The Public Voting Process
Votes by citizens are secret and tallied without record of which voter
voted for whom. Voting can be performed remotely by personal
computer, and the link between a remote computer and the voting
machine must be encrypted to prevent eavesdropping. If before
completion of stage 8 (described below), one minute of idle time
elapses without the voting machine receiving a message from the voter,
the voter's authoritative record for that ballot item is cleared, the
session ends, and the voter can begin his vote on that item again. To
vote, a voter engages in a session as follows, with stages identified
in parentheses preceding the description of the stage.
Upon establishment of an encrypted connection to the voting machine
(the same encrypted connection can be used for multiple sessions), the
session begins with (1) the voter providing his ostensible identity to
the voting machine, (2) the voting machine producing a cryptographic
challenge, and (3) the voter proving his identity by solving the
challenge. The session ends if the solution is incorrect.
The voter then (4) specifies what
poll item he intends to vote on, and (5a) the machine then verifies
the voter's eligibility to vote on that poll item, by accessing a
coherent authoritative database (voting on the item must be open, the
individual's record with respect to that poll item must not be
locked, the voter must be properly registered with no current
disqualifying legal handicaps, and must not have already finalized a
vote on the item). If eligibility is confirmed, then (5b) the
individual's record with respect to that poll item is locked for the
duration of the session and (5c) the voter is informed of his
eligibility, else the session ends.
If the poll item at issue is a vote for a legislator, the voter has
previously cast a vote for a legislator in the same unit of state, and
that vote has not yet expired, then (5d) the voter must provide the
voting machine with the receipt received at stage 9e in the course of
casting that previous vote. (5e) The voting machine verifies the
encoding and signatures of the 5d receipt, if any, and verifies that
the 5d receipt, if any, has not previously been submitted to effect
vote revocation. If verification fails, the session ends, otherwise
it continues. In either case, (5f) the voter is informed of the
results of his 5d submission, if any.
Next, (6a) the voter completes the specified poll item (specifies his
voting position on one item in the poll), (6b) computes a digest of
the completed poll item, (6c) computes an encryption of that digest
with a random symetric key of his choice, and (6d) computes a
decryption of that digest encryption using his private key using an
algorithm with which decryption can be safely used to generate a
signature.
(6e) The voter provides the voting machine with the completed poll
item, the above random symmetric key, and the fully processed digest
(the assymetric decryption of the symmetric encryption of the digest
of the completed poll item). The voting machine verifies the
validity and consistency of the data. Validity is determined by (7a)
confirmation that the name given for the item unambiguously identifies
a candidate, or the response given for a non-election item is a valid
response. Consistency is determined by (7b) confirmation that the
cryptographic relationships among the data are mathematically valid.
If the poll item as completed is not valid, or the consistency check
fails, the voter's authoritative record for that poll item is cleared,
this session ends, and the voter can begin his vote on that item
again. (7c) The voter is alerted to each invalid name in the previous
completed poll item (if any), and is alerted to each ambiguous name
(if any) as described above.
If validity and consistency are verified, the voting machine (7d)
generates a string with a random portion, a timestamp portion, a
portion identifying the precise poll item completed above (but not
including any information about how the poll item was completed),
and a portion fully identifying the individual, and (7e) demands that
the individual sign this with his private key. If (8) the individual
properly signs this string and forwards the signature to the machine,
then (9a) the signed string is archived by the machine and (9b) the
authoritative database is notified that the individual has completed
his vote on that particular item and cannot vote on it again, or if
the item is a vote for a legislator, the authoritative database is
provided with the receipt from stage 5d, if any.
Next, (9c) the voting machine computes an encryption of the above
random symmetric key using the individual's public key, and (9d)
produces a cryptographically verifiable receipt consisting of a
machine-signed record consisting of the completed poll item, the
above fully processed digest, the above timestamp, and the above
assymetric encryption of the symmetric key. (9e) This receipt is
delivered to the voter, and the session ends. With this receipt, the
individual can prove that he cast a vote on this particular item and
how it was cast.
The machine then (10) irreversibly discards its copy of the stage 6c
random key and archives a record consisting of the stage 6a completed
poll item and the associated stage 6d fully processed digest. The
individual (11) archives a copy of the stage 9d receipt.
When voting closes, all stage 10 item-digest pairs, and all stage 8
signed strings, are made anonymously and immediately available to the
public at large. For a particular item, the number of counted and
published stage 10 item-digest pairs must precisely equal the number
of stage 8 signed strings.
An individual can verify that his vote was registered correctly by
retrieving the completed poll item which has associated with it a
fully processed digest that matches his archived fully processed
digest (included in the receipt). The stage 6c symmetric key is
recovered by decrypting the stage 9c encryption of it found in the
receipt. Using the recovered stage 6c key, the voter ascertains
whether the published completed poll item matches. The individual
can prove that his vote was fraudulently registered by producing the
receipt the voting machine gave him, and showing that the fully
processed digest for which he was given a receipt was not published,
or that the completed poll item accompanying the fully processed
digest does not match the fully processed digest, in which case he
must provide the recovered stage 6c key.
Votes cannot be tallied or published until after the voting period has
ended, and must be tallied and published within 24 hours of the close
of voting.
If within one week following closing of a vote, more than 1% of voters
eligible to vote on an item demonstrate fraud in the vote on that
item, then the entire vote on that item is repeated.
previous section "Voting Procedures"
next section "Competency of State Employees"
back to index for this chapter ("General Principles of State")
back to top-level index
Send email to me at douzzer@mega.nu
Site Search
This is a preliminary draft. Pending changes are in The To-Do List