RU2444063C1 - Voting method with high-reliability biometric protection of anonymity of voter - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: in the method a voter public key and private key are generated when the voter fills an electronic ballot. The voter is provided with an electronic ballot choice and formation of an electronic digital signature under the filled ballot. Voter anonymity is ensured due to that the voter public key is placed on the electronic ballot together with the will expression of the voter and a unique identification number of the electronic ballot. The most effective is biometric neural network protection of anonymity of the voter and their private key, which enables to vote without presenting a passport or any other identification document.

EFFECT: high reliability of voting by ensuring that the voter, who remains anonymous, can follow the fate of their will of expression during counting.

3 cl, 5 dwg

Description

The invention relates to computer technology and can be used in anonymous electronic voting systems during elections, polls, referenda, providing for the voter’s personal appearance at the polling station.

The technical result of the invention is the emergence of guarantees that the voter himself, while remaining anonymous, can trace the fate of his personal will when he is taken into account at any of the vote counting levels (local election commission, regional election commission, republican election commission, central election commission).

Known methods for secret voting [1, 2, 3], based on the use of paper ballots. The main disadvantage of the methods is their high complexity, as well as the fact that voting results may be compromised if some of the voters conspire, and all of them fill out their ballots incorrectly (with errors). Then, after the announcement of the voting results, the organizers of the compromise may accuse the election commission of fraud. Only this circumstance is enough to make the methods [1, 2, 3] unsuitable for practical application.

Automation of vote counting and reduction of labor costs are carried out during the transition to the use of electronic newsletters [4]. The main disadvantage of the method [4] is that the electronic newsletter is less protected from attempts to compromise the voting system. So, it is possible to reuse the same electronic newsletter, secrecy of the vote is not ensured. Possible attack on the voting system using false means of identification of the voter. The voter receives his identification code at the election commission [4], and due to the anonymity of the voting procedure, the voter cannot check how many such codes are and to whom they were issued.

The use of technology for the formation of electronic digital signatures makes it possible to introduce strict accounting of all legally significant actions into election electronic voting systems. An example of the practical use of electronic digital signature mechanisms is the electronic voting method [5]. Using this method, remote electronic voting is possible. At the same time, all actions of the voters are controlled, because under each document formed by the voter (electronic ballot and receipt of receipt), he puts his electronic digital signature. The main disadvantage of the electronic voting method [5] is that the voter is forced to trust the election commission in terms of ensuring its anonymity. A voter cannot guarantee that his anonymity will never be compromised. The databases of the election commission containing a link between the voter's name and his identification number can be stolen (compromised). If they are encrypted, the encryption key may be compromised.

Closest to the proposed technical solution is the method [6], by which, upon registration of the voter, they are given an electronic medium with a system of its identifiers, and each significant action in the electronic voting system is signed with an electronic digital signature.

The main disadvantages of the method [6] are:

- the lack of the possibility on the part of the voter to control the election commission in terms of maintaining their anonymity;

- the lack of the ability of the voter to control the fate of his will at all stages of the vote count (including when sending the completed electronic ballot of the voter to other higher election commissions);

- the inability to control the actions of the voter by the officials of the election commission due to the anonymity of the vote.

The technical objectives of the proposed invention are:

1. Guaranteed guarantee of anonymity of the will of the voters (creation of such conditions that the members of the election commission are technically unable to compromise the anonymity of voters even in case of malicious intent);

2. ensuring the control of the fate of their will by the voter himself at all stages of the vote count, provided that he remains anonymous;

3. ensuring mutual control of election commissions and voters by providing voters with safe mechanisms for the formation of their personal anonymous electronic digital signatures;

4. removal of risks from voters due to the need to securely store their key pair used by them in the formation of their anonymous electronic digital signature.

The assigned technical tasks are solved by producing electronic ballots and providing them access to the voter after his identification and verification of his right to vote. The voter is granted the right to choose one of the ballot papers created earlier, certified by the electronic digital signature of the person responsible for the ballot paper production. For example, the provision of the right to choose can be realized by moving on the touch screen the numbers of ballots not yet filled out by voters. In this case, the voter makes a random choice by touching one of the numbers moving on the screen.

