WO2012033535A2 - Remote voting with integrity and resistance to improper influence - Google Patents


Info

Publication number: WO2012033535A2
Authority: WO (WIPO (PCT))
Application number: PCT/US2011/001563
Prior art keywords: voter, card, vote, voters, mailed
Other languages: French (fr)
Other versions: WO2012033535A3 (en)
Inventor: Filip Zagorski
Original Assignee: Chaum, David
Application filed by Chaum, David; published as WO2012033535A2 and WO2012033535A3.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
    • G06Q50/01 Social networking
    • G06Q50/10 Services
    • G06Q50/18 Legal services; Handling legal documents

Definitions

  • By solving improper influence for practical remote voting, we in effect "raise the bar" back up, if it were ever lowered, since our techniques can be used to cast votes by mail as well as online.
  • the final issue (d), the once much discussed "digital divide," may already be a red herring.
  • the trend is away from such a divide, as mobile phones become more capable computers and as retail and public Internet access becomes generally available.
  • the trend is toward requiring online transactions, such as already for some visas as well as a growing array of other governmental and private-sector services.
  • polling-place elections will be offered in parallel with online voting for some time to come, putting the second and third issues (c) and (d) in effect on hold.
  • An abrupt transition to online-only elections could result in sudden changes in voter demographics, which may be the dominant political issue facing Internet voting; but such concern is moderated by dual systems.
  • the techniques presented here integrate to dual systems well, such as by indistinguishably combining the number of votes cast in the two systems and by polling places providing in-person registration services for remote voters.
  • Voters cast ballots, in the same way for all versions of the system, simply by using a web browser or the like to post the votes online.
  • a first number known to the voter (called in the sequel a recordID) is also entered by the voter and associated with the posted vote.
  • After entering the vote and number, the voter should use a different computer to check that they have been posted correctly. If they are, the voter enters a second number (called lockIn in the sequel), which completes the voting transaction. Voters could also check that this second number is published properly (though there are other means to ensure this, as will be described later). All votes, and only those votes, with a published second number can be verified by voters as counted.
  • the voter may already have an alternate first number and should simply try posting the vote again using that number. If the voter runs out of alternates, such as because of malware, a special step (shown in gray) allows the voter to authenticate themselves and obtain more alternates.
  • Numbers are provided to voters on "cards," pre-printed paper forms. The numbers are protected under scratch-off, which is to be removed as needed by voters.
  • An election can simply use only mailed cards or only virtual cards. It may even use both types, such as allowing each voter a choice of type of card. Voters may, for instance, be able to obtain a virtual card up until a deadline after which mailed cards are to be sent to the remaining eligible voters.
  • Voters can be protected against improper influence by what will here be called "fake" cards, that is, cards containing numbers for votes that will not be counted. Such fake numbers may simply be sold by voters or, for instance, used to cast ballots in front of someone trying to coerce the voter to vote a certain way. What makes fake cards effective is that there is no way for a vote buyer or coercer to tell fake from valid.
  • the voter will of course know when they are using numbers from a ballot that should be fake, because they took steps to obtain the fake card. But protections are needed to ensure that voters are not unsuspectingly supplied fake cards. Voters are allowed to check whether cards are fake in the privacy of a booth at an official location. Voters obtain evidence of malfeasance if what should be a valid card turns out to be fake as a part of such checking.
  • a voter has a higher level of privacy: the mailed-card printing process is designed in a way that the EA does not know which card a given voter gets (use of scratch-off).
  • a voter may take a video of the ballot casting process, which can also be done in the case of postal voting.
  • This solution is also more convenient for the EA since it collects ballots electronically; there is no need for manual vote counting.
  • a voter gets a paper card by mail with recordID and lockIn printed under scratch-off. A card is printed on both sides. Voting is performed in three steps:
  • a voter, in order to cast a vote, needs to appear in person at the polling place and get a digital card containing recordID and lockIn by an oblivious transfer (OT) procedure.
  • OT: oblivious transfer
  • Dummy cards: There are also virtual dummy cards. These are cards that contain numbers which will be accepted by the system, but votes cast with those numbers will not be counted. Dummy cards can be obtained by voters; these cards are indistinguishable from the authentic (countable) ones by anyone but the EA. Voters can get them both online and at the polling place (they can be preprinted or obtained from kiosks).
  • Integrity: The OT process is designed in a way that the EA does not know which of the two possible values a voter gets. Thanks to this fact, the EA cannot cast a ballot for the voter: there is a 50% chance that the EA is going to be caught (if it does not follow the protocol).
  • Ballot secrecy: A voter takes the OT forms from a hopper.
  • the forms are printed in a way that does not allow for distinguishing between them (i.e. there are no serial numbers printed on them). As a result of this, the EA does not know which card a voter gets.
  • Scenario: The system uses two kinds of cards: mailed and digital. Mailed cards can be countable or dummy. All digital cards issued at the polling place are countable (and there are also digital dummy cards as well). Each voter gets only one countable card (either mailed or digital).
  • Integrity: The EA is required to publish the number of issued countable mailed cards and the number of dummy mailed cards (equal to the number of issued digital cards). Those two numbers should sum up to the number of registered voters. One needs to verify the number of printed countable and dummy mailed cards and to supervise the printing and mailing process.
  • the digital-cards subsystem remains unchanged while the mailed-cards part is modified by introducing dummy cards.
  • a countability check procedure is introduced. A voter may visit a polling station and verify the countability of her mailed card. If a card turns out to be a dummy, the EA needs to provide the voter's signed request certifying that she has already ordered a dummy mailed card (in order to get a digital one).
  • Ballot secrecy: The EA does not know which card a voter gets.
  • The vote casting process depends on the type of card that a voter wants to cast. Both cases were described above.
  • the procedure of issuance is exactly the same as in the pure digital scenario, but as a part of that procedure a voter needs to sign a request for a dummy mailed card.
  • a voter who owns a mailed card gets two slips of paper printed with numbers.
  • a voter checks whether those numbers sum up (digit by digit) to the lockIn the voter examines, and checks whether the sum of the extra digits is even (the extra digits have the same parity).
  • a voter can take home only one of these slips; the value from the chosen slip is later published by the EA, with the key to the commitment to that value.
  • The election is divided into three periods. The pre-election period starts with the system setup:
  • Visits: A voter is allowed to visit a polling station before, during or after a given election.
  • a voter can visit a polling station between elections to check the countability of any mailed ballot (any card with a name),
  • The EA generates tables: Ballots, LockIns, ReMap, Switchboard, Results, ExtraBallots, which are kept private, but the EA publishes commitments to the values in those tables. The EA also generates private tables that help it later find connections between data stored in the tables. The correspondence between data in the tables is shown in Figure 7. Each row of these tables corresponds to some ballot. Data for a given ballot can be located in different rows of the different tables.
  • The LockIns table is divided into two subtables: one that corresponds to mailed ballots and a second corresponding to digital ballots. Ballots are paired; we call them linked-ballots.
  • Linked ballots are printed back-to-back on the same sheet of paper on a mailed card and sent to a voter, or they are printed two-up and used for the digital ballot issuance protocol.
  • LockIns-table: In fact there are two sub-tables in the LockIn table: the Digital sub-table for the digital ballots, which has lockInA and lockInB columns, and the Mailed sub-table for the mailed ballots.
  • Each row of the LockIn's-table corresponds to one of the rows of the Ballots-table.
  • lockInB values called summands are chosen independently at random: sA1, sA2.
  • This table binds recordIDs with the lockIns.
  • ReMap can be treated as a random permutation.
  • Results-table: A row of the Results-table contains a countable bit. It is set to 1 if the corresponding ballot will be counted (the ballot is countable), and is equal to 0 if not (the ballot is dummy).
  • Results-pointer: a pointer to a row of the Results-table.
  • Each card is printed back-to-back (on both sides): on a heads-side and on a tails-side.
  • Each side of a card contains some data from a single row of the Ballots-table and from a (possibly) different row of the LockIn's-table.
  • The lockIn equal to LockInX(ReMap⁻¹(i)) (X ∈ {A, B}) from the corresponding row of the LockIn's table is printed under the scratch-off (LockInX(ReMap⁻¹(j)) is printed on the back side).
  • The voter's name is printed in clear text. Ballots mailing: Every voter obtains a card (dummy or countable).
  • Each form is printed on both sides.
  • LockInA (LockInA(ReMap⁻¹(i))) from the corresponding row of the LockIn's table is printed under the scratch-off.
  • LockInB (LockInB(ReMap⁻¹(i))) from the corresponding row of the LockIn's table is printed under the scratch-off.
  • the procedure for obtaining a digital card is performed at the polling stations (it is presented in Figure 6).
  • The EA checks the voter's identity against the roster. If a voter is already registered
  • The voter picks one of the halves of a verification card (we call it a "partial").
  • a voter has a recordID and a lockIn that she can use to cast a vote.
  • the EA does not know which of the two possible lockIns the voter has learnt, so the EA cannot cast additional votes (a voter can catch the EA with 50% chance by providing the value of the second lockIn).
  • a voter can get extra recordIDs (see Section 5.6); she just needs to provide a prefix of her lockIn. Prefixes of the lockIns for the same card are the same, so obtaining extra recordIDs does not reveal to the EA which lockIn a voter has.
  • a voter gets a partial, with a suffix of a recordID and suffixes of lockIns; she can use it to verify whether forms were printed correctly, since all data corresponding to unused digital cards are opened at the end of the election.
  • a voter may check whether a mailed card or a partial is countable or dummy. A voter can do it at any time: before (recordID is posted), during (recordID is posted but lockIn is not) or after (both recordID and lockIn are posted) vote casting. For the purpose of this procedure the EA prints forms on demand; the forms are presented in Figure 10.
  • The voter presents a mailed card in person, revealing the lockIn (i.e. corresponding to the 2nd row of the LockIn-table).
  • The voter checks the two parts of the form in a booth:
  • the part of the unscratched lockIn is a proof of malfeasance (for a mailed card) and (with probability ⁇ for a digital card).
  • The voter is allowed to perform further extensions of recordIDs.
  • To authenticate this step she is obliged to provide the "getMore" number that is printed under scratch-off on the extension form and is connected with a serial number of the given form (not shown in the figures).
  • Write-ins: The system allows for write-ins.
  • the values entered by a voter are published next to the submitted recordID in the Ballots table.
  • To avoid attacks on privacy, write-in votes cannot be directly copied into the Switchboard and Results tables because they can be unique, so when copied into the Results table they would reveal the countability of a given recordID.
  • write-in values are transformed into a form which does not allow distinguishing them, e.g., "Marion Johns 3213" → "Marion Johns".
  • Print audit: commitments corresponding to every unused lockIn are opened: values from the ReMap, Ballots, Switchboard and Results tables.
  • Ballots can be prepared in such a way that a recordID is printed on the scratch-off layer which covers the lockIn. This means the recordID is destroyed when a voter wants to learn the value of a lockIn (see Figure 12).
  • Cards can be prepared slightly differently. Instead of one recordID per lockIn, one can generate and print many recordIDs for a given lockIn; this approach is similar to the one described in Section 5.6 but saves voter effort. In this case voters do not need to visit a polling place when their vote turns out not to be posted correctly.
  • Mailed cards can be printed in a way that simulates the digital card issuance process. After printing (recordID and both lockIns) and tumbling, a random part containing one of the two lockIns is cut and shredded.
  • the system divides vote casting into distinct steps. Moreover, for casting digital cards no further voter authentication is required. This allows various methods of collecting votes to be used, including those which use a P2P network. Such an approach may lead to improved immunity against DoS attacks.
  • a voter can be provided with a card for a given election which would hide her choice; one can use, e.g., SureVote.
  • the other way to increase a voter's privacy is to use encryption of votes.
  • a voter uses a voting application which encrypts her choice with the public key of the system (a threshold encryption scheme can be used). At the end of the election the private key is published and so the ballots become public.
  • a voter can check whether the encryption of a vote made by the voting application is correct by using a different computer.
  • The first party prints recordIDs and lockIns and covers them with scratch-off. It also prints a barcode (also under scratch-off) on each of the cards; this binds the printed numbers with that barcode (this link is kept secret). After the printing by the first party, the cards are tumbled.
  • The second party picks each card and prints the name and address of a voter on it. It also prints a barcode that links the value of that code with the voter's name and address. Then the part containing both barcodes is cut off from the card and stored by the second party.
  • Remotegrity: a family of highly customizable Internet voting systems that are designed for national elections. Any member of the Remotegrity family offers unconditional integrity. Remotegrity in the "mixed" configuration (both mailed and digital cards) also assures immunity against improper influence.
  • Voters can easily avoid that threat by using different computers for each stage of voting. They can also use software assuring anonymous communication, like Tor.
  • A partial is a half of an unchosen form that a voter gets as a result of the digital-ballot issuance procedure. This allows the poll worker to learn neither which card the voter chose nor which side of a card the voter has learnt.
  • Vote casting is as follows:
  • Table 2: Election tables after Alice's vote. (Section 8.3: Bob - digital card and dummy mailed card)
  • Digital card: Bob gets a digital card during an in-person visit (and orders a dummy card to be mailed to him). He learns: the recordID, lockInB for that card, and a suffix of another recordID and lockIn:
  • Dummy card: Bob obtains a dummy card by mail with the following values under the scratch-off:
  • Table 3: Election tables after Alice's and Bob's votes. (Section 8.4: Oskar - countable mailed card and extra recordIDs)
  • Oskar asks for a countability check for his card(s).
  • Oskar performs a countability check for his mailed card.
  • The EA checks the name and address printed on the card against the photo ID given by the voter.
  • Bob reveals a prefix of a lockIn to a poll worker: 77.
  • The poll worker prints a proof.
  • Bob goes into a booth and checks: whether the digit-by-digit sum of the summands equals the lockIn, and
  • Oskar casts from a different computer: (3139, Julia) (correctly posted).
  • Table 4: Election tables after Alice's, Bob's and Oskar's votes. (Section 8.5: Tally)
  • Table 5: The EA opens commitments to the linked ballots and to the verified summands.
  • The EA publishes the results. Votes that are being counted (those which were locked in) are copied to the corresponding rows of the Switchboard table and then to the Results table.


Abstract

A remote voting system includes physical forms mailed or otherwise provided to voters. The forms contain codes hidden under scratch-off that voters use in voting online. First a voter provides votes online, such as cleartext or coded, using codes as one-time-passwords. Then a voter checks using a separate online device that the vote was properly posted and provides a second code that the voter may choose unpredictably from among plural options. Protocols for visits by voters to protected locations include aspects such as allowing voters to request false ballots be sent them while valid ballots are provided during the visit, recovery from forms that were at least claimed not delivered, and malware that may exhaust the codes supplied to a voter.

Description

REMOTE VOTING WITH INTEGRITY AND RESISTANCE TO IMPROPER INFLUENCE
BACKGROUND OF THE INVENTION
1. Field of the Invention
The invention is in the general field of voting systems, and more specifically where votes are cast remotely without the protections of a polling place or other controlled location.
2. Description of Prior Art
The present application claims priority from a United States Provisional Application, by the present applicants, titled "Remote voting systems and configurations," USPTO 61/381972, filed September 11, 2010.
What is referred to generally here as "remote voting," includes so-called vote by mail, online voting, vote by phone and various combinations of channels for communication of information and/or documents and/or active devices including between voters and those running an election, where the voter is not in a polling place booth during voting. Integrity of the outcome, that votes cast are included correctly in the final tally, is preferably ensured substantially in a way transparent to voters. Also, preferably so-called "improper influence," including vote buying and coercion, is at least substantially inhibited. In some settings, voters are able to visit a physical location, such as a polling place or election office, in order to "register" so that they can participate later in one or more elections; in other settings, such "in person" registration is not desired and a way to register online using suitable authentication is preferred.
Some proposed remote voting systems are substantially impractical because they require interaction in a voting booth with the voter's computer and some also require large amounts of computation and/or the breaking of elections into small parts. Practical and secure systems for achieving integrity and resistance to improper influence in remote voting are believed absent and desired and are accordingly included among the objects of the present invention. Other objects, features and advantages will be understood when this specification and the appended drawing figures are taken into consideration.
BRIEF DESCRIPTION OF THE DRAWING FIGURES
Figure 1 shows a first flowchart in accordance with teachings of the present invention.
Figure 2 shows a second flowchart in accordance with teachings of the present invention.
Figure 3 shows a third flowchart in accordance with teachings of the present invention.
Figure 4 shows a plan view of series of interactions including a form view and a screen view in accordance with teachings of the present invention.
Figure 5 shows a first plan view of forms in accordance with teachings of the present invention.
Figure 6 shows a second plan view of forms in accordance with teachings of the present invention.
Figure 7 shows a first combination cryptographic protocol schematic and structure in accordance with teachings of the present invention.
Figure 8 shows a second combination cryptographic protocol schematic and structure in accordance with teachings of the present invention.
Figure 9 shows a combination form and process in accordance with teachings of the present invention.
Figure 10 shows a third plan view of forms in accordance with teachings of the present invention.
Figure 11 shows a third combination cryptographic protocol schematic and structure in accordance with teachings of the present invention.
BRIEF SUMMARY OF THE INVENTION
This section introduces some of the inventive concepts in a way that will readily be appreciated, but that may make significant simplifications and omissions for clarity and should accordingly not be taken to limit their scope in any way; the next sections introduce and provide more detailed descriptions.
Physical forms are mailed or otherwise provided to voters to allow them to participate in elections. The forms contain codes hidden under scratch-off, or otherwise with code secrecy protected in a tamper-evident manner, and voters access the protected information by removing the scratch-off structure or the like, leaving evidence of this access, in obtaining those codes they use in voting online. Voters first provide their votes online, such as cleartext or coded, for instance using one of the protected codes as a kind of one-time password, which is believed to inhibit spamming of the posting process. Then a voter preferably checks using a separate online device that the vote was properly posted and provides a second protected code, called a "lock-in," that voters may choose unpredictably from among plural options. The unpredictability of this choice of code by voters to those running the election is believed to impede "ballot box stuffing." The optional use of a second online device is also believed to increase resistance to malware.
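The two-step casting flow just described (post the vote with a recordID, re-check it from a second device, then supply the lockIn), together with the dummy-card and 50%-detection points in the Definitions excerpts above, as an added Python model; this is not code from the patent, and the hash commitment, card field names, number lengths and the names Alice, Bob, Julia and Marion are assumptions made for the illustration:

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed toy model of the recordID / lockIn casting flow. Names, number
# lengths and the hash commitment are assumptions, not the patent's own design.
DIGITS = "0123456789"


def rand_digits(n: int) -> str:
    return "".join(secrets.choice(DIGITS) for _ in range(n))


def commit(value: str, key: bytes) -> str:
    """Hash commitment H(key || value); the EA publishes it and keeps (value, key)."""
    return hashlib.sha256(key + value.encode()).hexdigest()


@dataclass
class Card:
    record_id: str
    lock_in_a: str
    lock_in_b: str
    countable: bool   # private to the EA; a "fake"/dummy card has False


class ElectionAuthority:
    def __init__(self) -> None:
        self.cards = {}        # recordID -> Card (private table)
        self.keys = {}         # recordID -> (keyA, keyB) (private)
        self.commitments = {}  # recordID -> (commitA, commitB), published up front
        self.board = {}        # public bulletin board: recordID -> {"vote", "lockIn"}

    def issue_card(self, countable: bool) -> Card:
        card = Card(rand_digits(6), rand_digits(8), rand_digits(8), countable)
        ka, kb = secrets.token_bytes(16), secrets.token_bytes(16)
        self.cards[card.record_id], self.keys[card.record_id] = card, (ka, kb)
        self.commitments[card.record_id] = (commit(card.lock_in_a, ka),
                                            commit(card.lock_in_b, kb))
        return card

    def post_vote(self, record_id: str, vote: str) -> bool:
        """Step 1: the recordID acts as a one-time password against board spamming."""
        if record_id not in self.cards or record_id in self.board:
            return False
        self.board[record_id] = {"vote": vote, "lockIn": None}
        return True

    def posted_vote(self, record_id: str):
        """Step 2: the voter re-reads the board from a different computer."""
        entry = self.board.get(record_id)
        return entry["vote"] if entry else None

    def lock_in(self, record_id: str, lock_in: str) -> bool:
        """Step 3: either lockIn completes the transaction; the EA cannot tell
        which of the two the voter actually holds."""
        card, entry = self.cards.get(record_id), self.board.get(record_id)
        if card is None or entry is None or entry["lockIn"] is not None:
            return False
        if lock_in not in (card.lock_in_a, card.lock_in_b):
            return False
        entry["lockIn"] = lock_in
        return True

    def open_lock_ins(self, record_id: str):
        """After the election the EA opens both lockIn commitments of a card."""
        card, (ka, kb) = self.cards[record_id], self.keys[record_id]
        return ((card.lock_in_a, ka), (card.lock_in_b, kb))

    def tally(self) -> dict:
        """Only locked-in ballots whose private countable bit is set are counted."""
        result = {}
        for rid, entry in self.board.items():
            if entry["lockIn"] is not None and self.cards[rid].countable:
                result[entry["vote"]] = result.get(entry["vote"], 0) + 1
        return result


def proves_stuffing(commitments, openings, published_lock_in, voter_lock_in) -> bool:
    """Public check: both openings match the published commitments, the voter's
    lockIn is one of them, yet the board shows the other one. An EA stuffing a
    ballot had to guess A or B, so this catches it with probability 1/2."""
    opened = [v for (v, k), c in zip(openings, commitments) if commit(v, k) == c]
    return (len(opened) == 2 and voter_lock_in in opened
            and published_lock_in is not None and published_lock_in != voter_lock_in)


def run_demo() -> dict:
    ea = ElectionAuthority()
    alice, fake, bob = ea.issue_card(True), ea.issue_card(False), ea.issue_card(True)
    # Alice: honest two-step cast with the lockIn she learnt (lockInB).
    assert ea.post_vote(alice.record_id, "Julia")
    assert ea.posted_vote(alice.record_id) == "Julia"
    assert ea.lock_in(alice.record_id, alice.lock_in_b)
    # Fake card cast in front of a coercer: accepted on the board, never counted.
    assert ea.post_vote(fake.record_id, "Marion") and ea.lock_in(fake.record_id, fake.lock_in_a)
    # Bob never voted; the EA stuffs his ballot guessing lockInA while Bob holds lockInB.
    assert ea.post_vote(bob.record_id, "Marion") and ea.lock_in(bob.record_id, bob.lock_in_a)
    caught = proves_stuffing(ea.commitments[bob.record_id], ea.open_lock_ins(bob.record_id),
                             ea.board[bob.record_id]["lockIn"], bob.lock_in_b)
    replay = ea.post_vote(alice.record_id, "Marion")   # stale recordID: refused
    return {"tally": ea.tally(), "caught": caught, "replay_accepted": replay}
```

The real scheme publishes commitments to whole tables and links rows through the ReMap permutation; the model keeps one pair of lockIn commitments per card so the detection argument stays visible.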
There are various cases where voters may visit an official location, such as a polling place or election office or what may here also more generally be called a "controlled location," and identify themselves as part of a process conducted between the voter and election workers or the like.
As one example of such visits, before the material is sent to voters, in order to prevent improper influence of voters, voters may appear at an official location in person. In such cases voters may attest to an agreement to have the material that will be sent them secretly rendered uncountable. Voters may during such a pre-election visit also be given information allowing them to vote and be provided with verification that the vote they will cast using the information they are provided will be counted. This verification provided voters, like that to be described later, is believed preferably such that it cannot readily be used to convince other persons.
During an election, voters may also visit an official location and attest that they are unable to vote because they did not receive the material that was to be sent them. Whatever vote may be cast with the material that was to be sent will be rendered uncountable. Also, new voting material may be supplied the voter allowing the voters to cast a vote.
During an election, voters may also visit an official location and attest that malware or the like has caused them to use up the scratch-off protected codes, and request more such codes. During such a visit, voters show some ballot identifier and this may be verified as relating to that voter, such as by a form that has a voter identifier printed on it, and they receive extension scratch-off codes.
In either of the just described example cases in which voters visit an official location during an election, a voter may be allowed to participate in a protocol during the visit that provides the voter with verification that the vote the voter has been allowed to cast has the same "countability" (here meaning that it will be counted in the tally of the election or not counted in the tally of the election) as that of the voting material that is the subject of the visit. As an example result, voters obtaining extra scratch-offs also provide some degree of verification that the material sent voters is related to countable ballots. Moreover, all the above-mentioned protocols conducted during voter visits may include the novel feature that the verification provided is not readily transferred by the voter to other persons, thereby preventing the protocols from being used to facilitate improper influence schemes.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
Detailed descriptions are presented here sufficient to allow those of skill in the art to use the exemplary preferred embodiments of the inventive concepts. Although apparently limiting statements may be included for clarity in exposition, this should not be taken to limit the scope of the invention.
1 Introduction
Internet voting is said to be inevitable. This belief, its self-fulfilling nature, and the escalating series of trials and elections already conducted over the web, suggest that it's at least worth considering the implications of online voting.
Internet voting is generally recognized as holding potential to improve voter access and participation. Often unstated is the additional hope that by lowering the overhead of elections it can increase the "directness" of our democracies, such as along the lines of the Swiss electoral system.
Much concern has, however, also been raised about potential dangers of Internet voting, for known systems and even for all possible systems. The main issues generally repeated in reports and academic presentations of this ilk appear to revolve around: (a) integrity, (b) improper influence, (c) denial of service, and (d) digital divide.
The present work obviates the first of these issues, as the level of integrity achieved here is far higher than that of current vote-by-mail and all but the best polling-place elections. In fact, we achieve a level comparable to so called "end-to-end" cryptographic voting systems, which are now starting to be used in public sector elections. (Integrity should not be confused with the strictly weaker and obsolete property, sometimes promulgated under the rubric of "security," which is predicated on a model where those conducting an election are in a position to tamper with integrity and attention is directed to measures for protecting against tampering by outsiders.)
The second issue (b), of improper influence, is amplified in online elections because online vote buyers or coercers can be difficult to trace or penalize. The argument that vote by mail, increasingly being allowed for general use, has "lowered the bar" by establishing the acceptability of improper influence attacks on elections flies in the face of over a hundred years of deliberate precedent in all the world's democracies. By solving improper influence for practical remote voting, we in effect "raise the bar" back up, if it were ever lowered, since our techniques can be used to cast votes by mail as well as online.
We also offer a significant improvement with respect to the third issue (c), denial of service attacks. Of course voters cannot cast votes when there is no online communication. If, however, only servers run by those conducting an election become inoperable, such as by a real or staged attack, novel techniques proposed here allow the election to proceed. This improves on the survivability of current proposed online election techniques and arguably even compares favorably with polling place elections.
The final issue (d), the once much discussed "digital divide," may already be a red herring. For one thing, the trend is away from such a divide, as mobile phones become more capable computers and as retail and public Internet access becomes generally available. For another, the trend is toward requiring online transactions, such as already for some visas as well as a growing array of other governmental and private-sector services. It is likely that polling-place elections will be offered in parallel with online voting for some time to come, putting the second and third issues (c) and (d) in effect on hold. An abrupt transition to online-only elections could result in sudden changes in voter demographics, which may be the dominant political issue facing Internet voting; but such concern is moderated by dual systems. The techniques presented here integrate to dual systems well, such as by indistinguishably combining the number of votes cast in the two systems and by polling places providing in-person registration services for remote voters.
The present work changes what should be expected by expanding what is practical— helping strengthen the mechanics of democracy.
1.1 High-level description
Voters cast ballots, in the same way for all versions of the system, simply by using a web browser or the like to post the votes online. A first number known to the voter (called in the sequel a recordID ), is also entered by the voter and associated with the posted vote.
This vote-casting process is shown in the flowchart of Figure 1.
After entering the vote and number, the voter should use a different computer to check that they have been posted correctly. If they are, the voter enters a second number (called lockln in the sequel) , which completes the voting transaction. Voters could also check that this second number is published properly (though there are other means to ensure this as will be described later) . All votes, and only those votes, with a published second number can be verified by voters as counted.
In the case where the voter discovers that the first number and vote are not properly published, the voter may already have an alternate first number and should simply try posting the vote again using that number. If the voter runs out of alternates, such as because of malware, a special step (shown in gray) allows the voter to authenticate themselves and obtain more alternates.
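The two-phase cast just described (post the first number with the vote, re-check the posting from a different machine, then enter the second number) can be modelled with a toy bulletin board. This is an added example and not code from the patent; the `BulletinBoard` class, the hash commitment, the candidate names and the recordID/lockIn values passed to it are all constructed here for illustration.

```python
import hashlib
import secrets

# Added example, not code from the patent: a toy bulletin board (BB) modelling
# the two-phase cast of the high-level description. All recordID/lockIn
# values and the candidate names used with it are constructed here.


def commit(value: str, key: bytes) -> str:
    """Hash commitment to a digit string; publishing the key opens it."""
    return hashlib.sha256(key + value.encode()).hexdigest()


class BulletinBoard:
    """EA's side: private tables plus the public postings."""

    def __init__(self, lock_in_for: dict):
        # Private: the lockIn bound to each valid recordID (recordID -> lockIn).
        self._lock_in_for = dict(lock_in_for)
        self._keys = {r: secrets.token_bytes(16) for r in self._lock_in_for}
        # Public, published before the election: commitments to valid recordIDs.
        self.commitments = {commit(r, k) for r, k in self._keys.items()}
        self.posts = {}       # recordID -> posted vote (first number + vote)
        self.opened = {}      # recordID -> commitment key, opened on posting
        self.locked = set()   # recordIDs whose lockIn (second number) is published

    def cast(self, record_id: str, vote: str) -> bool:
        """Step 1: post (recordID, vote); EA opens the recordID commitment."""
        if record_id not in self._keys:
            return False
        self.posts[record_id] = vote
        self.opened[record_id] = self._keys[record_id]
        return True

    def verify_posting(self, record_id: str, expected_vote: str) -> bool:
        """Step 2, done by the voter from a different computer: is the pair
        (recordID, vote) on the board, and does it open a published commitment?"""
        if self.posts.get(record_id) != expected_vote:
            return False
        return commit(record_id, self.opened[record_id]) in self.commitments

    def lock_in(self, record_id: str, lock_in: str) -> bool:
        """Step 3: the second number completes the transaction."""
        if self._lock_in_for.get(record_id) != lock_in:
            return False
        self.locked.add(record_id)
        return True

    def countable_votes(self) -> dict:
        """Only votes with a published lockIn count."""
        return {r: v for r, v in self.posts.items() if r in self.locked}


def voter_session(board: BulletinBoard, card, vote: str,
                  malware_on_first_machine: bool = False):
    """Walk the flowchart for one voter.

    card: list of (recordID, lockIn) pairs in the order the voter scratches
    them off (front side first, then the alternate).  If the first machine is
    compromised it submits a different choice; the voter notices this in step
    2 and retries with the alternate recordID.  Returns the recordID that was
    locked in, or None if the voter ran out of alternates.
    """
    for n, (record_id, lock_in) in enumerate(card):
        submitted = "candidate-B" if (malware_on_first_machine and n == 0) else vote
        board.cast(record_id, submitted)
        if board.verify_posting(record_id, vote):   # checked from another computer
            board.lock_in(record_id, lock_in)
            return record_id
    return None
```

The design point the model makes visible: a vote posted by malware under the first recordID stays on the board, but because the voter never enters its lockIn it is excluded from `countable_votes()`, while the retry with the alternate recordID is the one that counts.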
Numbers are provided to voters on "cards," pre-printed paper forms. The numbers are protected under scratch-off, which is to be removed as needed by voters.
There are two ways for voters to get cards containing valid numbers that they can then use to cast their votes: (1) "mailed card" : through the mail, or (2) "virtual card" : in person. Each voter obtains at most one such card in these basic systems. See Figure 2.
When cards are physically mailed (or delivered), voters simply scratch off the protective coating over the numbers in order to reveal the numbers as needed to post their votes. In case a voter does not receive a card as expected, the voter can appear in person and authenticate themselves in order to obtain a replacement card.
When a voter gets a card in person (by providing some authentication) at an official location, the voter scratches off the protective coating and obtains the numbers at that time. For reasons detailed later, voters do not take the physical form from the official location— rather they record the numbers themselves, such as by writing them down, memorizing or dictating.
An election can simply use only mailed cards or only virtual cards. It may even use both types, such as allowing each voter a choice of type of card. Voters may, for instance, be able to obtain a virtual card up until a deadline after which mailed cards are to be sent to the remaining eligible voters.
Voters can be protected against improper influence by what will here be called "fake" cards, that is cards containing numbers for votes that will not be counted. Such fake numbers may simply be sold by voters or, for instance, used to cast ballots in front of someone trying to coerce the voter to vote a certain way. What makes fake cards effective is that there is no way for a vote buyer or coercer to tell fake from valid.
There are two ways fake cards are issued: (1) if the voter registers in person, then a fake card is mailed to the voter's address; (2) fake numbers are also freely available online, in case someone wishes to try to sell them to would-be online vote buyers. See Figure 3.
The voter will of course know when they are using numbers from a ballot that should be fake, because they took steps to obtain the fake card. But protections are needed to ensure that voters are not unsuspectingly supplied fake cards. Voters are allowed to check whether cards are fake in the privacy of a booth at an official location. Voters obtain evidence of malfeasance if what should be a valid card turns out to be fake as a part of such checking.
1.2 Comparison
[Figure: comparison table, not reproduced in the extracted text]
2 Mailed cards system
2.1 Description of mail system
Scenario All cards are sent by regular mail. Each card has the voter's name printed on it. This use-case can also include a scenario where cards can be obtained by voters at a polling place (then the name and address of the voter are written on the card).
Integrity A correctly posted vote is correctly tallied (with overwhelming probability - ex-).
1. a voter can check if her or his vote is to be counted:
• a voter can check if her vote is correctly recorded on a public bulletin board, (it cannot ''disappear" from a post-office like in mail-in voting) ,
• a vote cannot be changed after it is cast (publicly locked in).
2. a voter has a higher level of privacy - the mailed-card printing process is designed in a way that EA does not know which card a given voter gets (use of scratch-off).
Improper influence There are issues concerning improper influence - but the problems are very similar to ones known for most mail-in election schemes. Namely there are the following issues:
• a voter may show her card after the election - data on the card together with data published on the BB reveal her choice. That is why we suggest using the card-printing technique described in Section 6.1. Thanks to this technique, a voter cannot prove how she voted after ballot casting.
• a voter may take a video of the ballot casting process - which can also be done in the case of postal-voting.
• a voter may sell her card to a buyer, but the same problem exists with current postal voting (even if the voter's signature is needed on an envelope).
Aggregation EA posts the number of registered voters that receive mailed cards. The procedure of printing and mailing cards should be supervised.
Fairness In order to cast a ballot, a voter needs to authenticate to the third party - this assures that each voter can cast only one vote (we also show another solution that does not require a third-party authentication service - see Section 6.10).
For voters that claim they have not received their card, a new card can be issued at the polling place. But this happens only in the case when the given voter has not yet cast any ballot (this fact is established with the third party responsible for authentication). After manual issuance of a new card a voter cannot request another one.
Ballot secrecy The process of card printing and tumbling ensures that EA does not know who gets which card (see Figure 9). The privacy threats can only come from the fact that EA could see from which IP address a ballot is cast.
Usability Voters obtain cards like regular mail-in ballots. This is convenient for the voters since they do not need to appear in person at the polling place - just like in the case of traditional mail-in elections.
This solution is also more convenient for EA since it collects ballots in electronic way - there is no need of manual vote counting.
2.2 Voter Experience
2.2.1 Vote casting
In this section we describe only the basic voter experience during vote casting with a mailed ballot. The process of ballot casting is described in detail in Section 5.5. Figure 4 presents the vote casting process.
A voter gets a paper card by mail with recordID and lockin printed under scratch-off. A card is printed on both sides. Voting is performed in three steps:
1. Recording a vote [Figure 4 (1-4)] A voter visits the election website. She makes her choice, scratches off the layer that covers the recordID and enters this number.
2. Verification of recording [Figure 4 (5)] A voter visits the election website (i.e. from another computer) and checks if her vote is properly recorded (posted on a bulletin board). Only when the voter is satisfied with the posting does she go to the next step. If not, she goes back to Step 1 and uses the recordID from the back side. If she does not have any unused recordID then she orders extra recordIDs.
3. LockIn casting [Figure 4 (6-8)] A voter visits the election website (from another computer), authenticates to the third-party server and then scratches off and enters the lockIn.
2.2.2 Visit - extra recordIDs
When a voter discovers that her vote is not correctly posted she can use the value of recordID from the back side of the card. But if the vote is not posted correctly again, the voter visits the polling place and gets a card with additional recordIDs (see Figure 5) which allow for overwriting previously posted votes. A voter casts a ballot only when it is recorded correctly. In order to get additional recordIDs a voter needs to provide a prefix of her lockIn - the new recordIDs will be linked with the lockIn the voter has.
2.2.3 Visit - lost mail
If a voter does not get mail with a card she can obtain a new card. We assume that there is an authentication scheme used upon lockIn casting (e.g., a server operated by a third party).
3 Virtual cards system
3.1 Digital cards only setting
Scenario A voter, in order to cast a vote, needs to appear in person at the polling place and get a digital card containing recordID and lockIn by an oblivious transfer (OT) procedure. A voter learns, in the privacy of a booth, numbers which allow her to cast a vote, but the voter comes out of the booth with no proof of which numbers she has learnt.
There are also virtual dummy cards. These are cards that contain numbers which will be accepted by the system, but votes cast with those numbers will not be counted. Dummy cards can be obtained by voters - these cards are indistinguishable from the authentic (countable) ones by anyone but EA. Voters can get them both online and at the polling place (they can be preprinted or obtained from kiosks).
Integrity OT process is designed in a way that EA does not know which of the two possible values a voter gets. Thanks to this fact, EA cannot cast a ballot for the voter - there is 50% chance that EA is going to be caught (if it does not follow the protocol).
Improper influence The digital-card issuing makes a voter immune against all kinds of improper influence - there is no way (published commitments are unconditionally binding and computationally hiding) (without cooperation with EA) to distinguish between authentic numbers learned by a voter (numbers that are countable) and fake numbers that a voter learns (a dummy card). A voter has no evidence of the numbers she has learnt at the polling place. An adversary cannot tell if a given number is authentic or dummy. So any computationally bounded adversary (coercer, vote buyer) can be easily cheated by a voter by providing him a dummy card.
Fairness Each voter who obtained a digital card was already authenticated (in order to get the digital card a voter needs to provide a photo ID that is verified), so there is no need for third-party authentication like in the mailed-cards-only scenario. A voter can get, and so cast, only one card.
Ballot secrecy A voter takes the OT forms from a hopper. The forms are printed in a way that does not allow for distinguishing between them (i.e. there are no serial numbers printed on them). As a result of this, EA does not know which card a voter gets.
Usability This solution may seem to be inconvenient because a voter needs to appear in person at the polling place. But it is important to stress that a voter learns, during a visit, only values that allow her to cast a card during the next election - it is independent of the list of candidates (ballot style), so a voter may visit the polling place long before the start of an election.
3.2 Voter Experience
3.2.1 Vote casting
There is no physical proof of which numbers a voter has learnt in a booth. To achieve improper influence immunity, voters need to be able to obtain dummy values of recordIDs and lockIns that will be accepted by the system but not counted. For this purpose voters can download such values from a dedicated server.
3.2.2 Visit - extra recordIDs
The procedure of obtaining additional recordIDs is exactly the same as in the case of mailed cards.
3.2.3 Visit - lost numbers
In the case of virtual cards one cannot allow voters to obtain new values of recordID and lockIn. This is because the system does not require voter authentication upon lockIn casting, so voters could claim that they have lost/forgotten their numbers while casting many ballots.
4 Mixed system
Scenario The system uses two kinds of cards: mailed and digital. Mailed cards can be countable or dummy. All digital cards issued at the polling place are countable (and there are also digital dummy cards as well). Each voter gets only one countable card (either mailed or digital).
By default all voters obtain one mailed card. But those who have appeared before a certain moment obtain a digital countable card and a dummy mailed card is sent to them. All other voters are mailed a countable card.
In this setting the recordIDs for mailed and digital cards are indistinguishable, while the lockIns are distinguishable. So anyone can see if a given lockIn corresponds to a mailed card (dummy or countable) or to a digital card (dummy or countable). The countability can be decided only by the voter who gets a given card. A voter can visit the polling place and check the countability of a mailed card (the name and address printed on the card are verified against the photo ID shown by the voter). Countability of digital cards is verified in the same way as in the pure digital-card scenario. In the case of casting a lockIn corresponding to a digital card this is not needed (the voter has already been authenticated). In order to send a lockIn corresponding to a mailed card a voter needs to authenticate herself to a third party (or see Section 6.10, which explains how to avoid the need for online authentication of voters).
Integrity EA is required to publish the number of issued countable mailed cards and the number of dummy mailed cards (equal to the number of issued digital cards). Those two numbers should sum up to the number of registered voters. One needs to verify the number of printed countable and dummy mailed cards and to supervise the printing and mailing process.
The digital-cards subsystem remains unchanged while the mailed-cards part is modified by introducing dummy cards. To avoid the situation where a voter obtains a dummy card without obtaining a digital one, a countability check procedure is introduced. A voter may visit the polling station and verify the countability of her mailed card. If the card turns out to be a dummy, EA needs to provide the voter's signed request certifying that she has already ordered a dummy mailed card (in order to get a digital one).
Improper influence With the assumption that a coercer does not cooperate with EA, a coercer cannot tell if a given mailed card is dummy or countable. This suffices to limit improper influence in the case when a sufficiently large number of voters visit the polling station in order to get a digital card (and a mailed dummy). This may require that a fraction of voters visit a polling place to get a digital card prior to the mailing stage.
It is important to point out that by combining the two configurations we get a combination that inherits the properties of the card that is immune to improper influence.
Fairness A voter can cast only one ballot that will be counted. If a voter has ordered a digital card, this is the one that will be counted, and the one sent to the voter is a dummy.
If a voter does not receive her mailed card she can visit a polling station and request a card. The procedure preserving fairness and voters' privacy is described in Section 6.10.
Ballot secrecy EA does not know which card a voter gets.
Usability In this scenario voters are not required to visit a polling place. But hopefully some fraction of them would do that (to increase improper influence resistance).
4.1 Voter Experience
4.1.1 Vote casting
The vote casting process depends on the type of card that a voter wants to cast. Both cases were described above.
4.1.2 Visit - extra recordIDs
The procedure of obtaining additional recordIDs is exactly the same as in the case of mailed cards/digital cards.
4.1.3 Visit - lost mailed cards
Unfortunately for the mixed system it is not easy to allow a voter to get another card if the given card is not delivered to her. This can be done, but at the price of ballot secrecy.
4.1.4 Visit - digital card issuance
The procedure of issuance is exactly the same as in the pure digital scenario, but as a part of that procedure a voter needs to sign a request for a dummy mailed card.
4.1.5 Visit - countability check
Because there are dummy cards in the system, a voter needs to be able to perform a countability check for a mailed card. Only voters who signed a request for a dummy mailed card (those who got a digital card) may obtain dummy mailed cards. All others should get countable cards and they need to be able to check that their cards are indeed countable.
During the in-person procedure a voter (the owner of a mailed card) gets two slips of paper printed with numbers. The voter checks whether those numbers sum up (digit by digit) to the lockIn under examination and whether the sum of the extra digits is even (i.e. the extra digits have the same parity). The voter can take home only one of these slips; the value from the chosen slip is later published by EA, with the key to the commitment to that value.
4.2 Election timeline
The election is divided into three periods:
pre election
1. the period starts with a system setup:
• EA generates values in the election tables and publishes commitments to them
• pre-election audit is performed (row-wise)
• EA prints digital cards
2. voters are allowed to visit and get digital cards
3. mailed cards are printed and sent
election
voters can
1. cast their votes through a website
2. visit to verify countability of cards
3. get extra recordIDs for a given lockIn
post election
• EA publishes a tally
• post-election audit (column-wise)
• voters can check countability of cards
Visits A voter is allowed to visit a polling station before, during or after a given election. A voter can visit a polling station:
between elections
• to check countability of any mailed ballot (any card with a name),
• to get a digital ballot for the next election (she will get a dummy mailed ballot for the next election)
during an election
• with a ballot for the current election:
mailed, unvoted
1. verify if the ballot is countable
2. next possible steps:
— either get a digital ballot for the current election - all data associated with the mailed ballot are opened
— or use the same mailed ballot to cast a vote
— or vote on paper; then all data connected with the mailed ballot are opened
mailed, voted
1. spoil the ballot - open commitments to the mailed ballot
2. get a digital ballot for the current election
digital ballot partial
1. check countability of the partial
5 Description
5.1 Setup
EA generates tables: Ballots, LockIns, ReMap, Switchboard, Results, ExtraBallots, which are kept private, but EA publishes commitments to the values in those tables. EA also generates private tables that help it later to find connections between data stored in the tables. The correspondence between data in the tables is shown in Figure 7. Each row of these tables corresponds to some ballot. Data for a given ballot can be located in different rows of the different tables. In the mixed scenario (with both mailed and digital cards) the LockIns-table is divided into two subtables - one that corresponds to mailed ballots and the second corresponding to digital ballots. Ballots are paired - we call them linked-ballots. Linked ballots are printed back-to-back on the same sheet of paper for a mailed card and sent to a voter, or they are printed two-up and used for the digital ballot issuance protocol.
Ballots-table Each row contains:
• recordID
LockIns-table In fact there are two sub-tables in the LockIns-table: the Digital-subtable for the digital ballots - those have lockInA and lockInB columns - and the Mailed-subtable for the mailed ballots.
Digital LockIns-subtable For each row a pairID ∈_R {0, ..., K} is generated at random, and two values lA, lB ∈_R {0, ..., K}. Each row contains:
• lockInA (lA)
• lockInB (lB)
• summand1
• summand2
Each row of the LockIns-table corresponds to one of the rows of the Ballots-table.
Rows of these tables are linked, but only EA sees that linking. If rows i, j are linked then:
• corresponding ballots are printed on the same digital ballot form,
• corresponding ballots have the same countability (the same value of countMe in the corresponding row of Results table).
For each lockInA, lockInB, values called summands are chosen independently at random: sA1, sA2, sB1, sB2 ∈_R {0, ..., K}. lockInX is derived from the summands: lockInX := sX1 ⊕ sX2, where ⊕ denotes digit-by-digit sum mod 10.
For each summand additional digits are chosen at random: eA1, eA2, eB1, eB2 ∈_R {0, ..., 9}, but with Parity(eA1 + eA2) = Parity(eB1 + eB2). Moreover, for countable ballots those digits have the same parity: Parity(eA1) = Parity(eA2) and Parity(eB1) = Parity(eB2) (for dummy ballots they have different parity: Parity(eA1) ≠ Parity(eA2) and Parity(eB1) ≠ Parity(eB2)). The summands are the concatenations:
summand1 := sA1-eA1 # sB1-eB1
summand2 := sA2-eA2 # sB2-eB2
(e.g., summand1 = 4321-5#8231-2, summand2 = 7827-8#4985-1 and thus lockInA = 1148 and lockInB = 5116, and the corresponding ballot is dummy).
Mailed LockIns-subtable Each row contains:
• lockIn
• pairID
• summand1
• summand2
Rows of the Mailed LockIns-subtable are linked in pairs. For linked rows i, j a common pairID ∈_R {0, ..., K} is chosen uniformly at random, so pairID(i) = pairID(j). Then for each row the following values, called summands, are chosen independently at random: s1(i), s2(i) ∈_R {0, ..., K}. The lockIn value is derived: lockIn(i) := s1(i) ⊕ s2(i).
Then two additional digits per row are chosen: e1(i), e2(i) ∈_R {0, ..., 9} for row i and e1(j), e2(j) ∈_R {0, ..., 9} for row j. But for the linked rows i and j the parity of the sum must be the same: Parity(e1(i) + e2(i)) = Parity(e1(j) + e2(j)). If Parity(e1(i)) = Parity(e2(i)) then the corresponding ballot will be counted - the countMe value of the corresponding row in the Results-table is set to 1. If e1(i) + e2(i) is odd then this row corresponds to a dummy ballot (countMe = 0 in the corresponding row of the Results-table). The summands are derived as a concatenation of the following values: summand1(i) := s1(i)-e1(i), summand2(i) := s2(i)-e2(i).
ReMap-table Each row of this table contains a back-pointer to a row of the LockIns-table and a pointer to a row of the Ballots-table:
• LockIns-pointer - a back-pointer to a row of the LockIns-table
• Ballots-pointer - a pointer to a row of the Ballots-table
This table binds recordIDs with the lockIns.
ReMap can be treated as a random permutation:
ReMap(i) := Ballots-pointer(j) if LockIns-pointer(j) = i
ReMap^{-1}(i) := LockIns-pointer(j) if Ballots-pointer(j) = i
Results-table A row of the Results-table contains a countMe bit. It is set to 1 if the corresponding ballot will be counted (the ballot is countable), and equals 0 if not (the ballot is dummy).
Switchboard-table Each row of this table contains a back-pointer to a row of the Ballots-table and a pointer to a row of the Results-table:
• Ballots-pointer - a back-pointer to a row of the Ballots-table
• Results-pointer - a pointer to a row of the Results-table
Switchboard is in fact a random permutation:
Switchboard(i) := Results-pointer(j) if Ballots-pointer(j) = i
Switchboard^{-1}(i) := Ballots-pointer(j) if Results-pointer(j) = i
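The pointer tables above are easiest to understand as data: a permutation stored as (back-pointer, pointer) rows in shuffled row order, so that following a row forward gives ReMap(i) and searching by pointer gives ReMap^{-1}(i). The block below is an added example and not code from the patent; the table sizes, the digit widths of recordIDs and lockIns, and the `ElectionTables` class and its method names are assumptions made here to show how a recordID reaches its countMe bit through ReMap and Switchboard, and how the published countable/dummy totals are derived.

```python
import secrets

# Added example, not code from the patent: the setup tables of Section 5.1
# (Ballots, LockIns, ReMap, Switchboard, Results) built as Python lists, with
# ReMap and Switchboard stored as the (back-pointer, pointer) rows the text
# describes.  Sizes and the digit lengths of recordIDs/lockIns are assumptions.


def random_permutation(n: int) -> list:
    """Fisher-Yates shuffle of 0..n-1 using a CSPRNG."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def pointer_table(perm: list) -> list:
    """Store permutation perm as rows (back-pointer, pointer) in random row
    order, so the row index itself reveals nothing about the mapping."""
    rows = [(src, perm[src]) for src in range(len(perm))]
    order = random_permutation(len(perm))
    return [rows[k] for k in order]


def follow(table: list, i: int) -> int:
    """Table(i) := pointer(j) for the row j with back-pointer(j) = i."""
    for back, fwd in table:
        if back == i:
            return fwd
    raise KeyError(i)


def follow_back(table: list, i: int) -> int:
    """Table^-1(i) := back-pointer(j) for the row j with pointer(j) = i."""
    for back, fwd in table:
        if fwd == i:
            return back
    raise KeyError(i)


class ElectionTables:
    def __init__(self, n_ballots: int, n_countable: int):
        self.n = n_ballots
        # Ballots-table: one recordID per row (6 digits here, an assumption).
        self.ballots = [f"{secrets.randbelow(10**6):06d}" for _ in range(n_ballots)]
        # LockIns-table (mailed flavour: one lockIn per row; 4 digits assumed).
        self.lock_ins = [f"{secrets.randbelow(10**4):04d}" for _ in range(n_ballots)]
        # Results-table: countMe bits; EA publishes how many are 1 and how many 0.
        self.results = [1] * n_countable + [0] * (n_ballots - n_countable)
        # ReMap: LockIns row -> Ballots row; Switchboard: Ballots row -> Results row.
        self.remap = pointer_table(random_permutation(n_ballots))
        self.switchboard = pointer_table(random_permutation(n_ballots))

    def remap_fwd(self, lockins_row: int) -> int:
        return follow(self.remap, lockins_row)

    def remap_inv(self, ballots_row: int) -> int:
        return follow_back(self.remap, ballots_row)

    def switchboard_fwd(self, ballots_row: int) -> int:
        return follow(self.switchboard, ballots_row)

    def mailed_side(self, i: int):
        """Data printed on one side of a mailed card for Ballots row i
        (Section 5.2.1): recordID(i) together with lockIn(ReMap^-1(i))."""
        return self.ballots[i], self.lock_ins[self.remap_inv(i)]

    def count_me_for_lockin(self, lockins_row: int) -> int:
        """Countability of a lockIn: LockIns row -> ReMap -> Ballots row
        -> Switchboard -> Results row -> countMe."""
        return self.results[self.switchboard_fwd(self.remap_fwd(lockins_row))]

    def published_counts(self):
        """(countable, dummy) totals that EA must publish; they sum to the row count."""
        countable = sum(self.results)
        return countable, self.n - countable
```

Because both pointer tables are permutations, `remap_inv(remap_fwd(i)) == i` for every row, and the sum of `count_me_for_lockin` over all LockIns rows must equal the published countable total; an auditor opening committed rows checks exactly these invariants.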
ExtraBallots-table Each row of this table contains:
• serial of a card with extra ballots
• eBallotID - id of an extra ballot
5.2 Card operations
5.2.1 Mailed-card printing
Each card is printed back-to-back (on both sides): on the heads-side and on the tails-side. Each side of a card contains some data from a single row of the Ballots-table and from a (possibly) different row of the LockIns-table.
If data from the ith row of the Ballots-table are chosen to be printed on the heads-side of the card then on the tails-side there are printed data from the jth row - the row that is linked to the ith row.
The following data (from the appropriate rows) are printed on each side of a card:
RecordID (recordID(i)) from the Ballots-table is printed under the scratch-off (recordID(j) on the back-side),
LockIn equal to LockInX(ReMap^{-1}(i)) (X ∈ {A, B}) from the corresponding row of the LockIns-table is printed under the scratch-off (LockInX(ReMap^{-1}(j)) is printed on the back-side).
Then all cards are mixed up and a voter's name is printed as well (compare Figure 9):
Voter's name is printed in clear text.
Ballots mailing Every voter obtains a card (dummy or countable).
5.2.2 Digital cards printing
Each form is printed on both sides.
The following data corresponding to the ith row of the Ballots-table are printed on the front-side of a form:
RecordID (recordID(i)) from the Ballots-table is printed under the scratch-off,
LockInA (LockInA(ReMap^{-1}(i))) from the corresponding row of the LockIns-table is printed under the scratch-off.
On the back-side of a form the following data are printed (upside down - this assures that a vertical cut divides a form so that each half has only suffixes or only prefixes of the printed data):
RecordID (recordID(i)) from the Ballots-table is printed under the scratch-off,
LockInB (LockInB(ReMap^{-1}(i))) from the corresponding row of the LockIns-table is printed under the scratch-off.
5.3 Visit - issuance of digital card
The procedure of obtaining a digital card is performed at the polling stations (it is presented in Figure 6).
Issuance of digital card
A) Voter visits the polling station in person.
B) EA checks the voter's identity against the roster. If the voter is already registered
then
1. gets a written request for a mailed dummy card from the voter
2. adds the voter to the mailing list for dummy cards
else registers the voter
C) Voter
1. picks one digital card from a hopper of pre-printed digital cards (under scratch-off: recordID, lockInA on one side and recordID, lockInB on the other side).
2. picks a second card to be used for verification
D) EA cuts the verification card in half
E) Voter picks one of the halves of the verification card (we call it a "partial")
F) EA shreds the unchosen half
G) Voter
1. takes the chosen card to a booth
2. chooses a side
3. scratches off the layer and learns recordID and lockIn (the voter needs to write down, otherwise note, or memorize those numbers)
4. gives the card back to EA - unscratched side up
H) EA shreds the returned card in front of the voter, without looking at the bottom
As a result of the digital card issuing procedure a voter has a recordID and a lockIn that she can use to cast a vote. EA does not know which of the two possible lockIns the voter has learnt - so EA cannot cast additional votes (a voter can catch EA with 50% chance by providing the value of the second lockIn).
A voter can get extra recordIDs (see Section 5.6) - she just needs to provide a prefix of her lockIn. Prefixes of lockIns for the same card are the same - so obtaining extra recordIDs does not reveal to EA which lockIn the voter has.
A voter gets a partial - with a suffix of a recordID and suffixes of lockIns - she can use it to verify that the forms were printed correctly, since all data corresponding to unused digital cards are opened at the end of the election.
5.4 Visit - countability check
A voter may check whether a mailed card or a partial is countable or dummy. She can do this at any time: before vote casting (recordID not yet posted), during it (recordID posted but lockIn not) or after it (both recordID and lockIn posted). For the purpose of this procedure the EA prints forms on demand; the forms are presented in Figure 10.
Countability verification for mailed cards (lockIn)
A) Voter presents a mailed card in person, revealing the lockIn (i.e., the one corresponding to the i-th row of the LockIn table).
B) EA
1. Checks voter identity against the name printed on the mailed card.
2. Prints and provides the voter a two-part paper form (e.g., printed two-up and to be separated later). On the first part the value L(i, summand1) is printed, on the second part L(i, summand2).
3. Prints and provides the voter a copy of the signed request from step B of Issuance of digital card described in Section 5.3, or an empty page if the voter did not sign such a request.
C) Voter
1. Checks the two parts of the form in a booth:
(a) if lockIn = L(i, summand1) ⊕ L(i, summand2), where ⊕ is digit-by-digit addition modulo 10,
then [the given lockIn was issued by the EA]
else Scream [EA malfeasance]
(b) if Parity(LSD(L(i, summand1))) = Parity(LSD(L(i, summand2))), i.e., the sum of the two extra (least significant) digits is even,
then [the card is countable]
else [the card is dummy].
If the card turns out to be dummy but the voter has not ordered a mailed dummy card (step B of the Issuance of digital card procedure), then in order to prove malfeasance the voter insists that the EA show the signed request from that step (Section 5.3).
2. Chooses one part of the form to keep and returns the other to the EA.
D) EA
1. Ensures that the returned part is one of the two parts given to the voter; checks which of the two it is; shreds it.
2. Publishes the key to the commitment to the part of the form that the voter kept.
E) Voter [optional] Checks remotely whether the opened commitment is consistent with the value printed on the part of the form that she kept.
Since each summand on its own is a uniformly random value, the part the voter keeps reveals nothing about countability to anyone else; only the two parts together do, and the second part has been shredded.
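The summand check above, as an added worked example in Python (this is not code from the patent). It assumes the slip layout shown in the appendix: each summand is the lockIn's digits followed by a hyphen and one extra digit, ⊕ is digit-by-digit addition modulo 10 without carries, and the card is countable when the two extra digits sum to an even number. How the EA chooses the split and the helper names are this example's own.

```python
import secrets


def digitwise_add(a, b):
    """Digit-by-digit addition modulo 10 (the ⊕ of step C.1(a)); no carries."""
    if len(a) != len(b):
        raise ValueError("summands must have the same length")
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def split_slip(slip):
    """'0205-9' -> ('0205', 9): lockIn digits and the extra (countability) digit."""
    digits, extra = slip.split("-")
    return digits, int(extra)


def make_summands(lock_in, countable):
    """EA side (step B.2): two slips that together reconstruct lock_in and whose extra
    digits have an even sum iff the card is countable. Each slip on its own is uniformly
    random, so a voter who keeps one slip cannot prove countability to a coercer."""
    s1 = "".join(str(secrets.randbelow(10)) for _ in lock_in)
    # s2 = lock_in - s1 digit-wise (mod 10), so that s1 (+) s2 == lock_in
    s2 = "".join(str((int(l) - int(x)) % 10) for l, x in zip(lock_in, s1))
    e1 = secrets.randbelow(10)
    e2 = secrets.randbelow(10)
    if ((e1 + e2) % 2 == 0) != countable:
        e2 = (e2 + 1) % 10          # flip the parity of the extra-digit sum
    return f"{s1}-{e1}", f"{s2}-{e2}"


def voter_check(lock_in, slip1, slip2):
    """Voter side (step C.1) in the booth. Raises when step (a) fails (EA malfeasance);
    returns True for a countable card and False for a dummy (step (b))."""
    d1, e1 = split_slip(slip1)
    d2, e2 = split_slip(slip2)
    if digitwise_add(d1, d2) != lock_in:
        raise ValueError("summands do not reconstruct the lockIn: EA malfeasance")
    return (e1 + e2) % 2 == 0


def matching_slip(kept_slip, lock_in, countable):
    """What a coercer cannot rule out: for ANY kept slip there is a partner slip that
    makes the card countable and one that makes it dummy. Returns the partner for the
    requested countability, showing the kept slip is no evidence either way."""
    d1, e1 = split_slip(kept_slip)
    d2 = "".join(str((int(l) - int(x)) % 10) for l, x in zip(lock_in, d1))
    e2 = (e1 + (0 if countable else 1)) % 10
    return f"{d2}-{e2}"
```

With the appendix's numbers, `voter_check("7779", "0205-9", "7574-7")` reconstructs 7779 and finds 9 + 7 = 16 even, so the card is countable; `matching_slip` shows why keeping only one slip transfers no evidence.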
5.5 Vote
A) Voter
1. Visits the election website.
2. Makes her choice v with standard browser techniques.
3. Scratches off to reveal a recordID (note 4).
4. Enters the recordID.
B) EA
1. If recordID ∈ B(recordID), the set of recordIDs committed to on the bulletin board,
then
(a) Opens the commitment to that recordID on the bulletin board.
(b) Confirms to the voter that the recordID is valid.
else asks the voter to re-enter the recordID (back to step A.4).
C) Voter (some time later, and preferably from another computer)
1. Visits the election website.
2. Enters the first l digits of her recordID and checks whether (recordID, v) is posted on the bulletin board.
If a (recordID, w) appears, but with v ≠ w,
then the vote was not posted correctly:
(a) Scratches off to see a prefix of a lockIn.
(b) Checks whether a lockIn with that prefix is posted.
If it is, then the still unscratched part of the lockIn is a proof of malfeasance (for a mailed card; with probability 1/2 for a digital card, where the EA does not know which of the two lockIns the voter learnt),
else the voter may cast another vote using a different recordID (from the back side of the card, or an extra recordID; see Sections 5.6 and 6.2): back to step A.4.
else the vote is posted correctly:
(a) Scratches off the layer to learn the value of the lockIn.
(b) Enters the lockIn, preferably from another computer.
D) EA
1. Posts the lockIn to the bulletin board.
2. Opens commitments to the values of the linked ballot:
(a) from the Ballots table: recordID,
(b) from the LockIn table: lockIn,
(c) from the ReMap table: lockIns-pointer, ballots-pointer.
5.6 Visit - extra recordIDs
It may happen that a vote is not correctly posted. In that case a voter is allowed to visit a polling place and obtain extra recordIDs. Votes sent with extra recordIDs overwrite previously cast ballots. The voter still uses the same lockIn.
A) Voter
1. Visits the polling station in person.
2. Provides a prefix of her lockIn.
B) EA
1. Checks whether the lockIn identified by the prefix corresponds to a mailed card (then checks voter identity against the name printed on the mailed card) or to a digital card (no check needed).
C) Voter
1. Picks an extension form from a hopper.
2. Scratches off the serial number from this form.
3. Shows the serial of the extension form.
D) EA
1. Creates a public link from the recordID corresponding to the lockIn provided by the voter to the rows of ExtraBallots matching the serial number of the extension form.
2. Prints and posts on the bulletin board a certificate which binds the provided prefix of the lockIn with the serial of the form the voter obtained.
The voter is allowed to perform further extensions of recordIDs. To authenticate this step she is obliged to provide the "getMore" number that is printed under scratch-off on the extension form and is connected with the serial number of the given form (not shown in the figures).
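The cast, verify, lock-in and extra-recordID steps of Sections 5.5 and 5.6, run end to end as an added Python example (this is not code from the patent; it models only what the text states). Assumptions of the example: a commitment is SHA-256 over a random key and the value; each card side or digital card is one row holding a recordID and a lockIn; the ReMap, Switchboard and ExtraBallots tables are left out, so extra recordIDs are simply linked to a row; lockIn prefixes are unique among the demo rows; and the `tamper` dictionary is the example's device for simulating an EA that posts a vote other than the one cast. The card values and votes are constructed after the appendix (Alice, Bob and Oskar).

```python
import hashlib
import secrets
from collections import Counter


def commit(value, key):
    # Published before the election, opened by revealing (value, key).
    # The scheme is this example's choice; the page does not fix one.
    return hashlib.sha256(key + value.encode()).hexdigest()


class Board:
    """Public bulletin board: everything a voter or observer can see."""
    def __init__(self):
        self.commitments = {}   # (row, column) -> commitment
        self.opened = {}        # (row, column) -> (value, key)
        self.ballots = {}       # recordID -> vote as posted by the EA
        self.lockins = []       # lockIns posted so far

    def opening_ok(self, row, col):
        value, key = self.opened[(row, col)]
        return commit(value, key) == self.commitments[(row, col)]


class EA:
    """Election authority: holds the card secrets; the board is what it publishes."""
    def __init__(self, cards, tamper=None):
        # cards: (recordID, lockIn, countable) per row, constructed input for the demo.
        # tamper: recordID -> vote the EA posts instead of the one cast (malfeasance).
        self.board, self.rows, self.keys = Board(), [], {}
        self.tamper = tamper or {}
        for i, (rid, lock, countable) in enumerate(cards):
            self.rows.append({"lock": lock, "countable": countable, "rids": [rid]})
            for col, value in (("recordID", rid), ("lockIn", lock)):
                self.keys[(i, col)] = secrets.token_bytes(16)
                self.board.commitments[(i, col)] = commit(value, self.keys[(i, col)])

    def cast(self, rid, vote):
        """Step B of 5.5: accept a known recordID, open its commitment, post the vote."""
        for i, r in enumerate(self.rows):
            if rid in r["rids"]:
                if rid == r["rids"][0]:
                    self.board.opened[(i, "recordID")] = (rid, self.keys[(i, "recordID")])
                self.board.ballots[rid] = self.tamper.get(rid, vote)
                return True
        return False                        # unknown recordID: voter must re-enter

    def lock_in(self, lock):
        """Step D of 5.5: post the lockIn and open its commitment."""
        for i, r in enumerate(self.rows):
            if r["lock"] == lock:
                self.board.opened[(i, "lockIn")] = (lock, self.keys[(i, "lockIn")])
                self.board.lockins.append(lock)
                return True
        return False

    def issue_extra(self, lock_prefix, extra_rid):
        """Section 5.6: link an extra recordID to the row a lockIn prefix identifies;
        the voter never shows the full lockIn at the polling place."""
        for r in self.rows:
            if r["lock"].startswith(lock_prefix):
                r["rids"].append(extra_rid)
                return True
        return False


def posted_as_cast(board, rid, vote):
    """Step C of 5.5, from another computer: does the board show (recordID, v)?"""
    return board.ballots.get(rid) == vote


def lockin_already_posted(board, lock_prefix):
    """Step C(b): posted lockIns matching a just-scratched prefix. If any, the part of
    the card still under scratch-off proves the EA posted a lockIn the voter never sent."""
    return [l for l in board.lockins if l.startswith(lock_prefix)]


def tally(ea):
    """Count locked-in countable rows; the latest linked recordID with a vote wins."""
    counts = Counter()
    for r in ea.rows:
        if r["countable"] and r["lock"] in ea.board.lockins:
            votes = [ea.board.ballots[x] for x in r["rids"] if x in ea.board.ballots]
            if votes:
                counts[votes[-1]] += 1
    return counts


# Constructed after the appendix: Alice (countable mailed card), Bob (countable digital
# card plus a dummy mailed card) and Oskar (countable mailed card, vote misposted).
CARDS = [("9072", "5672", True), ("7103", "58725720", True),
         ("3946", "4514", False), ("2883", "7779", True)]


def run_appendix_demo():
    ea = EA(CARDS, tamper={"2883": "Joe"})
    for rid, vote, lock in (("9072", "Julia", "5672"),        # Alice
                            ("7103", "Joe", "58725720"),      # Bob, digital card
                            ("3946", "Julia", "4514")):       # Bob, dummy card
        ea.cast(rid, vote)
        ea.lock_in(lock)
    ea.cast("2883", "Julia")                    # Oskar: board shows (2883, Joe)
    assert not posted_as_cast(ea.board, "2883", "Julia")
    assert lockin_already_posted(ea.board, "77") == []   # not locked: may vote again
    ea.issue_extra("77", "3139")                # polling place visit, Section 5.6
    ea.cast("3139", "Julia")
    ea.lock_in("7779")
    return ea
```

Running `run_appendix_demo()` yields a tally of Julia 2, Joe 1: Bob's dummy card is locked in but never counted, and Oskar's misposted (2883, Joe) is overwritten by the extra recordID. An EA that posts a lockIn on its own is caught by `lockin_already_posted`, which is exactly the evidence step C(b) relies on.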
5.7 Tallying
Write-ins. The system allows for write-ins. The values entered by a voter are published next to the submitted recordID in the Ballots table. To avoid attacks on privacy, write-in votes cannot be copied directly into the Switchboard and Results tables: a write-in can be unique, so copying it into a Results table would reveal the countability of the given recordID (a unique value appearing in Results shows that its ballot was counted; its absence shows it was not). To avoid this threat, write-in values are transformed into a form which does not allow distinguishing them, e.g., Marion Johns 3213 → Marion Johns.
Tally. EA
1. Transforms write-in votes in the Ballots table into a non-unique form.
2. Copies votes from the Ballots table into the appropriate rows of the Switchboard table (according to the pre-election commitments, to all instances of the Switchboard table).
3. Copies votes from each instance of the Switchboard table into the corresponding rows of the corresponding instance of the Results table.
Print audit. EA
1. Opens the commitments corresponding to every unused lockIn: the values from the ReMap, Ballots, Switchboard and Results tables.
5.8 Multiple contests
It is very easy to increase the level of anonymity of voters by publishing separate results for each contest. This significantly reduces the number of unique encodings of ballots. It is done by generating distinct ReMap and Results tables for each contest (see Figure 11).
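An added Python example (not from the patent) of the tally steps of Section 5.7, the per-contest tables of Section 5.8 and the column-wise audit of Table 7. The model is this example's own: a Switchboard instance is two secret permutations, an in-pointer column (Ballots row → Switchboard row) and an out-pointer column (Switchboard row → Results row), each committed to before the election; the EA copies only locked-in countable votes (`None` elsewhere); the audit opens one column per instance and checks the copy along it. The write-in normalization rule (drop a trailing number) generalizes the page's single example and is an assumption, as is the commitment scheme; the sample contest is constructed.

```python
import hashlib
import re
import secrets
from collections import Counter
from random import Random


def commit(value, key):
    # Commitment to a pointer, opened by revealing (value, key); this example's own scheme.
    return hashlib.sha256(key + repr(value).encode()).hexdigest()


def normalize_write_in(vote):
    """Tally step 1: 'Marion Johns 3213' -> 'Marion Johns'. Assumed rule (the page gives
    one example): drop a trailing number so write-ins of one name are not unique."""
    return re.sub(r"\s*\d+$", "", vote.strip())


class Switchboard:
    """One Switchboard instance modelled as two committed pointer columns over n rows."""
    def __init__(self, n, rng):
        self.in_ptr = list(range(n))     # Switchboard row j is fed by Ballots row in_ptr[j]
        self.out_ptr = list(range(n))    # Switchboard row j goes to Results row out_ptr[j]
        rng.shuffle(self.in_ptr)
        rng.shuffle(self.out_ptr)
        self.keys, self.commitments = {}, {}
        for col, ptrs in (("in", self.in_ptr), ("out", self.out_ptr)):
            for j, p in enumerate(ptrs):
                self.keys[(col, j)] = secrets.token_bytes(16)
                self.commitments[(col, j)] = commit(p, self.keys[(col, j)])

    def run(self, ballots_col):
        """Tally steps 2 and 3: copy the Ballots column through the instance into Results."""
        n = len(ballots_col)
        middle = [ballots_col[self.in_ptr[j]] for j in range(n)]
        results = [None] * n
        for j in range(n):
            results[self.out_ptr[j]] = middle[j]
        return middle, results

    def open_column(self, col):
        ptrs = self.in_ptr if col == "in" else self.out_ptr
        return [(p, self.keys[(col, j)]) for j, p in enumerate(ptrs)]


def audit_column(sb, col, opening, ballots_col, middle, results):
    """Post-election audit (Table 7): one column per instance is opened; check the
    commitments and that the published tables agree along it. Opening only one of the
    two columns never links a Ballots row to a Results row."""
    for j, (p, key) in enumerate(opening):
        if commit(p, key) != sb.commitments[(col, j)]:
            return False
        if col == "in" and middle[j] != ballots_col[p]:
            return False
        if col == "out" and results[p] != middle[j]:
            return False
    return True


def tally_contest(ballots, counted, rng=None, normalized=True):
    """One contest (Section 5.8: every contest gets its own instance). ballots: list of
    (recordID, vote) in Ballots-table order; counted: recordIDs locked in and countable.
    Rows that are not counted copy nothing (None)."""
    key = normalize_write_in if normalized else (lambda v: v)
    col = [key(v) if rid in counted else None for rid, v in ballots]
    sb = Switchboard(len(col), rng or Random())
    middle, results = sb.run(col)
    return sb, col, middle, results, Counter(v for v in results if v is not None)


def countability_leak(ballots, results, normalized=True):
    """The privacy point of 5.7: for a row whose vote value is unique in Ballots, the
    presence or absence of that value in Results reveals whether it was counted."""
    key = normalize_write_in if normalized else (lambda v: v)
    freq = Counter(key(v) for _, v in ballots)
    return {rid: ("counted" if key(v) in results else "not counted")
            for rid, v in ballots if freq[key(v)] == 1}


# Constructed contest: two write-ins for the same name, one of them on a dummy card (3946).
CONTEST = [("9072", "Julia"), ("3946", "Marion Johns 3213"), ("7103", "Joe"),
           ("3139", "Julia"), ("0876", "Marion Johns 17")]
COUNTED = {"9072", "7103", "3139", "0876"}
```

Without normalization, "Marion Johns 3213" is unique in Ballots and absent from Results, so anyone can tell that recordID 3946 was not counted; after normalization both write-ins become "Marion Johns" and the leak disappears. A tampered Results column fails the out-column audit while still passing the in-column audit, which is why the choice of column to open must be made after the tables are published.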
6 Extra credit
6.1 Self-destructing card
Ballots can be prepared in such a way that the recordID is printed on the scratch-off layer which covers the lockIn. The recordID is thus destroyed when the voter scratches off to learn the value of the lockIn (see Figure 12).
6.2 Multi-cards
Cards can be prepared slightly differently. Instead of one recordID per lockIn, one can generate and print many recordIDs for a given lockIn. This approach is similar to the one described in Section 5.6 but saves the voter effort: voters do not need to visit a polling place when their vote turns out not to be posted correctly.
6.3 Fake recordID server
For the configuration which uses digital cards, a server which provides voters with dummy values of lockIns and recordIDs is required.
6.4 Changing a countable mailed card into a dummy
This property would be useful because in some cases voters can be coerced just after receiving the (countable) mailed card, without having had the chance to obtain dummy numbers. On the other hand such a procedure may increase threats to integrity (the EA could undetectably change countable votes into dummies).
6.5 Waiting for acknowledgement of lockIn
For small elections, the values of lockIns should be published with a delay. This increases the level of anonymity and makes traffic analysis harder, limiting the possibility of linking recordIDs with lockIns.
6.6 Secure printing
Instead of performing an oblivious transfer protocol during the issuance of digital cards, one can use a physical procedure of printing, tumbling and then cutting cards. This procedure results in properties similar to those of the oblivious transfer procedure performed by a voter in a booth.
6.7 Physical digital card printing
Mailed cards can be printed in a way that simulates the digital card issuance process. After printing (the recordID and both lockIns) and tumbling, a random part containing one of the two lockIns is cut off and shredded.
6.8 Third party servers
The system divides vote casting into distinct steps. Moreover, for casting with digital cards no further voter authentication is required. This allows various methods of collecting votes to be used, including those which use a P2P network. Such an approach may lead to improved immunity against DoS attacks.
6.9 Ballot secrecy
A voter can be provided with a card for a given election which would hide her choice; one can use, e.g., Sure Vote. The other way to increase the voter's privacy is to use encryption of votes. In order to cast a vote the voter uses a voting application which encrypts her choice with the public key of the system (a threshold encryption scheme can be used). At the end of the election the private key is published and so the ballots become public. A voter can check whether the encryption of her vote made by the voting application is correct by using a different computer.
6.10 Mailed cards without authentication
The process of printing mailed cards can be split between two parties (compare with Figure 9).
The first party prints recordIDs and lockIns and covers them with scratch-off. It also prints a barcode (also under scratch-off) on each of the cards; this binds the printed numbers to that barcode (this link is kept secret). After the printing by the first party, the cards are tumbled.
The second party picks each card and prints the name and address of a voter on it. It also prints a barcode that links the value of that code with the voter's name and address. Then the part containing both barcodes is cut off from the card and stored by the second party (note 5).
With cards printed that way one achieves the following property (in the mixed system): a voter can visit a polling place and claim that she did not get her mailed card. The cooperating parties can issue the voter ExtraBallots that will overwrite any that could be cast with the numbers printed on the lost card (the voter needs to sign a request). So the change of the printing scheme leads to a situation where there is no problem with lost or stolen mailed cards. This means there is no need for third-party authentication: each voter casts her ballot with the numbers printed on the card that she was mailed, and there is no threat of "stealing votes" because every voter can "get her card back".
7 Conclusions
We presented Remotegrity, a family of highly customizable internet voting systems designed for national elections. Any member of the Remotegrity family offers unconditional integrity. Remotegrity in the "mixed" configuration (both mailed and digital cards) also assures immunity against improper influence.
Notes
1. Voters can easily avoid that threat by using different computers for each stage of voting. They can also use software assuring anonymous communication, like Tor.
2. A partial is a half of an unchosen form that the voter gets as a result of the digital-ballot issuance procedure.
3. This allows the poll worker to learn neither which card the voter chose nor which side of the card the voter has learnt.
4. For the mailed cards and for extra recordIDs, not for the digital card.
5. In fact a similar procedure can be performed with one party only, thanks to the fact that the first barcode is covered by scratch-off and the cards are tumbled.
APPENDIX - Example Setup
[Table 1 figures not reproduced: LockIns, ReMap, Ballots (above), Switchboard, Results (Counts row: 0 0 0 1 0); Extra ballots (below)]
Table 1: Election tables (secret)
8.2 Alice - countable mailed card
Alice obtains a mailed card with the following values under the scratch-off:
         RecordID   LockIn
Top      0876       0534
Bottom   9072       5672
She chooses the values from the bottom side to cast her vote. Vote casting is as follows:
1. She casts (9072, Julia). Her vote is accepted.
2. She uses another computer to verify whether (9072, Julia) is indeed posted. If so, she goes to the next step.
3. She enters the lockIn: 5672.
4. EA:
• opens the commitments to the lockIn and to the recordID printed on the unused side,
• opens the commitments in ReMap, showing that the lockIn and the recordID from the back side are indeed from one card,
• opens the commitment to the lockIn, so the link between the used and the unused side of the card is revealed.
[Table 2 figures not reproduced: LockIn, ReMap, Ballots (9072: Julia)]
Table 2: Election tables after Alice's vote
8.3 Bob - digital card and dummy mailed card
Digital card. Bob gets a digital card during an in-person visit (and orders a dummy card to be mailed to him). He learns the recordID and lockInB for that card, and a suffix of another recordID and lockIn:
RecordID   LockInA   LockInB
7103       ????      58725720
??65       ????      ??19
He casts (7103, Joe) and then sends the lockIn 58725720.
Dummy card. Bob obtains a dummy card by mail with the following values under the scratch-off:
         RecordID   LockIn
Top      3946       4514
Bottom   9699       3522
He chooses the values from the top side to cast his vote. He casts (3946, Julia) and then sends the lockIn 4514.
[Figure caption fragments, incomplete on the page: "... tells whether ... take home one of the forms, i.e. 2742-2. EA opens commitment to this form." and "... opened, together with the countMe bit. Thanks to this, the voter can verify if his ballot is properly printed and moreover if his vote will be counted."]
[Table 3 figures not reproduced: LockIn, Ballots]
Table 3: Election tables after Alice's and Bob's votes
8.4 Oskar - countable mailed card and extra recordIDs
Mailed card and extensions. Oskar obtains a countable mailed card with the following values under the scratch-off:
         RecordID   LockIn
Top      2883       7779
Bottom   9686       6492
He chooses the top side to cast his vote.
He casts (2883, Julia) but then finds out that his vote has not been posted correctly: on the BB the value (2883, Joe) is posted instead.
He can use the values of the card's second side and try again from a different computer: (9686, Julia). If the problem appears again (on the BB the value (9686, Joe) is posted), then Oskar visits a polling place.
At the polling place Oskar asks for a countability check of his card(s). In the first step, Oskar performs the countability check for his mailed card. The EA checks the name and address printed on the card against the photo ID given by the voter. Oskar reveals a prefix of a lockIn to the poll worker: 77. The poll worker prints a proof: summand1 = 0205-9, summand2 = 7574-7. Oskar goes into a booth and checks whether the digit-by-digit sum of the summands equals the lockIn, and whether the sum of the extra digits is even (which corresponds to a countable card):
    0205-9
  ⊕ 7574-7
  = 7779-6   → countable (9 + 7 = 16 is even)
Oskar takes home one of the slips, e.g., the one with summand2 = 7574-7; the commitment to that value will be opened.
Extension form obtained at the polling place:
serial   eRecordID
2019     3139
         2938
Oskar casts from a different computer: (3139, Julia), which is correctly posted.
When Oskar is satisfied with the posting he casts the lockIn 6492.
[Table 4 figures not reproduced: LockIn, Ballots (3139: Julia), Extra Ballots]
Table 4: Election tables after Alice's, Bob's and Oskar's votes
8.5 Tally
Ballots table after the lockIns (entries struck through in the figure were overwritten):
3946   Julia
9072   Julia
2883   Joe (struck)
9699
7103   Joe
9686   Joe (struck), Julia
0876
[Table 5 figures not reproduced: LockIn, ReMap, Ballots]
Table 5: EA opens commitments to the linked ballots and to the verified summands.
[Table 6 figures not reproduced: LockIn, ReMap, Ballots, Switchboard, Results]
Table 6: EA publishes results. Votes that are being counted (those which were locked in) are copied to the corresponding rows of the Switchboard table and then to the Results table.
[Table 7 figure not reproduced: LockIn, ReMap, Ballots, Switchboard, Results]
Table 7: Post-election audit: commitments are opened column-wise. For this instance, the right column of ReMap and the right column of Switchboard were opened.
While these descriptions of the present invention have been given as examples, it will be appreciated by those of ordinary skill in the art that various modifications, alternate configurations and equivalents may be employed without departing from the spirit and scope of the present invention.

Claims

What is claimed is:
1. An election method, in which voters cast votes remotely, comprising:
(a) providing voters the option to request that an opportunity to vote be provided them whose votes should be uncounted;
(b) counting the ballots that are to be counted, but excluding counting of ballots that are to be uncounted;
(c) where the uncounted votes are substantially indistinguishable from the counted votes, at least by persons without special access to the system and that are outside of a controlled location.
2. The election method according to claim 1 , including providing a voter in a controlled location with verifiable evidence that a vote will be counted and that evidence substantially unverifiable by persons outside the controlled location without special access.
3. A method for allowing voters to cast votes remotely, including: providing at least some voters with plural codes protected by tamper-evident secrecy protections and the making public of valid codes provided by a voter, such that the choice of which code that a voter evidently accesses is substantially unpredictable to the system.
4. The method according to claim 3, wherein the process of arriving at the tally is publicly- verifiable as a result of the publication of commitments to various values including the hidden codes and the selective revealing of at least some of those values after the election.
5. A remote voting method, comprising the steps of: providing a first code by a voter to a remote system in posting vote information and providing at least a second code by a voter to confirm the posted vote information by the voter.
6. The method according to claim 5, wherein at least the choice by the voter of one of the codes that a voter reveals substantially unpredictable to the system.
7. A verification method, comprising: an in-person verification by a voter of the countability of voting information, without evidence of countability being substantially transferable by the voter to other persons.
8. The verification method according to claim 7, wherein the voter sees at least some correspondence between information indicia on each of two elements and the voter being allowed to retain at most one of the elements.
9. A method for remote voting, comprising: allowing a voter to obtain the ability to vote that is invoked when a voter claims that voting material that was to be sent to the voter was not received by the voter; where the material if it is voted results in an uncounted vote and where information linking voter to material sent is stored as indicia on physical elements and evident accessing of tamper-indicating secrecy protection on certain of the physical elements is substantially necessary in order to link voter to vote.
10. The method according to claim 9, wherein indicia with secrecy protected by tamper- indicating structure is formed related to elements linkable to one of voter identity or vote information and the elements are physically randomized and then associated with the other of the voter identity or vote information.
PCT/US2011/001563 2010-09-11 2011-09-09 Remote voting with integrity and resistance to improper influence WO2012033535A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US38197210P 2010-09-11 2010-09-11
US61/381,972 2010-09-11

Publications (2)

Publication Number Publication Date
WO2012033535A2 true WO2012033535A2 (en) 2012-03-15
WO2012033535A3 WO2012033535A3 (en) 2012-08-09

Family

ID=45811113

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2011/001563 WO2012033535A2 (en) 2010-09-11 2011-09-09 Remote voting with integrity and resistance to improper influence

Country Status (1)

Country Link
WO (1) WO2012033535A2 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20040005791A (en) * 2003-12-26 2004-01-16 에스케이 텔레콤주식회사 Method For Electronic Trading Based On Electronic Account
KR20050102051A (en) * 2005-09-22 2005-10-25 대한민국(관리부서 : 중앙선거관리위원회 위원장) Electronic voting and election system by using internet
KR100653361B1 (en) * 2004-06-04 2006-12-06 고려대학교 산학협력단 Electronic voting method and system which is able to identify a voter`s ballot effective in counting of electronic vote
US7431209B2 (en) * 2000-11-20 2008-10-07 Avante International Technology, Inc. Electronic voting apparatus, system and method

Also Published As

Publication number Publication date
WO2012033535A3 (en) 2012-08-09


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11823887

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11823887

Country of ref document: EP

Kind code of ref document: A2