Security and cryptology

1. Will my vote in any case remain anonymous?
2. How will CyberVote avoid "double voting"?
3. Will the voter have the possibility to use his/her right to leave a blank ballot or to cast an invalid ballot?
4. How will you guarantee that the system will remain under the control of citizens and not computer scientists?
5. What is "universal verifiability"?
6. What level of verifiability is legally required for public elections?
7. Can a virus or Trojan horse attack CyberVote?
8. To what extent will CyberVote ensure the secrecy of the vote?
9. How will CyberVote authenticate the voter?
10. How will you prevent attacks on the CyberVote computers?
11. How will CyberVote ensure software integrity on the server side and on the client side?
12. How will you ensure that my vote will be protected and not controlled?
13. How will CyberVote ensure voter anonymity?
14. Will CyberVote use blind signature algorithms?
15. What is "homomorphic encryption"?
16. How will I be sure that my vote will be taken into account?
17. What is a "trusted server approach"?
18. How will you solve the problem of priorities between e-voting, voting by mail and traditional voting?
19. What will happen if during the casting of my vote the ballot server crashes?
20. How will CyberVote transport my vote?
21. Will CyberVote support recounts?
22. How will CyberVote prevent the hacking of the votes and the decryption of these votes 10 or 20 years later?

See also the frequently asked questions on: Legal aspects, Use of mobile phones, Use of the system, Commercial and marketing.

How will CyberVote avoid "double voting"?
The system will register the successful voting of the voter. After that, no more ballots from that voter will be accepted.
If the voter also casts his vote in paper form, that vote will be counted and the electronic vote will be discarded.

Will the voter have the possibility to use his/her right to leave a blank ballot or to cast an invalid ballot?
A blank ballot will be among the choices to make when casting a vote, but it will be impossible to cast an invalid ballot. If desired, it is possible for voters to express non-anonymously that they refuse to vote.

How will you guarantee that the system will remain under the control of citizens and not computer scientists?
As usual, trust in the system by the general audience will be achieved indirectly. An Internet-based voting system needs to be certified in a similar way as electronic voting machines get certified these days: the general audience does not need to inspect the voting machines or even try to understand the inner workings of these machines.

What is "universal verifiability"?
"Universal verifiability" means that it is possible for anybody to check that the final tally is correctly computed from the valid ballots displayed on the bulletin board.
This is stronger than "local verifiability", where correctness of the final tally follows only if one assumes that each voter will check whether his or her vote has been counted.

What level of verifiability is legally required for public elections?
Current practice is that observers and scrutineers will check the proceedings of the elections and the operation of the voting machines. For the CyberVote system, which provides universal verifiability, these observers and scrutineers may check the contents of the bulletin board and see if the tally is computed correctly. (For a system with local verifiability, this cannot be done at the same level, as it depends ultimately on the voters checking their votes after the election has finished.)

Can a virus or Trojan horse attack CyberVote?
Yes, like any other client software in an insecure PC environment.
Anti-virus software should be used and strict security guidelines followed to limit the risk of a virus or Trojan horse attack.
Secure user interface techniques can be applied to the CyberVote client to prevent Trojan horses.

How will CyberVote authenticate the voter?
The preferred authentication mechanism is a smart card containing a private key for issuing digital signatures.
Weaker authentication mechanisms such as PIN codes can be used if smart cards cannot be used; of course, this affects the overall security of the system.

How will you prevent attacks on the CyberVote computers?
As a measure of precaution against Denial of Service attacks, routers should have secure routing protocols implemented.
Further, filters, or "sniffers", can be used as well as any other generally available countermeasures.

How will CyberVote ensure software integrity on the server side and on the client side?
Network intrusion detection and integrity checking tools can be used.
In particular, it must be checked that the client software is authentic, e.g., by verifying a digital signature issued by CyberVote authorities. As part of the certification process of the system, the client software (source code and executable code) must be checked for processing the selected votes correctly. For instance, if a voter types 'yes', it must be ensured that the vote cast by the client software indeed represents a 'yes' vote and nothing else.

How will you ensure that my vote will be protected and not controlled?
The vote is stored on the bulletin board in encrypted form, so it cannot be read by non-authorized parties.
A threshold scheme will be applied for decryption. This means a minimum number of talliers need to cooperate in order to be able to decrypt a vote.
Furthermore, if homomorphic encryption is used, the talliers do not need to decrypt single votes at all, but only the final tally.

How will CyberVote ensure voter anonymity?
See "homomorphic encryption" and "threshold cryptography".

Will CyberVote use blind signature algorithms?
Blind signatures are needed with schemes using anonymous channels.
CyberVote will not need (and hence not assume the availability of) anonymous channels.

What is "homomorphic encryption"?
Essentially it means that the product of all the encrypted ballots is the encryption of the final tally.
So we only need to decrypt the product of all the encrypted ballots.
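
The threshold decryption described under "protected and not controlled" and the homomorphic tally described here can be seen working together in the following added example, which is not CyberVote code. It assumes exponential ElGamal and Shamir sharing by a trusted dealer, neither of which this page names; the group is a toy and all function names are illustrative.

```python
# Added example, not CyberVote code. Toy group (constructed): P = 2Q + 1 with
# P, Q prime; G generates the order-Q subgroup. Far too small for real use.
import secrets
from functools import reduce

P, Q, G = 2039, 1019, 4

def share_key(t, n):
    """Shamir-share a fresh key among n talliers, any t of whom can decrypt.
    Assumption: a trusted dealer; a real election would avoid one."""
    coeffs = [secrets.randbelow(Q - 1) + 1 for _ in range(t)]  # coeffs[0] = key
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    return pow(G, coeffs[0], P), shares

def encrypt(h, vote):
    """Ballot for vote 0 (no) or 1 (yes): (G^r, G^vote * h^r)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(h, r, P) % P

def multiply(ballots):
    """Component-wise product: an encryption of the sum of all votes."""
    return reduce(lambda x, y: (x[0] * y[0] % P, x[1] * y[1] % P), ballots)

def partial_decrypt(share, ciphertext):
    """One tallier's contribution, computed from its share alone."""
    return pow(ciphertext[0], share, P)

def lagrange_at_zero(i, ids):
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * -j % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def open_tally(ciphertext, partials, max_votes):
    """Combine t partial decryptions, then find the tally m with G^m = result."""
    mask = 1
    for i, part in partials.items():
        mask = mask * pow(part, lagrange_at_zero(i, list(partials)), P) % P
    g_tally = ciphertext[1] * pow(mask, -1, P) % P
    return next(m for m in range(max_votes + 1) if pow(G, m, P) == g_tally)

def demo(talliers=(1, 3, 5)):
    h, shares = share_key(t=3, n=5)
    votes = [1, 0, 1, 1, 0, 1, 1]                 # constructed sample votes
    product = multiply([encrypt(h, v) for v in votes])
    partials = {i: partial_decrypt(shares[i], product) for i in talliers}
    return open_tally(product, partials, len(votes))
```

No individual ballot is ever decrypted: the talliers only ever apply their shares to the product.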

How will I be sure that my vote will be taken into account?
See "universal verifiability" (*, **).

What is a "trusted server approach"?
An approach where the voters must essentially trust the server to (i) maintain ballot secrecy for their votes and (ii) tally the votes correctly. All trust is thus put in a single entity.
The alternative is that these properties are achieved through a cryptographic protocol, which ensures that these security properties hold unless a large number of parties is corrupted. This way, trust is distributed among a large number of parties.

How will you solve the problem of priorities between e-voting, voting by mail and traditional voting?
The encrypted ballots are stored together with the names of the voters. So the digital ballot can be removed if the voter has also voted by mail or traditional voting.

What will happen if during the casting of my vote the ballot server crashes?
CyberVote will make sure that there is only a small probability that the voting server will not be available during the election. However, there is always the possibility to vote (additionally) in the traditional way (with paper ballots).
The paper ballot is then the one which is counted, and the digital ballot of the voter is discarded.

What will happen if during the casting of my vote my client software crashes?
See also Legal Aspects.
The software will be tested to run correctly on the most common platforms. Some minimum requirements on hardware and software will be stated in the installation guide of the software. However, CyberVote cannot guarantee proper functioning in all cases.
If you are unable to restart the client again, you will have to look for a public voting client in your neighbourhood.
On your second attempt, you will have to find out whether your first vote has appeared on the bulletin board or not and possibly cast your vote again.

Will somebody other than me be able to vote using my authentication material?
If the voting takes place at a polling station, you will have to identify yourself there (as with traditional voting) before you are allowed to enter the voting booth.
If your presence at a polling station is not required, identification schemes will be used. During the registration phase you will commit yourself to some secret information that enables you (and only you) to prove your identity.
The holder of this information (or hardware token) will be able to cast his vote on Election day. Therefore you should keep this information strictly to yourself.

How will CyberVote transport my vote?
The encrypted ballot will be transmitted over the Internet.
The CyberVote protocols are designed to be secure. Nevertheless, as an additional layer of security SSL/TLS can be used.

How will CyberVote store my vote?
The encrypted ballots will be stored by the voting server in a database.

Will CyberVote support recounts?
Recounts in the traditional sense will not be needed. The "universal verifiability" property of the voting scheme makes it possible for scrutineers (maybe even for ordinary voters and others) to verify that the published tally matches the encrypted ballots.
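
As an added illustration of the check that replaces a recount (not CyberVote code): a scrutineer recomputes the product of the ballots on the bulletin board and tests the published tally against it using public data only. It assumes exponential ElGamal with a single tallier key and a Chaum-Pedersen proof of correct decryption, none of which this page specifies; proofs that each ballot is valid are left out, and the group is a toy.

```python
# Added example, not CyberVote code. Toy group (constructed): P = 2Q + 1,
# G has prime order Q. Far too small for real use.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(h, vote):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(h, r, P) % P

def board_product(board):
    """Anyone can compute this from the published ballots."""
    a = b = 1
    for ca, cb in board:
        a, b = a * ca % P, b * cb % P
    return a, b

def challenge(*values):
    """Fiat-Shamir challenge derived from the public values of the proof."""
    digest = hashlib.sha256(repr(values).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def publish_tally(x, board):
    """Tallier: decrypt only the product; prove d = a^x for the x behind h."""
    a, b = board_product(board)
    h, d, w = pow(G, x, P), pow(a, x, P), secrets.randbelow(Q)
    c = challenge(h, a, d, pow(G, w, P), pow(a, w, P))
    g_tally = b * pow(d, -1, P) % P
    tally = next(m for m in range(len(board) + 1) if pow(G, m, P) == g_tally)
    return tally, (d, c, (w + c * x) % Q)

def verify_tally(h, board, tally, proof):
    """Scrutineer: needs the public key, the board and the published values."""
    a, b = board_product(board)
    d, c, s = proof
    t1 = pow(G, s, P) * pow(h, -c, P) % P      # equals G^w for an honest proof
    t2 = pow(a, s, P) * pow(d, -c, P) % P      # equals a^w for an honest proof
    return c == challenge(h, a, d, t1, t2) and b == pow(G, tally, P) * d % P

def demo():
    x, h = keygen()
    board = [encrypt(h, v) for v in (1, 1, 0, 1, 0)]   # constructed ballots
    tally, proof = publish_tally(x, board)
    return h, board, tally, proof
```

The check fails both for a misreported tally and for a board that differs from the one the tallier decrypted, because the proof is bound to the product of the published ballots.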

How will CyberVote prevent the hacking of the votes and the decryption of these votes 10 or 20 years later?
CyberVote will pick a key length that keeps the encryption secure for 10 years, given some assumptions (e.g., that the growth of computer efficiency will be the same as now).