After the voter makes the choice of his ballot, the voter personally fills it out, for example, touching the sensitive screen in the parts corresponding to one or another will of the voter. The fundamental difference between the proposed method and analogues and prototype is that the voter forms his electronic digital signature under the ballot filled out by him. For this purpose, the voter initiates the process of creating a pair for himself from his public key and private secret key. The creation of the key pair of the voter is carried out using a pseudo random number generator. Further, according to the proposed method, the voter’s public key is placed in an electronic ballot paper filled out according to the will of the voter. After that, the voter signs the completed electronic newsletter with his personal (secret) key, touching the corresponding segment of the sensitive screen. The voter himself anonymously transmits the completed electronic ballot to the election commission for vote counting and publication. An anonymous transfer of a ballot filled out by a voter, for example, can be carried out by placing it in a random memory area with already filled out ballots. Before posting filled out ballots to the database, as well as a prototype, the completed ballot is covered by the electronic digital signature of the machine that generated this bulletin.

When implementing the proposed method, it is fundamentally important that the members of the election commission are technically unable to obtain information about which of the ballots is filled out by one or another voter, and the voter himself receives his public and his private key from the voting machine on his personal information carrier, and also its completed newsletter with all electronic digital signatures covering its parts. After the voter receives his personal information, this information in the voting system is destroyed.

When moving a completed electronic ballot to the database of completed anonymous electronic ballots by the proposed method, the election commission publishes this database. That is, after the publication of the database of anonymous ballots, any of the voters can find his ballot by his number and the public, but anonymous, key of the voter and make sure that his will is correctly reflected in the publicly accessible database of ballots. If the will of the voter is distorted or the number of his ballot is not published, according to the proposed method, the voter disavows his anonymity and openly addresses the election commission with a request to correct the mistake. At the same time, the voter sends his application signed by his electronic digital signature to the election commission.

According to the proposed method, the completed ballot paper contains three electronic digital signatures. The first signature is the signature of the person who created the electronic newsletter and assigned it a unique number. Verification of the first signature is carried out according to the published certificate of the public key of the person who generated the electronic newsletter. The second electronic signature is the anonymous signature of the voter. Its authenticity is verified using the public key of an anonymous voter posted on the electronic newsletter. The third electronic digital signature belongs to the machine that generated the completed newsletter. It is verified by the machine’s public key certificate published by the election commission and posted on the electronic newsletter. That is, there is mutual control of the election commission and its machine for generating electronic ballots by voters. After the publication of the database of anonymous electronic ballots, any voter can independently count the votes at their polling station or at any other polling station. For this purpose, the vote teller must launch a search engine that, according to the proposed method, checks all three electronic digital signatures in each ballot and, if they are correct, takes into account the will of the anonymous voters noted in the ballot.

Thus, according to the proposed invention (claim 1, formulas), each of the voters can verify the correctness of filling out their published anonymous ballot. In addition, each voter can be convinced of the objectivity of calculating the will of other anonymous voters. Throwing in fictitious electronic ballots is excluded by the fact that the machine for forming ballots is sealed and the number of ballots completed exactly matches the number of registered voters.

The fundamental difference between the proposed method and analogues and prototype is that each voter has the opportunity to sign his will with his digital signature and thereby control it at any stage of the vote count. If the voter will reliably (safely) keep his public anonymous key and his private (secret) key, then, while remaining anonymous, he can control the entire electoral process in terms of taking into account his will.

Unfortunately, the proposed method according to claim 1 of the claims has one significant drawback. It is associated with the need for the voter to safely keep their anonymous public key and their private secret key. As a rule, voters do not have the technical ability to keep their personal key for generating an electronic digital signature. The storage medium onto which the user’s personal data has been uploaded according to claim 1 should be stored in a specially rented cell of the bank safe, which is quite expensive and inconvenient (the voter loses his mobility, he is tied to the personal cell of the bank safe). This problem is typical for all technologies based on the use of electronic digital signatures. As a rule, the formation of a private key leads to the appearance of additional risks associated with its possible compromise. It is this circumstance (the emergence of additional risks) that is a side negative effect of the use of electronic digital signature mechanisms.

