Electronic Elections

Posted by Roy Hooper Fri, 17 Mar 2006 15:15:00 GMT

One of the things on my plate at work right now is our upcoming AGM and board of directors election. We’re going to redo the election software, and while doing it I’d like to give those voters who care a way to validate the results for themselves, and so some real confidence in the system.

I have a number of ideas that will help with it, and some goals that we’d like to achieve, either this year or next year.

Firstly, there’s the matter of protecting the election results until the election is complete, such that even the developers and system administrators cannot retrieve the results, even under pressure to do so from superiors.

Secondly, I’d like to see it possible to validate that my vote is actually contained in the results, without the result data needing to be revealed.

Thirdly, I’d like to ultimately be able to separate the voter’s identity from their vote. This isn’t likely to be something we can do right away, since there are circumstances in an electronic election that mandate discarding votes cast by voters who turn out to be ineligible. Nevertheless, I think this data can be protected using the same techniques that address the first issue.

So how do I propose dealing with each of these? For the first issue – encrypting data, I’m looking into some form of encryption scheme that follows these rules:
  • The software may encrypt the data without needing the secrets to decrypt it (asymmetric encryption: the voting system holds only the public key).
  • In order to decrypt the data, T of N people would need to provide their keys to the system, where T is greater than 1 but less than N. For example, 2 of 5 or 3 of 5 keys. The reason T should not be all N keys is that people will forget keys, passwords, or both. In fact, password-protecting these key chunks is scary in and of itself if T is a significant portion of N.

Because of the nature of our election process, I foresee that each person will actually need to carry several keys for different pieces of data that need opening at different times. For simplicity for the user, I imagine the software will bundle these into a single unit containing all their keys, protected by a single password.

Right now, the most likely candidate for this T of N decryption key system is secret sharing (Shamir’s scheme), specifically the ssss tool.

For the second issue – I haven’t yet researched techniques to do this. What I have in mind is some form of digital signature and/or fingerprint system. The idea being that when you cast your ballot, you get back a fingerprint or signature. When the election is completed (and after decryption has been performed by providing sufficient keys), a routine counts the ballots and generates a signature or fingerprint which is published. This fingerprint or signature would serve several purposes:
  1. to verify the number of ballots cast and the number of votes for each candidate, without actually posting the results file.
  2. to verify that an individual ballot is contained in the results.

I believe that such a signature along with a published algorithm should be satisfactory, especially if the signature or fingerprint provided for their results can be used against the election results signature or fingerprint to verify it contains their ballot’s signature.
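One way to get the second property, as an added example that is not from the original post (which had not yet picked a technique): a hash tree over the cast ballots. Each voter keeps a receipt (their ballot plus a random nonce), the published fingerprint is the tree root, and a short inclusion proof lets the voter check their ballot is under that root without any other ballot being shown. Function names and the sample ballots are constructed for the example.

```python
"""Published election fingerprint with per-ballot inclusion proofs.

Added example, not code from the original post. Every cast ballot is
hashed into a leaf of a hash tree, the root is the published fingerprint,
and a voter who kept the receipt (ballot + nonce) can check that their
ballot is under that root using a proof of about log2(N) hashes.
"""
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(ballot: bytes, nonce: bytes) -> bytes:
    # The nonce stops anyone from guessing a leaf back to "candidate A"
    # from the tiny set of possible ballots. The 0x00 prefix separates
    # leaves from interior nodes (0x01) so a leaf can never be passed off
    # as a node or vice versa.
    return _h(b"\x00" + nonce + ballot)


def _node(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def build_tree(leaves):
    """Return the tree as levels: levels[0] = leaves, levels[-1] = [root].
    An unpaired node at the end of a level is carried up unchanged."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            nxt.append(_node(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i])
        levels.append(nxt)
    return levels


def inclusion_proof(levels, index):
    """Sibling hashes from leaf `index` up to the root, each tagged with
    whether the sibling sits on the left."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_receipt(ballot: bytes, nonce: bytes, proof, root: bytes) -> bool:
    """Voter-side check: recompute the leaf from the kept receipt and fold
    the proof up to the published root."""
    h = leaf_hash(ballot, nonce)
    for sibling, sibling_is_left in proof:
        h = _node(sibling, h) if sibling_is_left else _node(h, sibling)
    return h == root


def run_election(choices):
    """Cast the constructed ballots, hand each voter a (nonce, proof) receipt
    and publish (root, counts). Only the ballot's owner can tie a leaf to a vote."""
    nonces = [secrets.token_bytes(16) for _ in choices]
    levels = build_tree(leaf_hash(c, n) for c, n in zip(choices, nonces))
    root = levels[-1][0]
    counts = {}
    for c in choices:
        counts[c] = counts.get(c, 0) + 1
    receipts = [(n, inclusion_proof(levels, i)) for i, n in enumerate(nonces)]
    return root, counts, receipts


if __name__ == "__main__":
    ballots = [b"alice", b"bob", b"alice", b"carol", b"alice"]
    root, counts, receipts = run_election(ballots)
    print("fingerprint:", root.hex())
    print("counts:", counts)
    nonce, proof = receipts[3]
    print("voter 3 checks 'carol':", verify_receipt(b"carol", nonce, proof, root))
    print("voter 3 checks 'bob':  ", verify_receipt(b"bob", nonce, proof, root))
```

Two caveats worth carrying into the design. An inclusion proof shows a ballot is in the committed set; it does not show that the published counts match the leaves, so whoever holds enough keys to decrypt the box should recompute the tree and the tally from the decrypted ballots and confirm the root and counts before they are published. And because a receipt lets the voter prove which ballot they cast, it also lets them prove it to someone else, which matters for any election where vote buying or pressure is a concern.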

And finally, for the last issue – separating, or at least protecting, voter identity data… This one is trickier. I’m imagining a mechanism whereby the vote is stored in one “ballot box” (encrypted) along with a vote id, and the voter identity and vote id are stored in another “ballot box” encrypted with a different key (which is then secret-shared in the same way). Although this doesn’t make the election anonymous, it does make it so the Returning Officer can remove voters if necessary.

Ideally, I’d like to see voters validate before an election, and then be given a ballot with an identifier on it, like we do here for elections - but have the ballot’s identifier torn off just prior to storage in the ballot box. The identifier is kept separately to confirm the vote happened, but the two are never stored together. Electronically, I can see this working if you have two separate systems in place - voter identification and ballot casting. The only communication between the two would be the voting system asking the identification system whether a ballot id is valid.

Anyhow, time to do some research into the signatures issue.
