
Use of the New Smart Identity Card to Reinforce Electronic Voting Guarantees

Justo Carracedo Gallardo and Emilia P. Belleboni. Departamento de Ingeniería y Arquitecturas Telemáticas, Escuela Universitaria de Ingeniería Técnica de Telecomunicación, Universidad Politécnica de Madrid. Ctra. Valencia km. 7, 28031 Madrid. Telephone: (+34) 91 336 78 02. Fax: (+34) 91 336 78 17. {carracedo1, belleboni2}@diatel.upm.es

Abstract. The time will come when the electronic identity card or Smart Identity Card (SIC), already being issued by some governments, becomes a tool that enjoys public trust for use as an electronic document. This paper explores the advantages of introducing the use of the SIC in a telematic voting system (Votescript+) based both on advanced cryptography and on the power of smart cards. The paper defends the use of the SIC as a decisive element for the identification of voters, both within the process of obtaining authorization to vote and as part of the process of individual verification of results, and it provides a summary description of the system operation protocol in its different phases.

1. Introduction
At present, a number of countries are successfully implementing systems of electronic voting that automate all or part of the process of casting and tallying votes. Electronic ballot boxes are available in the voting center, in view of the voter, who casts the ballot by means of an electronic procedure that replaces traditional boxes with paper votes. Some countries have, in addition, computer networks to transmit the results of the tally carried out in electronic ballot boxes. A more advanced electronic voting scenario [1] uses telematic networks and specific telematic agents to deposit votes in a remote ballot box out of view of the voter. Both the authorization to vote and the vote itself travel over the network. This type of voting is generally called remote electronic voting or telematic voting; we prefer the latter name in order to clearly differentiate between the two types of voting, thus reserving the term electronic voting only for systems in which the ballot boxes are located in a voting center. The technological dimension and the sociopolitical requirements of these two types of voting are radically different, and a failure to clearly distinguish them would create public confusion [2].

In general terms, we can speak of two scenarios for telematic voting: a) voting requires reporting in person to specific voting sites; or b) voting can be done anywhere, i.e. at home, using the common accesses and resources of the Internet. The latter type could be called Internet voting. Since early 2000, the authors of this paper have been designing, implementing and testing telematic voting systems within the framework of the Votescript Project [3]. In the voting process presented in this paper, Votescript+, voting is undertaken at specific voting sites, with the use of dedicated telematic agents and computer networks of its own. In practice, however, these networks are nothing but virtual networks supported by the data transport infrastructure of the Internet.

One of the difficulties encountered in properly designing a telematic voting system is that the requirements [4] often pose demands that are, in principle, seemingly contradictory. The most notable are:

a) The voting system must ensure that only people with the right to vote can cast a vote, while it must also ensure that it is not possible to link this properly identified person to the vote he or she has cast. That is, two security services that are usually counterpoised, authentication and anonymity, must be combined, although in different phases.

b) The telematic voting system must provide mechanisms for voters to verify the treatment given to their vote, but this mechanism must not allow the voter to prove to third parties what the content of the vote was, so as to prevent coercion and vote selling.

This paper is a result of the research work undertaken in the project TSI2006-4864 Telematic Platform of Electronic Administration based on Choreography of Services, financed by the Spanish Ministry of Education and Science as part of the National R+D Plan.

Moreover, for the telematic voting system to emulate the guarantees provided by voting with ballots [5], the work of the components we might call official shall be supervised by other computer teams led by monitors or witnesses acting on behalf of the citizen groups participating in the voting process.

[Figure 1 (diagram omitted): global architecture of Votescript+. a) Identification and Authentication Network: Validation Authority, Authentication Point (AP), Administrator System (AS), Intervention Systems (IS). b) Voting Network: Voting Cabin (VoC), Ballot Box (BB). c) Verification Network: Verification Cabin (VeC), Tallier System (TS), Tallier Intervention Systems (TIS), Tally Board (TB).]

Figure 1: Global architecture of Votescript+.

2. Votescript+ communication scenario


The Votescript+ proposal includes the use of two smart cards for telematic voting:

a) One of these is the voter's Smart Identity Card (SIC) issued by the government [6]. When this identification mechanism has been implemented, all citizens who wish to vote shall bear a personal SIC and will be accustomed to using it in other telematic transactions. It should be recalled that possession of a valid SIC does not necessarily mean that the citizen has the right to vote, as they may be excluded owing to age, court decisions, residence in a region outside that in which the voting process is being held, etc.

b) The other is the Smart Voting Card (SVC), a JavaCard that is generic and identical for all voters and is provided to each voter at the beginning of the process. The SVC runs the Votescript algorithms, and all sensitive data, including the keys used to encrypt information, are stored securely on it.

To satisfy the requirements demanded by the public, the use of three independent networks has been established (Figure 1): one to identify and authenticate voters, another to cast the vote and a third to allow the voter to verify the treatment of his or her vote. The Votescript+ communication scenario includes a set of automatic systems that are described below:

- Authentication Points, APs. These are computer systems that can authenticate voters and provide authorization for casting a vote.
- Administration System, AS. Can be considered the official system that issues the authorizations requested by voters.
- Several Intervention Systems, ISs, responsible for supervising and monitoring the operation of the official AS.
- Voting Cabins, VoCs, which allow a voter to cast a vote, storing the voting receipt in the voting card, thus enabling it to provide proof for verification.
- Ballot Box, BB, which returns voting receipts and stores votes until they are counted.
- Tallier System, TS, which opens the votes and performs the official tally.
- Several Tally Intervention Systems, TIS, which prevent the introduction, modification or elimination of valid votes by performing the task of the TS simultaneously.
- Tally Board, TB, where the Tallier publishes the results that the TIS compare with their own.
- Verification Cabins, VeCs, which allow voters to access network resources that will verify that the data stored on the voting card and in the records published by the system are congruent.

Figure 1 also depicts the Validation Authority, which will be implemented as an integral part of the identification system linked to the SIC. The Validation Authority is not part of the development of Votescript+, but is rather a system that cooperates with Votescript+. The SIC will be used by the voter within the identification and authentication network in cooperation with the Validation Authority (Figure 1 a). In the voting phase, a voter will only use the SVC, thus robustly separating the identification and authentication phase from the vote casting phase.

In the verification phase, the voter uses the SIC, although in this case the network is not connected to the Validation Authority. Votescript+ delegates the assurance of the identity of those who seek to vote to the SIC scheme. As this assurance becomes more robust over time, Votescript+ will inherit the improvement owing to this delegation of identification.

3. Brief description of protocols in Votescript+


The voter authentication phase begins with the process of identifying the voter according to the protocols and resources of Votescript+, taking into consideration the existence of the SIC (Smart Identity Card) with the capacity to authenticate a person and sign in that person's name in accordance with certain use procedures.

3.1. In the identification and authentication network


The identification and authentication network (Figure 2) puts the voter in contact with the Administrator System, performing the consecutive steps that, with the collaboration of the SIC Validation Authority, lead to the identification of the person through a secure channel. The Validation Authority is a resource outside Votescript+ that is provided by the SIC infrastructure.

[Figure 2 (diagram omitted): SIC and SVC in their smartcard readers, Authentication Point, Administrator System and Validation Authority; steps 1 to 9.]

Figure 2: Process of identifying the person and establishing a secure communication channel.

In the explanation that follows, each step indicated in the figure is marked with a number in parentheses. In this phase, the Votescript Smart Voting Card (SVC) asks the SIC to begin the identification process (1); the SIC answers with its authentication certificate (2), which is then sent by means of the SVC to the Validation Authority through the Administrator System (3 and 4), whose response (5) is approval or denial of the information submitted by the SIC. The Administrator System then sends to the SVC a signed piece of information (6) with the result of the transaction. If the process is successful, a secure channel is established for communication between the Authentication Point and the Administrator System. In case of denial, the reason for the event must be indicated. The SVC checks the signature on the information from the Administrator System and stores it in a secure place that prevents its deletion or modification, whether accidental or malicious. The bits of information stored in the registries of the Administrator System and the SVC will enable an auditor to discover the cause of an impediment to voting, thus deterring any temptation in this phase to arbitrarily deny certain citizens the right to vote.

Given that the SIC is not designed to decode information sent confidentially to the voter, and that the previous action only completes a preliminary step in authenticating the person (it cannot yet be said that the person is a voter), the SVC generates a session key for the confidential reception of information (kaut), a verification token (VT), a pair of keys (kdV, kcV) and a set of opacity factors [7] (OAS, OIS1, OIS2, etc.) needed to make the kdV opaque for the Administrator System (OAS(kdV)) and for each of the Intervention Systems (OIS1(kdV), ...). Then, in steps (7) and (8), the SIC signs the verification token (Vs(VT)), the session key (Vs(kaut)), the Voter ID (Vs(Voter Id)) and the kdV key made opaque for all recipients. All of this, whose encoding is shown below (note 1), is stored (9) in a secure place on the SVC:

[(VT), Vs(VT), (kaut), Vs(kaut), (Voter Id), Vs(Voter Id), (OAS(kdV), Vs(OAS(kdV))), (OIS1(kdV), Vs(OIS1(kdV))), ...]

This is how the SVC's interaction with the SIC and the Validation Authority ends.

Then (Figure 3), the VT signed by the SIC is stored in the SVC, while the session key (kaut) to be used in the return communication is concatenated with the voter ID and the opaque signed keys. This information, encrypted with the public key of the Administrator System, is sent (10) from the SVC to the Administrator System through the Authentication Point and through the secure channel now established (note 2):

ASP[(kaut), (Voter Id), Vs(Voter Id), (OAS(kdV), Vs(OAS(kdV))), (OIS1(kdV), Vs(OIS1(kdV))), ...]

The Administrator System deciphers the data received and forwards it (11) to the Intervention Systems in order to gain their authorization:

[(Voter Id), Vs(Voter Id), (OAS(kdV), Vs(OAS(kdV))), (OIS1(kdV), Vs(OIS1(kdV))), ...]

Then both the Administrator System and the Intervention Systems verify the identity of the voter and the signature; moreover, if the authorization has not already been signed, the corresponding opaque key kdV is blindly signed. The Administrator System gathers (12) all this information, IS1bsig(OIS1(kdV)), IS2bsig(OIS2(kdV)), ..., which, together with its own blind signature of the key kdV, comprises the package of blindly signed keys (note 3). This key package is encrypted by the Administrator System and again encrypted with the voter's authentication session key, to be sent to the Authentication Point (13) confidentially and with proof of origin (note 4):

kaut[ASs[ASbsig(OAS(kdV)), IS1bsig(OIS1(kdV)), ...]]

The Authentication Point sends the information (14) to the SVC, which is the only device able to know the content and verify the signatures. Once these signed kdV keys have been unblinded, they will constitute the authorization to vote that will be linked inseparably to the vote in the following phase.

[Figure 3 (diagram omitted): SVC in its smartcard reader, Authentication Point, Administrator System (AS) and Intervention Systems (IS); steps 10 to 14.]

Figure 3: Authorization transmitted on the secure channel.

Note 1. The separation with commas indicates that messages or pieces of information are sent or stored in a concatenated manner, one after another. Vs(kaut) indicates that message kaut is encrypted with the private key of V (asymmetric cryptography). OAS(kdV) stands for the application of an opacity factor to message kdV, to make it opaque for the entity AS.

Note 2. ASP[m] stands for the encryption of message m with the public key of AS (asymmetric cryptography).

Note 3. Absig[OA(m)] represents the blind or opaque signature of the message m, using the private key of A.

Note 4. kaut[m] stands for a symmetric encryption transaction, where kaut is the secret key and m is the clear message.

3.2. In the voting network

Upon completion of the process in the identification and authentication network, the voter goes to the Voting Cabin (Figure 4), where he or she delivers the vote using solely the SVC. The voter inserts the SVC in the device located in the Voting Cabin, which has no encryption capacities of its own.

[Figure 4 (diagram omitted): SVC in its smartcard reader, Voting Cabin and Ballot Box (BB); steps 1 to 4.]

Figure 4: Anonymous casting of the vote.

The Voting Cabin requests that the voter cast a vote (1), which is encrypted in the SVC with kcV (the pair of kdV) and concatenated with kdV and with the authorization (kdV signed by the Intervention and Authentication Systems and by the Administrator System). As this information, which is ultimately deciphered by the Tallier and by the Tallier Intervention Systems, could subsequently jeopardize the secrecy of the vote, it is protected in a Secure Envelope between the card and the Tallier (Secure Envelope, SET; note 5). SET contains:

SET[kcV[Vote], kdV, ASbsig(OAS(kdV)), IS1bsig(OIS1(kdV)), ...]

A symmetric key KS is generated which, along with the aforementioned Secure Envelope, is inserted in another, external Secure Envelope, this time between the SVC and the Ballot Box. This piece of information is sent (2) to the Ballot Box:

SEBB[KS, SET]

The Ballot Box removes the external Secure Envelope and separates the two pieces of information, SET and KS. The SET is stored in the Ballot Box until the period for casting votes is over. In addition, the SET is encrypted with the public key of the Election Authority, signed by the Ballot Box and encrypted with KS, to be sent (3) confidentially to the SVC as the receipt of the cast vote:

KS[EAP[SET], BBs[EAP[SET]]]

The Voting Cabin delivers (4) the information to the SVC, which obtains and verifies the signature of the Ballot Box, after which it securely stores the receipt, which can be revealed only if the voter wishes to present it to the Election Authority.

Note 5. The implementation of this Secure Envelope uses mechanisms similar to those of the so-called Secure Channel, offering more protection than a standard digital envelope.

After the end of the vote reception period, the presence of the persons acting as Administrators and Supervisors is required to build, among all of them, the key needed to open the Ballot Box and start the process of dumping its contents into the Tallier and the Tally Intervention Systems (Figure 5), thus providing guarantees that no one has previously possessed the intermediate results of the voting as insider information. In fact, the presence of the Administrator and of a sufficient number of Supervisors is required, so as to prevent one or a small number of them from blocking the entire electoral process. These individuals insert their SICs and the smart cards identifying their respective roles in the system and, following biometric identification, recompose the key that allows the opening of the Ballot Box (1). Comparison mechanisms are provided to verify that all the systems are receiving the same information.

[Figure 5 (diagram omitted): Ballot Box (BB), Tallier System (TS), Tallier Intervention Systems (TIS) and Tally Board (TB); steps 1 to 3.]

Figure 5: The tallying of votes is supervised.

Once again, the presence of the persons acting as Administrator and Supervisors is required to build, among all of them, the private key of the Tallier. This key is delivered to the Tallier System and to all the Tallier Intervention Systems to allow them to learn the internal content of each of the encrypted votes they have received from the Ballot Box (2). Once the SET envelopes are open, the deciphering of votes and the tally are performed. The Tallier sends to the Tally Board (TB) (3) the information consisting of the key kdV and the signatures of the Administrator and the Intervention Systems on the key kdV, along with the deciphered vote. After the results are released, a global verification is undertaken in which each Supervisor checks that the information matches that in their system; otherwise, the Election Authority will be asked to perform the necessary checks of the registries.
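As an added illustration (not code from the Votescript+ project), the following Python models the authorization round of section 3.1 and the Tallier's check of section 3.2: the SVC blinds kdV with one opacity factor per signer, the AS and an IS sign blindly without ever seeing kdV, the SVC unblinds, and at tally time every signature on the now visible kdV is verified and a kdV that has already been counted is rejected. It uses textbook RSA blind signatures [7] with constructed toy parameters (fixed Mersenne primes, hash-and-reduce encoding instead of a real padding scheme); the names Signer, make_opaque, obtain_authorization and tally_accepts are assumptions of this example.

```python
"""Added toy model of the Votescript+ authorization round (section 3.1) and
the Tallier's check on kdV (section 3.2) using Chaum RSA blind signatures.
Keys come from fixed Mersenne primes and the message encoding is
hash-and-reduce: constructed toy parameters, not RSA-FDH or PSS."""
import hashlib
import secrets
from math import gcd

E = 65537
MERSENNE = {61: 2**61 - 1, 89: 2**89 - 1, 107: 2**107 - 1, 127: 2**127 - 1}

class Signer:
    """An AS or IS: signs opaque values and never sees the kdV behind them."""
    def __init__(self, name, p, q):
        self.name, self.n = name, p * q
        self.d = pow(E, -1, (p - 1) * (q - 1))   # needs gcd(E, phi) == 1
        self.seen = []                            # all the signer ever learns

    def blind_sign(self, opaque):                 # ASbsig(OAS(kdV))
        self.seen.append(opaque)
        return pow(opaque, self.d, self.n)

def encode(kdv, n):
    """Map kdV to an integer below n (toy hash-and-reduce, see header)."""
    return int.from_bytes(hashlib.sha256(kdv).digest(), "big") % n

def make_opaque(kdv, signer):
    """SVC side: draw an opacity factor r and blind kdV for one signer."""
    n = signer.n
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return encode(kdv, n) * pow(r, E, n) % n, r   # O_signer(kdV), r

def unblind(opaque_sig, r, n):
    """SVC side: remove the opacity factor to obtain the plain signature."""
    return opaque_sig * pow(r, -1, n) % n

def verify(kdv, sig, signer):
    """Tallier, TIS or auditor: check a signature on the now visible kdV."""
    return pow(sig, E, signer.n) == encode(kdv, signer.n)

def obtain_authorization(kdv, signers):
    """Blind kdV once per signer, collect blind signatures, unblind them."""
    auth = {}
    for s in signers:
        opaque, r = make_opaque(kdv, s)
        auth[s.name] = unblind(s.blind_sign(opaque), r, s.n)
    return auth

def tally_accepts(kdv, auth, signers, used):
    """Count a vote only if kdV carries every required signature and has
    not been presented before (one authorization, one vote)."""
    ok = all(verify(kdv, auth.get(s.name, 0), s) for s in signers)
    if kdv in used or not ok:
        return False
    used.add(kdv)
    return True

def demo():
    """Constructed run: AS plus one IS, one honest vote, one replay."""
    signers = [Signer("AS", MERSENNE[127], MERSENNE[89]),
               Signer("IS1", MERSENNE[107], MERSENNE[61])]
    kdv = secrets.token_bytes(16)             # the voter's kdV (constructed)
    auth = obtain_authorization(kdv, signers)
    used = set()
    first = tally_accepts(kdv, auth, signers, used)
    replay = tally_accepts(kdv, auth, signers, used)
    leaked = any(encode(kdv, s.n) in s.seen for s in signers)
    return first, replay, leaked               # (True, False, False)
```

The `seen` list on each signer records everything it received during authorization; that the plain encoded kdV never appears there is what keeps the kdV published on the Tally Board unlinkable to the identified voter.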

3.3. In the verification network


After the results are released, any voter may, for a limited period, report to a Verification Cabin (VeC) with their SIC and SVC (Figure 6), where they will find two devices for effecting individual verification.

[Figure 6 (diagram omitted): SIC and SVC in their smartcard readers, Verification Cabin (VeC) and Tally Board (TB); steps 1 to 6.]

Figure 6: In the verification phase there is no communication with the Validation Authority.

The system will first verify that the voter is carrying his or her own SVC; to this end, the SIC signs the VT (verification token) presented to it by the SVC, steps (1) and (2). If this verification is successful (it does not require the use of the Validation Authority), the transaction continues with the sending to the Tally Board (3) of the kdV and a session key KST inside a secure envelope between the Verification Cabin and the Tally Board, SETB:

SETB[kdV, KST]

The Tally Board retrieves kdV and locates the vote (4) which has been encrypted with the key, signs the vote and encrypts it with KST to be sent back (5) to the Verification Cabin:

KST[vote, TBs[vote]]

The Verification Cabin sends (6) this piece of information to the Smart Voting Card, which opens the envelope, verifies the signature and sends the vote to the cabin to be displayed to the voter. If the voter does not agree with the vote displayed, he or she can present the SVC (accompanied or not by a trusted expert) to the Election Authority, where, after retrieval of the vote receipt signed by the Ballot Box, it will be determined whether the behavior of the system was accurate or whether error or fraud has occurred. This possibility of verification acts as a deterrent against any attempt by the Ballot Box to destroy votes, while the insertion or modification of votes would be exposed owing to the set of encryption registries and mechanisms proposed.

4. Conclusions and future work

Development of the Votescript+ system once again shows that the security of a telematic voting process must not rely solely upon the honesty and professional skill of the system managers, but mainly on the availability of secure encryption mechanisms and telematic protocols that withstand accidental errors, illicit actions and malicious collusion between the different actors participating in the voting process.

In countries with a tradition of using a national identity document, trust regarding the identity guarantees of voters in conventional paper voting systems depends upon the trustworthiness and reliability of that document. In like manner, in Votescript+, which proposes transferring the vote to cyberspace, assuring the identity of voters is delegated to a system linked to the new SIC (Smart Identity Card), which is gradually being adopted in a number of countries, Spain among them. As time progresses and this assurance becomes ever more robust and deserving of public trust, and the use of the SIC becomes a part of everyday life, this improvement will be inherited by Votescript+. With respect to future work, we would highlight the need to consider multi-ballot-box voting for cases in which the tallies in a single voting process must be performed separately for different groups of voters who are allowed to vote at any voting site.

5. Acknowledgments

The authors of this paper wish to thank the other members of the research group who have participated in previous proposals and developments within the framework of the Votescript Project. We would give our special thanks to Ana Gómez, Sergio Sánchez, José David Carracedo and Jesús Moreno.

6. References

[1] Cranor, Lorrie F.; Cytron, Ronald K.: Design and Implementation of a Practical Security-Conscious Electronic Polling System. WUCS-96-02, Informatic Department of the University of Washington, St. Louis, USA, 1996.
[2] Carracedo Gallardo, J.: Seguridad en Redes Telemáticas. McGraw-Hill, 2004, pp. 495-522 (in Spanish).
[3] Gómez, A.; Pérez, E.; Sánchez, S.; Carracedo, J.; Moreno, J.; Carracedo, J.D.: VOTESCRIPT: telematic voting system designed to enable final count verification. http://www.collecter.org/archives/2005_October/07.pdf (accessed 28.05.2009).
[4] Diffie, W.; Landau, S.E.: Privacy on the Line: The Politics of Wiretapping and Encryption. MIT Press, 2007.
[5] Mercuri, R.: Facts About Voter Verified Paper Ballots. http://www.notablesoftware.com/Papers/VVPBFacts.pdf, 2004 (accessed 28.05.2009).
[6] INFSO-ICT-PSP-224993, Secure idenTity acrOss boRders linKed. http://www.eid-stork.eu/ (accessed 28.05.2009).
[7] Chaum, D.: Blind signatures for untraceable payments. Advances in Cryptology, Crypto '82, Springer-Verlag, Berlin, 1983, pp. 199-203.