According to claim 2 of the proposed method, the voter transfers the additional risk associated with the possible compromise of his personal key to the guarantor of anonymity. A guarantor of anonymity can be a voter’s relative, a notary public, a lawyer, human rights activist, prosecutor, any person with a high level of trust. The guarantor of anonymity must give consent to the performance of its additional function and have an officially registered (in the certification center) public key certificate. The guarantor of anonymity must be aware of the additional risks associated with the fact that voters trust him to maintain their anonymity, hoping that the guarantor of anonymity is responsible for storing his personal key (for example, stores it in a rented bank cell).

According to claim 2 of the claims of the proposed method, in parallel with the voter's identification during registration, the person registering forms a file with personal data of the person being registered (name, patronymic, last name, address of residence). Further, these data are signed by electronic digital signature of the official who generated the personal data file. The signed personal data file is transmitted to the voter. In addition, according to the proposed method, a list of potential guarantors of anonymity who have submitted their public key certificates is formed in advance at the polling station. The voter chooses for himself not only a prepared electronic ballot for voting, but also his guarantor of anonymity.

Next, the voter fills out his electronic newsletter, generates an open and personal (secret) key for generating an electronic digital signature, signs his completed electronic newsletter, and the machine for generating the completed electronic newsletter also signs it. After that, the voter uses his private key and the public key of the guarantor of anonymity to encrypt his personal data file and his completed electronic newsletter [7]. In the ciphertext title, the voter indicates his public anonymous key, as well as the public key and the name of the guarantor of anonymity. This entire document is once again covered by the electronic digital signature of the voter and the electronic digital signature of the electronic ballot-filling machine. Further, the voter destroys his personal (secret) key, transfers his completed ballot paper and ciphertext for the guarantor of anonymity to his storage medium. In addition, the completed electronic ballot is anonymously transmitted to the election commission, for example, by moving it to the database of completed anonymous ballots. Also, the cryptographic text intended for the guarantor of anonymity is transferred to the election commission for storage.

The ciphertext created for the guarantor of anonymity is stored in the election commission and is not transmitted to anyone. No one in the election commission can disavow the anonymity of the voter, since for this you need to decrypt the ciphertext using the public key of the anonymous voter (it is in the header) and the private key of the guarantor of anonymity (it is not available to anyone). The guarantor of anonymity also cannot abuse the voter's trust and compromise his anonymity, since the guarantor of anonymity does not have ciphertext [7]. The ciphertext is stored only at the voter himself and at the election commission. It turns out that no one can compromise the anonymity of voters if the election commission reliably stores ciphertexts for guarantors of anonymity. Even if the ciphertext database is lost (compromised), the attacker must contact the guarantors of anonymity to decrypt it. Guarantors of anonymity in the event of unlawful treatment of them have the right to refuse an attacker and apply to law enforcement agencies.

After the implementation of the proposed invention according to claim 2 of the formula, the voter is able to control the correctness of accounting for their will. For this purpose, he searches for his completed anonymous newsletter by his number. Further, the voter compares the original of his completed ballot with the published one. If the voter has discovered a discrepancy (lack of his ballot), he will contact the election commission with a request to correct the published ballots. The election commission cannot be convinced of the correctness of the anonymous voter, since he destroyed his private key and was incapable (he cannot prove that it is his public key in the electronic anonymous bulletin). To establish justice, the election commission turns to the guarantor of anonymity and transfers the ciphertext to it. The guarantor of anonymity decrypts this ciphertext, finds out the name of the anonymous voter, and also receives the original of his completed electronic newsletter at the time of voting. The guarantor of anonymity appeals to the election commission, passes it the original of the completed electronic newsletter. The guarantor of anonymity makes sure that the rights of a real existing person are infringed, and this person presents an undistorted initial version of a completed and signed electronic newsletter. With these actions, the guarantor of anonymity can maintain the anonymity of those who contact him for help.

