WO1992003805A1 - Method for conducting a televote in a safe manner - Google Patents

Method for conducting a televote in a safe manner

Info

Publication number
WO1992003805A1
Authority
WO
WIPO (PCT)
Application number
PCT/FI1991/000261
Other languages
French (fr)
Inventor
Jyrki Penttonen
Original Assignee
Tecnomen Oy

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C13/00 Voting apparatus

Abstract

The invention relates to a method for conducting a televote in a safe manner. All processing of voting information is effected inside a physically protected data processing unit (PPVC) in a manner that under no circumstances does any piece of voting information provided by voters appear outside the said physically protected data processing unit (PPVC) in a deciphered form or in such a form that it could be deciphered by someone else but the said physically protected data processing unit (PPVC).

Description

Method for conducting a televote in a safe manner
Televoting refers to a voting procedure, where the voters are offered the possibility of using their voting rights for example by utilizing a data communication network.
In principle, the nature of televoting is such that a data network used as a telecommunication medium must fulfil certain requirements in order to be accepted for televoting. The most important requirement is that the network must be geographically comprehensive, i.e. it must be accessible to voters as easily as possible. The telecommunication media best suited for televoting ballots include the public dial telephone network, general circuit-switched data transmission networks and public packet-switched data transmission networks.
The extensive geographical coverage of a network used as a telecommunication medium creates nevertheless a problem for conducting a vote and particularly for the preservation of a secret ballot. The fact that these networks are easily accessible makes them vulnerable in terms of privacy protection.
A traditional opinion has been that one of the major obstacles to the introduction of televoting systems has been the fact that a secret ballot cannot be guaranteed with these procedures. This invention relates to a method capable of securing secrecy in televoting ballots.
Secrecy in ballots is a sum of several different factors. The most important aspect is generally considered to be the secrecy of the voting information. This means that the choice of vote of a private voter must not under any circumstances end up in the hands of anyone else but the voter him- or herself.
In terms of a secret ballot, another important aspect of voting systems is the confirmation of mutual, reliable identification. A system cannot be considered safe unless the voter has positive assurance that he or she is indeed communicating with the intended voting machine and not, for example, with some eavesdropper imitating the operation of a voting machine. On the other hand, it is equally important that the voting machine has a possibility of confirming the identity of a voter. This is to make sure that the voter only has a chance to use his or her own voting right.
Another, but slightly less significant, aspect of a secret ballot is generally considered to be the protection of the information as to whether a given voter has used his or her voting right in a given ballot. This security requirement is, for example, not fulfilled in elections carried out in the traditional manner: whether or not a given person has used his or her voting right is basically always public information.
However, according to the general principles of a secret ballot, it is essential to be able to protect the information as to whether or not a voter has used his or her voting right in a given ballot. This aspect has even been the subject of rather extensive public debate, in which it has been stated that it is ethically wrong to reveal whether or not a voter has used his or her voting right.
A major threat to all voting systems is also an attack on the system that seeks to manipulate the actual outcome of an election.

THE PROCEDURE AND APPLICATIONS OF THE METHOD
A method of the invention can be applied to establish a televoting system, wherein all the above elements of a secret ballot can be secured.
Fig. 1 shows an operational block diagram for one method of this invention. It can be divided into the following elements:
1. A voter's computer (VC), whereby a person entitled to vote does the voting.
2. A physically protected voting computer (PPVC), which processes the voting data into such a form that it can be stored in a separate vote file (VF). The physically protected computer is designed in a manner that unauthorized persons have no access to recorded secret keys or other confidential information. Neither is it possible to interfere in any way with the functions, operating flow etc. carried out by the said physically protected data processing unit.
3. A vote file (VF) for storing the voting data as received from the voters. It should be appreciated that the file can be kept outside the physically protected data processing unit, but its processing is nevertheless protected by means of cryptological methods. The file is protected both against disclosure of the data (ciphering) and against attempts to alter the data (digital signature). A seal of the file is calculated in a manner that it depends on every information bit of the file, so that the alteration of even a single bit changes approximately 50 % of the seal bits. Calculation of the seal is effected by means of a master key (Km), which is inside the physically protected data processing unit and known only to the said voting computer (PPVC). The seal is dependent not only on the above-mentioned voting data and master key (Km) but also on a random vector (RV) created by the physically protected data processing unit itself. The purpose of this is to protect against possible attacks of the copying type, i.e. attempts to replace the present information with previously gathered sealed or ciphered information.
4. A vote result file (VRF), into which the voting computer (PPVC) calculates from the recorded vote file (VF) the actual outcome of a ballot.
5. A public key file (PKF) for storing a public key representing every voter.
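The vote file handling of item 3 above, and of step 10 of the procedure described later (open the seal under Km and the current RV, append the vote, cipher and seal again under a new RV), together with the result calculation of item 4, as an added example in Python. It is not the patent's or Tecnomen Oy's code. Assumed here, because the patent names no algorithms: HMAC-SHA256 in counter mode serves as the keystream for ciphering and HMAC-SHA256 as the seal; records are JSON objects; and for the vote result the latest record of each voter counts, since step 8 allows a voter to alter or cancel an earlier vote.

```python
"""Vote file (VF) as kept by the PPVC: the file may live outside the
protected unit, but it is ciphered and sealed under the master key Km
together with a random vector RV that the PPVC renews on every write, so
that a single flipped bit breaks the seal and a replayed older copy of the
file is detected.  Added illustration, not the patent's code; HMAC-SHA256 as
keystream and seal, JSON records and the tally rule are assumptions."""
import hashlib
import hmac
import json
import secrets
from collections import Counter


def _keystream(km, rv, length):
    """PRF keystream HMAC(Km, RV || counter); a fresh RV gives an unrelated
    stream, so ciphertexts of two file versions never align."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(km, rv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def flip_bit(data, bit):
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


class PPVCVoteFile:
    """The part of the PPVC that owns Km and the current RV.  A sealed file
    version is the tuple (RV, ciphertext, seal) and may be stored anywhere;
    only the PPVC can open or extend it."""

    def __init__(self, km):
        self.km = km          # master key, never leaves the protected unit
        self.rv = None        # RV of the file version written last

    def _seal(self, rv, ct):
        return hmac.new(self.km, b"VF" + rv + ct, hashlib.sha256).digest()

    def _write(self, records):
        rv = secrets.token_bytes(16)                  # new reading of RV
        pt = json.dumps(records).encode()
        ct = _xor(pt, _keystream(self.km, rv, len(pt)))
        self.rv = rv
        return rv, ct, self._seal(rv, ct)

    def _open(self, sealed):
        rv, ct, seal = sealed
        if rv != self.rv:                             # older copy replayed
            raise ValueError("stale vote file: random vector does not match")
        if not hmac.compare_digest(seal, self._seal(rv, ct)):
            raise ValueError("vote file seal broken")
        return json.loads(_xor(ct, _keystream(self.km, rv, len(ct))))

    def create(self):
        return self._write([])

    def record_vote(self, sealed, idv, ballot, choice):
        """Step 10: open the seal, append the vote, cipher and seal again."""
        records = self._open(sealed)
        records.append({"idv": idv, "ballot": ballot, "choice": choice})
        return self._write(records)

    def results(self, sealed, ballot):
        """Vote result (VRF) for one ballot.  A voter's latest record counts
        (step 8 lets a voter alter an earlier vote) and a choice of None
        withdraws it; only the totals leave the protected unit."""
        latest = {}
        for r in self._open(sealed):
            if r["ballot"] == ballot:
                latest[r["idv"]] = r["choice"]
        return dict(Counter(c for c in latest.values() if c is not None))


def seal_avalanche(vf, sealed, bit=0):
    """Fraction of seal bits that change when one file bit is flipped."""
    rv, ct, seal = sealed
    other = vf._seal(rv, flip_bit(ct, bit))
    diff = int.from_bytes(seal, "big") ^ int.from_bytes(other, "big")
    return bin(diff).count("1") / (8 * len(seal))
```

Two checks are worth running against this: replaying an older sealed copy fails before the seal is even verified, because its RV is not the one the PPVC wrote last; and flipping any single ciphertext bit changes roughly half of the 256 seal bits, which is the 50 % property item 3 asks of the seal.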
A system of the invention can suitably be used e.g. for a continuous survey of political climate, for decisionmaking, for organizing an advisory or binding referendum for example in:
issues concerning an entire state
municipal affairs
decision-making in societies and organizations (e.g. political parties)
operations of polling firms (gallup)
A method of the invention can also be used for a number of other applications. These applications suitable for the method include e.g. brokerage systems for stock exchanges and electronic funds transfer systems. In view of proper operation of the system, the essential feature is a physically protected voting computer (PPVC), the voter being in communication therewith by means of his or her own voter's computer (VC).
The system can also be carried out in a decentralized manner (fig. 2), e.g. a system covering the entire country can be decentralized as sub-systems in administrative districts and these, in turn, can be decentralized as sub-systems in municipalities. This produces a hierarchical system, wherein the lowest level of the hierarchy, the municipalities, is provided with a required number of sub-systems consisting of voters' computers (VC) and local physically protected voting computers (LPPVC). The following level of the hierarchy carries e.g. regional-level voting computers (RPPVC), in relation to which the local-level voting computers take the position of a voter. Accordingly, on the top level of the hierarchy, said regional-level voting computers (RPPVC) are linked with a central physically protected voting computer (CPPVC) for calculating the national results.
Benefits gained by the method include, for example:
1. Conducting a televote even in real time while providing a secret ballot for a private voter. The real-time feature is a major benefit over traditional voting systems. Traditionally, the voters are given a possibility of influencing matters once every four years. A method of this invention is capable of providing the voting results (VRF) daily and even quicker than that.
2. Storing, protecting and sealing the voting data so as to prevent manipulation of the data.
3. Whether or not a voter has used his or her voting right can be kept secret. This is a further benefit of the method as compared to traditional voting systems.
The basic objective of the invention is to offer the voter a safe path in terms of privacy protection for carrying the voting information from a voter by way of voter's computer (VC) to voting computer (PPVC) and from there on to vote file (VF). Said vote file is a file in which the voting information or data provided by all voters is stored in a centralized manner. Another equally important objective is to supply the voters with reliable information about the voting results. This is important in order not to present the vote organizers with a possibility of manipulating the final voting results.
Achieving the above objectives requires confirmation of the following aspects:
1. The voter must have confirmation of communicating definitely with a voter's computer (VC) and not, for example, with an eavesdropper imitating the operation thereof.
2. The voter's computer (VC) must have a confirmation of the identity of a voter.
3. The voter's computer (VC) must be capable of authenticating a voting computer (PPVC), i.e. there must be mechanisms whereby the voter's computer (VC) can confirm the identity of a voting computer (PPVC).
4. The data processing and data storage performed in voting computer (PPVC) and voter's computer (VC) must be arranged safely in terms of secrecy protection. Above all, this applies to information important in terms of a secret ballot, such as the voting data of individual voters.
5. The calculation of voting results (VRF) in voting computer (PPVC) must be conducted safely. Thus, under no circumstances must voting data be allowed to leak in deciphered form outside the physically protected section of voting computer (PPVC). This means that, unless protected physically, the voting data must be provided with protection e.g. by using cryptological methods (ciphering, sealing).
6. The algorithms to calculate vote results (VRF) must be such that the counted vote results (VRF) cannot possibly be used to conclude the voting data given by an individual voter. This applies also to so-called combination attacks comprising several file searches, none of which reveals confidential information alone, but a suitable combination of such file searches nevertheless does so. Thus, the vote result (VRF) calculation algorithms in voting computer (PPVC) must be provided with checks for discovering such attacks.
7. The storage of public information (e.g. public keys of public key systems) associated with ciphers and authentications, being stored in voting computer (PPVC) and voter's computer (VC), must be arranged in a manner that it is not possible for outsiders to tamper with this information without voting computer (PPVC) discovering such actions.
8. There is a safe way of informing a voter of the vote results without anyone having a chance to manipulate this information on the way.
In the realization of one method of the invention shown in fig. 1, the identification of a voter is based on a magnetic card in his or her possession and on a password known only to this particular voter.
The authentication between voting computer (PPVC) and voter's computer (VC) is effected in the present system by the application of so-called public key methods. Each voter's computer (VC) possesses its own secret key, which is possessed only by said computer. This key, as well as all other confidential information in the voter's computer (VC), is retained in a physically protected location.
Accordingly, the voting computer (PPVC) has its own secret key, which is likewise possessed only by the said computer and is physically protected.
More detailed information about public key methods, their operating principles and reliability, will not be described in this context; instead, reference is made to the items of literature listed hereinbelow.
1. Beker, H. and Piper, F., Cipher Systems: The Protection of Communications, Edinburgh and London, Northwood Publications, 1982.
2. Seberry, J. and Pieprzyk, J., Cryptography: An Introduction to Computer Security, New York, Prentice Hall, 1989.
3. Davies, D. W. and Price, W. L., Security for Computer Networks: An Introduction to Data Security in Teleprocessing and Electronic Funds Transfer, Chichester, John Wiley & Sons, 1984.

EXAMPLE:
The following is a detailed description of a specific voting procedure.
Participants: Voter, Voter's computer (VC), Voting computer (PPVC). Notation: E(K, M) is the ciphering of message M under key K; Kpk and Ksk are the public and secret key of the voting computer (PPVC); Kpi and Ksi are the public and secret key of the voter's computer (VC); IDv is the voter's identification, IDm that of the voter's computer; C1, C2 are constant fields and R1, R2 random fields.

 1. VC -> Voter:    Authentication request
 2. Voter -> VC:    Authentication information (magnetic card data and PIN code)
 3. VC -> Voter:    Acknowledgement of authentication
 4. VC -> PPVC:     E(Kpk, {IDv, IDm, C1, R1})
 5. PPVC -> VC:     E(Kpi, E(Ksk, {IDv, IDm, C1, R1, C2, R2}))
 6. VC -> PPVC:     E(Kpk, E(Ksi, {IDv, IDm, C1, R1, C2, R2}))
 7. VC -> Voter:    Inquiry for voting data
 8. Voter -> VC:    Delivery of voting data (VOTE)
 9. VC -> PPVC:     E(Kpk, E(Ksi, {IDv, IDm, C1, R1, C2, R2, VOTE}))
10. PPVC -> VC:     E(Kpi, E(Ksk, {IDv, IDm, C1, R1, C2, R2, VOTE}))
11. VC -> Voter:    Acknowledgement of successful voting
12. Voter -> VC:    Inquiry of vote result
13. VC -> PPVC:     E(Kpk, E(Ksi, {IDv, IDm, C1, R1, C2, R2, RESULT_REQ}))
14. PPVC -> VC:     E(Kpi, E(Ksk, {IDv, IDm, C1, R1, C2, R2, VOTING_RESULT}))
15. VC -> Voter:    Transmission of vote result
16. VC <-> PPVC:    Disconnection

The voting operation proceeds step-by-step as follows:
1. Voter's computer (VC) requests authentication.
2. The voter supplies the authentication information: a PIN code and the data read from the magnetic stripe of the card.
3. Voter's computer (VC) checks the voter's authentication information and delivers to the voter a positive acknowledgement if the authentication was successful.
4. Voter's computer (VC) delivers the authentication request to voting computer (PPVC). This message is ciphered with the public key of voting computer (PPVC) and, thus, only the said voting computer (PPVC) is capable of deciphering it. This serves also as a partial authentication: if the voter's computer (VC) can later make sure that the counterpart device has been capable of correctly deciphering the message delivered to it, the voter's computer (VC) can confirm the identity of voting computer (PPVC). The message contains the voter's unique identification number IDv, the identification IDm of the voter's computer, a constant field C1 and a random number R1. The reason to include constant C1 in the message is that, upon deciphering the message, the voting computer (PPVC) can decide whether the received message is indeed the one expected to be received, in other words, intelligible. The random number R1 is created by the voter's computer (VC) itself and is included in the message to make sure that the authentication sequences look different each time. This is necessary to eliminate so-called replay attacks.
5. The voting computer (PPVC), after receiving the message delivered by the voter's computer (VC), in which the voter and the voter's computer declare their identities to the voting computer (PPVC), checks the constant field included in the message. If the constant field is what it is supposed to be, i.e. what is agreed on the system level as the appropriate constant field, the voting computer searches the sealed public key file (PKF) for the public key matching this particular voter's computer (VC), checks the seal, and sends an authentication acknowledgement message back to the voter's computer (VC). The message contains the voter's identification IDv, the identification IDm of the voter's computer, the constant C1 and the random field R1 supplied by voter's computer (VC), as well as a corresponding second constant field C2 and a random field R2. The meaning of these two latter fields is the same as that of the corresponding fields supplied by the voter's computer (VC).
The message is ciphered in a manner that the outer encryption uses the public key of the voter's computer (VC) and the inner encryption uses the secret key of the voting computer (PPVC). The purpose of the outer encryption is to prevent the disclosure of information: no one but the voter's computer (VC) is capable of deciphering this particular message, as it requires the secret key of the voter's computer (VC), which is possessed by voter's computer (VC) only. The purpose of the inner encryption is to authenticate the voting computer (PPVC) to the voter's computer (VC): only the voting computer (PPVC) could have produced the said cipher text, as no one else is in possession of the said secret key.
It should be noted that, after step 5, the voting computer (PPVC) has authenticated itself to the voter's computer (VC), but there is not yet any assurance as to the authenticity of the voter or the voter's computer (VC), since anyone could have delivered the message mentioned in step 4.
6. The voter's computer (VC) sends out a message similar to that of the preceding step. The purpose of the outer encryption is to prevent disclosure of the information contents of the message. The encryption key used here is the public key of the voting computer (PPVC); this encryption can only be deciphered by the voting computer (PPVC), since only it is in possession of the corresponding secret key. The inner encryption is accordingly produced by using the secret key of the voter's computer, thus providing the authentication of the voter's computer (VC): only the voter's computer (VC) has been capable of conducting the operation, it being the only one in possession of this secret key.
It should be noted that, after step 6, authentication has been performed on both sides. The voter's computer (VC) can be sure that it is communicating with the voting computer (PPVC) it is supposed to be communicating with. Likewise, the voting computer (PPVC) can be sure of the identity of the voter's computer (VC) and of the voter.
7. Following step 6, with all-around authentications
completed, there has also been established a safe data-transmission link between voter and voting computer (PPVC). Thus, the transmission of voting information can now be started from voter to voting computer (PPVC). This is effected in two stages.
Firstly, the voting computer (PPVC) requests a voter for voting information.
8. The voter replies with voting information or data of his or her choice. This data may contain quite varied information. It may contain information about a ballot to be participated in, possibly whether to cancel or alter previously given votes, whether to participate in a new ballot, and the actual voting data.
9. The voting data provided by a voter is delivered by the voter's computer (VC) to the voting computer
(PPVC). The message is provided with constant and random fields similar to those included in the
preceding messages. These are added for the same reason, i.e. to give the message a random nature against repetition and similar attacks. The ciphers are also produced the same way as before; the outermost cipher is again for covering the information while the innermost cipher is for the authentication of a message.
10. The voting computer (PPVC) checks the authenticity of a received message by using constant and random fields and records the voting information in a vote file.
This is accompanied by also checking the integrity of the vote file: the seal of the vote file is opened using a random vector (RV) located inside the said physically protected data processing unit (PPVC) as well as a master key (Km). The new voting information is included in the vote file by generating a new value for the random vector (RV) and by using this and the master key (Km) for ciphering the voting information and for sealing it in the vote file. This is followed by delivering an acknowledgement to the voter's computer (VC). This acknowledgement is created by applying principles similar to those of the preceding messages to secure the secrecy of information and the authentication of the message.
11. The voter's computer (VC) receives the acknowledgement message from the voting computer (PPVC), checks it for authenticity and, if the message is authentic and correct, reports to the voter that the voting information delivered by him or her has now been included in the vote file. Then, the voter's computer (VC) disconnects the link.
12. A voter requests the system for vote results.
13. The voter's computer (VC) presents a voter's request for vote results to the voting computer (PPVC). This is effected by means of cipher and authentication mechanisms similar to those of the preceding steps.
14. The voting computer (PPVC) delivers the vote result calculated thereby to the voter's computer (VC). This transmission is also properly protected against possible manipulation. At this stage, secrecy of the transmitted information is no longer of utmost importance, since vote results are generally public information.
15. The voter's computer (VC) delivers the vote result information received thereby to a voter.
16. The link between voting computer (PPVC) and voter's computer (VC) is disconnected.

Claims

1. A method for conducting a televote in a safe manner, characterized in that all processing of voting information is effected inside a physically protected data processing unit (PPVC) in a manner that under no circumstances does any piece of the voting information delivered by individual voters appear outside the said physically protected data processing unit (PPVC) in deciphered form or in such a form that it could be deciphered by someone else but the said physically protected data processing unit (PPVC).
2. A method as set forth in claim 1, characterized in that a voter's identity can be confirmed and, thus, it is secured that it is only possible for a voter to use his or her own voting right, this being secured by the fact that only a voter's computer (VC) is in possession of a secret key or some other secret information whose presence is checked by a voting computer (PPVC) and, accordingly, since the voter's computer (VC) has identified a voter, a chain of authentication is established from the voting computer (PPVC) all the way to a voter, thus making sure of the identity of a voter.
3. A method as set forth in claim 1, characterized in that a voter can confirm the authenticity of a voting computer, i.e. make sure that a voter is communicating with the particular voting computer he or she is supposed to be linked with, this being secured by the fact that only the voting computer (PPVC) is in possession of a secret key or other secret information whose presence is checked by the voter's computer (VC).
4. A method as set forth in claim 1, characterized in that the public keys of voters can be stored outside a physically protected data processing unit in a manner, however, that the keys are sealed so that the reading of the said seal depends not only on said public keys but also on a random number (RV) created by the physically protected data processing unit itself and on a fixed key (Km), this feature making sure that it is not possible to alter the key information or e.g. to take up out-of-date information for reuse.
5. A method as set forth in claim 1, characterized in that the voting information provided by voters can be stored outside a physically protected data processing unit in a manner, however, that the voting information is sealed and ciphered only with a key located inside a physically protected data processing unit so that the reading of said seal depends not only on the said voting information but also on a random number (RV) created by the physically protected data processing unit itself and on a fixed key (Km), this feature making sure that it is not possible to alter the voting information or e.g. to take up out-of-date information for reuse.
6. A method as set forth in claim 1, characterized in that vote results can be transmitted to voters in a manner that a voter can confirm the authenticity thereof, i.e. that said vote results are counted from the delivered voting information (VF) and that the vote results have not been manipulated during the count or transmission thereof.
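The vote-file sealing of step 10 and of claims 4 and 5 above, modelled as an added Python example (not code from the patent): the seal depends on the file contents, a random vector (RV) held only inside the unit and a master key (Km), and RV is renewed on every update, so an altered copy or a stale copy of the externally stored file no longer opens. HMAC-SHA256 as the seal and an HMAC-derived keystream as the cipher are assumptions; the patent does not name its primitives.

```python
import hashlib
import hmac
import json
import secrets

SEAL_LEN = 32  # HMAC-SHA256 output length

def _keystream(km: bytes, rv: bytes, length: int) -> bytes:
    """Keystream from Km and RV in a counter construction (assumed cipher, not the patent's)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(km, rv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal_vote_file(km: bytes, rv: bytes, votes: list) -> bytes:
    """Cipher the votes under Km/RV and append a seal that depends on the votes, RV and Km."""
    plain = json.dumps(votes, sort_keys=True).encode()
    ct = _xor(plain, _keystream(km, rv, len(plain)))
    seal = hmac.new(km, rv + ct, hashlib.sha256).digest()
    return ct + seal

class PPVC:
    """Model of the physically protected unit: only it holds Km and the current RV."""

    def __init__(self, km: bytes):
        self.km = km
        self.rv = secrets.token_bytes(16)                 # random vector never leaves the unit
        self.vote_file = seal_vote_file(km, self.rv, [])  # sealed file, stored outside the unit

    def check_seal(self, stored: bytes) -> bool:
        """True only if 'stored' was sealed under the RV the unit holds right now."""
        ct, seal = stored[:-SEAL_LEN], stored[-SEAL_LEN:]
        expected = hmac.new(self.km, self.rv + ct, hashlib.sha256).digest()
        return hmac.compare_digest(seal, expected)

    def open_vote_file(self, stored: bytes) -> list:
        if not self.check_seal(stored):
            raise ValueError("vote file altered or out of date")
        ct = stored[:-SEAL_LEN]
        return json.loads(_xor(ct, _keystream(self.km, self.rv, len(ct))))

    def record_vote(self, stored: bytes, vote: dict) -> bytes:
        """Step 10: open the file, add the vote, draw a new RV, re-seal. Returns the new file."""
        votes = self.open_vote_file(stored)
        votes.append(vote)
        self.rv = secrets.token_bytes(16)                 # new RV: earlier sealed copies stop verifying
        self.vote_file = seal_vote_file(self.km, self.rv, votes)
        return self.vote_file
```

Calling `record_vote` twice and then `check_seal` on the first returned file shows the out-of-date detection of claim 5: the old copy was sealed under an RV the unit has since replaced.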
PCT/FI1991/000261 1990-08-27 1991-08-26 Method for conducting a televote in a safe manner WO1992003805A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI904216 1990-08-27
FI904216A FI86486C (en) 1990-08-27 1990-08-27 FOERFARANDE FOER ATT ARRANGERA TELEROESTNINGEN PAO ETT SAEKERT SAETT.

Publications (1)

Publication Number Publication Date
WO1992003805A1 true WO1992003805A1 (en) 1992-03-05

Also Published As

Publication number Publication date
FI904216A (en) 1992-02-28
FI86486B (en) 1992-05-15
FI86486C (en) 1992-08-25
FI904216A0 (en) 1990-08-27

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): DE DK GB NL NO SE

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH DE DK ES FR GB GR IT LU NL SE