender.

Claims (9)

1. A system for the anonymous counting of information items for statistical purposes, especially with respect to operations in electronic voting or in frequent consumer surveys, characterized in that: - it includes a plurality of decision units, at least one verification unit and at least one counting unit, these units are functionally and structurally separated and because each decision unit includes: means for producing a source information item to be counted and an identity information item that is selected from the unit of information. decision and - means to encode or encrypt the source information item, in such a way as to render it essentially undecipherable by the verification unit and decipherable by the counting unit, - the verification unit includes: - a file of the identities of the units of decision, means to verify, upon receiving an incoming message, the identity of the decision unit From which this incoming message originates, and - means for collecting a derived message based on this incoming message, this derived message is an anonymous message essentially devoid of any item of identity information decipherable by the counting unit, - the counting unit includes: means to receive the messages derived from the verification unit and to process these messages in such a way to collect a statistic of the corresponding source information items, and a file of the statistics thus collected.

2. The system according to claim 1, characterized in that the means for coding or encrypting the source information item of the decision unit are public encryption or coding means operating on the basis of the public key of the counting unit.

3. The system according to claim 1, characterized in that the verification unit further includes: means for sending back to the decision unit an acknowledgment of receipt of the message, after inspecting that the unit of this decision unit is consistent.

4. The system according to claim 3, characterized in that the verification unit further includes: means for encoding the acknowledgment of the message, these means are public key coding means operating on the basis of the public key of the unit of decision, this key is stored in the file of the identities of the decision units.

5. The system in accordance with the claim 1, characterized in that the counting unit further includes: - means for sending back to the verification unit an acknowledgment of receipt of the message, after receiving and processing the corresponding derived message.

6. The system according to claim 1, characterized in that the messages exchanged between the decision units, the verification unit and the counting unit include, with respect to at least one of them, a digital signature and the unit receiving such message includes means to verify the corresponding signature.

7. The system according to claim 1, characterized in that the decision unit further includes: means for coding the identity information item, these means are public key coding means operating on the basis of the public key of the unit check.

8. The system according to claim 11, characterized in that the decision unit is a telematic terminal cooperating with a particular microcircuit card for a given user and insertable to a reader of this terminal.

9. The system according to claim 1, characterized in that the verification unit is a computing device and the counting unit is a microcircuit card insertable into a reader of this computing device.