In cryptography, the procedures for the so-called “blind” electronic digital signature are known, when a previously encrypted digital document is signed by a third party. The proposed method is not a kind of "blind" electronic digital signature. The electronic digital signature of the guarantor of anonymity by the proposed method is used only after decryption of the information.

The restoration of justice by the guarantor of anonymity may occur otherwise. If the anonymous voter himself turns to the guarantor of anonymity and provides him with ciphertext. In addition, law enforcement agencies that are officially involved in abuse investigations can contact the guarantor of anonymity. In this case, law enforcement agencies must remove the corresponding ciphertexts from the election commission in order to transfer them to the guarantor of anonymity. The use of the invention according to claim 2 of the formula is focused on a situation where the voter is of limited legal capacity (sick or old).

The main technical result of the implementation of claim 2 of the claims is that the voter gets rid of additional risks associated with the need to store his personal key used to sign the electronic newsletter with his will. At the same time, he still has the opportunity to control the election commission through the involvement of his guarantor of anonymity. In fact, the guarantor of anonymity at the right time plays the role of an independent witness capable of confirming the correctness of the voter. Despite the fact that the voter has destroyed his personal key for the formation of his electronic digital signature, he, the voter, retains his legal capacity in asserting his right to anonymous voting and a fair account of his will.

Removing additional risks for the safe storage of a personal key for generating an electronic digital signature of a voter can be carried out according to claim 3 of the claims. It is proposed to completely repeat the method described in claim 1, that is, generate an electronic newsletter with a unique number, sign it with an electronic digital signature of the person responsible for the manufacture. Next, the voter is identified by his passport or other document. If the voter has the right to vote, then he is granted access to the machine to fill out the electronic ballot. The voter selects the number of the filled-in ballot, for example, by touching this number on the sensitive screen of the machine. Further, the voter indicates his will by touching the corresponding areas of the sensitive screen. Then the voter creates for himself a pair of his public key and his private key [7]. After that, the voter presents examples of his biometric image to the electronic newsletter filling machine, for example, touches the fingerprint scanner with his finger.

Further, according to the proposed method, the training procedure for the neural network transducer biometrics-code, launched in accordance with GOST R 52633.5 [8], is launched. The training is conducted on several examples of the biometric image and the personal key of the voter. After the training is completed, the voter's private key is destroyed, and the voter receives it every time he presents his biometric image (after putting his finger on the scanner machine). In addition, after training, the examples of the biometric image of the voter used in the training are destroyed.

Then the voter puts his public key in the electronic bulletin and signs his completed anonymous ballot with his electronic digital signature. For this purpose, the voter puts his finger on the fingerprint scanner. The fingerprint image is converted into biometric parameters, they are fed to the inputs of the trained neural network, the output personal key of the voter appears at the outputs of the trained neural network [8], which is used to generate the electronic digital signature of the voter under his filled-in anonymous electronic bulletin.

Further, the electronic newsletter filling machine covers the entire newsletter with its electronic digital signature. As a result, the electronic newsletter contains a unique identification number of the ballot, the voter's public key, his will and three electronic digital signatures. The user writes this combination of data on his information carrier, and also transfers it to the election commission for publication. The transfer is carried out by anonymous posting of information in the database of anonymous completed ballots. Additionally, the parameters of the trained neural network of the biometric converter-code of the private key are placed on the information medium of the voter. All traces of the work of the voter with the automatic filling of the electronic bulletin are destroyed.

After the actions described above, the voter has his completed anonymous bulletin and the parameters of his trained neural network. The proposed method eliminates the risks associated with the storage and possible compromise of the voter's private key. If the media of the voter falls into the wrong hands, then another person cannot compromise the anonymity of the voter or try to adjust his will. He cannot replace the voter’s biometrics with his own person, as it is covered by the electronic digital signature of the ballot-filling machine. It is also almost impossible to extract a private key from a correctly formed neural network transducer biometric code. That is, the voter's personal information carrier becomes secure. Voter can use it repeatedly; no special requirements for its storage are presented. This compares favorably with the method according to claim 3 from the method according to claim 1.

