Voting with untrusted servers: A new architecture
As far as I know, this is the only proposed design for an anonymous, verifiable voting system in which the server is untrusted.
- There is a public list of voters who are real and eligible to vote.
- The voters' computers are secure.
A basic outline
Voters connect to the server over a secure connection. The server places voters into groups of 30 or so and shares the IP addresses of all the group members with each other. The voters then disconnect from the server and vote on their local machines. Each voter must enter a passphrase (footnote 4) that will correspond to their vote. Each vote, together with its passphrase, is then encrypted using the server's public key. These encrypted vote+passphrase packets are sent from each member of the group to every other member of the group. Packets are also randomly forwarded between members so that no group member can know from whom a packet originally came.
At the end of a given time interval (20 mins), all the group members have 30 encrypted votes on their machines. Each voter then sends all 30 votes, the group ID and the 30 passphrases back to the server. The server decrypts the packets, verifies that the votes submitted by the different group members do not contradict each other, and then publicly publishes the decrypted votes, the members of each group and the passphrases (see footnote 2).
Voters can then verify that their vote was counted by going to the public vote list, finding their group, checking that they are listed as a member of that group, and checking that their passphrase corresponds to their vote. If their passphrase does not correspond to their vote, they can force the whole group to be broken up and re-vote (footnote 1).
Anyone in the world can access the public lists of voters and votes at any time during the voting process.
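The group protocol above, as an added example that is not part of the original proposal: RSA-OAEP stands in for the unspecified public-key encryption, a small constructed group replaces the 30 members, the network forwarding between members is not modelled, and the server's "not contradictory" check is implemented as "every packet appears in every member's submission". Rejecting a repeated passphrase is an assumption added here, since two voters choosing the same passphrase would make the published list ambiguous for both.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"strings"
)

// NewServerKey generates the server's key pair whose public half voters use.
func NewServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal is the voter side: vote+passphrase under the server's public key (RSA-OAEP, randomised).
func Seal(pub *rsa.PublicKey, vote, passphrase string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(vote+"\x00"+passphrase), nil)
}

// Tally is the server side: every packet must come from every member (orders
// differ because of random forwarding) or the group re-votes before anything is
// decrypted. Rejecting a repeated passphrase is an added check: it would make
// the published passphrase -> vote list ambiguous for both voters (assumption).
func Tally(priv *rsa.PrivateKey, submissions [][][]byte) (map[string]string, error) {
	count := map[string]int{}
	for _, s := range submissions {
		for _, p := range s {
			count[string(p)]++
		}
	}
	for _, c := range count {
		if c != len(submissions) {
			return nil, errors.New("members disagree on the packet set: group must re-vote")
		}
	}
	published := map[string]string{}
	for _, p := range submissions[0] {
		pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, p, nil)
		if err != nil {
			return nil, err
		}
		vote, pass, ok := strings.Cut(string(pt), "\x00")
		if _, dup := published[pass]; !ok || dup {
			return nil, errors.New("malformed packet or repeated passphrase: group must re-vote")
		}
		published[pass] = vote
	}
	return published, nil
}
```

A voter's verification step is a lookup of their own passphrase in the returned map and a comparison with the vote they cast.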
Possible areas of attack:
- If all but one of the voters in a given group collude, the anonymity of the remaining honest voter is lost.
- A virus on the voter's computer can compromise the voter's anonymity.
- Physical coercion can force the voter to vote a certain way. The voter can always recall the vote at a later point.
- An untrustworthy server can falsify groups, sending untrustworthy IPs to each of the group members and so compromising anonymity. This can be solved by publishing the IPs along with the group: voters record the IPs of their group members and can check that they match the ones published.
- Footnote 1: The re-vote mechanism is a big problem with this design, because it allows voters to disrupt the voting process. If a voter does this more than twice, the system can revoke their ability to vote online for this election and require them to go to a polling station. Other options include tracking culprits and flagging them.
- Footnote 4: A passphrase is just a string like “doggy”.