InetVote: Vote (1): Prove Who You Are

James F. Carter, UCLA-Mathnet, 2004-10-10

Online voting is done in these steps:

  1. Prove who you are. You send to the Registrar of Voters your registration certificate, signed with your secret key. The Registrar issues you a ballot ticket (in a script), which is sent back. The Registrar promises not to remember who the ticket was issued to (except for disputed registrations), so the ballot can be secret.
  2. Execute the script, creating a second secret key and Certificate Signing Request, which is appended to the Ballot Ticket.
  3. The Election Board provides the ballot form. Make your choices. Include the above file, containing the Ballot Ticket and the new Certificate Signing Request, with your ballot. The Election Board records your votes and sends back to you a copy of the ballot, plus a signed Ballot Certificate and the Ballot Ticket, all signed by the Election Board. Thus, in case of election fraud you can prove that you cast that particular ballot. Your voting is now complete.

Prove Who You Are

Locate your voting-related files, specifically your voter registration certificate and key, called register.usr and register.key unless you renamed the files. Remember the passphrase for the secret key. When you have these items all ready, make a signature for the registration certificate by following the instructions for your operating system. (You may vary the instructions, e.g. use different directories or a full path name, but the form given is the easiest for beginners to follow.)

UNIX, including MacOS-X and Linux
Use (or start) a shell session (console window). Change to the directory for your voting-related files, and then run the file signing script. If you've renamed the registration certificate or key, use the actual names of those files. The signature will be written in sign-register.usr (or the name of the certificate with sign- prepended).
    cd "$HOME/votefiles"
    /bin/sh signfile.sh register.key register.usr
Microsoft® Windows®
Same as above except you're using a Cygwin shell.

Send your Registration Certificate and the signature to the Registrar of Voters by using the form below. You will receive in return a script that makes a new secret key and Certificate Signing Request. Save this script to a file on disc (suggested name is vote.sh), with your other voting-related files.

In this form use the two choose buttons to find and select your Registration Certificate, typically called register.usr, and its signature, called sign-register.usr. On Microsoft® Windows® (Microsoft Internet Explorer web browser) you can open the file finder and then drag and drop the file's icon from the folder display into the file finder. Try it on competitor web browsers also; it's likely to work.

Remember to select whether you want a sample ballot, for testing if you can do the procedure, or a real one.

Submit Signed Registration Certificate

  Registration Certificate: select file (the certificate is typically called register.usr)
  Signature File: select file (the signature is typically called sign-register.usr)
  Ballot Type: Sample / Test, or Vote for Real
  Button: Get Ballot Ticket

Next Step

Save the Ballot Ticket script to a file on disc (suggested name: vote.sh). Then proceed to execute the script in Step 2.

How to Cheat

There are two opportunities here for voters to cheat. First, if you have registered fraudulently, the payoff comes here when you get the Registrar of Voters to issue you a Ballot Ticket to which you are not entitled. Second, if you have stolen someone's voting-related files and cracked the passphrase on his secret key, here is where you get value from the exploit.

The Registrar of Voters also has a major cheating opportunity at this point. The Registrar promises to forget who the Ballot Ticket was issued to. But suppose some corrupt computer programmer breached trust and recorded the information in a hidden table. After the election anyone can download the ballots and count them. The corrupt programmer could deliver the table to his criminal employer, and if, for example, your vote had been bought (possibly by more than one candidate) but you did not vote as promised, an enforcer could visit you and discuss the error of your ways.

It is much harder to match up the ballot with the voter in a manual system, which is an advantage in corruption resistance. If provisional ballots are accepted, they are signed by the voter whose registration is disputed and are kept separate, much like what InetVote does.

In this issue there are several competing values:

Keep the ballot secret

The Election Board could record with the ballot, not the Ballot Ticket number but its own unique key. Of course they could also secretly record the map from Ballot Tickets to unique IDs, but to make the exploit work, both the Election Board and the Registrar of Voters would have to be in collusion with the same criminal enterprise, not unbelievable but considerably harder than corrupting just one agency.

Remove ineligible ballots

As InetVote is presently designed, if your registration is disputed before the election, your Ballot Ticket number will be recorded, and if you are later found to be wrongly registered, your ballot can be found and removed. But this requires the actual Ballot Ticket to be kept with the votes, so they can later be found.

Audit ballot

To keep the Election Board honest, there is a feature where the voter can specify his Ballot Ticket number and receive a copy of his ballot before the polls close. But this could also be made to work with a random ballot identifier.
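
The trade-off among these three values can be seen in a small model, added here as an illustration and not part of InetVote's own code: the Election Board publishes ballots under a random ballot ID and keeps the ticket-to-ID map private. The class, the function names and the sample voters are hypothetical.

```python
import secrets

# Hypothetical model, not InetVote code; names and sample data are constructed.
class ElectionBoard:
    def __init__(self):
        self.public_ballots = {}   # ballot_id -> choices (downloadable by anyone)
        self._ticket_to_id = {}    # ticket -> ballot_id (private to the Board)

    def cast(self, ticket, choices):
        if ticket in self._ticket_to_id:
            raise ValueError("ballot ticket already used")
        ballot_id = secrets.token_hex(16)  # unrelated to the ticket number
        self._ticket_to_id[ticket] = ballot_id
        self.public_ballots[ballot_id] = choices
        return ballot_id  # handed back to the voter for later audit

    def audit(self, ballot_id):
        """Voter checks the recorded ballot using only the random ID."""
        return self.public_ballots.get(ballot_id)

    def remove_disputed(self, disputed_tickets):
        """Removing ineligible ballots needs the private ticket map."""
        ids = [self._ticket_to_id[t] for t in disputed_tickets if t in self._ticket_to_id]
        return sum(self.public_ballots.pop(i, None) is not None for i in ids)


def link_voters(registrar_table, ballots, ticket_map=None):
    """Join a leaked Registrar table (voter -> ticket) against ballot records.
    Without the Board's private map, the tickets match no published key."""
    linked = {}
    for voter, ticket in registrar_table.items():
        key = ticket_map.get(ticket) if ticket_map is not None else ticket
        if key in ballots:
            linked[voter] = ballots[key]
    return linked


def demo():
    board = ElectionBoard()
    # Constructed sample data: two voters and the tickets issued to them.
    registrar_table = {"alice": secrets.token_hex(16), "bob": secrets.token_hex(16)}
    ids = {v: board.cast(t, c) for (v, t), c in
           zip(registrar_table.items(), ["measure A: yes", "measure A: no"])}
    one_agency = link_voters(registrar_table, board.public_ballots)
    collusion = link_voters(registrar_table, board.public_ballots, board._ticket_to_id)
    audited = board.audit(ids["alice"])
    removed = board.remove_disputed([registrar_table["bob"]])
    return one_agency, collusion, audited, removed, len(board.public_ballots)
```

A Registrar table on its own links no voter to a vote, while the same table joined with the Board's private map links every one; that private map is also exactly what removal of a disputed ballot depends on.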