The fact that the information carrier of the voter does not need to be protected and securely stored makes the proposed method according to claim 3 convenient for voters. The implementation of the method according to claim 3 of the formula, for example, makes it possible to correct the voter the results of their will. For this purpose, the voter must re-present his personal information carrier to the electronic newsletter filling machine. Using this personal information, the machine is able to find the right anonymous bulletin and adjust its filling. In this case, the voter must receive his personal key by presenting his biometric image (for example, a fingerprint picture). This is a completely new technical feature, which provides only the use of claim 1 and claim 3 of the claims. Analogs and prototype do not provide such an opportunity.

For the previous methods, the adjustment of one’s own will in the framework of the time allotted for this is impossible, which is familiar, but not always rational. One of the additional features of the proposed method is voting without a passport and other identification documents. It is enough for the voting system to present its individual carrier of voter information. According to this medium (when implementing claim 1 and claim 3 of the formula), the voting system is able to unambiguously determine that the voter has already been registered and is able to vote using his former public key and his former private key. That is, according to the proposed technology, a voter or other identification card is required for the voter only if he decides to change his pair from the public and private keys.

It should be noted that the biometric neural network authentication performed according to claim 3 of the claims according to the classification of GOST R 52633.0-2006 [9] is highly reliable, as it is built on keeping the biometric image used by the voter secret. According to the requirements of GOST R 52633.0-2006 [9], biometrics can be classified as highly reliable only if the biometric image of a person is kept secret (open biometrics, for example, used by international passport and visa documents, are not a secret, respectively, is not highly reliable). On the personal information carrier of the voter there is no voter name, there is no other personal data, there is no mention of what biometric technology was used in training the neural network. When analyzing the parameters of a trained neural network, it is impossible to indicate which biometric image was used by the voter, that is, the proposed method is highly reliable. The data on the personal information carrier of the voter is not accessible to the members of the election commission (the voter receives identification data from the election commission from the prototype), and accordingly, the voter is guaranteed to be protected from abuse by members of the election commission. According to the proposed method, the voter himself can choose the technology of his biometric identification (fingerprint, handwritten signature, handwritten password, voice password phrase, features of the three-dimensional geometry of facial features, skin folds on the hand, drawing of the iris, etc.). The voter himself chooses any of the biometric technologies, which is equipped with an automatic filling of electronic ballots. Independent choice of technology by the voter is one of the elements to ensure the protection of his anonymity.

The practical implementation of devices for implementing the proposed methods is illustrated in figures 1-5.

Figure 1 shows a block diagram of the connection of the elements of the automatic filling electronic bulletin of an anonymous voter, where:

block-1 - base with unfilled electronic ballots created for voting;

block-2 - screen sensitive to the voter’s touch;

block-3 - a generator of a pair of a public key and a private (secret) key of an anonymous voter;

block 4 - cryptographic tool for verifying and generating an electronic digital signature;

block 5 - personal and public keys for generating and verifying the electronic digital signature of the electronic newsletter filling machine;

block 6 - a base with completed electronic ballots for anonymous voters;

block-7 - an individual carrier of information of the voter.

Figure 2 shows the structural block diagram of the organization of the data of the electronic voting bulletin, where:

block 8 - identification parameters of an electronic voting ballot created in advance;

block-9 - data fields reflecting the will of an anonymous voter;

block-10 - electronic digital signature of the election commission, covering the data of block-8 and block-9;

block-11 - public key data of an anonymous voter and public key data of the ballot-filling machine;

block-12 - an electronic digital signature of an anonymous voter, covering block-8, block-9, block-10, block-11;

block-13 - electronic digital signature of the electronic newsletter filling machine, formed at the end of voting.

Figure 3 shows a block diagram reflecting the structure of the data placed on the individual information carrier of the voter (in block-7), where:

block 14 - a completed electronic bulletin of an anonymous voter (in more detail reflected in figure 2);

block 15 - personal (secret) key of an anonymous voter.

