The Public Voting Process

Votes by citizens are secret and tallied without record of which voter voted for whom.   Voting can be performed remotely by personal computer, and the link between a remote computer and the voting machine must be encrypted to prevent eavesdropping.   If before completion of stage 8 (described below), one minute of idle time elapses without the voting machine receiving a message from the voter, the voter's authoritative record for that ballot item is cleared, the session ends, and the voter can begin his vote on that item again.   To vote, a voter engages in a session as follows, with stages identified in parentheses preceding the description of the stage.

Upon establishment of an encrypted connection to the voting machine (the same encrypted connection can be used for multiple sessions), the session begins with (1) the voter providing his ostensible identity to the voting machine, (2) the voting machine producing a cryptographic challenge, and (3) the voter proving his identity by solving the challenge.   The session ends if the solution is incorrect.

The voter then (4) specifies what poll item he intends to vote on, and (5a) the machine then verifies the voter's eligibility to vote on that poll item, by accessing a coherent authoritative database (voting on the item must be open, the individual's record with respect to that poll item must not be locked, the voter must be properly registered with no current disqualifying legal handicaps, and must not have already finalized a vote on the item).   If eligibility is confirmed, then (5b) the individual's record with respect to that poll item is locked for the duration of the session and (5c) the voter is informed of his eligibility, else the session ends.

If the poll item at issue is a vote for a legislator, the voter has previously cast a vote for a legislator in the same unit of state, and that vote has not yet expired, then (5d) the voter must provide the voting machine with the receipt received at stage 9e in the course of casting that previous vote.   (5e) The voting machine verifies the encoding and signatures of the 5d receipt, if any, and verifies that the 5d receipt, if any, has not previously been submitted to effect vote revocation.   If verification fails, the session ends, otherwise it continues.   In either case, (5f) the voter is informed of the results of his 5d submission, if any.

Next, (6a) the voter completes the specified poll item (specifies his voting position on one item in the poll), (6b) computes a digest of the completed poll item, (6c) computes an encryption of that digest with a random symetric key of his choice, and (6d) computes a decryption of that digest encryption using his private key using an algorithm with which decryption can be safely used to generate a signature.

(6e) The voter provides the voting machine with the completed poll item, the above random symmetric key, and the fully processed digest (the assymetric decryption of the symmetric encryption of the digest of the completed poll item).   The voting machine verifies the validity and consistency of the data.   Validity is determined by (7a) confirmation that the name given for the item unambiguously identifies a candidate, or the response given for a non-election item is a valid response.   Consistency is determined by (7b) confirmation that the cryptographic relationships among the data are mathematically valid.

If the poll item as completed is not valid, or the consistency check fails, the voter's authoritative record for that poll item is cleared, this session ends, and the voter can begin his vote on that item again.   (7c) The voter is alerted to each invalid name in the previous completed poll item (if any), and is alerted to each ambiguous name (if any) as described above.

If validity and consistency are verified, the voting machine (7d) generates a string with a random portion, a timestamp portion, a portion identifying the precise poll item completed above (but not including any information about how the poll item was completed), and a portion fully identifying the individual, and (7e) demands that the individual sign this with his private key.   If (8) the individual properly signs this string and forwards the signature to the machine, then (9a) the signed string is archived by the machine and (9b) the authoritative database is notified that the individual has completed his vote on that particular item and cannot vote on it again, or if the item is a vote for a legislator, the authoritative database is provided with the receipt from stage 5d, if any.

Next, (9c) the voting machine computes an encryption of the above random symmetric key using the individual's public key, and (9d) produces a cryptographically verifiable receipt consisting of a machine-signed record consisting of the completed poll item, the above fully processed digest, the above timestamp, and the above assymetric encryption of the symmetric key.   (9e) This receipt is delivered to the voter, and the session ends.   With this receipt, the individual can prove that he cast a vote on this particular item and how it was cast.

The machine then (10) irreversibly discards its copy of the stage 6c random key and archives a record consisting of the stage 6a completed poll item and the associated stage 6d fully processed digest.   The individual (11) archives a copy of the stage 9d receipt.

When voting closes, all stage 10 item-digest pairs, and all stage 8 signed strings, are made anonymously and immediately available to the public at large.   For a particular item, the number of counted and published stage 10 item-digest pairs must precisely equal the number of stage 8 signed strings.

An individual can verify that his vote was registered correctly by retrieving the completed poll item which has associated with it a fully processed digest that matches his archived fully processed digest (included in the receipt).   The stage 6c symmetric key is recovered by decrypting the stage 9c encryption of it found in the receipt.   Using the recovered stage 6c key, the voter ascertains whether the published completed poll item matches.   The individual can prove that his vote was fraudulently registered by producing the receipt the voting machine gave him, and showing that the fully processed digest for which he was given a receipt was not published, or that the completed poll item accompanying the fully processed digest does not match the fully processed digest, in which case he must provide the recovered stage 6c key.

Votes cannot be tallied or published until after the voting period has ended, and must be tallied and published within 24 hours of the close of voting.

If within one week following closing of a vote, more than 1% of voters eligible to vote on an item demonstrate fraud in the vote on that item, then the entire vote on that item is repeated.



previous section "Voting Procedures"

next section "Competency of State Employees"

back to index for this chapter ("General Principles of State")

back to top-level index



Send email to me at douzzer@mega.nu

Site Search


This is a preliminary draft. Pending changes are in The To-Do List