Limited Entropy Dot Com: Not so random thoughts on security, by Eloi Sanfèlix

30 Jun 2009

Requirements for (secure) Electronic Voting

Some time ago kuasar told me about an initiative named Partido de Internet (PdI for short). The idea is to create a political party that would vote on every bill and every initiative in parliament according to the result of a separate electronic election. So affiliates would vote on a per-initiative basis over the Internet, and the PdI representatives in parliament would vote according to the results.

Setting aside the political implications, and whether I (or you) think this is a good idea or not, I want to talk here about electronic voting. As soon as she mentioned it to me, I started thinking: "Wait... this is not so easy. We want elections to be secure; nobody wants everyone to know how he voted, but he does want his vote to be counted correctly... there are several requirements that are not so easy to meet."

So I asked her how they would implement it... and the answer was that they would probably use the e-DNI, the Spanish electronic ID card, which of course provides digital signatures. Yes, you could use such a device to implement an electronic voting scheme... but there is quite a lot of thinking involved in order to get it right!

Let's start a series of posts here to brainstorm about e-voting. I'll begin by setting out what I (and the literature I have from last year's courses on crypto protocols 😉) think an electronic voting scheme needs to provide. These are the requirements I can see, but maybe you can think of others, so feel free to comment!

  • Privacy or anonymity: A voter wants his vote to remain anonymous. There should be absolutely no way to link a voter to his vote, neither by other voters nor by the election authorities.
  • Eligibility: Only voters who are eligible to vote should be able to vote, and only once. A legitimate voter should not be able to cast two different votes, and of course a non-legitimate voter should not be able to vote at all.
  • Fairness: The results can only be obtained at the end of the election, so that other voters cannot be influenced.
  • Verifiability: The outcome of the election needs to be fair, i.e. the results have to equal the votes cast by the voters.
  • Individual verifiability: An individual voter can verify that his vote was actually counted.
  • Receipt-freeness: A voter cannot prove that he voted for a given party. This way nobody can be coerced into voting for a given party.

Some of these requirements are more important than others: some are really required for any fair electronic voting system one can think of, and others are just desirable. In subsequent posts we will look at some electronic voting protocols and try to see which requirements they meet.

Before finishing, one thing is clear: meeting these requirements is not trivial. For instance, vote privacy and verifiability seem to contradict each other... how can one only vote if he is eligible, yet have his vote revealed to nobody? We'll see some ways of doing it in a while ;-).
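To make the privacy-versus-eligibility tension concrete, here is a toy of the classic blind-signature approach. This is an added example written for this page, not code from the post or from the PdI: a registrar checks the voter against a constructed electoral roll and issues exactly one RSA blind signature per voter, but only ever sees a blinded value, so it cannot link a voter to the ballot later cast over an anonymous channel. The tallier holds only the public key, so it can verify that a ballot was authorised without learning who cast it. The key (two Mersenne primes), the roll and the votes are constructed for illustration and are far too small for real use.

```python
# Added example (not from the original post): a toy RSA blind-signature ballot
# scheme showing how eligibility ("one signature per voter on the roll") and
# privacy ("the registrar never sees the ballot it signs") can coexist.
# Key size, roll and vote choices are constructed for illustration only.
import hashlib
import math
import secrets

# Toy RSA key built from two known Mersenne primes. Far too small for real use,
# but enough to run the protocol end to end. pow(e, -1, phi) needs Python 3.8+.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
assert math.gcd(E, PHI) == 1
D = pow(E, -1, PHI)


def ballot_digest(ballot: bytes) -> int:
    """Map a ballot to the RSA message space."""
    return int.from_bytes(hashlib.sha256(ballot).digest(), "big") % N


class Registrar:
    """Checks eligibility and blind-signs ballots; holds the private key."""

    def __init__(self, roll):
        self.roll = set(roll)      # constructed electoral roll
        self.issued = set()        # voters who already received a signature
        self.seen = []             # blinded values: all the registrar ever sees

    def sign_blinded(self, voter_id: str, blinded: int) -> int:
        if voter_id not in self.roll:
            raise PermissionError(f"{voter_id}: not on the electoral roll")
        if voter_id in self.issued:
            raise PermissionError(f"{voter_id}: signature already issued")
        self.issued.add(voter_id)
        self.seen.append(blinded)
        return pow(blinded, D, N)


class Voter:
    """Builds a ballot, blinds it for signing, unblinds the returned signature."""

    def __init__(self, voter_id: str, choice: str):
        self.voter_id = voter_id
        # A random nonce makes every ballot unique even when choices repeat.
        self.ballot = choice.encode() + b"|" + secrets.token_hex(16).encode()
        while True:                          # blinding factor coprime to N
            self.r = secrets.randbelow(N - 2) + 2
            if math.gcd(self.r, N) == 1:
                break

    def blinded(self) -> int:
        return (ballot_digest(self.ballot) * pow(self.r, E, N)) % N

    def unblind(self, blinded_sig: int) -> int:
        return (blinded_sig * pow(self.r, -1, N)) % N


class Tallier:
    """Accepts anonymous (ballot, signature) pairs; knows only the public key."""

    def __init__(self):
        self.tally = {}
        self.seen_ballots = set()

    def cast(self, ballot: bytes, signature: int) -> bool:
        if pow(signature, E, N) != ballot_digest(ballot):
            return False                     # forged or unsigned ballot
        if ballot in self.seen_ballots:
            return False                     # replay of a counted ballot
        self.seen_ballots.add(ballot)
        choice = ballot.split(b"|", 1)[0].decode()
        self.tally[choice] = self.tally.get(choice, 0) + 1
        return True


def run_election(votes, roll):
    """votes: list of (voter_id, choice). Returns (tally, rejected voter ids)."""
    registrar, tallier, rejected = Registrar(roll), Tallier(), []
    for voter_id, choice in votes:
        v = Voter(voter_id, choice)
        try:
            blinded_sig = registrar.sign_blinded(voter_id, v.blinded())
        except PermissionError:
            rejected.append(voter_id)
            continue
        # Submitted over an anonymous channel: no voter_id travels with it.
        assert tallier.cast(v.ballot, v.unblind(blinded_sig))
    return tallier.tally, rejected


if __name__ == "__main__":
    print(run_election([("alice", "yes"), ("bob", "no"), ("carol", "yes"),
                        ("dave", "yes"), ("alice", "no")],
                       ["alice", "bob", "carol"]))
```

The toy meets eligibility (dave is not on the roll, alice's second request is refused) and privacy (the registrar's log holds only blinded values), and a forged or replayed ballot is rejected by the tallier. Note what it does not give: a voter who keeps his ballot bytes can show them to anyone, so this scheme is not receipt-free, and nothing here publishes the accepted pairs for universal recounting, which is what verifiability would need.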

Posted by Eloi Sanfèlix

Comments (4) Trackbacks (0)
  1. Given the current deployment of smart-card readers, even if they are cheap very few people will have one when the time comes. I think the option of using certificates and the like to cast the vote should be taken into account.

    If you want to win supporters you would have to accept votes from "non-affiliated" people; that is only logical if you want to reach parliament.

    Then there is the mess of people who go "as a group". Assuming you have won X seats in parliament, whom are you going to represent from the PdI? In principle you say, well, all those people who disagree blah blah blah, but:
    an organised group of N people (who voted for a different party X, with umpteen seats but no majority) goes and re-votes in the PdI, thereby raising the possible percentage for a proposition. Honestly, I don't see it as easy to control "mafias" of large groups of people. A person can belong to the majority party and then be urged by his party to swamp the PdI's votes, and I see no simple way to control that.

    The truth is that it's a delicate subject, and technologically, don't even get me started.

  2. The question of non-affiliated people voting is complex. By affiliated I don't mean people directly related to the party, but people who have registered to vote…

    At the very least there would have to be an "electoral roll" that lets you discriminate who can vote and who cannot, and mark them as having voted so that nobody can vote twice.

    Another option is to use the e-DNI to identify the voters who have voted (using blind signatures to hide the vote, or whatever is needed, we'll see the protocols) and check the validity of their certificate through the e-DNI PKI…

    That way you wouldn't have a register of who can vote; instead anyone with a valid e-DNI could vote. But that adds a problem regarding the legal voting age… which we would have to think about how to solve. I don't know whether the e-DNI certificate includes things like date of birth and so on.

    I think the best thing is to have an electoral roll, rather than adding extra complexity by letting "anyone" vote.

  3. TuXeD, pass me some bibliography on the subject if you have any, please. And if it can be found on the "second-hand market", so much the better 🙂

  4. Hi Alvaro,

    What I have is basically one chapter of the course "Verification of security protocols" ( http://cs.ru.nl/~chaack/teaching/2IF02-Spring08/ ), where we analysed an electronic voting protocol with ProVerif ( this is the link: http://cs.ru.nl/~chaack/teaching/2IF02-Spring08/chapter09-view.pdf ), and the first part of Cryptography 2 on cryptographic protocols.

    You can find the lecture notes at http://www.win.tue.nl/~berry/2WC13/LectureNotes.pdf . There are also references to other documents on the subject there… and I suppose elsewhere too.

    In principle, with the mechanisms explained in those lecture notes it should be possible to implement that kind of system… I'll write something more about it 🙂

    Regards