Figure 4 shows a block diagram of the organization of data placed on an individual information carrier of the voter (in block-13) when implementing the proposed method according to claim 2, where:

block 16 - a completed electronic bulletin of an anonymous voter (shown in more detail in figure 1);

block-17 - ciphertext of the voter's personal data encrypted using the voter's private key and the public key of the guarantor of voter anonymity;

block 18 - the public key and name of the guarantor of anonymity chosen by the voter;

block-19 - electronic digital signature of the voter, covering block-16, block-17, block-18;

block-20 - electronic digital signature of the electronic newsletter filling machine, covering block-16, block-17, block-18, block-19.

Figure 5 shows a block diagram of the organization of data placed on an individual information carrier of the voter (in block-13) when implementing the proposed method according to claim 3, where:

block 21 - the last completed electronic bulletin of an anonymous voter (shown in more detail in figure 1);

block-22 - data of a trained neural network converter biometrics-code of the voter's personal key;

block-23 - electronic digital signature of the electronic newsletter filling machine, covering block-21, block-22.

The machine used by the voter to implement the method proposed according to claim 1 of the claims consists of a base (block-7) of unfilled electronic ballots that are created for future voting. The output of the base of block-7 is connected to the input of block-8, the first output of block-8 is connected to the input of block-9, the second output of block-8 is connected to the information input of block-10. The second information input of block-10 is connected to the output of block-11. The output of block-10 is connected to the input of block-13 and to the input of block-13.

The automatic machine for filling out electronic ballots works as follows: before voting, its database (block-1) is filled with pre-prepared electronic ballots for voting, in addition, a personal key of the machine is entered into its block-5 to generate its digital signature after the completion of each voting act. After that, the automatic filling of electronic ballots is sealed and placed in a place for individual voting.

When voting, the voter presents his passport, and the official of the election commission gives the voter access to the machine to fill out electronic ballots. At the same time, the official cannot remember all the voters who should use the machine. When voting, the voter selects one of the prepared electronic ballots, touching one of the numbers of the ballots, passing as captions on a sensitive screen (block-2). At the same time, the screen form of the electronic newsletter changes, and the voter is given the opportunity to choose the candidate for which the voter wants to vote. The voter selects the candidate by touching the corresponding part of the screen (block-2).

After the voter has made his choice, a signal arrives at the input of block-3 from the sensitive screen (block-2). On this signal, block-3 generates a pair of the voter's public key and the voter's private key. Next, block-4 generates an electronic digital signature of the voter using the voter's personal key, this electronic digital signature covers the completed electronic newsletter and the voter's public key inserted into it. Then block 4 re-covers the received data with a second electronic digital signature, which is generated on the personal key of the ballot-filling machine. After that, the voting process is considered completed, the completed electronic ballot is removed from the base of block-1 and placed in the base of block-6, in addition, the filled-in electronic ballot is placed in the individual information medium of the voter (flash memory, smart card of the voter or other information medium of the block 7). In addition, a voter’s personal key is entered into the memory of an individual information carrier of the block-7 voter, and a pair of voter keys (public and private) is deleted inside the electronic ballot-filling machine.

As a result of the operation of the electronic ballot-filling machine, an anonymous ballot paper filled by the voter appears in the database of block 6, and the same ballot and the personal key of the anonymous voter appear in block 7. The data structure of the completed ballot is shown in figure 2. The structure of the data recorded on an individual storage medium (block-7) is shown in Fig.3.

It should be noted that the voter may decide that he fully trusts the electoral system and refuses to control it in advance. In this case, the voter does not have to provide the vending machine with his own individual storage medium (block-7). The machine informs the voter that there is no information carrier in the corresponding slot (slot) and obtain consent from the voter to refuse to document the data on his carrier. A variant of the implementation of the voting procedure is possible, when the election commission provides all voters with individual (empty) information carriers. This fundamentally distinguishes the proposed method from the prototype method, when the voter receives an already generated electronic identifier in the election commission (such an identifier may already be compromised).

Another advantage of the proposed method is that it allows each voter to control the fate of their will. According to the proposed method, the election commission publishes anonymous completed ballots, after the end of voting and their extraction from block-6. That is, each voter can find his completed ballot by his number and compare with the original, which was handed to him on an individual information carrier of the voter. If the will of the voter is not distorted, the voter has the right to trust the entire system of electronic voting. Then he can independently calculate how many people supported his chosen candidate. To do this, each voter can independently launch a search engine on a publicly available database of anonymous electronic newsletters.

