Practical Pollsterless Remote Electronic Voting - tws/papers/ Pollsterless Remote Electronic Voting ... 1.2 Thesis Hypothesis ... 2.4.1 Voluntary Voting System Guidelines ...Authors:

  • View
    213

  • Download
    1

Embed Size (px)

Text of Practical Pollsterless Remote Electronic Voting - tws/papers/ Pollsterless Remote Electronic Voting...

  • Practical PollsterlessRemote Electronic Voting

    A thesis to be submitted to theUNIVERSITY OF ST ANDREWS

    for the degree ofDOCTOR OF PHILOSOPHY

    by

    Timothy W. Storer

    School of Computer Science

    University of St Andrews

    April 2006

  • But it appears to me indispensable that the signature

    of the elector should be affixed to the paper at a

    public polling-place, or if there be no such place

    conveniently accessible, at some office open to all

    the world, and in the presence of a responsible

    public officer. The proposal which has been thrown

    out of allowing the voting papers to be filled up at

    the voters own residence, and sent by the post, or

    called for by a public officer, I should regard as

    fatal. The act would be done in the absence of the

    salutary and the presence of all the pernicious

    influences. The briber might, in the shelter of

    privacy, behold with his own eyes his bargain

    fulfilled, and the intimidator could see the extorted

    obedience rendered irrevocably on the spot.

    John Stuart Mill.

    Considerations on Representative Government,

    1860.

  • Abstract

    This thesis describes the design of a novel class of pollsterless voting schemes. Many

    cryptographic voting schemes necessitate a pollster because the client side computations

    are beyond the understanding or ability of the voter. Such interactions require that the voter

    trust the software to perform operations on their behalf, and in effect, the pollster acts as the

    voter. Conversely, the pollsterless schemes presented here permit voters to interact with an

    election authority directly, without complex computations. Pollsterless schemes have the

    additional advantage of permitting voting on virtually any networked device, increasing the

    potential mobility of voting.

    The proposed pollsterless schemes are implemented and then evaluated with respect to the

    particular requirements of the UK public election context. The flexibility of pollsterless

    schemes in particular are demonstrated to fulfill the diverse requirements that may arise in

    this context, whilst the mobility of pollsterless schemes is demonstrated to fulfill require-

    ments to improve the convenience of voting.

  • I, Timothy W. Storer, hereby certify that this thesis, which is approximately 55000 words

    in length, has been written by me, that it is the record of work carried out by me, and that

    it has not been submitted in any previous application for a higher degree.

    date signature of candidate

    I was admitted as a research student in September 2002 and as a candidate for the degree

    of Doctor of Philosophy in September 2003; the higher study for which this is a record was

    carried out in the University of St Andrews between 2002 and 2006.

    date signature of candidate

    I hereby certify that the candidate has fulfilled the conditions of the Resolution and Regu-

    lations appropriate for the degree of Doctor of Philosophy in the University of St Andrews

    and that the candidate is qualified to submit this thesis in application for that degree.

    date signature of supervisor

    In submitting this thesis to the University of St. Andrews I understand that I am giving

    permission for it to be made available for use in accordance with the regulations of the

    University Library for the time being in force, subject to any copyright vested in the work

    not being affected thereby. I also understand that the title and abstract will be published,

    and that a copy of the work may be made and supplied to any bona fide library or research

    worker.

    date signature of candidate

  • Acknowledgement

    This thesis, and the work it describes, would never have been completed without the support

    of many others.

    Those who have provided academic guidance during the course of this project include my

    initial supervisor, Ursula Martin, who provided much early input; Pam Briggs and Linda

    Little at the PACT Laboratory at Northumbria University; and James McKinna within the

    School. In addition, the work was generously funded by Microsoft Research, and later by

    ESRC.

    Many members of the School played a part in ensuring that this thesis was completed and

    submitted on time. I thank in particular Graeme Bell, James McKinna and Tom Kelsey,

    who gave their time to read the final drafts and/or provided practice for the oral defence.

    Thanks also to my friends in the School who contributed by simply making another four

    years as a student so worthwhile; and to my parents for not asking too often whether I

    would be getting a job soon.

