WO2001022200A2 - Electronic voting scheme employing permanent ballot storage - Google Patents

Electronic voting scheme employing permanent ballot storage

Info

Publication number
WO2001022200A2
Authority
WO
WIPO (PCT)
Prior art keywords
computer
ballots
electronic ballots
electronic
data storage
Application number
PCT/US2000/007986
Other languages
French (fr)
Other versions
WO2001022200A9 (en
Inventor
Richard L. Green
Jim Adler
Original Assignee
Votehere, Inc.
Application filed by Votehere, Inc.
Priority to AU39226/00A
Publication of WO2001022200A2
Publication of WO2001022200A9

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/64: Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/645: Protecting data integrity, e.g. using checksums, certificates or signatures using a third party
    • G: PHYSICS
    • G07: CHECKING-DEVICES
    • G07C: TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C13/00: Voting apparatus
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/46: Secure multiparty computation, e.g. millionaire problem
    • H04L2209/463: Electronic voting
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56: Financial cryptography, e.g. electronic payment or e-cash

Definitions

  • the following relates generally to electronic voting schemes.
  • the Internet is increasingly being used to conduct a variety of activities, including research, communication or document exchange, and "electronic commerce," in part, because it facilitates electronic communications with large databases, between individuals, and between vendors and purchasers.
  • the Internet comprises a vast number of computers and computer networks interconnected through communication channels. One individual can use a personal computer to connect via the Internet to another's computer.
  • the acceptance and wide-spread use of electronic commerce depends, in large part, upon the ease-of-use of conducting such electronic commerce or other activities. For example, if electronic commerce can be easily conducted, then even the novice computer user will choose to engage in such activities. Therefore, it is important that techniques be developed to facilitate conducting such activities electronically.
  • the Internet facilitates conducting activities electronically, in part, because it uses standardized techniques for exchanging information. Many standards have been established for exchanging information over the Internet, such as electronic mail, Gopher, and the World Wide Web (“WWW”).
  • the WWW service allows a server computer system (i.e., web server or web site) to send graphical web pages of information to a remote client computer system. The remote client computer system can then display the web pages.
  • Each resource (e.g., computer or web page) of the WWW is uniquely identifiable by a Uniform Resource Locator ("URL").
  • a client computer system specifies the URL for that web page in a request (e.g., a HyperText Transfer Protocol ("HTTP”) request).
  • the request is forwarded to the web server that supports that web page.
  • When that web server receives the request, it sends the requested web page to the client computer system.
  • When the client computer system receives that web page, it typically displays the web page using a browser.
  • a browser is typically a special-purpose application program for requesting and displaying web pages.
  • HTML HyperText Markup Language
  • HTML provides a standard set of tags that defines how a web page is to be displayed.
  • the browser sends the request to the server computer system to transfer to the client computer system an HTML document that defines the web page.
  • the browser displays the web page as defined by the HTML document.
  • the HTML document contains various tags that control the display of text, graphics, controls, and other features.
  • the HTML document may contain URLs of other web pages available on that server computer system or on other server computer systems.
  • the World Wide Web portion of the Internet is especially conducive to conducting electronic commerce, and a host of other activities that individuals have previously performed manually or over the phone.
  • One activity that has been difficult to transfer to the Internet or World Wide Web has been voting.
  • An electronic voting scheme must ensure the privacy of each voter, as well as provide strict audit trails so that election officials or independent observers can verify no fraud has occurred.
  • Ballot types must range from simple yes/no initiatives to complex multi-way candidate races allowing for the possibility of write-in candidates.
  • the ballots must be tamper free, and must be sufficiently non-transitory, so that months after an election, the ballots and results can be reviewed by some independent authority. To date, the inventors are unaware of any system that fulfills these requirements.
  • Figure 1 is a block diagram illustrating an environment for use with an embodiment of the invention.
  • Figure 2 is a block diagram illustrating one embodiment for permanently storing electronic ballots for use with the environment of Figure 1.
  • Figure 3 is a flow diagram showing steps performed by the embodiment of Figure 2.
  • Figure 4 is a block diagram illustrating an alternative embodiment for permanently storing electronic ballots for use with the environment of Figure 1.
  • ballots are permanently stored using a Write-Once, Read-Many (WORM) drive.
  • the electronic ballot box is formed as one or more web pages in an electronic "bulletin board” or voting website hosted by one or more web servers.
  • Alternative embodiments employ other permanent data storage devices, as explained below.
  • FIG. 1 and the following discussion provide a brief, general description of a suitable computing environment in which aspects of the invention can be implemented.
  • embodiments of the invention will be described in the general context of computer-executable instructions, such as routines executed by a general-purpose computer, such as a personal computer or web server.
  • aspects of the invention can be practiced with other computer system configurations, including Internet appliances, hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, network PCs, mini computers, cell phones, mainframe computers, and the like.
  • aspects of the invention can be embodied in a special purpose computer or data processor that is specifically programmed, configured or constructed to perform one or more of the computer-executable instructions explained herein.
  • the invention can also be practiced in distributed computing environments where tasks or modules are performed by remote processing devices, which are linked through a communications network, such as a Local Area Network (LAN), Wide Area Network (WAN), and the Internet.
  • program modules or sub-routines may be located in both local and remote memory storage devices.
  • the construction and operation of the various blocks shown in Figures 1 and 2 are of conventional design. As a result, such blocks need not be described in further detail herein, as they will be readily understood by those skilled in the relevant art.
  • a suitable environment of system 100 includes one or more voter or client computers 102, each of which includes a browser program module 104 that permits the computer to access and exchange data with the Internet, including web sites within the World Wide Web portion 106 of the Internet.
  • the voter computers 102 may include one or more central processing units or other logic processing circuitry, memory, input devices (e.g., keyboards and pointing devices), output devices (e.g., display devices and printers), and storage devices (e.g., fixed, floppy, and optical disk drives), all well known but not shown in Figure 1.
  • the voter computers 102 may also include other program modules, such as an operating system, one or more application programs (e.g., word processing or spread sheet applications), and the like.
  • there are N number of voter computers 102 representing voters 1, 2, 3 . . . N.
  • a server computer system 108 coupled to the Internet or World Wide Web ("Web") 106, performs much or all of the ballot collection, storing and other processes.
  • a database 110 coupled to the server computer 108, stores much of the web pages and data (including ballots) exchanged between the voter computers 102, one or more voting poll computers 112 and the server computer 108.
  • the server computer system 108 including the database 110, may employ security measures to inhibit malicious attacks on the system and to preserve the integrity of the ballots and other data stored therein.
  • the voting poll computer 112 is a personal computer, server computer, mini-computer, or the like, positioned at a public voting location to permit members of the public, or voters who may not have ready access to computers coupled to the Internet 106, to electronically vote under the system described herein.
  • the voter computers 102 may be positioned at individual voter's homes, where one or more voting poll computers 112 are located publicly or otherwise accessible to voters in a public election.
  • the voting poll computer 112 may include a local area network (LAN) having one server computer and several client computers or voter terminals coupled thereto via the LAN to thereby permit several voters to vote simultaneously or in parallel.
  • the system 100 may be used.
  • the voter computers 102 may be laptops or desktop computers of shareholders, and the voting poll computer 112 can be one or more computers positioned within the company (e.g., in the lobby) of the company performing the election. Thus, shareholders may visit the company to access the voting poll computer 112 to cast their votes.
  • One or more optional authority or organization computers 114 may also be coupled to the server computer system 108 via the Internet 106. The authority computers 114, in certain electronic voting schemes, each hold a key necessary to decrypt the tally of electronic ballots stored in the database 110.
  • Threshold cryptographic systems require that a subset t of the total number of authorities n (i.e., t < n) agree to decrypt the ballots, to thereby avoid the requirement that all authorities are needed for ballot decryption.
  • the authority computers 114 may provide decryption shares based on their keys to the server computer system 108 after the voting period ends so that the server computer system may decrypt the tally results.
  • the server computer 108 includes a server engine 120, a web page management component 122, a database management component 124, as well as other components shown more clearly in Figure 2.
  • the server engine 120, in addition to standard functionality, performs one or more electronic voting protocols, such as the protocols described in U.S. Patent Application No.
  • the server engine 120 performs all necessary ballot transmission to authorized voters, ballot collection, verifying ballots (e.g., checking digital signatures and passing verification of included proofs of validity in ballots), vote aggregation, ballot decryption and/or vote tabulation.
  • the web page component 122 handles creation and display or routing of web pages such as an electronic ballot box web page, as described below. Voters and users may access the server computer 108 by means of a URL associated therewith, such as http://www.votehere.net, or a URL associated with the election, such as a URL for a municipality.
  • the municipality may host or operate the server computer system 108 directly, or automatically forward such received electronic ballots to a third party vote authorizer who may operate the server computer system.
  • the URL or any link or address noted herein, can be any resource locator.
  • the web page management process 122 and server computer 108 may have secure sections or pages that may only be accessed by authorized people, such as authorized voters or system administrators.
  • the server computer 108 may employ a secure socket layer ("SSL") and tokens or cookies to authenticate such users. Indeed, for small elections, or those where the probability of fraud is low (or results of fraud are relatively inconsequential), the system 100 may employ such simple network security measures for gathering and storing votes as explained below, rather than employing complex electronic encrypted ballots, as described in the above-noted patent application.
  • Methods of authenticating users (such as through the use of passwords), establishing secure transmission connections, and providing secure servers and web pages are known to those skilled in the relevant art.
  • the server computer system 108 includes a router 202 coupled between the Internet 106 and a firewall 204.
  • the router 202 acts as an interface between the Internet 106 and the server computer system 108.
  • the router 202 receives incoming electronic ballots or votes produced by the voter computers 102 or voting poll computer 112, and routes them through the firewall 204 to a web-load balancing system 206.
  • the firewall 204 protects the server computer system 108 from attacks or security breaches directed at the system from the Internet 106.
  • Any of various known firewall systems may be employed, such as those employing screened subnet architecture (e.g., packet filtering), and multi-homed host architecture (e.g., application gateway or dedicated proxy methods), although any of the many known firewall architectures may be employed.
  • the web-load balancing system 206 balances load on several web server computers 208 (three of which are shown in Figure 2). Load balancing is a technique well known in the art for distributing the processing load between two or more computers, to thereby more efficiently process instructions and route data. In the present context, the web-load balancing system 206 helps distribute received electronic ballots evenly between the web servers 208, which can be particularly important at peak traffic times.
  • each of the web servers 208 includes internally, or has coupled thereto, write-once, read-many (WORM) drives 210.
  • the WORM drives 210 permanently store received electronic ballots.
  • the web load balancing device 206 may directly route received ballots to the WORM drives 210 (as opposed to having such ballots first being directed to the web servers 208).
  • the web-load balancing system 206 acts as an interface to the WORM drives 210 to provide load balancing for such drives so that all electronic ballots are permanently stored on the WORM drives in an efficient manner, particularly during times of peak traffic, and to overcome relatively slow write times (as compared to, for example, random access memory (RAM) write times).
  • Each of the web servers 208 executes a software enabled application programming interface (API) running as a service thereon to enable writing of the electronic ballots onto the associated WORM drive 210.
  • APIs for interfacing an application program, such as the ballot collection and vote tallying process noted above, with the writing of received ballots to the WORM drives 210 are similar to conventional APIs that permit application programs to write data to WORM drives or other similar drives.
  • web servers 208 and WORM drives 210 are employed for not only efficient load balancing of received web traffic and/or electronic ballots, but also for redundancy and fault tolerance reasons. Indeed, while only a single router 202, firewall 204 and web-load balancing system 206 are shown in Figure 2, the server computer system 108 may employ two or more such devices/systems to further improve fault tolerance for the system. To further improve processing efficiency, the web servers 208 may employ cryptographic accelerator cards or math coprocessors (not shown) to expedite cryptographic functions when the server computer system 108 executes cryptographically complex electronic elections. Likewise, the voting poll computer 112 and/or voter computers 102 can employ such cryptographic accelerator cards or math coprocessors for similar reasons.
  • Any of several known WORM drives may be employed, such as Model No. CMO R540 MO, by Sony Corporation, Model No. HP5200ex SureStore, by Hewlett Packard, and Model No. T6-5200, by Maxoptix. These drives typically employ a 5.2 inch (13.2 centimeter) diameter, optical disk or cartridge, enhanced polycarbonate-type continuous composite WORM (CCW), having up to 5.2 Gigabytes of storage.
  • DVD drives may be used instead of the WORM drives 210.
  • DVD drives offer wide support on various computing platforms, as well as high capacity, wide feature set, numerous drivers supporting such disks, low cost, and the like.
  • CD write-once media may also be employed, but may suffer from low memory capacity when used with large elections employing encrypted ballots.
  • the web servers 208 may be coupled to one, or a bank of, smart cards, printed circuit boards or cartridges containing programmable read-only memory (PROM), electronically programmable read-only memory (EPROM), and the like.
  • Such memory may provide faster write times than WORM drives, but may be less tamper resistant and more expensive, particularly for elections with numerous voters and large ballots.
  • Other computer-readable media may include magnetic disk drives, Bernoulli cartridges, and flash memory cards, if sufficient safeguards are employed (both hardware and software) to ensure that ballots stored thereon are tamper proof and not subject to fraud once ballots had been written thereto.
  • the server computer system 108 provides a website or "bulletin board" to which each voter posts his or her digitally signed electronic ballot.
  • the server computer system 108 permanently stores each ballot in the database 110, so that ballots may not be altered or erased, as described herein.
  • the web server computer system 108 verifies each ballot and aggregates or tallies them to produce a final tally, although verification, and some or all portions of ballot aggregation, decryption and tallying can be performed as ballots are received (or "on the fly”).
  • a process 300 performed by the server computer system 108 and voting organization providing such system is shown.
  • each component or step is generally described as a single function performed by the server computer system 108 (or authority employing such system).
  • the server computer system 108 provides electronic ballots to authorized voters. Voters may be authorized in any number of processes, such as those described in U.S. Patent Application
  • Each electronic ballot includes all predetermined voting issues, instructions for voting, and any relevant cryptographic keys or processes.
  • each electronic ballot includes a digital signature provided by the server computer system 108.
  • voters who receive such ballots may check the digital signature to ensure that the ballot has not been corrupted or altered.
  • the electronic ballots may be emailed to each of the authorized voters.
  • the database 110 includes the email addresses, URLs, links or other logical addresses for the voter computers 102 and voting poll computer 112.
  • the server computer system 108 then automatically retrieves each logical address and forwards the appropriate electronic ballot to each address.
  • the server computer system 108 may provide a web page to be accessed by the voting computers 102 and voting poll computer 112. By accessing such web page, and proving authentication of the relevant voter, the voter may then download from the server computer system 108 an electronic ballot.
  • These two methods of electronic ballot distribution represent server initiated and client initiated distribution methods; of course, many other similar methods may be employed whereby the server computer system 108 forwards electronic ballots to authorized users, or where the voter computers 102 and voting poll computer 112 request electronic ballots.
  • the server computer 108 receives electronically signed ballots from the voters.
  • the server computer system 108 provides the above-noted web page bulletin board that allows each voter to post his or her ballot thereto during a predetermined voting period.
  • other methods for receiving electronic ballots are possible, including email, wireless data transmission (e.g., via cell phone or portable/wearable computer), and the like.
  • the server computer 108 may provide a digitally signed receipt to the voter recognizing receipt of the voter's electronic ballot.
  • the server computer 108 may first provide such receipt to one or more of the authority computers 114 who in turn add their digital signatures before forwarding the receipt to the voter.
  • the server computer 108 no longer permits additional ballots to be received and written to the WORM drive 210.
  • the server computer system 108 continues to collect additional ballots after the predetermined voting period, but flags each ballot as being late or otherwise provides some indication about when such ballots were received.
  • the web server computer 208 does record such late ballots via the WORM drives 210.
  • the web servers 208 in the server computer system 108 write each received ballot to the WORM drives 210 or other permanent data storage media devices.
  • the server computer system 108 may employ solid state memory (e.g., RAM) or other electronic memory buffers to buffer and hold electronic ballots temporarily before being written to one of the WORM drives 210.
  • Such electronic buffers are particularly useful during peak traffic times; however, they may suffer from possible security shortcomings in that a fraudulent voting organization could tamper with electronic ballots, while in the buffer, before they are written to the WORM drives 210.
  • the server computer system 108 verifies each received ballot.
  • the verification can include checking the digital signature of each received ballot, and verifying the validity of each ballot, such as verifying correct hash function output and/or proofs of validity, such as under zero knowledge proofs.
  • Such verification can be performed as the server computer system 108 sequentially reads each ballot previously written to the WORM drives 210.
  • the server computer system 108 can perform some or all of such verification of received ballots before step 306 (before they are written to the WORM drives 210).
  • the server computer system 108 can verify the digital signature or compute the hash function of each ballot before writing it to the WORM drives 210.
  • the server computer system 108 may discard such ballots, and not write them to the WORM drives 210.
  • third party voting verification authorities may request that all received ballots be permanently stored before any unauthorized ballots are discarded.
  • In step 310, the server computer system 108 aggregates the stored ballots and decrypts the results, with a threshold number of authorities if such an encryption protocol is employed. Ballot authorization and decryption under a threshold number of authorities is described in greater detail in the Multi-Way
  • the voting organization providing the server computer system 108 may provide the storage data to a voter verification authority.
  • the voting organization may provide one or more WORM disks from the WORM drives 210 to a third party organization who verifies that no fraud had occurred during the vote or ballot tabulation. Any method of physically transferring the WORM disks to such a third-party vote verifying organization may be employed, including courier services.
  • the server computer system 108 may employ a one-way hash function or simple error correction/detection technique (e.g., cyclic redundancy check (CRC)) to the data, or groups of data stored on the WORM disk.
  • the server computer system 108 may, at predetermined times or after a predetermined number of electronic ballots have been received, perform such a hash function or other method to provide an additional level of security and verification to ballots stored by the WORM drives 210.
  • the results of the hash function are then likewise stored by the WORM drive, and can be presented to and verified by the third-party voting verification authority.
  • the voting organization running the server computer system 108 and/or third-party voting verification authority may destroy the WORM disks after a predetermined time period.
  • Many elections require that all ballots be saved or stored for a predetermined time period during which third parties may challenge or review election results to ensure that no fraud occurred. After such predetermined time period, however, the ballots typically must be destroyed. Therefore, the WORM disks may then be destroyed in step 314, to thereby effectively eliminate all electronic ballots.
  • the voter computers 102 may each have stored thereon, their own ballots, but this option is left to each voter.
  • electronic ballots may be digitally signed by each authorized voter and posted by the voters to an area on a bulletin board or website representing a "ballot box.” Ballots are encrypted by the voters but never decrypted. Multi-way elections are possible using both discrete log, elliptic curve and general group cryptosystems, all of which employ homomorphic properties to allow ballots to be combined to produce encrypted tallies. This multi-way election scheme ensures universal verifiability since any third party can see who voted without seeing how they voted and duplicate the combination of the encrypted ballots to obtain the encrypted tally.
  • Ballots are accompanied with zero-knowledge proofs of validity to ensure that a voted ballot includes only allowable options, without leaking any information about which ballot option the voter chose. Such proofs are non-interactive and all received ballots are automatically stored permanently by the WORM drives 210.
  • the encrypted tallies are decrypted by t of n authorities without reconstructing the authorities' private key, using threshold encryption techniques.
  • the decryption protocol requires a zero-knowledge proof which ensures that the correct ciphertext (ballot) has been decrypted using the private-key share corresponding to the authorities' group public-key. Further, compromise of the voter privacy would require a conspiracy of at least t of the n number of authorities.
  • the server computer system 108, with the WORM drives 210 or other permanent data storage devices, is useful not only for storing electronic ballots, but also for registering preregistered write-in candidates for elections, and other data for write-in candidates and votes.
  • a write-in candidate submits his or her name, ballot or precinct identifier and a race identifier.
  • the server computer system 108 generates a candidate number for the identified race and computes a unique encryption generator.
  • the candidate's name, ballot identifier, race identifier, candidate number and generator are stored by the WORM drive 210.
  • a database is created containing a record for each person eligible to hold any office appearing on the ballot.
  • the record contains the person's name, unique identifier and an encryption generator.
  • the voter may fill in the name of a write-in candidate on the electronic ballot.
  • the server computer system 108 queries the database for that name, and if a match is found, the unique identifier and any necessary encryption data are used to form the vote for that candidate on the electronic ballot.
  • the WORM drive 210 may be used to create a permanent record of such database for all eligible people to hold office on a given ballot. This permanent record could then be later reviewed by a third-party vote verification authority to ensure that all relevant names were included in the database.
  • FIG. 4 an alternative embodiment of the invention is depicted as a system 400.
  • the web server computers 208 are coupled directly to the internet 106, such as by means of only SSL and TCP/IP ports.
  • the web servers 208 have only a limited command set and are thus more secure than platforms coupled to the internet by means of a router or other high functionality/command set devices.
  • the web servers 208 are coupled to an array of WORM drives 210 by means of a distributed file server 402.
  • a distributed file server or system is a type of file system in which the file system itself manages and transparently locates pieces of information (e.g.
  • the distributed file server 402 also manages read and write functions to the WORM drives 210 and database 110.
  • the distributed file server 402 may be a process running on each, or one of, the web servers 208, or on a separate hardware device. Indeed, one of the web servers 208, WORM drives 210, and the database 110 may be enclosed within a single box to form a "vote engine" that may be connected directly to the Internet 106 as a stand alone product.
  • the distributed file server 402 receives ballots from the web servers 402 and determines which of several WORM drives 210 to instruct to write the ballot.
  • the distributed file server 402 also stores the received ballots in the database 110 for rapid access and rapid write-time with respect to the web servers 208.
  • the request is provided to the distributed file server 402, which in turn identifies where the ballot or desired file is stored, retrieves such ballot/file, and provides it to the web server.
  • one of the authority computers 114 also includes a WORM drive 210 coupled thereto.
  • the authority computers may store such receipts. To enhance data integrity, such received receipts may be stored in the WORM drive 210.
  • the authority computer can ensure that the web server computers 208 have not eliminated any ballots from the final tally.
  • the authority computer 114 may receive and store on the WORM drive 210 other information, including ballots that may be forwarded thereto, and the like.
  • the concepts of the invention can be used in various environments other than the Internet.
  • the concepts can be used in an electronic mail environment in which electronic mail ballots or forms are processed and stored.
  • a web page or display description e.g., the bulletin board
  • various communication channels such as local area networks, wide area networks, or point-to-point dial-up connections, may be used instead of the Internet.
  • the various transactions may also be conducted within a single computer environment, rather than in a client/server environment.
  • Each voter or client computer may comprise any combination of hardware or software that interacts with the server computer or system.
  • These client systems may include television-based systems, Internet appliances and various other consumer products through which transactions can be performed.
  • a "link" refers to any resource locator identifying a resource on the network, such as a display description of a voting authority having a site or node on the network.
  • resource locator identifying a resource on the network
  • hardware platforms such as voter computers, terminals and servers, are described herein, aspects of the invention are equally applicable to nodes on the network having corresponding resource locators to identify such nodes.

Abstract

Disclosed is a system for recording records, such as electronic ballots in an electronic scheme. A web server posts a web page having a ballot box. Individual voters receive and submit to the web page electronic ballots reflecting their votes. The web server computer permanently stores each received electronic ballots using a Write-Once, Read-Many (WORM) drive or similar device to prevent ballots from later being erased or altered. Election results may then be tallied, and the results of such tallying, together with the received ballots, transmitted or provided to a third-party authority to review the election results.

Description

ELECTRONIC VOTING SCHEME EMPLOYING PERMANENT BALLOT STORAGE
CROSS-REFERENCE TO RELATED APPLICATION
This application claims the benefit of U.S. Provisional Patent Applications, having numbers 60/126,080 and 60/149,621, filed March 25, 1999, and August 16, 1999, respectively, both of which are currently pending.
TECHNICAL FIELD
The following relates generally to electronic voting schemes.
BACKGROUND
The Internet is increasingly being used to conduct a variety of activities, including research, communication or document exchange, and "electronic commerce," in part, because it facilitates electronic communications with large databases, between individuals, and between vendors and purchasers. The Internet comprises a vast number of computers and computer networks interconnected through communication channels. One individual can use a personal computer to connect via the Internet to another's computer. In the field of electronic commerce, although many commercial transactions performed today could be performed electronically, the acceptance and wide-spread use of electronic commerce depends, in large part, upon the ease-of-use of conducting such electronic commerce or other activities. For example, if electronic commerce can be easily conducted, then even the novice computer user will choose to engage in such activities. Therefore, it is important that techniques be developed to facilitate conducting such activities electronically.
The Internet facilitates conducting activities electronically, in part, because it uses standardized techniques for exchanging information. Many standards have been established for exchanging information over the Internet, such as electronic mail, Gopher, and the World Wide Web ("WWW"). The WWW service allows a server computer system (i.e., web server or web site) to send graphical web pages of information to a remote client computer system. The remote client computer system can then display the web pages. Each resource (e.g., computer or web page) of the WWW is uniquely identifiable by a Uniform Resource Locator ("URL"). To view a specific web page, a client computer system specifies the URL for that web page in a request (e.g., a HyperText Transfer Protocol ("HTTP") request). The request is forwarded to the web server that supports that web page. When that web server receives the request, it sends the requested web page to the client computer system. When the client computer system receives that web page, it typically displays the web page using a browser. A browser is typically a special-purpose application program for requesting and displaying web pages.
Currently, web pages are often defined using HyperText Markup Language ("HTML") although other standards are on the horizon. HTML provides a standard set of tags that defines how a web page is to be displayed. When a user makes a request to the browser to display a web page, the browser sends the request to the server computer system to transfer to the client computer system an HTML document that defines the web page. When the requested HTML document is received by the client computer system, the browser displays the web page as defined by the HTML document. The HTML document contains various tags that control the display of text, graphics, controls, and other features. The HTML document may contain URLs of other web pages available on that server computer system or on other server computer systems.
The World Wide Web portion of the Internet is especially conducive to conducting electronic commerce, and a host of other activities that individuals have previously performed manually or over the phone. One activity that has been difficult to transfer to the Internet or World Wide Web has been voting. An electronic voting scheme must ensure the privacy of each voter, as well as provide strict audit trails so that election officials or independent observers can verify no fraud has occurred. Furthermore, as with many electronic commerce techniques, such an electronic voting scheme must be easy for voters to use. Ballot types must range from simple yes/no initiatives to complex multi-way candidate races allowing for the possibility of write-in candidates. The ballots must be tamper free, and must be sufficiently non-transitory, so that months after an election, the ballots and results can be reviewed by some independent authority. To date, the inventors are unaware of any system that fulfills these requirements.
BRIEF DESCRIPTIONS OF DRAWINGS
The headings provided herein are for convenience only, and do not affect the scope or meaning of the claimed invention.
Figure 1 is a block diagram illustrating an environment for use with an embodiment of the invention.
Figure 2 is a block diagram illustrating one embodiment for permanently storing electronic ballots for use with the environment of Figure 1.
Figure 3 is a flow diagram showing steps performed by the embodiment of Figure 2.
Figure 4 is a block diagram illustrating an alternative embodiment for permanently storing electronic ballots for use with the environment of Figure 1.
DETAILED DESCRIPTION
Aspects of the invention overcome limitations of the prior art and provide numerous additional benefits. In one embodiment of the invention, ballots are permanently stored using a Write-Once, Read-Many (WORM) drive. This prevents anyone, such as election officials, hackers, etc., from erasing votes or altering ballots from an electronic "ballot box". The electronic ballot box is formed as one or more web pages in an electronic "bulletin board" or voting website hosted by one or more web servers. Alternative embodiments employ other permanent data storage devices, as explained below.
The following description provides specific details for a thorough understanding of, and enabling description for, embodiments of the invention. However, one skilled in the art will understand that the invention may be practiced without these details. In other instances, well known structures and functions have not been shown or described in detail to avoid unnecessarily obscuring the description of the embodiments of the invention. Some of the detailed description provided herein is explicitly disclosed in the provisional patent applications; much of the additional material will be recognized by those skilled in the relevant art as being inherent in the detailed description provided in the provisional patent applications, or well known to those skilled in the relevant art. Those skilled in the relevant art can readily implement aspects of the invention based on the detailed description provided in the provisional patent applications.
Figure 1 and the following discussion provide a brief, general description of a suitable computing environment in which aspects of the invention can be implemented. Although not required, embodiments of the invention will be described in the general context of computer-executable instructions, such as routines executed by a general-purpose computer, such as a personal computer or web server. Those skilled in the relevant art will appreciate that aspects of the invention (such as for small elections) can be practiced with other computer system configurations, including Internet appliances, hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, network PCs, mini computers, cell phones, mainframe computers, and the like. Aspects of the invention can be embodied in a special purpose computer or data processor that is specifically programmed, configured or constructed to perform one or more of the computer-executable instructions explained herein. The invention can also be practiced in distributed computing environments where tasks or modules are performed by remote processing devices, which are linked through a communications network, such as a Local Area Network (LAN), Wide Area Network (WAN), and the Internet. In a distributed computing environment, program modules or sub-routines may be located in both local and remote memory storage devices. Unless described otherwise, the construction and operation of the various blocks shown in Figure 1 and 2 are of conventional design. As a result, such blocks need not be described in further detail herein, as they will be readily understood by those skilled in the relevant art. 
Referring to Figure 1, a suitable environment of system 100 includes one or more voter or client computers 102, each of which includes a browser program module 104 that permits the computer to access and exchange data with the Internet, including web sites within the World Wide Web portion 106 of the Internet. The voter computers 102 may include one or more central processing units or other logic processing circuitry, memory, input devices (e.g., keyboards and pointing devices), output devices (e.g., display devices and printers), and storage devices (e.g., fixed, floppy, and optical disk drives), all well known but not shown in Figure 1. The voter computers 102 may also include other program modules, such as an operating system, one or more application programs (e.g., word processing or spread sheet applications), and the like. As shown in Figure 1, there are N number of voter computers 102, representing voters 1, 2, 3 . . . N.
A server computer system 108, coupled to the Internet or World Wide Web ("Web") 106, performs much or all of the ballot collection, storing and other processes. A database 110, coupled to the server computer 108, stores much of the web pages and data (including ballots) exchanged between the voter computers 102, one or more voting poll computers 112 and the server computer 108. The server computer system 108, including the database 110, may employ security measures to inhibit malicious attacks on the system and to preserve the integrity of the ballots and other data stored therein. The voting poll computer 112 is a personal computer, server computer, mini-computer, or the like, positioned at a public voting location to permit members of the public, or voters who may not have ready access to computers coupled to the Internet 106, to electronically vote under the system described herein. Thus, the voter computers 102 may be positioned at individual voter's homes, where one or more voting poll computers 112 are located publicly or otherwise accessible to voters in a public election. The voting poll computer 112 may include a local area network (LAN) having one server computer and several client computers or voter terminals coupled thereto via the LAN to thereby permit several voters to vote simultaneously or in parallel.
Under an alternative embodiment, the system 100 may be used in the context of a private election, such as the election of corporate officers or board members. Under this embodiment, the voter computers 102 may be laptops or desktop computers of shareholders, and the voting poll computer 112 can be one or more computers positioned within the company (e.g., in the lobby) performing the election. Thus, shareholders may visit the company to access the voting poll computer 112 to cast their votes.
One or more optional authority or organization computers 114 may also be coupled to the server computer system 108 via the Internet 106. The authority computers 114, in certain electronic voting schemes, each hold a key necessary to decrypt the tally of electronic ballots stored in the database 110. Threshold cryptographic systems require that a subset t of the total number of authorities n (i.e., t<n) agree to decrypt the ballots, to thereby avoid the requirement that all authorities are needed for ballot decryption. The authority computers 114 may provide decryption shares based on their keys to the server computer system 108 after the voting period ends so that the server computer system may decrypt the tally results.
The server computer 108 includes a server engine 120, a web page management component 122, a database management component 124, as well as other components shown more clearly in Figure 2. The server engine 120, in addition to standard functionality, performs one or more electronic voting protocols, such as the protocols described in U.S. Patent Application No. , filed March 24, 2000, entitled "Multi-way Election Method and Apparatus," and assigned to the same assignee as this invention.
Thus, the server engine 120 performs all necessary ballot transmission to authorized voters, ballot collection, verifying ballots (e.g., checking digital signatures and passing verification of included proofs of validity in ballots), vote aggregation, ballot decryption and/or vote tabulation. The web page component 122 handles creation and display or routing of web pages such as an electronic ballot box web page, as described below. Voters and users may access the server computer 108 by means of a URL associated therewith, such as http://www.votehere.net, or a URL associated with the election, such as a URL for a municipality. The municipality may host or operate the server computer system 108 directly, or automatically forward such received electronic ballots to a third party vote authorizer who may operate the server computer system. The URL, or any link or address noted herein, can be any resource locator.
The web page management process 122 and server computer 108 may have secure sections or pages that may only be accessed by authorized people, such as authorized voters or system administrators. The server computer 108 may employ a secure socket layer ("SSL") and tokens or cookies to authenticate such users. Indeed, for small elections, or those where the probability of fraud is low (or results of fraud are relatively inconsequential), the system 100 may employ such simple network security measures for gathering and storing votes as explained below, rather than employing complex electronic encrypted ballots, as described in the above-noted patent application. Methods of authenticating users (such as through the use of passwords), establishing secure transmission connections, and providing secure servers and web pages are known to those skilled in the relevant art.
Referring to Figure 2, a more detailed representation of the server computer system 108 is shown. The server computer system 108 includes a router 202 coupled between the Internet 106 and a firewall 204. The router 202 acts as an interface between the Internet 106 and the server computer system 108. The router 202 receives incoming electronic ballots or votes produced by the voter computers 102 or voting poll computer 112, and routes them through the firewall 204 to a web-load balancing system 206.
The firewall 204 protects the server computer system 108 from attacks or security breaches directed at the system from the Internet 106. Any of various known firewall systems may be employed, such as those employing screened subnet architecture (e.g., packet filtering), and multi-homed host architecture (e.g., application gateway or dedicated proxy methods), although any of the many known firewall architectures may be employed.
The web-load balancing system 206 balances load on several web server computers 208 (three of which are shown in Figure 2). Load balancing is a technique well known in the art for distributing the processing load between two or more computers, to thereby more efficiently process instructions and route data. In the present context, the web-load balancing system 206 helps distribute received electronic ballots evenly between the web servers 208, which can be particularly important at peak traffic times.
As shown in Figure 2, each of the web servers 208 includes internally, or has coupled thereto, a write-once, read-many (WORM) drive 210. As explained more fully below, the WORM drives 210 permanently store received electronic ballots. Thus, in addition to the database 110 which stores the ballots for rapid access and processing by the web servers 208, the WORM drives 210 permanently store such ballots in the event of a catastrophic fault, or to later verify election results, as noted below. As shown by the broken lines in Figure 2, the web load balancing device 206 may directly route received ballots to the WORM drives 210 (as opposed to having such ballots first being directed to the web servers 208).
The web-load balancing system 206 acts as an interface to the WORM drives 210 to provide load balancing for such drives so that all electronic ballots are permanently stored on the WORM drives in an efficient manner, particularly during times of peak traffic, and to overcome relatively slow write times (as compared to, for example, random access memory (RAM) write times). Each of the web servers 208 executes a software enabled application programming interface (API) running as a service thereon to enable writing of the electronic ballots onto the associated WORM drive 210. APIs for interfacing an application program, such as the ballot collection and vote tallying process noted above, with the writing of received ballots to the WORM drives 210 are similar to conventional APIs that permit application programs to write data to WORM drives or other similar drives.
Several web servers 208 and WORM drives 210 are employed for not only efficient load balancing of received web traffic and/or electronic ballots, but also for redundancy and fault tolerance reasons. Indeed, while only a single router 202, firewall 204 and web-load balancing system 206 are shown in Figure 2, the server computer system 108 may employ two or more such devices/systems to further improve fault tolerance for the system. To further improve processing efficiency, the web servers 208 may employ cryptographic accelerator cards or math coprocessors (not shown) to expedite cryptographic functions when the server computer system 108 executes cryptographically complex electronic elections. Likewise, the voting poll computer 112 and/or voter computers 102 can employ such cryptographic accelerator cards or math coprocessors for similar reasons.
Any of several known WORM drives may be employed, such as Model No. CMO R540 MO, by Sony Corporation, Model No. HP5200ex SureStore, by Hewlett Packard, and Model No. T6-5200, by Maxoptix. These drives typically employ a 5.2 inch (13.2 centimeter) diameter, optical disk or cartridge, enhanced polycarbonate-type continuous composite WORM (CCW), having up to 5.2 Gigabytes of storage. Once data, such as electronic ballots, has been written to the optical disks in the WORM drives 210, the data may not later be erased or altered. In other words, such WORM drives 210 permit data to be permanently stored thereon once, and then thereafter read therefrom numerous times.
Other permanent data storage devices are possible. Digital Versatile Disk (DVD) drives may be used instead of the WORM drives 210. DVD drives offer wide support on various computing platforms, as well as high capacity, wide feature set, numerous drivers supporting such disks, low cost, and the like. CD-Write once media may also be employed, but may suffer from low memory capacity when used with large elections employing encrypted ballots.
Other permanent data storage media and associated data storage devices may be used, and may be desirable in certain elections. For example, the web servers 208 may be coupled to one, or a bank of, smart cards, printed circuit boards or cartridges containing programmable read-only memory (PROM), electronically programmable read-only memory (EPROM), and the like. Such memory may provide faster write times than WORM drives, but may be less tamper resistant and more expensive, particularly for elections with numerous voters and large ballots. Other computer-readable media may include magnetic disk drives, Bernoulli cartridges, and flash memory cards, if sufficient safeguards are employed (both hardware and software) to ensure that ballots stored thereon are tamper proof and not subject to fraud once ballots had been written thereto.
Under one embodiment, the server computer system 108 provides a website or "bulletin board" to which each voter posts his or her digitally signed electronic ballot. The server computer system 108 permanently stores each ballot in the database 110, so that ballots may not be altered or erased, as described herein. Once the predetermined polling period ends ("the polls close"), the web server computer system 108 verifies each ballot and aggregates or tallies them to produce a final tally, although verification, and some or all portions of ballot aggregation, decryption and tallying can be performed as ballots are received (or "on the fly").
Referring to Figure 3, a process 300 performed by the server computer system 108 and voting organization providing such system is shown. To illustrate the process 300 for gathering and storing electronic ballots, each component or step is generally described as a single function performed by the server computer system 108 (or authority employing such system). One skilled in the relevant art will appreciate that each of these components or steps may be implemented as several separate routines or subroutines.
In step 302, the server computer system 108 provides electronic ballots to authorized voters. Voters may be authorized in any number of processes, such as those described in U.S. Patent Application No. , filed March 24, 2000, entitled "Method, Article and Apparatus for Registering Registrants, Such As Voter Registrants" and assigned to the assignee of the present invention. Each electronic ballot includes all predetermined voting issues, instructions for voting, and any relevant cryptographic keys or processes.
Additionally, each electronic ballot includes a digital signature provided by the server computer system 108. Thus, voters who receive such ballots may check the digital signature to ensure that the ballot has not been corrupted or altered.
Under step 302, the electronic ballots may be emailed to each of the authorized voters. Under this method, the database 110 includes the email addresses, URLs, links or other logical addresses for the voter computers 102 and voting poll computer 112. The server computer system 108 then automatically retrieves each logical address and forwards the appropriate electronic ballot to each address. Alternatively, the server computer system 108 may provide a web page to be accessed by the voting computers 102 and voting poll computer 112. By accessing such web page, and proving authentication of the relevant voter, the voter may then download from the server computer system 108 an electronic ballot. These two methods of electronic ballot distribution represent server initiated and client initiated distribution methods; of course, many other similar methods may be employed whereby the server computer system 108 forwards electronic ballots to authorized users, or where the voter computers 102 and voting poll computer 112 request electronic ballots.
In step 304, the server computer 108 receives electronically signed ballots from the voters. In one embodiment, the server computer system 108 provides the above-noted web page bulletin board that allows each voter to post his or her ballot thereto during a predetermined voting period. Of course, other methods for receiving electronic ballots are possible, including email, wireless data transmission (e.g., via cell phone or portable/wearable computer), and the like. The server computer 108 may provide a digitally signed receipt to the voter recognizing receipt of the voter's electronic ballot. Furthermore, the server computer 108 may first provide such receipt to one or more of the authority computers 114 who in turn add their digital signatures before forwarding the receipt to the voter. After the predetermined voting period ends, the server computer 108 no longer permits additional ballots to be received and written to the WORM drive 210. Under an alternative embodiment, the server computer system 108 continues to collect additional ballots after the predetermined voting period, but flags each ballot as being late or otherwise provides some indication about when such ballots were received. The web server computer 208, under this alternative embodiment, does record such late ballots via the WORM drives 210.
In step 306, the web servers 208 in the server computer system 108 write each received ballot to the WORM drives 210 or other permanent data storage media devices. In general, it is desirable to write each ballot received under step 304 immediately to one of the WORM drives 210 under step 306. Under an alternative embodiment, the server computer system 108 may employ solid state memory (e.g., RAM) or other electronic memory buffers to buffer and hold electronic ballots temporarily before being written to one of the WORM drives 210. Such electronic buffers are particularly useful during peak traffic times, however, may suffer from possible security shortcomings in that a fraudulent voting organization could tamper with electronic ballots, when in the buffer, before they are written to the WORM drives 210.
In step 308, the server computer system 108 verifies each received ballot. The verification can include checking the digital signature of each received ballot, and verifying the validity of each ballot, such as verifying correct hash function output and/or proofs of validity, such as under zero knowledge proofs. Such verification can be performed as the server computer system 108 sequentially reads each ballot previously written to the WORM drives 210. Alternatively, the server computer system 108 can perform some or all of such verification of received ballots before step 306 (before they are written to the WORM drives 210). For example, the server computer system 108 can verify the digital signature or compute the hash function of each ballot before writing it to the WORM drives 210. If the digital signatures do not verify or the computer hash function results do not match, the server computer system 108 may discard such ballots, and not write them to the WORM drives 210. However, third party voting verification authorities may request that all received ballots be permanently stored before any unauthorized ballots are discarded.
In step 310, the server computer system 108 aggregates the stored ballots and decrypts the results, with a threshold number of authorities if such an encryption protocol is employed. Ballot authorization and decryption under a threshold number of authorities is described in greater detail in the Multi-Way Election Method and Apparatus application noted above.
In step 312, the voting organization providing the server computer system 108 may provide the storage data to a voter verification authority. For example, the voting organization may provide one or more WORM disks from the WORM drives 210 to a third party organization who verifies that no fraud had occurred during the vote or ballot tabulation. Any method of physically transferring the WORM disks to such a third-party vote verifying organization may be employed, including courier services. Under an alternative embodiment, the server computer system 108 may apply a one-way hash function or simple error correction/detection technique (e.g., cyclic redundancy check (CRC)) to the data, or groups of data, stored on the WORM disk. The server computer system 108, at predetermined times, or after a predetermined number of electronic ballots have been received, performs such a hash function or other method to provide an additional level of security and verification to ballots stored by the WORM drives 210. The results of the hash function are then likewise stored by the WORM drive, and can be presented to and verified by the third-party voting verification authority.
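The periodic hashing described in step 312 can be sketched as follows. This is an added example, not code from the patent or from the applicant: the `WormLog` class merely simulates a write-once medium, and the checkpoint interval, the record layout, the use of SHA-256 and the chaining of each digest to the previous one are all assumptions made for illustration.

```python
import hashlib
import struct

CHECKPOINT_EVERY = 3        # assumed policy: one digest per 3 ballots received
GENESIS = b"\x00" * 32      # assumed starting value for the digest chain

def group_digest(prev_digest, ballots):
    """SHA-256 over the previous checkpoint digest and one group of ballots.
    Each ballot is length-prefixed so record boundaries are unambiguous."""
    h = hashlib.sha256(prev_digest)
    for ballot in ballots:
        h.update(struct.pack(">I", len(ballot)))
        h.update(ballot)
    return h.digest()

class WormLog:
    """Simulated write-once medium: records are appended and read, never changed."""
    def __init__(self):
        self._records = []

    def append(self, kind, data):
        self._records.append((kind, bytes(data)))

    def read_all(self):
        return tuple(self._records)

class BallotRecorder:
    """Writes each ballot immediately, then a digest record after each full group."""
    def __init__(self, log, every=CHECKPOINT_EVERY):
        self.log, self.every = log, every
        self.pending, self.prev = [], GENESIS

    def store(self, ballot):
        self.log.append("ballot", ballot)
        self.pending.append(ballot)
        if len(self.pending) == self.every:
            self.checkpoint()

    def checkpoint(self):
        """Also called when the polls close, to cover a final partial group."""
        if self.pending:
            self.prev = group_digest(self.prev, self.pending)
            self.log.append("checkpoint", self.prev)
            self.pending = []

def audit(records):
    """Third-party check of a disk copy.
    Returns (ballots verified, ballots not yet covered by a digest,
    indexes of checkpoint or unknown records that failed)."""
    prev, group, verified, failed = GENESIS, [], 0, []
    for index, (kind, data) in enumerate(records):
        if kind == "ballot":
            group.append(data)
        elif kind == "checkpoint":
            if data == group_digest(prev, group):
                verified += len(group)
            else:
                failed.append(index)
            # Continue from the stored digest so one bad group does not
            # make every later group fail as well.
            prev, group = data, []
        else:
            failed.append(index)
    return verified, len(group), failed

if __name__ == "__main__":
    log = WormLog()
    recorder = BallotRecorder(log)
    for n in range(7):                      # constructed sample ballots
        recorder.store(b"encrypted-ballot-%d" % n)
    print(audit(log.read_all()))
```

Ballots received after the last checkpoint are reported separately rather than as failures, which is why the recorder writes a final digest when the polls close.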
In step 314, the voting organization running the server computer system 108 and/or third-party voting verification authority may destroy the WORM disks after a predetermined time period. Many elections require that all ballots be saved or stored for a predetermined time period during which third parties may challenge or review election results to ensure that no fraud occurred. After such predetermined time period, however, the ballots typically must be destroyed. Therefore, the WORM disks may then be destroyed in step 314, to thereby effectively eliminate all electronic ballots. Of course, the voter computers 102 may each have stored thereon, their own ballots, but this option is left to each voter.
Under one embodiment of the invention, which employs the protocols described in the above-noted patent application, electronic ballots may be digitally signed by each authorized voter and posted by the voters to an area on a bulletin board or website representing a "ballot box." Ballots are encrypted by the voters but never decrypted. Multi-way elections are possible using discrete log, elliptic curve and general group cryptosystems, all of which employ homomorphic properties to allow ballots to be combined to produce encrypted tallies. This multi-way election scheme ensures universal verifiability since any third party can see who voted without seeing how they voted and duplicate the combination of the encrypted ballots to obtain the encrypted tally. Ballots are accompanied by zero-knowledge proofs of validity to ensure that a voted ballot includes only allowable options, without leaking any information about which ballot option the voter chose. Such proofs are non-interactive and all received ballots are automatically stored permanently by the WORM drives 210. The encrypted tallies are decrypted by t of n authorities without reconstructing the authorities' private key, using threshold encryption techniques. The decryption protocol requires a zero-knowledge proof which ensures that the correct ciphertext (ballot) has been decrypted using the private-key share corresponding to the authorities' group public-key. Further, compromise of voter privacy would require a conspiracy of at least t of the n authorities.
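The homomorphic tally and t-of-n decryption described above, as an added example rather than code from the patent or the referenced application. It assumes exponential ElGamal over a deliberately small, constructed discrete-log group (the page names only the cryptosystem families), deals the key shares from a trusted dealer, and omits the zero-knowledge proofs; all function names and parameters are hypothetical.

```python
import secrets

# Constructed parameters, far too small for real use: P = 2Q + 1 with P and Q
# prime, and G generating the subgroup of order Q.
P, Q, G = 2039, 1019, 4


def shamir_shares(secret, t, n):
    """Split `secret` into n shares, any t of which determine it (mod Q)."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def keygen(t, n):
    """Return the group public key and one private-key share per authority.

    Assumption: a trusted dealer picks the key here and then forgets it.
    """
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), shamir_shares(x, t, n)


def encrypt(public_key, vote):
    """Encrypt a yes/no vote as (G^r, G^vote * h^r)."""
    if vote not in (0, 1):
        raise ValueError("vote must be 0 or 1")
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(public_key, r, P) % P


def combine(ballots):
    """Multiply ciphertexts component-wise; the product encrypts the sum of votes."""
    a = b = 1
    for ai, bi in ballots:
        a, b = a * ai % P, b * bi % P
    return a, b


def partial_decrypt(share, tally):
    """One authority's contribution, a^(its share); the share itself stays private."""
    return pow(tally[0], share, P)


def lagrange_at_zero(i, ids):
    """Lagrange coefficient for share i when interpolating at 0, mod Q."""
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * -j % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def open_tally(tally, partials, max_votes):
    """Combine t partial decryptions and recover the vote count."""
    ids = list(partials)
    a_x = 1
    for i, d in partials.items():
        a_x = a_x * pow(d, lagrange_at_zero(i, ids), P) % P
    g_m = tally[1] * pow(a_x, -1, P) % P
    for m in range(max_votes + 1):  # the count is small, so search for it
        if pow(G, m, P) == g_m:
            return m
    raise ValueError("no valid count found (too few or wrong partials?)")


def run_election(votes, t=2, n=3, openers=(1, 3)):
    """Encrypt the votes, combine them, and open only the combined tally."""
    public_key, shares = keygen(t, n)
    ballots = [encrypt(public_key, v) for v in votes]  # what is posted and stored
    tally = combine(ballots)                           # any third party can redo this
    partials = {i: partial_decrypt(shares[i], tally) for i in openers}
    return ballots, tally, open_tally(tally, partials, len(votes))


if __name__ == "__main__":
    ballots, tally, yes_votes = run_election([1, 0, 1, 1, 0])  # constructed votes
    print("recombined tally matches:", combine(ballots) == tally)
    print("yes votes:", yes_votes)
```

No individual ballot is decrypted at any point: the authorities apply their shares only to the combined ciphertext, and the private key is never reassembled.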
The server computer system 108, with the WORM drives 210 or other permanent data storage devices, is useful for not only storing electronic ballots, but also for registering preregistered write-in candidates for elections, and other data for write-in candidates and votes. Under the multi-way election method and apparatus application noted above, a write-in candidate submits his or her name, ballot or precinct identifier and a race identifier. The server computer system 108 generates a candidate number for the identified race and computes a unique encryption generator. The candidate's name, ballot identifier, race identifier, candidate number and generator are stored by the WORM drive 210. Before the beginning of the election, registration of new write-in candidates is closed, and information for all write-in candidates is read from the WORM drive 210 by the server computer 108 and added to the appropriate electronic ballots before such ballots are distributed to voters. All received ballots are then stored on the WORM drive 210, together with any and all votes for preregistered write-in candidates.
Under an alternative method for write-in candidates described in the above application, a database is created containing a record for each person eligible to hold any office appearing on the ballot. The record contains the person's name, unique identifier and an encryption generator. For any given race, the voter may fill in the name of a write-in candidate on the electronic ballot. The server computer system 108 then queries the database for that name, and if a match is found, the unique identifier and any necessary encryption data are used to form the vote for that candidate on the electronic ballot. The WORM drive 210 may be used to create a permanent record of such database for all eligible people to hold office on a given ballot. This permanent record could then be later reviewed by a third-party vote verification authority to ensure that all relevant names were included in the database.
Referring to Figure 4, an alternative embodiment of the invention is depicted as a system 400. As shown in Figure 4, the web server computers 208 are coupled directly to the internet 106, such as by means of only SSL and TCP/IP ports. Thus, the web servers 208 have only a limited command set and are thus more secure than platforms coupled to the internet by means of a router or other high functionality/command set devices. The web servers 208 are coupled to an array of WORM drives 210 by means of a distributed file server 402. A distributed file server or system is a type of file system in which the file system itself manages and transparently locates pieces of information (e.g. ballots) from remote files and distributes files across a network, such as the LAN effectively formed by the web servers, WORM drives and distributed file server shown in Figure 4. The distributed file server 402 also manages read and write functions to the WORM drives 210 and database 110. The distributed file server 402 may be a process running on each, or one of, the web servers 208, or on a separate hardware device. Indeed, one of the web servers 208, WORM drives 210, and the database 110 may be enclosed within a single box to form a "vote engine" that may be connected directly to the Internet 106 as a stand alone product.
The distributed file server 402 receives ballots from the web servers 402 and determines which of several WORM drives 210 to instruct to write the ballot. The distributed file server 402 also stores the received ballots in the database 110 for rapid access and rapid write-time with respect to the web servers 208. When one of the web servers 208 wishes to retrieve one of the ballots or some other file, the request is provided to the distributed file server 402, which in turn identifies where the ballot or desired file is stored, retrieves such ballot/file, and provides it to the web server.
As shown in Figure 4, one of the authority computers 114 also includes a WORM drive 210 coupled thereto. Under the embodiment described above where the authority computers receive and digitally sign ballot receipts for the voter computer 102 (recognizing that the voter's electronic ballot has been received), the authority computer may store such receipts. To enhance data integrity, such received receipts may be stored in the WORM drive 210. Thus, the authority computer can ensure that the web server computers 208 have not eliminated any ballots from the final tally. Of course, the authority computer 114 may receive and store on the WORM drive 210 other information, including ballots that may be forwarded thereto, and the like.
One skilled in the art will appreciate that the concepts of the invention can be used in various environments other than the Internet. For example, the concepts can be used in an electronic mail environment in which electronic mail ballots or forms are processed and stored. In general, a web page or display description (e.g., the bulletin board) may be in HTML format, email format, or any other format suitable for displaying information (including character/code based formats, bitmapped formats and vector based formats). Also, various communication channels, such as local area networks, wide area networks, or point-to-point dial-up connections, may be used instead of the Internet. The various transactions may also be conducted within a single computer environment, rather than in a client/server environment. Each voter or client computer may comprise any combination of hardware or software that interacts with the server computer or system. These client systems may include television-based systems, Internet appliances and various other consumer products through which transactions can be performed.
In general, as used herein, a "link" refers to any resource locator identifying a resource on the network, such as a display description of a voting authority having a site or node on the network. In general, while hardware platforms, such as voter computers, terminals and servers, are described herein, aspects of the invention are equally applicable to nodes on the network having corresponding resource locators to identify such nodes.
Unless the context clearly requires otherwise, throughout the description and the claims, the words 'comprise', 'comprising', and the like are to be construed in an inclusive sense as opposed to an exclusive or exhaustive sense; that is to say, in the sense of "including, but not limited to". Words using the singular or plural number also include the plural or singular number, respectively. Additionally, the words "herein", "hereunder", and words of similar import, when used in this application, shall refer to this application as a whole and not to any particular portions of this application.
The above description of illustrated embodiments of the invention is not intended to be exhaustive or to limit the invention to the precise form disclosed. While specific embodiments of, and examples for, the invention are described herein for illustrative purposes, various equivalent modifications are possible within the scope of the invention, as those skilled in the relevant art will recognize. The teachings of the invention provided herein can be applied to other record storage systems, not necessarily the electronic voting system described above. The various embodiments described above can be combined to provide further embodiments. All of the above references and U.S. patents and applications are incorporated by reference. Aspects of the invention can be modified, if necessary, to employ the systems, functions and concepts of the various patents and applications described above to provide yet further embodiments of the invention. These and other changes can be made to the invention in light of the above detailed description. In general, in the following claims, the terms used should not be construed to limit the invention to the specific embodiments disclosed in the specification and the claims, but should be construed to include all ballot or record storage systems that operate under the claims to provide a method for permanently storing such data. Accordingly, the invention is not limited by the disclosure, but instead the scope of the invention is to be determined entirely by the claims.

Claims

1. An electronic voting system for use with a computerized network, comprising: a plurality of voting computers coupled to the computerized network, wherein each voting computer provides an electronic encrypted ballot representing at least one vote; a server computer system coupled to the computerized network, wherein the server computer system includes: at least one server computer for receiving the plurality of electronic ballots from the plurality of voting computers, performing at least one cryptographic operation relative to the plurality of electronic ballots, and determining a tally of the votes; and a write-once, read-many data storage device coupled to the server computer and having a computer-readable medium therein, wherein the server computer and data storage device are configured to permanently write the plurality of received electronic ballots to the computer-readable medium.
2. The system of claim 1, further comprising: at least one voting poll computer coupled to the computerized network and providing another plurality of electronic encrypted ballots to the server computer system; at least one authority computer coupled to the computerized network that provides at least one cryptographic key for decrypting at least a portion of the plurality of electronic ballots and the another plurality of electronic ballots; and wherein the server computer system includes at least one router coupled to the computerized network, and at least one firewall coupled between the router and the server computer.
3. The system of claim 1, further comprising: at least one voting poll computer coupled to the computerized network, wherein the voting poll computer is coupled to a plurality of additional terminals over a network to receive, and provide to the server computer system, another plurality of electronic encrypted ballots.
4. The system of claim 1 wherein the computerized network includes the World Wide Web, wherein each of the plurality of voting computers include a web browser program, and wherein the server computer system includes: at least two web server computers, each having at least one of the data storage devices, wherein at least one of the web server computers provides a ballot box web page for the plurality of voting computers to post their respective electronic ballots thereto, and a load balancing and fault tolerance system coupled between the World Wide Web and the two web server computers, wherein the load balancing and fault tolerance system is configured to provide substantially equal numbers of the plurality of electronic ballots to the two web servers and data storage devices, and to detect for and reroute received electronic ballots if one of the two web server computers suffers a fault.
5. The system of claim 1 wherein the computer-readable medium in the data storage device is a removable optical disk.
6. The system of claim 1 wherein the plurality of voter computers include at least one palm-sized computer, cell phone, wearable computer, interactive television terminal or Internet appliance.
7. A computer system for receiving a plurality of electronic ballots over a network, comprising: at least one server computer for receiving the plurality of electronic ballots from the network, and performing at least one operation relative to the plurality of electronic ballots; and a permanent data storage device coupled to the server computer and having a computer-readable medium, wherein the server computer and data storage device are configured to write the plurality of received electronic ballots to the computer-readable medium in an unalterable fashion, and wherein the electronic ballots may be read from the computer-readable medium thereafter.
8. The system of claim 7 wherein the electronic ballots are encrypted and represent votes from a plurality of voters, wherein at least one authority computer coupled to the network provides at least one cryptographic key to the server computer for decrypting at least a tally from the plurality of electronic ballots, and wherein the system further comprises: at least one router coupled to the computerized network, and at least one firewall coupled between the router and the server computer.
9. The system of claim 7 wherein the network includes the World Wide Web, and wherein the server computer system includes: at least two web server computers coupled to the World Wide Web; at least two data storage devices coupled respectively to the two web server computers, wherein at least one of the web server computers provides a ballot box web page for receiving the electronic ballots.
10. The system of claim 7 wherein the server computer system includes: at least two server computers, each having one of the data storage devices, and a load balancing system coupled between the network and the two server computers, wherein the load balancing system is configured to distribute the plurality of electronic ballots to the two servers, the data storage devices, or both.
11. The system of claim 7 wherein the data storage device is a write-once, read-many (WORM) drive.
12. The system of claim 7 wherein the data storage device is a CD-R drive.
13. The system of claim 7 wherein the data storage device is a digital versatile disk (DVD) drive.
14. The system of claim 7 wherein the data storage device is a removable structure, and wherein the computer-readable medium includes, secured to the structure, programmable read only memory (PROM) or electronically programmable read only memory (EPROM).
15. The system of claim 7 wherein the server computer receives at least some of the plurality of electronic ballots from at least one palm-sized computer, cell phone, wearable computer, interactive television terminal or Internet appliance.
16. The system of claim 7 wherein the server computer performs a hash or error detection operation on at least one set of the electronic ballots stored by the data storage device, and wherein the data storage device stores a result of the operation on the computer-readable medium.
17. The system of claim 7 wherein the server computer performs an authentication or verification operation on at least one set of the received electronic ballots and does not cause the data storage device to store those electronic ballots that fail the authentication or verification operation.
18. The system of claim 7 wherein the server computer adds a late flag to at least one set of the plurality of electronic ballots stored by the data storage device, wherein the late flag indicates that the set of electronic ballots were received outside of a predetermined time period.
19. The system of claim 7 wherein the server computer is configured to receive write-in candidate data and wherein the server computer and data storage device are configured to write the write-in candidate data to the computer-readable medium in an unalterable fashion.
20. The system of claim 7, further comprising: another permanent data storage device having a computer-readable medium for storing at least some of the plurality of received electronic ballots thereto; and a distributed file server communicating with the permanent data storage device and the another permanent data storage device, and which receives the electronic ballots and determines to which of the data storage devices to route the received electronic ballots.
21. In an electronic voting system having a data processing device coupled to a network for receiving a plurality of electronic ballots, an apparatus comprising: a permanent data storage device coupled to the data processing device and having a computer-readable data storage medium, wherein the data storage device is configured to receive the plurality of received electronic ballots from the data processing device and to write the plurality of received electronic ballots to the computer-readable medium in an unalterable fashion, and wherein the data processing device may read the electronic ballots from the computer-readable medium thereafter, but not alter or delete any of the electronic ballots.
22. The apparatus of claim 21 wherein the electronic ballots are encrypted and represent votes from a plurality of voters, wherein the network includes the World Wide Web having a virtual ballot box for receiving the plurality of electronic ballots, wherein the computer-readable data storage medium is an optical disk and wherein the optical disk forms a permanent record for electronic ballots posted to the virtual ballot box.
23. The apparatus of claim 21 wherein the electronic ballots are encrypted and wherein the permanent data storage device stores the encrypted electronic ballots.
24. The apparatus of claim 21 wherein the data storage device is a write-once, read-many (WORM) drive.
25. The apparatus of claim 21 wherein the data storage device is a CD-R drive.
26. The apparatus of claim 21 wherein the data storage device is a digital versatile disk (DVD) drive.
27. The apparatus of claim 21 wherein the data storage device is a removable structure, and wherein the computer-readable medium includes, secured to the structure, programmable read only memory (PROM) or electronically programmable read only memory (EPROM).
28. The apparatus of claim 21 wherein the data processing device performs a hash or error detection operation on at least one set of the plurality of electronic ballots stored by the data storage device, and wherein the data storage device stores a result of the operation on the computer-readable data storage medium.
29. The apparatus of claim 21 wherein the data processing device adds a late flag to at least one set of the plurality of electronic ballots stored by the data storage device, wherein the late flag indicates that the set of electronic ballots were received outside of a predetermined time period.
30. A computer-readable medium for storing a computer readable data structure, comprising: a write-once, read-many computer readable medium having written thereto a plurality of encrypted electronic ballots from a plurality of voters, wherein each encrypted electronic ballot represents at least one vote from one of the plurality of voters, wherein a data processing device may read the plurality of encrypted electronic ballots from the write-once, read-many computer-readable medium, but not alter or delete any of the encrypted electronic ballots.
31. The apparatus of claim 30 wherein the data processing device is an authority computer, and wherein the permanent data storage device stores digitally signed receipts indicating receipt of received electronic ballots.
32. The computer-readable medium of claim 30 wherein the write-once, read-many computer readable medium is a write-once, read-many (WORM) optical disk.
33. The apparatus of claim 30, further comprising a distributed file system communicating with the permanent data storage device, which receives the electronic ballots from the data processing device.
34. The computer-readable medium of claim 30 wherein the write-once, read-many computer readable medium is a CD-R disk.
35. The computer-readable medium of claim 30 wherein the write-once, read-many computer readable medium is a digital versatile disk (DVD) disk.
36. The computer-readable medium of claim 30 wherein the write-once, read-many computer readable medium is a removable structure having secured thereto programmable read only memory (PROM) or electronically programmable read only memory (EPROM).
37. An electronic voting method, comprising: receiving a plurality of electronic ballots from a plurality of voters from a network; performing at least one operation relative to the plurality of electronic ballots; and writing each of the plurality of received electronic ballots to a computer-readable medium in an unalterable fashion.
38. The method of claim 37 wherein receiving a plurality of electronic ballots includes receiving encrypted electronic ballots representing votes from a plurality of voters, and wherein the method further comprises: distributing, over the network, a plurality of initial electronic ballots to the plurality of voters; receiving at least one cryptographic key from at least one authority for decrypting at least a portion of the plurality of electronic ballots; decrypting at least a tally of the electronic ballots based on the received key or keys; and providing the computer-readable medium to a third party verifier after decrypting.
39. The method of claim 37 wherein receiving a plurality of electronic ballots includes receiving the electronic ballots over the World Wide Web, and wherein the method further comprises: providing a ballot box web page for receiving the electronic ballots.
40. The method of claim 37 wherein receiving a plurality of electronic ballots includes receiving over the network at least some of the plurality of electronic ballots from at least one palm-sized computer, cell phone, wearable computer, interactive television terminal or Internet appliance.
41. The method of claim 37, further comprising: performing a hash or error detection operation on at least one set of the electronic ballots; and storing a result of the operation on the computer-readable medium.
42. The method of claim 37, further comprising performing an authentication or verification operation on the plurality of received electronic ballots.
43. The method of claim 37, further comprising: adding a late flag to at least one set of the plurality of electronic ballots, wherein the late flag indicates that the set of electronic ballots were received outside of a predetermined time period; and writing the set of electronic ballots to the computer-readable medium with associated flags.
44. The method of claim 37 wherein the instructions are performed in the order of receiving a plurality of electronic ballots, performing at least one cryptographic operation, and writing each of the plurality of received electronic ballots.
45. A computer-readable medium storing instructions for instructing a computer coupled to a network, the instructions comprising: receiving a plurality of electronic ballots from a plurality of voters from the network; and writing each of the plurality of received electronic ballots to a computer-readable medium in an unalterable fashion.
PCT/US2000/007986 1999-03-25 2000-03-24 Electronic voting scheme employing permanent ballot storage WO2001022200A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU39226/00A AU3922600A (en) 1999-03-25 2000-03-24 Electronic voting scheme employing permanent ballot storage

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US12608099P 1999-03-25 1999-03-25
US60/126,080 1999-03-25
US14962199P 1999-08-16 1999-08-16
US60/149,621 1999-08-16

Publications (2)

Publication Number Publication Date
WO2001022200A2 true WO2001022200A2 (en) 2001-03-29
WO2001022200A9 WO2001022200A9 (en) 2002-08-08

Family

ID=26824267

Family Applications (2)

Application Number Title Priority Date Filing Date
PCT/US2000/007986 WO2001022200A2 (en) 1999-03-25 2000-03-24 Electronic voting scheme employing permanent ballot storage
PCT/US2000/007737 WO2001020562A2 (en) 1999-03-25 2000-03-24 Multiway election method and apparatus

Family Applications After (1)

Application Number Title Priority Date Filing Date
PCT/US2000/007737 WO2001020562A2 (en) 1999-03-25 2000-03-24 Multiway election method and apparatus

Country Status (2)

Country Link
AU (2) AU3922600A (en)
WO (2) WO2001022200A2 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002056230A3 (en) * 2000-11-22 2003-05-01 Votehere, Inc. Electronic voting system
US6950948B2 (en) 2000-03-24 2005-09-27 Votehere, Inc. Verifiable, secret shuffles of encrypted data, such as elgamal encrypted data for secure multi-authority elections
US7099471B2 (en) 2000-03-24 2006-08-29 Dategrity Corporation Detecting compromised ballots
US7360094B2 (en) 2001-03-24 2008-04-15 Demoxi, Inc. Verifiable secret shuffles and their application to electronic voting
US7389250B2 (en) 2000-03-24 2008-06-17 Demoxi, Inc. Coercion-free voting scheme
US8554607B2 (en) * 2001-03-13 2013-10-08 Science Applications International Corporation Method and system for securing network-based electronic voting
US20140012635A1 (en) * 2012-07-09 2014-01-09 Everyone Counts, Inc. Auditing election results
US10186102B2 (en) 2011-03-28 2019-01-22 Everyone Counts, Inc. Systems and methods for remaking ballots
US11087578B2 (en) 2018-11-15 2021-08-10 Daniel Bernard Ruskin Voting booth, system, and methods of making and using same

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI20010761A (en) * 2001-04-11 2002-10-12 Suomen Posti Oyj Method, system and device for voting
JP4774650B2 (en) 2001-08-07 2011-09-14 日本電気株式会社 Zero-knowledge proof system and method showing discrete logarithmic match or mismatch
AU2002338954A1 (en) * 2001-12-12 2003-06-23 Scytl On Line World Security, Sa Secure electronic voting method and the cryptographic protocols and computer programs used
US20070116283A1 (en) * 2003-11-03 2007-05-24 Koninklijke Philips Electronics N.V. Method and device for efficient multiparty multiplication
WO2014177581A1 (en) 2013-04-30 2014-11-06 Thomson Licensing Threshold encryption using homomorphic signatures
US10445966B1 (en) 2018-07-27 2019-10-15 Hart Intercivic, Inc. Optical character recognition of voter selections for cast vote records
US11956350B2 (en) 2021-03-31 2024-04-09 Seagate Technology Llc Yes and no secret sharing with hidden access structures

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5495532A (en) 1994-08-19 1996-02-27 Nec Research Institute, Inc. Secure electronic voting using partially compatible homomorphisms
US5682430A (en) 1995-01-23 1997-10-28 Nec Research Institute, Inc. Secure anonymous message transfer and voting scheme

Also Published As

Publication number Publication date
AU3770200A (en) 2001-04-17
AU3922600A (en) 2001-04-24
WO2001020562A2 (en) 2001-03-22
WO2001022200A9 (en) 2002-08-08
WO2001020562A3 (en) 2001-10-18

Similar Documents

Publication Publication Date Title
US7565540B2 (en) Fully electronic identity authentication
US6973581B2 (en) Packet-based internet voting transactions with biometric authentication
US7418401B2 (en) Secure internet transactions on unsecured computers
Cranor et al. Sensus: A security-conscious electronic polling system for the internet
US11100743B1 (en) Blockchain-based election system
US7640181B2 (en) Distributed network voting system
US20060095376A1 (en) Virtual meetings
Cranor et al. Design and implementation of a practical security-conscious electronic polling system
US20050132201A1 (en) Server-based digital signature
US20020133396A1 (en) Method and system for securing network-based electronic voting
WO2001022200A2 (en) Electronic voting scheme employing permanent ballot storage
Helbach et al. Secure internet voting with code sheets
Pereira Individual verifiability and revoting in the Estonian internet voting system
Gaweł et al. Apollo–end-to-end verifiable internet voting with recovery from vote manipulation
CN113014394B (en) Electronic data certification method and system based on alliance chain
Al-Rawy et al. A design for blockchain-based digital voting system
KR100453616B1 (en) Method, article and apparatus for registering registrants, such as voter registrants
Hastings et al. Security considerations for remote electronic UOCAVA voting
WO2004092965A1 (en) Self-enrollment and authentication method
Pan et al. Enhanced name and vote separated E‐voting system: an E‐voting system that ensures voter confidentiality and candidate privacy
Stenbro A survey of modern electronic voting technologies
Nestås Building trust in remote internet voting
US11967186B1 (en) Blockchain-based election system
WO2022125041A1 (en) Electronic election and voting method and system with privacy protection and biometric authentication
Prosser et al. Implementing an Internet-Based Voting System for Public Elections: Project Experience

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

AK Designated states

Kind code of ref document: C2

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: C2

Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

COP Corrected version of pamphlet

Free format text: PAGES 1-18, DESCRIPTION, REPLACED BY NEW PAGES 1-19; PAGES 19-23, CLAIMS, REPLACED BY NEW PAGES 20-29; PAGES 1/4-4/4, DRAWINGS, REPLACED BY NEW PAGES 1/4-4/4; DUE TO LATE TRANSMITTAL BY THE RECEIVING OFFICE

122 Ep: pct app. not ent. europ. phase
NENP Non-entry into the national phase in:

Ref country code: JP