When counting, the search engine must verify the accuracy of all three digital signatures contained in the electronic newsletter (figure 2). At the same time, the fidelity of the second and third EDS is checked by the voter's public key and the public (published) key of the electronic newsletter filling machine. The EDS of the election commission (block-10) will differ from the original, as the voter has changed the data field for the EDS corresponding to his will. To verify the authenticity of the original blank e-newsletter, you need to change the data field of the will to initially neutral. Then the verification machine will confirm the absence of distortion.

As a result, each of the voters according to the proposed method gets the opportunity to control the electoral system of electronic voting, which is not the case with the analogues and prototype methods.

Consider a second example of the implementation of the proposed method according to claim 2. In this case, in block 1 (Fig. 1), a database of potential guarantors of voter anonymity should be added with a link for each guarantor to his public key certificate. Accordingly, after choosing an electronic newsletter, the voter must indicate the guarantor of anonymity that he trusts. The guarantor is selected by the voter by touching one of the lines of the captions moving on the screen with the names and other descriptions of potential guarantors of anonymity. The voter must be familiarized with a list of guarantors of his anonymity in advance. In addition, when registering a voter, an official must create a file with the personal data of the voter and sign it with his electronic digital signature. This file is placed on the individual information carrier of the voter in block-7.

In the implementation of the second example, the operation of the device begins with verification of the electronic digital signature of the official who previously created the file with the personal data of the voter. In the case of a valid digital signature, the voter expresses his will, the formation of the electronic signature of the voter under block-4 filled in the electronic ballot, the personal data of the voter is encrypted on the public key of the guarantor of anonymity and the personal key of the voter. It is known that cryptographic operations of creating EDS and verifying EDS can be used to generate a common session key of confidential communication between the voter and the guarantor of anonymity [7]. That is, block-4 generates a common session symmetric communication key from the public key of the guarantor of anonymity and the personal key of the voter and encrypts the personal data of the voter on it.

Next, the completed electronic ballot, ciphertext with the voter's personal data, the public key of the guarantor of anonymity and his name are combined into one package and covered by the digital signature of the anonymous voter and the digital signature of the electronic ballot filling machine. This electronic document has a data structure, shown in figure 4, it is placed on the individual information carrier of the voter, as well as in block-6 with filled in electronic ballots.

After the removal of additional digital documents from the block-6 with the data structure of figure 4, they are not published and stored by the election commission as documents for official use. The advantage of the method according to claim 2 in comparison with claim 1 is that the voter’s personal key is not placed on the individual voter information medium. The personal key of the voter is destroyed after the formation of his documents with the structure of figure 2 and figure 4. They also destroy open personal data of the voter located on his individual information carrier. An advantage of the method according to claim 2 in comparison with the method according to claim 1 is that there are no storage requirements for block 7 at all. Nevertheless, the voter retains the opportunity to correct the errors discovered by him (possible abuse of officials) of the electronic voting system.

Consider the third embodiment of the method proposed in paragraph 3 of the claims. It differs from the first implementation option in that the electronic newsletter filling machine has a number of readers of biometric images of the voter. After creating a pair from his public key and private key by block-3, the voter presents to the scanners of the learning machine examples of his biometric images. Then, the voter carries out training of the biometrics-code neural network converter on his biometric images and his personal key code. After that, the electronic bulletin filling machine forms the electronic bulletin itself and combines it with the data of a trained neural network converter. Further, a combination of these data is covered by an electronic digital signature of the electronic newsletter filling machine (the structure shown in FIG. 5 is formed). A digital document with the structure of FIG. 5 is placed on an individual information medium of a voter (block-7). The voter’s personal key is destroyed.

The advantage of the method according to claim 3 of the claims is that it allows the voter to correct the mistakes made or to vote in the next election without presenting his passport. The information on the individual carrier of the voter (block-7) is enough for highly reliable biometric authentication of the user. This information is safe, that is, there are no requirements for the safety of storing an individual information carrier of the voter. Compromising this information does not lead to the loss of anonymity of the voter, as well as to the transfer of his right to electronic voting to another person.

