Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.

Presentation transcript:

Votinbox - a voting system based on smart cards
Sébastien Canard - France Télécom
Hervé Sibert - France Télécom

Agenda
- Introduction
- Overview of the system
- Main properties
- Prototype implementation
- Conclusion

Introduction (1)
Off-line vs. on-line vote
- On-line vote = distant vote using a PC or a mobile phone
- Off-line vote (using a voting machine)
French context
- On-line vote assimilated to absentee vote (forbidden in France since 1975)
- Off-line vote: recent deployment; voting "black boxes" are quite usual now
- Use cryptography to secure the system
  - e-Poll, e-Poll2 based on blind signatures
  - e-Poll2 tested during the vote on the EC Constitution

Introduction (2)
A joint work between ST and France Telecom
- France Telecom: cryptographic algorithms and architecture
- ST: smart card technology and knowledge
Objectives
- Develop an e-Voting system based on smart cards
- Put the main cryptographic tools inside the card, so that the voter controls his own privacy
- Prove the feasibility of implementing "complex" algorithms inside smart cards
- Take into account countries' specifics
  - Ballot anonymity revocation (UK)
  - Elections can last several days (Czech Republic)
  - …

Overview of the system (1)
Framework
- Off-line vote in a polling station, using a voting machine
- One voting card is used for several elections
- The attendance is recorded by the smart card
  - There is no handwritten attendance
Design of the smart card
- The smart card is designed to authorize only one vote per election
- The ballot is signed using a list signature scheme
  - each card uses its own secret key, which enables the detection of double votes
  - all cards also share a common private key, used to prove the authenticity of the vote (as for group signatures)

Overview of the system (2) - The actors
Voters
- Register at Registration Centers
- Have their card personalized by the Smart Card Creation Center
System authorities
- The Certification Authority manages the PKI for attendance
- Key Recovery Authorities can help recover the unique list signature secret key of a card
- Key Authorities deliver the shared list signature private key to cards
- The Revocation Authority can retrieve the identity from a ballot (optional)
Vote authorities
- Controllers are in charge of the organization of an election
- Tellers are in charge of the reception and counting of the ballots

Overview of the system (3) - Voter registration [diagram: Request, Certificate]

Overview of the system (4) - Voting phase [diagram]

Overview of the system (5) - Counting phase
Done by Tellers
- Verification of the attendances
- Counting of the votes
- Announcement of the results

Main properties (1) - Cryptographic tools
- Usual PK signature scheme for the attendance
- PK encryption scheme for encrypting the ballot
  - The El Gamal scheme is particularly suitable for dividing the key between several scrutineers
  - Possibility of using a threshold encryption scheme
- List signature scheme
  - Similar to group signature, but allows the direct detection of double votes
  - Simplified version built upon a classical (RSA) signature scheme, a PK encryption scheme and a PRNG
…all these algorithms being implemented inside the smart card!

Main properties (2) - Security
Security with tamper-resistant smart cards
- All and only votes of legitimate voters are taken into account; double votes are detected
- Anonymity is ensured thanks to list signatures and can be revoked
- Hash-based mechanism to prove to a voter that his vote was taken into account
Attacks against tamper resistance
- List signatures can no longer prevent double votes
- Still, no more fraudulent votes than broken cards, if there is no other weakness in the voting chain
Double-vote prevention
- Ensured by three means: list signatures, attendance checking, and the voting history checked inside the card

Main properties (3) - Scalability
Verifiability and fraud detection
- Mechanism inside the card that provides each voter with a hash of his plaintext ballot. After the counting phase, the hash of each deciphered ballot is published.
- Minor anonymity concerns
Inclusion of a mix-net
- To secure the process against vote tracing on the network layer
Possibility of voting from any polling station / remote voting
- Attendance databases must be on-line…
- …if off-line, then all multiple votes should be erased before the counting phase
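The three slides above (cryptographic tools, security, verifiability) describe one chain: the ballot is El Gamal-encrypted under a key divided between several tellers, the list signature makes a second ballot from the same card in the same election detectable, and the card hands the voter a hash of the plaintext ballot that the tellers republish after decryption. The following Python is an added example written for this page, not the Votinbox authors' code or the ST prototype. It models that chain end to end with assumptions that are not on the slides: a toy-sized group (p = 1019) instead of a real El Gamal group, an additive split of the private key so that every teller must contribute a partial decryption, an HMAC-derived per-(card, election) tag standing in for the linkability of the list signature (the signature itself and the shared authenticity key are not modelled), and the off-line rule from the last slide, under which every ballot whose tag repeats is erased rather than one of them kept. A card constructed with `enforce_history=False` represents a card whose tamper resistance has failed, so only the tag check still catches its double vote.

```python
"""Toy model of the Votinbox counting chain (added example, not the authors'
code): El Gamal ballots with the private key split between tellers, a
per-(card, election) tag that exposes double votes, and hash receipts.
Group size, tag construction and the erase-all-duplicates policy are
assumptions explained in the lead-in."""
import hashlib
import hmac
import secrets

# Toy safe prime p = 2q + 1; g = 4 generates the order-q subgroup. Chosen small
# on purpose (assumption); real systems use standardised large groups.
P, Q, G = 1019, 509, 4


def split_private_key(n_tellers):
    """Make an El Gamal key pair and split x additively: x = sum(shares) mod q."""
    x = secrets.randbelow(Q - 1) + 1
    shares = [secrets.randbelow(Q) for _ in range(n_tellers - 1)]
    shares.append((x - sum(shares)) % Q)
    return pow(G, x, P), shares


def encrypt(y, candidate):
    """Encrypt the candidate index c as the group element g^c under public key y."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, candidate, P) * pow(y, r, P)) % P


def partial_decrypt(share, c1):
    """Each teller contributes c1^(x_i); no single teller ever holds x."""
    return pow(c1, share, P)


def combine(partials, c2, n_candidates):
    """Multiply the partials into c1^x, strip it from c2 and recover c from g^c."""
    blind = 1
    for part in partials:
        blind = blind * part % P
    m = c2 * pow(blind, -1, P) % P
    for c in range(1, n_candidates + 1):
        if pow(G, c, P) == m:
            return c
    raise ValueError("ballot does not encode a valid candidate")


def ballot_hash(election_id, candidate):
    """Receipt the card shows the voter; tellers publish it again after counting."""
    return hashlib.sha256(f"{election_id}:{candidate}".encode()).hexdigest()


class VotingCard:
    """Stand-in for the smart card: per-card secret, one vote per election and a
    hash receipt. enforce_history=False models a card whose tamper resistance
    has failed, so only the tag can still expose its double vote."""

    def __init__(self, enforce_history=True):
        self.secret = secrets.token_bytes(32)  # per-card secret (constructed)
        self.history = set()
        self.enforce_history = enforce_history

    def vote(self, election_id, candidate, y):
        if self.enforce_history and election_id in self.history:
            raise PermissionError("this card has already voted in this election")
        self.history.add(election_id)
        # Deterministic in (card secret, election): two ballots from one card in
        # one election share a tag, while other elections get unrelated tags.
        tag = hmac.new(self.secret, election_id.encode(), hashlib.sha256).hexdigest()
        return {"tag": tag, "cipher": encrypt(y, candidate)}, ballot_hash(election_id, candidate)


def tally(election_id, ballots, shares, n_candidates):
    """Teller side: erase every ballot whose tag repeats, decrypt the rest
    jointly, count, and publish the hash of each deciphered ballot."""
    tag_count = {}
    for b in ballots:
        tag_count[b["tag"]] = tag_count.get(b["tag"], 0) + 1
    counts = {c: 0 for c in range(1, n_candidates + 1)}
    published, rejected = [], 0
    for b in ballots:
        if tag_count[b["tag"]] > 1:
            rejected += 1
            continue
        c1, c2 = b["cipher"]
        candidate = combine([partial_decrypt(s, c1) for s in shares], c2, n_candidates)
        counts[candidate] += 1
        published.append(ballot_hash(election_id, candidate))
    return counts, sorted(published), rejected


def verify_receipt(receipt, published):
    """Voter-side check: does the hash the card gave me appear in the published list?"""
    return receipt in published


if __name__ == "__main__":
    y, shares = split_private_key(3)
    cards = [VotingCard() for _ in range(3)]
    ballots, receipts = zip(*(c.vote("E1", ch, y) for c, ch in zip(cards, [1, 2, 1])))
    counts, published, rejected = tally("E1", list(ballots), shares, 2)
    print(counts, rejected, all(verify_receipt(r, published) for r in receipts))
```

Two properties of the slides are visible in the run: a lone teller's partial decryption is useless on its own, since `combine` only recovers the candidate once every share has contributed, and the receipt mechanism leaks nothing beyond the count because ballots for the same candidate in the same election hash identically, which is the "minor anonymity concern" the slide mentions.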

Prototype implementation
ST smart card ST19WR66
- 8-bit CPU with 224 KB ROM, 6 KB RAM and 66 KB EEPROM
- ICAO 66 O.S., RSA and 3DES base cryptographic schemes
- France Telecom algorithms on board
Voting phases
- Java application
- Certification by Certatoo PKI (France Telecom)
Performance
- Ballot creation procedure: 900 ms
- Attendance creation procedure: 800 ms
- Counting phase: < 1 minute for 1000 ballots (Xeon 2.4 GHz, 1 GB RAM)

Conclusion
Smart cards are the cryptographic heart of the system
- No distant authority, unlike in the case of blind signatures
- The security of the system remains in the voters' hands
- Stimulates the confidence of voters in the system
Improvements to come
- Components and system testing (formal methods, attacks against cards)
- Integration of a more complex list signature scheme inside the card
  - No longer will there be a private key shared by several cards
  - Will provide at least the same security as other, blind signature-based schemes, with improved confidence from the voters

Thank you for your attention