InetVote: Design

James F. Carter, UCLA-Mathnet, 2004-10-10

Objectives

  1. The special feature of InetVote is that the whole voting process is conducted on the Internet, while still accomplishing the objectives that follow. All transactions shall be immune to interception, either by encryption (SSL/TLS), or because the content is public record. Each data structure handled by the voter shall be so formatted that at any step in the process it could be printed out and audited in detail, then scanned into a different computer for the next step.
  2. Each participant shall cast only the authorized number of votes, generally one vote for each office or proposition.
  3. Each participant shall vote in his proper jurisdiction, and not in any other. In voter registration, the election officials of that jurisdiction acknowledge that the voter has the right to vote there. InetVote is not responsible for coordinating between jurisdictions so that a voter who appears qualified in multiple jurisdictions may vote in only one of them.
  4. Assuming the rules are followed, only the voter, not election officials nor hostile powers, may know both his own identity and who he voted for. In other words, this is a secret ballot (mostly).
  5. The list of registered voters is public record, and members of the public may allege that particular voters are registered invalidly. Investigating such claims is not the responsibility of InetVote. If a voter is fully disqualified before he votes, he will not be able to cast a ballot. If, at the time of the election, a voter's registration is in dispute, InetVote shall accept his ballot, but if eventually he is disqualified, the ballot shall be found and removed. This requires that disputed ballots not be secret, so they can be matched up with the disqualified voters, but according to the rules, only election officials would be able to match up the ballot with the voter. After the election it is useless to allege that someone was registered invalidly since his ballot cannot be removed.
  6. Before, during or after the election, each voter who has cast a ballot can verify that his ballot is among those to be counted, and anyone can download a list of who the registered voters are, and which of them cast ballots. After the election, anyone can download and count all the ballots. Thus, the number of voters and the number of ballots can be seen to be equal, and if everyone checked his ballot, fraudulent alteration of ballots would be apparent immediately.

Administrative Organization

The election officials are divided into two separate organizations: the Registrar of Voters and the Election Board. The Registrar of Voters is responsible for certifying who is allowed to vote. He has his own X.509 key pair, which is semi-permanent. The Election Board is responsible for handling and publishing the ballots. It also has an X.509 key pair, which is different for each election.

The Registrar of Voters issues Ballot Tickets to known voters, which prove to the Election Board that the voter is qualified to vote. The Ballot Ticket is kept with the ballot. Voters need to trust that the Registrar of Voters will not keep a record of which Ballot Ticket was issued to which voter (except in special cases), so that the ballot can be secret.

Data Structures, Tables and Processes

Voter Registration Certificate

When the voter registers, he creates a key pair and uses it to produce a Certificate Signing Request (CSR), which contains the public key from the pair. If the Registrar of Voters is satisfied with the prospective voter's credentials, he signs the CSR, producing an X.509 certificate. The Registrar keeps one copy and returns another to the voter. For the best resistance to election fraud the voter should generate the key pair himself, so that nobody else ever holds the private key; however, it is a fact of life that some voters will need help generating it. In that case the Registrar of Voters promises to retain only the certificate, not the private key.

Voter Registration Table

This is the list of registered voters. It needs these fields; those marked with (*) can be seen at any time by the general public.

Field            Description
Name (*)         Full name of the voter.
Name Credential  Evidence given by the voter that he has the right to use that name.
Address (*)      It is traditional to list the voter's point of physical presence.
Credential       Evidence given by the voter that he meets the qualifications for voting: typically, evidence of owning or renting residential property within the jurisdiction, or of service by a residential-type business such as the phone company. Since voters will often offer several credentials, this information would need its own table.
E-mail Address   In case of a dispute, the Registrar of Voters will notify the voter by physical mail at the alleged residence address, and by e-mail if that address is provided.
Status (*)       Indicates whether the person has voted.
Disputed (*)     Boolean, true if the validity of the registration is being disputed.
Ballot_Ticket    Only for non-secret ballots, the Ballot Ticket (see below) is saved here. The ballot is non-secret if the person's registration is disputed and not resolved by election day.
Certificate      The Voter Registration Certificate.

Ballot Ticket

The Ballot Ticket is eventually appended to the ballot and uniquely identifies it. Its major field is a random but unique number (encoded as text); in addition, most jurisdictions will want another field indicating the election precinct to which the voter belongs, so the ballots can be grouped by precinct. (That feature is not included in this demo.)

On election day, the voter asserts his identity to the Registrar of Voters by presenting his X.509 Registration Certificate and a signature made with his private key (the signed data should include something fresh chosen by the Registrar, so that an intercepted signature cannot be replayed to obtain a second ticket). If the unique identifier from the certificate is in the Registration Table and the voter's Status does not already show him as having voted, the Registrar marks him as voted and sends back a Ballot Ticket, which is another X.509 certificate carrying a separate unique identifier. The Election Board trusts this certificate and accepts a ballot to which it is attached.

Only for non-secret ballots, the Ballot Ticket identifier is recorded in the Voter Registration Table, so if a disputed registration later goes against the voter the ballot can be found and removed; otherwise, the Registrar promises to forget the relation between the voter and the Ballot Ticket.

The Ballot

To vote, the voter creates a fresh key pair and a Certificate Signing Request (with a common name of "Anonymous Voter, Secret Ballot", so that the request itself identifies nobody). He fills out the ballot and attaches the Signing Request and his Ballot Ticket. If the Ballot Ticket is valid, the Election Board signs the request and sends back the resulting certificate, concatenated with the Ballot Ticket certificate and a copy of the ballot itself, the whole signed with the Election Board's private key.

The Election Board's software checks the ballot for obvious or possible errors and brings them to the voter's attention. An invalid ballot (e.g. voting for two candidates for the same office) will not be accepted until the voter fixes it.

The voter is advised to save the signed ballot in case of election fraud. By the Election Board's signature he can prove that the ballot was cast, even if it disappears from the official file and the Election Board tries to repudiate it; and because he holds the private key matching the ballot's certificate, he can prove that he held the Ballot Ticket and cast that ballot, disproving any allegation that he is trying to disqualify or otherwise influence someone else's ballot.

The ballot consists of these parts:

The Votes
One line (ending in a newline) per office or proposition, with four fields separated by semicolons; leading and trailing whitespace in a field is ignored. The fields are the office ID code, the code for the vote, the text description of the office, and the choice text. The choice text may be filled in arbitrarily for a write-in candidate. The Election Board's software is picky about consistency between the codes and the text descriptions, so the texts can be used for counting the ballots, which handles write-ins automatically. Example:
15; E; President of the United States; Frodo Baggins
74; Y; Shall InetVote be used exclusively in this state?; Yes
Ballot Ticket
This was obtained from the Registrar of Voters in the previous step.
Date
When the ballot was cast.
Voter's Certificate
Since only the Ballot Ticket, not the voter's identity, was known when the Election Board signed this certificate, it cannot be matched with a particular voter until he voluntarily breaks secrecy to defend his ballot against election fraud, proving with his private key that he and not someone else cast it.
Signature
The Election Board signs the ballot with its private key, certifying that this ballot was cast with all the above data together. Anyone can use the Election Board's public key to verify that this ballot was validly cast, whether or not it is in the official file of ballots.
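
The checks the Election Board's software makes on the Votes section, and the count-by-text tally that follows from them, as an added example in Python (not the InetVote project's own code). The catalogue of offices and vote codes is constructed for illustration, and the write-in code "W" is an assumption, since the page fixes no code for write-ins:

```python
"""Parser, validator and tally for the Votes section of an InetVote ballot.

Added example, not the InetVote project's own code.  The catalogue of
offices and choice codes below is constructed for illustration, and the
write-in code "W" is an assumption (the page fixes no code for write-ins).
"""
from collections import Counter, defaultdict

# Constructed catalogue (assumption): office ID -> (office text, {vote code: choice text}).
CATALOGUE = {
    "15": ("President of the United States",
           {"E": "Frodo Baggins", "F": "Samwise Gamgee"}),
    "74": ("Shall InetVote be used exclusively in this state?",
           {"Y": "Yes", "N": "No"}),
}
WRITE_IN_CODE = "W"  # assumption: vote code marking a write-in choice

# Constructed sample ballots.
VALID_BALLOT = (
    "15; E; President of the United States; Frodo Baggins\n"
    "74; Y; Shall InetVote be used exclusively in this state?; Yes\n"
)
WRITE_IN_BALLOT = (
    "15; W; President of the United States; Tom Bombadil\n"
    "74; N; Shall InetVote be used exclusively in this state?; No\n"
)
OVERVOTE_BALLOT = VALID_BALLOT + "15; F; President of the United States; Samwise Gamgee\n"
MISMATCH_BALLOT = "15; E; President of the United States; Samwise Gamgee\n"


class BallotError(ValueError):
    """Raised when a ballot cannot be counted."""


def parse_votes(text):
    """Split the Votes section into (office_id, code, office_text, choice) tuples.

    Whitespace around each field is ignored and blank lines are skipped.  A
    line with the wrong number of fields (including a choice text that itself
    contains a semicolon) is a format error.
    """
    votes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split(";")]
        if len(fields) != 4:
            raise BallotError(f"line {lineno}: expected 4 fields, found {len(fields)}")
        votes.append(tuple(fields))
    return votes


def ballot_errors(votes):
    """Return every problem the Election Board should show the voter (empty list = valid)."""
    errors = []
    per_office = Counter(v[0] for v in votes)
    for office_id, code, office_text, choice in votes:
        if office_id not in CATALOGUE:
            errors.append(f"unknown office ID {office_id}")
            continue
        expected_text, choices = CATALOGUE[office_id]
        if office_text != expected_text:
            errors.append(f"office {office_id}: text {office_text!r} does not match catalogue")
        if code == WRITE_IN_CODE:
            if not choice:
                errors.append(f"office {office_id}: write-in with empty name")
        elif code not in choices:
            errors.append(f"office {office_id}: unknown vote code {code}")
        elif choices[code] != choice:
            errors.append(f"office {office_id}: code {code} means {choices[code]!r}, not {choice!r}")
    for office_id, n in per_office.items():
        if n > 1:
            errors.append(f"office {office_id}: {n} votes cast, only one allowed")
    return errors


def tally(ballot_texts):
    """Count accepted ballots by office text and choice text.

    Counting by text means a write-in needs no catalogue entry: it is tallied
    under whatever name the voter wrote.  A ballot with errors aborts the
    count, because the Election Board should never have accepted it.
    """
    counts = defaultdict(Counter)
    for text in ballot_texts:
        votes = parse_votes(text)
        errors = ballot_errors(votes)
        if errors:
            raise BallotError("; ".join(errors))
        for _office_id, _code, office_text, choice in votes:
            counts[office_text][choice] += 1
    return counts


if __name__ == "__main__":
    print(ballot_errors(parse_votes(OVERVOTE_BALLOT)))
    for office, choices in tally([VALID_BALLOT, WRITE_IN_BALLOT]).items():
        print(office, dict(choices))
```

Checking the code against the text in both directions (the code must exist for that office and its catalogue text must equal the choice text) is what makes counting by text safe: a ballot that says "E" but names a different candidate is rejected before it can be counted either way.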

At any time, anyone may view any ballot by specifying its Ballot Ticket. This access is only productive for the voter himself, to verify that his ballot was not altered fraudulently. After the election, anyone may download all the ballots. Ideally there would be exactly as many ballots as voters who were issued Ballot Tickets. However, a few voters may accidentally destroy their keys with no backup, or may break off and not complete the voting process due to some personal emergency. Thus the count of issued Ballot Tickets should exactly equal the number of voters tagged as having voted, the count of ballots may fall slightly short of it, and any ballot whose Ballot Ticket was never issued, or any Ticket appearing on two ballots, is evidence of fraud.
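
The reconciliation an auditor would run over the published data, plus the removal of a disputed voter's ballot described under the Ballot Ticket, as an added example in Python (not the InetVote project's own code). The Registration Table rows, the set of issued tickets and the ballot file are all constructed; their layout follows the fields listed above, but the exact representation is an assumption:

```python
"""Post-election reconciliation for InetVote.

Added example, not the InetVote project's own code.  It checks the public
counts described under Objectives and removes the ballot of a disputed
voter whose registration was finally rejected.  All rows below are
constructed; their layout follows the Voter Registration Table, but the
exact representation is an assumption.
"""
import secrets
from collections import Counter


def new_ballot_ticket():
    """Random, unique Ballot Ticket identifier encoded as text (128 bits of entropy)."""
    return secrets.token_hex(16)


# Constructed Registration Table.  The Ballot Ticket is recorded only for a
# disputed (non-secret) registration; for everyone else the Registrar forgets it.
REGISTRATION = {
    "Alice": {"status": "voted",      "disputed": False, "ballot_ticket": None},
    "Bob":   {"status": "voted",      "disputed": True,  "ballot_ticket": "t-bob"},
    "Carol": {"status": "registered", "disputed": False, "ballot_ticket": None},
    "Dave":  {"status": "voted",      "disputed": False, "ballot_ticket": None},
}
# The Registrar publishes only the set of issued tickets, never who got which one.
ISSUED_TICKETS = {"t-alice", "t-bob", "t-dave"}
# The Election Board's file: (Ballot Ticket, Votes text).  Dave was issued a
# ticket but never completed his ballot, so the file is one short.
BALLOTS = [
    ("t-alice", "15; E; President of the United States; Frodo Baggins\n"),
    ("t-bob",   "15; F; President of the United States; Samwise Gamgee\n"),
]


def reconcile(registration, issued, ballots):
    """Return the discrepancies an auditor should raise; an empty list means the counts agree.

    Invariants checked: issued tickets == voters marked as voted; no more
    ballots than issued tickets; every ballot carries an issued ticket; no
    ticket appears on two ballots; a ticket is recorded for every disputed
    voter who voted and for nobody else.
    """
    problems = []
    voted = sum(1 for row in registration.values() if row["status"] == "voted")
    if voted != len(issued):
        problems.append(f"{voted} voters marked as voted but {len(issued)} tickets issued")
    if len(ballots) > len(issued):
        problems.append(f"{len(ballots)} ballots exceed {len(issued)} issued tickets")
    for ticket, _votes in ballots:
        if ticket not in issued:
            problems.append(f"ballot carries unissued ticket {ticket}")
    for ticket, n in Counter(t for t, _ in ballots).items():
        if n > 1:
            problems.append(f"ticket {ticket} appears on {n} ballots")
    for name, row in registration.items():
        if row["disputed"] and row["status"] == "voted" and row["ballot_ticket"] is None:
            problems.append(f"disputed voter {name} voted but no ticket was recorded")
        if not row["disputed"] and row["ballot_ticket"] is not None:
            problems.append(f"ticket recorded for undisputed voter {name}: secrecy violated")
    return problems


def remove_disqualified(registration, ballots, name):
    """Return the ballot file without the ballot of a disputed voter who is now disqualified.

    This only works for a non-secret ballot, i.e. when the Registrar kept the
    ticket; for anyone else the ballot cannot be located, as the design
    intends.  The caller updates the voter's Status separately.
    """
    row = registration[name]
    if not row["disputed"] or row["ballot_ticket"] is None:
        raise ValueError(f"{name}: ballot is secret and cannot be located")
    return [(t, v) for t, v in ballots if t != row["ballot_ticket"]]


if __name__ == "__main__":
    print("discrepancies:", reconcile(REGISTRATION, ISSUED_TICKETS, BALLOTS))
    print("after removing Bob:", remove_disqualified(REGISTRATION, BALLOTS, "Bob"))
```

Note that the reconciliation needs nothing that is not public: the Status flags and the Disputed flags are visible to everyone, the ticket set can be published as a bare list, and the ballot file is downloadable after the election, so a member of the public can run the same checks the officials do.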

Procedural Notes

Command line to create a self-signed certificate, here for the Election Board. (The -nodes option leaves eboard.key unencrypted on disk, acceptable for a demo but not for a real election; and -days 3700 is far longer than a key pair that is replaced every election needs.)

openssl req -new -newkey rsa:2048 -sha256 -x509 -days 3700 \
    -out eboard.crt -keyout eboard.key -nodes 

Sample responses for the subject of the above key:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Sasquatch County
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Election Board
Organizational Unit Name (eg, section) []:Election of 2004-11-02
Common Name (eg, YOUR name) []:James F. Carter, Chairman of the Election Board
Email Address []:helpdesk@eboard.sasquatch.ca.us