Information sources

1. RF patent No. 2153192 "Method of secret ballot by ballot", priority 12.11.1999.

2. RF patent No.RU2178586 “Method of secret ballot”, priority dated 01.12.1999.

3. RF patent No. 2178203 “Method of secret ballot by ballot”, priority dated April 28, 2001.

4. RF patent No. 2212056 “Method of voting using electronic ballots”, priority dated December 27, 2001.

5. RF patent No. 2242793 "Method of electronic voting", priority of 02/06/2003.

6. RF patent No. 2298229 “Method of electronic voting, processing of results”, priority dated December 15, 2004.

7. Romanets Yu.V., Timofeev P.A., Shangin V.F. Information security in computer systems and networks. M .: Radio and communications, 1999 (p. 125. Paragraph 4.1. First paragraph).

8. The first edition of GOST R 52633.5 "Information security. Information security technique. Automatic training of neural network converters biometrics-access code. "

9. GOST R 52633.0-2006 “Information security. Information security technique. Requirements for highly reliable biometric authentication. ”

Claims (3)

1. A method of voting with highly reliable biometric protection of the anonymity of the voter, which consists in producing electronic ballots with a unique identification number, authenticated with an electronic digital signature, issuing one ballot to each voter upon registration, providing the voter with the opportunity to personally fill out his ballot using the machine filling out ballots, as well as in the automated generation of an electronic digital signature under the data at each significant action of the voter and the representative of the election commission, characterized in that each voter at the polling station creates a pair for himself from the public and personal keys, after which the voter personally selects one of the electronic ballots, fills out his chosen ballot, puts his public key into his ballot , then signs it with his electronic digital signature and publishes his completed ballot, for example, anonymously placing it in the database of the filled-in ballots of the election commission, in addition , the voter remembers his secret key, as well as his completed and signed electronic newsletter on his information carrier, while in the voting system information about the voter’s key pair is destroyed, the ballots are checked by authenticating the votes by checking all electronic digital signatures, then by number of the ballot, the voter controls the correctness of the account of his will, in case the voter finds a distortion of his will, the voter corrects this distortion through disavowing their anonymity and an official appeal to the election commission, signing their appeal with their electronic digital signature. 2. The method according to claim 1, characterized in that when registering the voter at the polling station, a file with the personal data of the voter is formed and this file is signed with an electronic digital signature of the person who generated the personal data file, then this file is transferred to the voter, moreover, the selective the precinct forms a list of persons who agree to be guarantors of anonymity of voters and have provided certificates of their public keys for this purpose, each voter chooses a guarantor of anonymity for himself, then using open the first key of the guarantor of anonymity and his personal key, the voter encrypts his personal data file, then the voter indicates his public key and the public key of his guarantor of anonymity, digitally signs his ciphertext and transfers it to the election commission for storage, after which the voter destroys his personal key, and on a personal information carrier, the voter receives and stores only the bulletin and ciphertext filled out by him for the guarantor of anonymity, in case of detection of a distortion of his will the teller appeals to the guarantor of anonymity with a request to disavow his anonymity, deciphering his personal information in conjunction with his completed ballot, then the guarantor of anonymity appeals to the election commission with a request to correct the discovered error. 3. The method according to claim 1, characterized in that the voter, before using his personal key, presents examples of his biometric image to the electronic newsletter machine and instructs the neural network to convert these examples into the voter's personal key, then the voter destroys his personal key, as well as biometric examples of images on which the neural network was trained, the newsletter filling machine signs the parameters of the trained neural network with its digital signature and saves them to the person of the voter’s information medium, if necessary, to obtain his personal key, the voter will copy the parameters of his neural network into the electronic bulletin filling machine, the machine will verify the parameters of the trained neural network by checking his electronic digital signature below them, then the voter will present his biometric image to the electronic ballot filling machine and receives at the outputs of the neural network its personal key for generating an electronic digital signature.

Images