    My supervisor, Ishbel Duncan, deserves special thanks for her constant support over four

    years, ensuring that the work was completed. Ishbel proved an endless source of advice,

    ideas, encouragement and (most importantly) candid criticism.

    And finally, Amanda, who will almost certainly never read this, I couldnt have done it

    without you.

  • Published Research

    Tim Storer and Ishbel Duncan.

    Polsterless remote electronic voting.

    Journal of EGovernment, 1(1):75103, October 2004.

    Tim Storer and Ishbel Duncan.

    Practical remote electronic elections for the UK.

    In Stephen Marsh, editor, Privacy, Security and Trust 2004 Proceedings of the Second An-

    nual Conference on Privacy, Security and Trust, pages 4145, Fredericton, New Brunswick,

    Canada, October 2004. National Research Council Canada, University of New Brunswick.

    Tim Storer and Ishbel Duncan.

    Modelling context for the design of remote electronic voting schemes.

    In Pedro Isaas, Piet Kommers, and Maggie Macpherson, editors, IADIS International Con-

    ference e-Society 2004, volume 2, pages 10011004, Avila, Spain., July 2004. IADIS

    Press.

    Tim Storer and Ishbel Duncan.

    Two variations of the mCESG pollsterless e-voting scheme.

    In Randal Bilof, editor, COMPSAC 05 The 29th Annual International Computer Software

    & Applications Conference, pages 425430, Edinburgh, Scotland, July 2005. IEEE Com-

    puter Society.

  • Contents

    List of Figures vi

    List of Tables viii

    1 Introduction 1

    1.1 Remote Electronic Voting in Computer Science . . . . . . . . . . . . . . . 1

    1.2 Thesis Hypothesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

    1.3 Major Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

    1.4 Organisation of Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

    2 Voting and Technology 5

    2.1 Voting and Automation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

    2.2 Voting Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

    2.3 Voting Contexts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

    2.3.1 Classification of Voting Contexts . . . . . . . . . . . . . . . . . . 15

    2.3.2 Instances of Voting Contexts . . . . . . . . . . . . . . . . . . . . . 33

    2.3.3 Summary: Voting Context Diversity . . . . . . . . . . . . . . . . . 37

    2.4 Requirements and Standards . . . . . . . . . . . . . . . . . . . . . . . . . 37

    2.4.1 Voluntary Voting System Guidelines . . . . . . . . . . . . . . . . 37

    2.4.2 Common Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . 42

    2.4.3 CESG Security Study (UK) . . . . . . . . . . . . . . . . . . . . . 44

    2.4.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

    2.5 Voting Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

    i

  • ii

    2.5.1 Mix Nets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

    2.5.2 Homomorphic Schemes . . . . . . . . . . . . . . . . . . . . . . . 49

    2.5.3 Blind Signature Schemes . . . . . . . . . . . . . . . . . . . . . . 50

    2.5.4 Hybrid Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

    2.5.5 RIES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

    2.5.6 Summary of Voting Schemes . . . . . . . . . . . . . . . . . . . . 63

    2.6 Voting Systems and Technologies . . . . . . . . . . . . . . . . . . . . . . 63

    2.6.1 Ballots and Boxes . . . . . . . . . . . . . . . . . . . . . . . . . . 64

    2.6.2 Postal or Mail in Paper Ballots . . . . . . . . . . . . . . . . . . . 66

    2.6.3 Lever Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

    2.6.4 Punch Card/Optical Scan . . . . . . . . . . . . . . . . . . . . . . 67

    2.6.5 Direct Recording Electronic Machines (DREs) . . . . . . . . . . . 68

    2.6.6 Remote Electronic Voting Systems . . . . . . . . . . . . . . . . . 71

    2.6.7 Summary of Voting Systems and Technologies . . . . . . . . . . . 73

    2.7 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

    3 Requirements for UK Public Elections 75

    3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

    3.2 Convenience Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 77

    3.3 Electoral System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

    3.3.1 Unordered Selection of Options . . . . . . . . . . . . . . . . . . . 80

    3.3.2 Ordered Selection of Options . . . . . . . . . . . . . . . . . . . . 81

    3.3.3 Mixed Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

    3.4 Secrecy Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

    3.4.1 Threat Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . .