WO2002046883A2 - Electronic voting system - Google Patents


Info

Publication number
WO2002046883A2
Authority
WO
WIPO (PCT)
Prior art keywords
election system
ballot
voter
database
election
Application number
PCT/US2001/048357
Other languages
French (fr)
Other versions
WO2002046883A3 (en)
Inventor
Jared Karro
Jie Wang
Original Assignee
The University Of North Carolina At Greensboro
Application filed by The University Of North Carolina At Greensboro
Priority to AU2002232584A1
Publication of WO2002046883A2
Publication of WO2002046883A3

Classifications

    • G: PHYSICS
    • G07: CHECKING-DEVICES
    • G07C: TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C13/00: Voting apparatus

Definitions

  • the present invention relates generally to an electronic voting system and, more particularly, to a system for carrying out elections over a network.
  • Democratic societies are founded on the principle of elections. However, it is not unusual that many eligible voters in a democratic society do not participate in elections. One of the common reasons for not participating is that voters find it inconvenient to go to the polls. In conventional elections, voters must go to a designated location near their residence. However, for various reasons voters are not always able to make it to these locations. They may be out of town on work or on vacation. Even if they are in town, their daily schedule may not permit them to get to the polls.
  • voting online provides a reasonable alternative and in the future may replace conventional elections.
  • Voting online would allow voters to participate in an election in any location that provides Internet access. Voters could cast their ballots while at work, at school, or in the comfort of their own home.
  • Many public libraries have computers with Internet access that could also be used in elections. In some places, bookstores and coffee bars are also starting to provide Internet access. For those voters still without Internet access, voting districts would still have designated locations; only computers, instead of voting booths, would be used. There would be no need to restrict voters to a given district.
  • the idea of electronic election over computer networks has been studied intensively for over fifteen years.
  • Cranor and Cytron [CC97] recently designed and implemented a security-conscious polling system, called Sensus.
  • voting protocols are primarily limited to 'yes-no' votes. In the majority of national elections, this is not the case. In addition to having multiple options, many elections also have the ability to 'write-in' a candidate. Even though the ability to have a 'write-in' candidate is not extremely significant, it is extremely important for our protocol to support multiple candidate elections. This need is evident with the election of the Reform Party's Jesse Ventura as governor of Minnesota.
  • Sensus has actually been implemented and used in mock elections. Sensus is based on the voting protocol proposed in [F+93], which uses blind signatures and anonymous communication channels to administrate elections. In this chapter we will first outline these two protocols. We will then show that these two protocols suffer from several major drawbacks.
  • Registration phase The registrar compiles a list of eligible voters prior to an election. Eligible voters generate public/private key pairs for signing ballots, and register to vote by sending the registrar their voter identifications and the public keys, which are placed in a registered voter list. (See [CC97] for a detailed implementation of this phase.) The registrar then sends the list to the validator.
  • Preparation phase The voter V prepares a voted ballot b and encrypts it with a random string k he/she selects, as in the bit-commitment scheme [Na90]. Assume that the committed ballot is x. The voter then blinds x into a new string e, signs e into a new string s, and sends (I, e, s) to the validator, where I is V's ID.
  • Authorization phase Using the registered voter list, the validator verifies that the signature s belongs to a registered voter I who has not yet voted, signs the ballot e into a new string d, and returns d to the voter.
  • Voting phase The voter V removes the blinding layer from d, revealing an encrypted ballot y signed by the validator, and sends the pair (x, y) to the tallier via an anonymous communication channel as described in [Ch81, Ch88a, Pf84].
  • the tallier checks the signature y, using the validator's public key, to make sure that x is from a legitimate voter, and places (x, y) on a list of valid ballots.
  • the validator publishes the number of voters who were given the administrator's signature, and publishes a list of all triples (I, e, s) it has received; and the tallier publishes the list of valid ballots.
  • the voter V checks that the length of the list is equal to the number of voters, and that his/her vote (x, y) appears on the tallier's list, with index n.
  • the voter then sends (n, k) to the tallier via an anonymous communication channel.
  • the tallier decrypts the corresponding committed ballot x using k and retrieves the ballot b, counts the votes, and announces the voting results.
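A toy, end-to-end run of the Fujioka et al. protocol just outlined, added here as an illustration (it is not code from the patent or from [F+93]). It assumes textbook RSA over small fixed primes for both the voters' and the validator's signatures, a SHA-256 commitment that the voter opens by sending the ballot along with k in place of the [Na90] bit-commitment scheme, and it simulates the anonymous channel by never passing a voter ID to the tallier; `prepare`, `Validator`, `Tallier` and `run_election` are this example's own names.

```python
"""Toy run of the Fujioka et al. [F+93] protocol outlined above. Assumptions (not from
the page): textbook RSA over small fixed primes stands in for the signatures, a SHA-256
commitment opened by sending k and the ballot stands in for the [Na90] bit commitment,
and the anonymous channel is simulated by the tallier never seeing a voter ID."""
import hashlib
import math
import secrets
from typing import NamedTuple

def h_int(data: bytes, mod: int) -> int:
    """Hash-then-reduce so a message fits the toy RSA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % mod

class RsaKey(NamedTuple):
    n: int
    e: int
    d: int

    @classmethod
    def toy(cls, p: int, q: int, e: int = 65537) -> "RsaKey":
        return cls(p * q, e, pow(e, -1, (p - 1) * (q - 1)))
    def sign_raw(self, m: int) -> int:                 # raw exponentiation, used on blinded values
        return pow(m, self.d, self.n)
    def verify_raw(self, m: int, sig: int) -> bool:
        return pow(sig, self.e, self.n) == m
    def sign(self, msg: bytes) -> int:                 # hash-then-sign for ordinary messages
        return self.sign_raw(h_int(msg, self.n))
    def verify(self, msg: bytes, sig: int) -> bool:
        return self.verify_raw(h_int(msg, self.n), sig)

# Registration phase: each voter's key pair; the registrar's list of (ID, public key) goes
# to the validator. Mersenne primes keep the toy moduli fixed so the run is repeatable.
VALIDATOR_KEY = RsaKey.toy(2**31 - 1, 2**61 - 1)
VOTER_KEYS = {"alice": RsaKey.toy(2**13 - 1, 2**17 - 1),
              "bob": RsaKey.toy(2**19 - 1, 2**31 - 1),
              "carol": RsaKey.toy(2**17 - 1, 2**19 - 1)}

def prepare(voter_id: str, ballot: str) -> dict:
    """Preparation phase: commit to ballot b with random k, blind the commitment x into e,
    sign e with the voter's own key, and keep the voter's private state."""
    k = secrets.token_bytes(16)
    x = hashlib.sha256(k + ballot.encode()).digest()           # committed ballot x
    n = VALIDATOR_KEY.n
    r = secrets.randbelow(n - 2) + 2                           # blinding factor, coprime to n
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    e = h_int(x, n) * pow(r, VALIDATOR_KEY.e, n) % n           # blinded commitment e
    s = VOTER_KEYS[voter_id].sign(e.to_bytes(16, "big"))       # voter's signature s on e
    return {"k": k, "x": x, "r": r, "msg": (voter_id, e, s)}

class Validator:
    def __init__(self):
        self.voted, self.received = set(), []                  # received (I, e, s) are published later
    def authorize(self, I: str, e: int, s: int):
        """Authorization phase: s must verify under registered voter I's public key and I
        must not have voted yet; on success return the blind signature d on e."""
        if I not in VOTER_KEYS or I in self.voted or not VOTER_KEYS[I].verify(e.to_bytes(16, "big"), s):
            return None
        self.voted.add(I)
        self.received.append((I, e, s))
        return VALIDATOR_KEY.sign_raw(e)

def unblind(state: dict, d: int) -> int:
    """Voting phase: strip the blinding factor; y is the validator's signature on x."""
    return d * pow(state["r"], -1, VALIDATOR_KEY.n) % VALIDATOR_KEY.n

class Tallier:
    def __init__(self):
        self.valid, self.counts = [], {}                       # published list of (x, y); tally
    def collect(self, x: bytes, y: int) -> bool:
        """Collecting phase: accept (x, y) only if y verifies as the validator's signature on x."""
        if not VALIDATOR_KEY.verify_raw(h_int(x, VALIDATOR_KEY.n), y) or (x, y) in self.valid:
            return False
        self.valid.append((x, y))
        return True
    def open(self, index: int, k: bytes, ballot: str) -> bool:
        """Counting phase: open list entry `index` with k (plus the ballot, in this toy) and count it."""
        if hashlib.sha256(k + ballot.encode()).digest() != self.valid[index][0]:
            return False
        self.counts[ballot] = self.counts.get(ballot, 0) + 1
        return True

def run_election(votes: dict) -> dict:
    """Drive all phases for {voter_id: ballot}; the tallier sees only (x, y) and (index, k, b)."""
    validator, tallier = Validator(), Tallier()
    states = {vid: prepare(vid, b) for vid, b in votes.items()}
    for st in states.values():
        st["y"] = unblind(st, validator.authorize(*st["msg"]))
        assert tallier.collect(st["x"], st["y"])
    # Opening phase: list length equals the validator's count; each voter finds his/her (x, y).
    assert len(tallier.valid) == len(validator.received)
    for vid, st in states.items():
        assert tallier.open(tallier.valid.index((st["x"], st["y"])), st["k"], votes[vid])
    return dict(tallier.counts)
```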
  • the Sensus protocol, for a large part, is the same as Fujioka et al.'s protocol. It assumes that all communication between voter and election authorities occurs over an anonymous channel. What is different in Sensus is that it uses one extra central facility called the pollster and that the tallier does not wait until the end to process votes. The latter is done by modifying the opening and counting phases. In particular, after the collecting phase, the tallier signs the encrypted ballot x and returns it to the voter as a receipt. Upon receiving the receipt, the voter sends the tallier the ballot decryption key k, and the tallier uses the key to decrypt x to obtain b and add the vote to the tally. Sensus still relies on voters to perform verification as in the opening phase of Fujioka et al.'s protocol. The pollster acts as a voter's agent, performing all cryptographic and data transfer functions on a voter's behalf.
  • Fujioka et al. [F+93] noted that the validator could submit votes for voters who decide to abstain. They then suggested that voters who abstain should submit a blank ballot to avoid this from happening. This is hardly a practical solution because if the voters decide to abstain, they probably would not take the time to submit blank ballots either. Likewise, the voters who abstain cannot be relied upon to make sure that no votes were cast for them. To solve this problem, it may be possible to have some sort of time expiration on the ballots. This, however, may generate more problems.
  • Another drawback with the Sensus protocol and Fujioka et al.'s protocol is that they rely on anonymous communication channels to provide anonymity. But anonymity is hard to guarantee over the Internet.
  • the present invention includes a new design for an electronic voting system.
  • the voting system uses central facilities, but it does not use blind signatures or anonymous communication channels.
  • the present invention is directed to an election system.
  • the election system may include one or more of a registrar, a plurality of ballots, a plurality of authentication codes, a data reconciler, and a tally system.
  • the registrar may include a registrar link that permits communication with at least a plurality of voters.
  • the registrar link may permit a voter of the plurality of voters to obtain a unique voter ID by registering with the registrar.
  • the plurality of ballots may be distributed to at least a portion of the plurality of voters.
  • Each ballot may include a unique ballot ID and a corresponding list of plain data (sometimes herein referred to as a plain text version).
  • the plurality of authentication codes may be generated such that one authentication code may be used with a corresponding cast ballot of the plurality of ballots.
  • the data reconciler may include a data reconciler link for communicating to at least the registrar.
  • the tally system may include a tally system link for communicating with at least the data reconciler.
  • the election system may include a counter that may include one or more of a counter link, a ballot generator, a ballot authenticator, a counter database, a counter key generator, a counter database encryptor, and a counter database decryptor.
  • the counter link may provide for communicating within at least the election system.
  • the ballot generator may generate the plurality of ballots.
  • a secure ballot generator may be preferred.
  • the ballot generator may include one or more of a matching pair generator, a ballot encryption key generator, a ballot encryptor, and a ballot decryption key generator.
  • the matching pair generator may generate a matching pair corresponding to each unique ballot ID and each corresponding list of plain data for each ballot of the plurality of ballots.
  • the ballot encryption key generator may generate a plurality of ballot encryption keys corresponding to each of the plurality of ballots.
  • a preferred ballot encryption key generator may be a ballot encryption key-decryption key pair generator.
  • the ballot encryptor may encrypt the corresponding list of plain data for each of the plurality of ballots using the corresponding plurality of ballot encryption keys.
  • the ballot decryption key generator may generate a plurality of ballot decryption keys corresponding to the plurality of ballots to facilitate decryption thereof.
  • the ballot encryption key generator may be a ballot encryption key-decryption key pair generator in which case the ballot decryption key generator may be part of the ballot encryption key generator.
  • the ballot authenticator may facilitate the authentication of cast ballots.
  • the ballot authenticator may include one or more of a tallier and a decryptor.
  • the tallier may tally cast ballots, preferably after the ballots have been determined to be authentic.
  • the decryptor may decrypt cast ballots prior to the tallying of the cast ballots.
  • the counter database includes at least the unique ballot IDs of the plurality of ballots.
  • the counter database also may include one or more of a ballot decryption key, the plurality of ballots, matching pairs, and ballot encryption keys.
  • Each ballot decryption key, matching pair and ballot encryption key set may correspond to a unique ballot ID of the plurality of ballots and, in a preferred embodiment, does correspond.
  • the counter key generator may be a public key-private key pair generator.
  • the counter database encryptor may encrypt data prior to storing the data in the counter database.
  • a preferred counter database encryptor includes an on the fly encryptor.
  • the counter database encryptor preferably uses public keys generated by a plurality of facilities of the election system to encrypt the counter database.
  • a preferred counter database decryptor includes a partial decryptor.
  • the election system may include a matcher.
  • the matcher may include one or more of a matcher link, a matcher database, a matcher key generator, a matcher database encryptor, and a matcher database decryptor.
  • the matcher link includes communication at least within the election system and in particular with the plurality of voters.
  • the matcher database has at least a matching pair corresponding to each unique ballot ID of the plurality of ballots.
  • the matcher key generator may be a public key-private key pair generator.
  • the matcher database encryptor may encrypt data prior to storing the data in the matcher database.
  • a preferred matcher database encryptor includes an on the fly encryptor.
  • the matcher database encryptor preferably uses public keys generated by a plurality of facilities of the election system to encrypt the matcher database.
  • Decryption of data within the matcher database by the matcher database decryptor may be desirable and might be necessary prior to one having the ability to access the data.
  • a preferred matcher database decryptor includes a partial decryptor.
  • the election system may include a distributor that may include one or more of a distributor link, a distributor database, a distributor key generator, a distributor database encryptor, and a distributor database decryptor.
  • the distributor link includes communication at least within the election system and in particular with the plurality of voters.
  • the distributor database includes at least the plurality of ballots.
  • the distributor key generator may be a public key-private key pair generator.
  • the distributor database encryptor may encrypt data prior to storing the data in the distributor database.
  • a preferred distributor database encryptor includes an on the fly encryptor.
  • the distributor database encryptor preferably uses public keys generated by a plurality of facilities of the election system to encrypt the distributor database.
  • a preferred distributor database decryptor includes a partial decryptor.
  • the plurality of ballots may include the list of plain data and an encrypted version thereof.
  • the data reconciler may provide the authentication code.
  • One alternative for the authentication code includes an encrypted version of the list of plain data.
  • the encrypted version of the list of plain data may be provided to the distributor for providing to the plurality of voters.
  • the plurality of matching pairs may correspond to an encrypted version of the list of plain data.
  • the data reconciler may provide the plurality of matching pairs.
  • the plurality of matching pairs may be provided to the matcher for distribution to the plurality of voters.
  • the election system includes the registrar that may include one or more of a registrar link, a voter identifier, a registrar database, a registrar key generator, a registrar database encryptor, a voter ID generator, and a registrar database decryptor.
  • the registrar link may include communication at least within the election system and in particular with the plurality of voters.
  • a preferred registrar link includes a bi-directional link. To that end, the registrar link may be an Internet link.
  • the voter identifier may determine the identity of a portion of the plurality of voters that have cast a vote.
  • the registrar database includes voter information and may include voter names and unique voter ID.
  • the registrar key generator may be a public key-private key pair generator.
  • the registrar database encryptor may encrypt data prior to storing the data in the registrar database.
  • a preferred registrar database encryptor may include an on the fly encryptor.
  • the registrar database encryptor preferably uses public keys generated by a plurality of facilities of the election system to encrypt the registrar database. Decryption of data within the registrar database by the registrar database decryptor may be desirable and might be necessary prior to one having the ability to access the data.
  • a preferred registrar database decryptor may include a partial decryptor.
  • the unique voter ID may include facilitating communication between a voter of the plurality of voters and the data reconciler. Also, the unique voter ID may include facilitating communication between a voter of the plurality of voters and the registrar. Moreover, the unique voter ID may permit a voter of the plurality of voters to obtain a ballot of the plurality of ballots. Also, the unique voter ID may permit verifying that a voter of the plurality of voters has cast a ballot of the plurality of ballots.
  • the unique voter ID generator may include a counter for determining the number of unique IDs generated.
  • the registrar link may include facilitating providing the unique voter ID from the data reconciler to a voter. Moreover, the registrar link may include facilitating providing a voter private key to a voter of the plurality of voters. In a preferred embodiment, the registrar may pass the voter private key to the voter of the plurality of voters without keeping a copy of the voter private key.
  • the election system may include an authenticator.
  • the authenticator may include one or more of an authenticator link, a voter authenticator, an authenticator database, a voter key generator, a voter authenticator key generator, an authenticator database encryptor, and an authenticator database decryptor.
  • the authenticator link may include communication at least within the election system and in particular with at least the registrar.
  • the authenticator database may include a plurality of voter ID-decryption key pairs. Preferred voter ID-decryption key pairs include voter ID-voter public key pairs.
  • the voter key generator may be a voter decryption key generator.
  • a preferred voter key generator includes a voter public key-private key pair generator.
  • the authenticator key generator may be a public key-private key pair generator.
  • the authenticator database encryptor may encrypt data prior to storing the data in the authenticator database.
  • a preferred authenticator database encryptor includes an on the fly encryptor.
  • the authenticator database encryptor preferably uses public keys generated by a plurality of facilities of the election system to encrypt the authenticator database. Decryption of data within the authenticator database by the authenticator database decryptor may be desirable and might be necessary prior to one having the ability to access the data.
  • a preferred authenticator database decryptor includes a partial decryptor.
  • the election system may include a verifier that may include one or more of a verifier link, a vote counter, a verifier database, a verifier key generator, a verifier database encryptor, and a verifier database decryptor.
  • the verifier link may include communication at least within the election system.
  • the vote counter may count cast ballots to verify a vote tally.
  • a preferred vote counter may facilitate the independent counting of cast ballots to verify a vote tally.
  • the vote counter may include a ballot decryptor for decrypting cast ballots to permit the counting of the vote tally.
  • the verifier database may include a plurality of ballot ID-decryption key pairs. Preferred ballot ID-decryption key pairs may include ballot ID-voter public key pairs.
  • the verifier key generator may be a public key-private key pair generator.
  • the verifier database encryptor may encrypt data prior to storing the data in the verifier database.
  • a preferred verifier database encryptor may include an on the fly encryptor.
  • the verifier database encryptor preferably uses public keys generated by a plurality of facilities of the election system to encrypt the verifier database.
  • Decryption of data within the verifier database by the verifier database decryptor may be desirable and might be necessary prior to one having the ability to access the data.
  • a preferred verifier database decryptor includes a partial decryptor.
  • a data reconciler link may permit communication with a voter of the plurality of voters.
  • a preferred communication method with a voter may be via an Internet link.
  • a communication with a voter may be via an Intranet link.
  • Communication with a voter may be direct; likewise, it may be indirect.
  • the present invention fulfills needs in the art by providing a method of holding an election including enabling voters to register with a registrar facility by providing encryption keys to registered voters and storing the encryption key with an authenticator facility.
  • the method includes distributing ballots having unique ballot ID's to requesting voters; receiving ballots having voter choices on them and encrypted using the voters' encryption keys; and receiving from voters the ballot ID, encrypted vote information and voter ID at an authenticator facility, indications that votes have been cast with ballots having the indicated ballot ID's at a distributor facility, and an indication that the voter has voted at a registrar facility.
  • the method includes authenticating the voter at the authenticator facility and passing authenticated votes and the ballot ID to a counter facility.
  • the method includes decrypting votes at the counter facility and tallying a number of votes; publishing a list containing encrypted votes and ballot ID's at the authenticator facility; publishing a list containing encrypted votes and ballot ID's at the counter facility; publishing a list containing voter ID's of cast ballots at the authenticator facility; examining the list containing voter ID's of cast ballots at the registrar facility to confirm that only registered voters voted; verifying at a verifier facility that the list containing encrypted votes and ballot ID's published at the authenticator facility is identical to the list containing encrypted votes and ballot ID's published at the counter facility; confirming at the verifier facility, from the list containing encrypted votes and ballot ID's published at the authenticator facility and a decryption table, the results published by the counter facility; examining at the distributor facility the list containing encrypted votes and ballot ID's published at the authenticator facility and the list containing encrypted votes and ballot ID's published at the counter facility to ensure that only legitimate ballots appear; and
  • distributing ballots includes distributing a number of ballots from an inventory of ballots that has more members than there are registered voters.
  • Distributing ballots may include distributing a ballot having a ballot number, and a matching pair made up of plain-text versions of ballot choices and encrypted versions of ballot choices.
  • the encrypted version is encrypted using an encryption key unique to the ballot.
  • the ballot choices may include ballot choices in municipal and national elections.
  • the acts of publishing include publishing to the general public.
  • passing authenticated votes includes passing data through a firewall.
  • the invention also provides an election apparatus including a network of data handling devices configured to hold elections, including a data handling device enabling voters to register with a registrar facility, including providing encryption keys to registered voters and storing the encryption key with an authenticator facility; a data handling device distributing ballots having unique ballot ID's to requesting voters; a data handling device receiving ballots having voter choices on them and encrypted using the voters' encryption keys; and data handling devices configured as authenticator, distributor and registrar facilities enabled to receive from voters the ballot ID, encrypted vote information and voter ID at the authenticator facility, indications that votes have been cast with ballots having the indicated ballot ID's at the distributor facility, and an indication that the voter has voted at the registrar facility, to authenticate the voter at the authenticator facility and pass authenticated votes and the ballot ID to a data handling device configured as a counter facility.
  • At least two of the data handling devices communicate information to one another over the Internet.
  • the data handling device that distributes ballots typically distributes a number of ballots from an inventory of ballots that has more members than there are registered voters.
  • the ballot has a ballot number, and a matching pair made up of plain-text versions of ballot choices and encrypted versions of ballot choices.
  • the encrypted version may be encrypted using an encryption key unique to the ballot.
  • the ballot choices include ballot choices in municipal and national elections.
  • one aspect of the present invention is to provide an election system including a registrar, a plurality of ballots and a data reconciler.
  • the registrar may include a registrar link that permits communication.
  • the registrar link may permit a voter of the plurality of voters to obtain a unique voter ID by registering with the registrar.
  • At least a portion of the plurality of ballots may be for distribution to at least a portion of the plurality of voters.
  • Each ballot may include a unique ballot ID and a corresponding list of plain data.
  • the data reconciler may include a data reconciler link for communication to at least the registrar.
  • Still another aspect of the present invention is to provide an election system that may include one or more of a registrar, a plurality of ballots, a plurality of authentication codes, a data reconciler, and a tally system.
  • a registrar link may permit communication with at least a plurality of voters.
  • the registrar link may permit a voter of the plurality of voters to obtain a unique voter ID by registering with the registrar.
  • the plurality of ballots may be for distribution to at least a portion of the plurality of voters.
  • Each ballot may include a unique ballot ID and a corresponding list of plain data (sometimes herein referred to as a plain text version).
  • the plurality of authentication codes may be generated such that one authentication code may be used with a corresponding cast ballot of the plurality of ballots.
  • the data reconciler may include a data reconciler link for communication to at least the registrar.
  • the tally system may include a tally system link for communication to at least the data reconciler.
  • FIGURE 1 is a block diagram illustrating communication between facilities during the registration phase according to an aspect of the present invention.
  • FIGURE 1A is a flow chart of the communication between facilities of FIGURE 1 during the registration phase according to an aspect of the present invention.
  • FIGURE 2 is a block diagram illustrating interaction between facilities during the pre-voting phase according to an aspect of the present invention.
  • FIGURE 2A is a flow chart of the interaction between facilities of FIGURE 2 during the pre-voting phase according to an aspect of the present invention.
  • FIGURE 3 is a block diagram illustrating interaction between facilities during the voting phase according to an aspect of the present invention.
  • FIGURE 3A is a flow chart of the interaction between facilities of FIGURE 3 during the voting phase according to an aspect of the present invention.
  • FIGURE 4 is a sample ballot and a sample matching pair according to an aspect of the present invention.
  • FIGURE 4A is a flow chart of the interaction between facilities of FIGURE 1 during the announcement phase according to an aspect of the present invention.
  • FIGURE 5 is a block diagram illustrating an election system according to an aspect of the present invention.
  • FIGURE 6 is a block diagram illustrating some details of a registrar of FIGURE 5 according to an aspect of the present invention.
  • FIGURE 7 is a block diagram illustrating some details of an authenticator of FIGURE 5 according to an aspect of the present invention.
  • FIGURE 8 is a block diagram illustrating some details of a verifier of FIGURE 5 according to an aspect of the present invention.
  • FIGURE 9 is a block diagram illustrating some details of a tally system of FIGURE 5 according to an aspect of the present invention.
  • FIGURE 10 is a block diagram illustrating some details of a matcher of FIGURE 9 according to an aspect of the present invention.
  • FIGURE 11 is a block diagram illustrating some details of a counter of FIGURE 9 according to an aspect of the present invention.
  • FIGURE 12 is a block diagram illustrating some details of a distributor of FIGURE 9 according to an aspect of the present invention.

Description of the Preferred Embodiments

  • a good electronic voting system should not sacrifice voter privacy or introduce opportunities for fraud.
  • Verifiability: Voters can be sure that their votes are tabulated correctly, but voters are not required to verify their votes in order to ensure election integrity. Simplicity: Voters can finish voting quickly, with minimal equipment or special skills. Mobility: Voters are not restricted to a physical location from which they can cast their votes. Efficiency: The election can be held in a timely manner (i.e. all computations during the election are done in a reasonable amount of time and voters are not required to wait on other voters to complete their ballots). Scalability: The size of the election will not drastically affect performance.
  • our protocol does not use blind signatures or require anonymous communication channels. Instead, our protocol uses a secure form of communication (e.g. HTTPS in Netscape) for all transactions.
  • Our protocol consists of only four phases (procedures), which are explained below. The phases are registration, pre-voting, voting, and announcement. For clarity, our protocol uses six central facilities. They are the registrar, the authenticator, the distributor, the counter, the matcher, and the verifier. The responsibilities of these facilities will become clear when the protocol phases are described. To reduce costs, in actual implementation it may be possible to combine some facilities, but in doing so one must first ensure that the combined facility will not have access to extra information that would allow the facility to compromise the election process in any way.
  • FIG. 1 shows a visual representation of the communication between the acting facilities.
  • Figure 1A shows a flow chart of the registration phase.
  • 1. In order to vote, a voter must first register with the registrar to identify himself as an eligible voter.
  • 2. Upon registering, the registrar assigns a unique identification number to the voter, places the voter's name and ID in the registered voter list, and sends the ID without the name to the authenticator.
  • 3. The authenticator generates a unique pair of public/private keys for the ID it received, stores them in a list, and sends the pair of the public key s and the ID to the registrar.
  • 4. The registrar then sends the pair back to the voter. (In so doing, the authenticator will not know to whom the given key s belongs without conspiring with the registrar.)
  • the key s may be valid for a long time for multiple elections, or could expire after a given time. If the key were to be kept for a long duration, it would probably be best to have the voter encrypt it with a password of his/her choice, so that no one else could use it. The original, unencrypted key would be destroyed and the encrypted key (still denoted by s) would be stored instead.
  • the voter-encrypted key could be stored on the voter's license or identification card. Even if a license were stolen, a thief would not be able to vote as the voter, since the voter's key is encrypted. A thief would not know they had entered the wrong password until they were informed that they could not be authenticated. In addition, when the individual whose license was lost or stolen goes to get a new license, they would also be forced to re-register. They would be awarded a new key, and their old key would be revoked.

Pre-voting Phase

  • The pre-voting phase consists of six steps, with a seventh optional step. See Figure 2 for a visual representation of the facility interaction.
  • Figure 2A shows a flow chart of the pre-voting phase. 1. The registrar sends the number of eligible registered voters to the counter.
  • The counter generates a larger number of ballots than the number of registered voters.
  • Each ballot consists of three things: each of the choices on the ballot, an encrypted version of each choice, and a ballot ID.
  • The counter keeps a record of the decryption key and the ballot ID for each ballot so that the counter can later decrypt the cast votes.
  • The counter sends the ballots to the distributor.
  • The counter sends a copy of the decryption table to the verifier.
  • The counter sends the match pairings (pairs of a ballot's encrypted and decrypted choices) to the matcher.
  • The registrar sends the authenticator a list of IDs that are eligible for the given election. If desired, the registrar may publish the names of these voters.
  • The verifier can check the ballots and pairings to confirm that they were properly generated.
  • The voting phase consists of nine steps, with the voter participating in eight of the steps.
  • The interaction between facilities is depicted in Figure 3.
  • Figure 3A shows a flow chart of the voting phase.
  • The voter's Web browser requests the matching pair for the received ballot from the matcher.
  • The matcher sends the voter the appropriate matching pair.
  • The voter then signs the encrypted version of the desired vote using his/her signature key and sends it to the authenticator, along with the ballot's ID number and the voter's own ID.
  • The voter's Web browser informs the distributor that the ballot with the given ballot ID has been cast. (In so doing, the distributor has a record of how many votes are actually cast, and by which ballots. This will prevent any facility from generating votes for unused ballots, solving a major problem in many of the previously discussed protocols.)
  • The voter's Web browser informs the registrar that the voter has cast a vote, but it is not required to tell the registrar which ballot ID it used.
  • The authenticator first checks the signature to authenticate the voter. The authenticator then verifies that the authenticated voter is permitted to vote in the given election. Once authenticated, the authenticator passes only the legitimate encrypted vote and the ballot's ID to the counter. If authentication fails, the authenticator will notify the voter that he/she is not allowed to vote. The authenticator would then notify the registrar and distributor with a cancellation. 9. The voter's browser generates a receipt when the authenticator confirms receiving the ballot packets.
  • Announcement Phase.
  • The announcement phase requires no interaction between the different facilities. Each facility merely releases certain information to the public. To verify the integrity of the election, the verifier facility compares certain published lists. An individual voter could also compare some of these lists. The integrity of the election does not require a voter to do so, but allowing a voter to perform such checks increases the security, as explained in Lemma 3 of Section 6.
  • Figure 4A shows a flow chart of the announcement phase. 1. The counter decrypts the votes it has received and tallies the vote. 2. The authenticator publishes list #1 containing the encrypted ballots and the ballot IDs.
  • The counter publishes list #2 containing its version of list #1. Lists 1 and 2 should be identical.
  • The authenticator publishes list #3 consisting of all voter IDs that cast ballots (in numerical order). 5. The registrar looks at list #3 and confirms that only valid voters voted. (This list could also be published if desired.)
  • The verifier confirms that lists 1 and 2 are identical. (To prevent cover-ups, it may be desirable to have lists 1 and 2 sent to the verifier before they are published.)
  • The verifier uses list 1 and the decryption table (from the counter in the pre-voting phase) to confirm the results published by the counter.
  • The distributor looks at lists 1 and 2 to ensure that only legitimate ballots appear. Any illegal ballots can then be removed and the results recalculated.
  • The distributor could also release its list of ballot IDs, but this should be done after the authenticator and the counter have released their encrypted ballot lists.
  • The counter announces the election results, which can be verified by the verifier.
  • A basic ballot generated by the counter contains three items. The first is a ballot number. Depending upon the implementation of our protocol, the ballot number would contain sections for the district and election numbers. The remaining two items are lists. One list contains a plain-text version of the ballot choices. The other list contains the ballot choices after being encrypted using the encryption key for the ballot. The two lists are permuted, making it impossible to pair a plain-text choice with its encrypted choice without the matching pair for that particular ballot.
  • The matching pair contains the ballot number and a list of paired numbers.
  • The first number in each pairing corresponds to the plain-text choice.
  • The second number corresponds to the encrypted choice that matches the plain-text version of the first number.
  • FIG. 4 shows a sample ballot and its corresponding matching pair.
  • The ballot number is 134134613.
  • The four possible choices on this ballot are Bush, Dole, Gore, and Ventura.
  • The notation e(Dole) represents Dole after being encrypted with the ballot's key.
  • The matching pair (1,3) designates that the third encrypted choice, e(Bush), corresponds to the first plain-text choice, Bush.
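  • The ballot format, the matching-pair lookup at voting time, the authenticator's checks, and the announcement-phase cross-checks described above, as an added Python example that is not part of the patent or its authors' implementation. A SHA-256 keystream XOR stands in for the per-ballot cipher and an HMAC for the voter's Priv_Key_ID signature; the dictionary layout, the function names and the sample votes are constructed for this example.

```python
import hashlib
import hmac
import random
import secrets
from collections import Counter

CHOICES = ["Bush", "Dole", "Gore", "Ventura"]   # the page's sample ballot
PAD = 16     # choices are padded to this length so ciphertext length does not reveal the choice

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher (a stand-in, not the patent's): SHA-256 keystream XORed over
    data. Symmetric, so the per-ballot key is also the decryption-table entry."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def make_ballot(ballot_id, rng=None, choices=CHOICES):
    """Pre-voting: the counter builds one ballot. Both lists are permuted, so
    plain and encrypted choices pair up only through the matching pair, whose
    entries are 1-based as on the page: (1, 3) means plain choice #1 is
    encrypted choice #3. Returns (ballot, matching pair, decryption key)."""
    rng = rng or random.Random()
    key = secrets.token_bytes(16)
    plain, enc_order = list(choices), list(choices)
    rng.shuffle(plain)
    rng.shuffle(enc_order)
    encrypted = [xor_stream(key, c.encode().ljust(PAD)).hex() for c in enc_order]
    pairs = sorted((plain.index(c) + 1, enc_order.index(c) + 1) for c in choices)
    return ({"id": ballot_id, "plain": plain, "encrypted": encrypted},
            {"id": ballot_id, "pairs": pairs}, key)

def sign(voter_key, ballot_id, enc_vote):
    """HMAC stands in for the Priv_Key_ID signature over (ballot ID, encrypted choice)."""
    return hmac.new(voter_key, f"{ballot_id}|{enc_vote}".encode(), "sha256").hexdigest()

def cast_vote(ballot, matching_pair, choice, voter_id, voter_key):
    """Voting: resolve the plain choice through the matching pair and sign only
    the encrypted choice, so the packet never carries the plaintext."""
    i = ballot["plain"].index(choice) + 1
    j = next(j for p, j in matching_pair["pairs"] if p == i)
    enc_vote = ballot["encrypted"][j - 1]
    return {"voter_id": voter_id, "ballot_id": ballot["id"], "enc_vote": enc_vote,
            "sig": sign(voter_key, ballot["id"], enc_vote)}

def authenticate(packet, eligible, voter_keys, seen):
    """Authenticator: valid signature, eligible voter, voter ID not yet used
    (a second vote is simply ignored, one of the page's two options)."""
    vid = packet["voter_id"]
    if vid not in eligible or vid not in voter_keys or vid in seen:
        return False
    expected = sign(voter_keys[vid], packet["ballot_id"], packet["enc_vote"])
    if not hmac.compare_digest(expected, packet["sig"]):
        return False
    seen.add(vid)
    return True

def tally(enc_list, table):
    """Counter, and independently the verifier: decrypt each cast vote with its
    ballot's key from the decryption table and count."""
    return Counter(xor_stream(table[bid], bytes.fromhex(ev)).rstrip(b" ").decode()
                   for bid, ev in enc_list)

def announcement_checks(list1, list2, table, counter_result, issued, cast):
    """Announcement phase: lists 1 and 2 identical, the verifier's recount equals
    the counter's result, and the distributor sees exactly the ballots it issued
    and recorded as cast (so no facility voted an unused ballot)."""
    ids = {bid for bid, _ in list1}
    checks = {"lists_identical": sorted(list1) == sorted(list2),
              "recount_matches": tally(list1, table) == counter_result,
              "ballots_legitimate": ids <= issued and ids == cast}
    return all(checks.values()), checks

def run_election(votes, seed=1):
    """Constructed end-to-end run over votes = {voter_id: choice}. Returns the
    tally, whether the honest announcement passes the checks, and whether an
    announcement with one vote forged for an unused ballot passes them."""
    rng = random.Random(seed)
    ballots, pairs, table = {}, {}, {}
    for bid in range(134134613, 134134613 + 2 * len(votes)):  # more ballots than voters
        ballots[bid], pairs[bid], table[bid] = make_ballot(bid, rng)
    eligible = set(votes)
    voter_keys = {v: secrets.token_bytes(16) for v in eligible}
    pool = list(ballots)
    rng.shuffle(pool)
    list1, cast, seen = [], set(), set()
    for voter, choice in votes.items():
        bid = pool.pop()                    # distributor hands out a random ballot
        cast.add(bid)                       # browser tells the distributor it was cast
        pkt = cast_vote(ballots[bid], pairs[bid], choice, voter, voter_keys[voter])
        if authenticate(pkt, eligible, voter_keys, seen):
            list1.append((pkt["ballot_id"], pkt["enc_vote"]))
        else:
            cast.discard(bid)               # authenticator's cancellation
    result = tally(list1, table)
    ok, _ = announcement_checks(list1, list(list1), table, result, set(ballots), cast)
    forged = list1 + [(pool[-1], ballots[pool[-1]]["encrypted"][0])]   # vote for an unused ballot
    forged_ok, _ = announcement_checks(forged, forged, table, tally(forged, table), set(ballots), cast)
    return dict(result), ok, forged_ok
```

  • Note that a forged vote for an unused ballot decrypts and tallies cleanly, so the recount alone never catches it; only the distributor's record of which ballots were actually cast does.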
  • CHAPTER V SECURITY MEASURES AND IMPLEMENTATION
  • In a traditional election, the overall security and integrity rely on humans. This means that the integrity of a traditional election is only as strong as that of the people running it.
  • Each facility is required to encrypt its database (list of data) on the fly, e.g., one record at a time, using the public keys of all the facilities. By doing so, the only way to completely decode a piece of data would be to acquire the secret keys of all servers, which, by our assumption, is impossible. Because the database is encrypted piece by piece, the facility can easily extract from the database the portion of the data it needs to see and then send it to the other facilities to decrypt it.
  • Facility-facility communication: For communications between facilities, we need to ensure that these communications cannot be intercepted or altered; we also need to ensure that facilities do not collaborate to compromise the integrity or anonymity of the election. We accomplish both of these goals using the following protocol.
  • Suppose facility A wants to transmit data to facility B.
  • Facility A sends the encrypted data to a randomly selected third facility C.
  • Facility C then decrypts the data with its own secret key, verifies that the size and the structure of the data it received have not been altered, and sends the data to another randomly selected facility D. The process is continued until the data finally reaches facility B, and facility B will be able to read the data after it uses its private key to decrypt the data. Since intermediate facilities cannot completely decrypt the data, they will not know what exactly is being sent.
  • The protocol can ensure that the information being sent is of legitimate size and structure.
  • The only way for an intermediate facility to cheat would be to rearrange the information so that it matches this size and structure. This would cause some information, such as some of the ballots, to be left off, but the other facilities would be able to notice this when tabulation occurs.
  • The counter should send all of the ballots to the distributor, and the authenticator should send the counter encrypted ballots in a large number of blocks.
  • Districts should be designed to share information. Each district would generate the ballots, matching pairs, and ballot decryption keys as previously described. Ballot IDs would contain a district ID, an election ID, and the typical ballot ID. This would prevent districts from having duplicate ballot IDs.
  • Voters would register with their district. When it comes time to distribute their information, the districts would divide them into groups. Each of these groups would contain districts that traditionally vote differently. These groups would share ballot decryption keys, matching pairs, and valid voter IDs. To prevent the same ballot from being given out to multiple voters, the individual ballots would not be shared with the other districts.
  • Each district would send a chunk of the district's ballots to each of the districts in its group.
  • The voter would be given a ballot from his district's ballot box.
  • Each district would be pulling ballots out of a ballot box containing unique ballots for whichever district the voter belongs to.
  • Buying Votes or Kidnapping Voters: The ability of one party or candidate to buy votes, or simply force voters to vote a particular way, is increased when an election is held electronically. A candidate could pay potential voters to vote for them and then watch them vote. Likewise, a candidate could kidnap people and force them to vote a particular way. To some degree, if we allow voters to change their vote, our protocol protects against these two types of attacks. The candidate attempting to buy votes would have no guarantee that the voter does not go back and alter their vote. If the candidate buying votes does not watch the voter vote, but merely requires the voter to show a receipt, then, since the receipt only contains the encrypted ballot, the candidate has no way to guarantee that the voter voted as desired.
  • Kidnapping voters would require that all the kidnapped voters be held until after the voting phase has ended. If released earlier, voters could change votes. They would also be required to be kidnapped before the process begins, otherwise they could vote before being kidnapped and then not properly sign their ballot, thus forcing the ballot to be rejected. Kidnapping large enough numbers of voters to affect an election and hold them for the duration of the election would easily be detected, and appropriate action could be taken.
  • Lemma 1 If no facility knows all other facilities' secret keys, then any collaboration among facilities can be detected by a non-collaborating facility.
  • The voter could request the registrar to inform the authenticator that he/she is eligible, which may then result in the first case.
  • Each eligible voter can only vote once. If a voter tries to vote twice, the authenticator would notice that the signature key s and ID had already been used. Depending upon the voting scenario, the new vote would either overwrite the old vote, or it would simply be ignored. If the authenticator tries to pass the new vote on anyway, it would have to place it in place of someone else's vote, because otherwise the lists posted at the end would not match in length. The registrar, however, has its own list of voters and their IDs that actually voted. Eventually, there would be a conflict with these lists. This completes the proof.
  • Lemma 3 The accuracy criterion is satisfied. Proof. Due to the fact that voters are given a receipt, and that they are allowed to view the published lists as described in the Announcement Phase, a voter's vote cannot be altered, duplicated, or removed without being detected. An attempt to alter or remove votes would be futile since the cheating party would not know which voters are going to check for their ballot. If a cheater changes a ballot and the voter who cast the ballot examines the list, it would be evident that fraud had occurred. Appropriate measures could then be taken to remedy the error. In a large-scale election, the cheater would be required to alter many ballots, increasing the likelihood of being caught.
  • There are three kinds of votes that are considered invalid, namely, votes made by ineligible voters, votes made by eligible voters but in incorrect formats, and votes generated by central facilities for unused ballots.
  • Votes made by ineligible voters: As shown in the proof of Lemma 2, they will be detected before the final result is announced, and so they will not be counted.
  • For the second kind of invalid votes, the counter will not be able to tally them since they are in the wrong formats.
  • For the third kind of invalid votes, since many lists are published at the end of the election, no facility can generate votes for unused ballots without being detected. This completes the proof.
  • The voter is required to do very little, except that he/she needs to register and vote.
  • The facilities do the majority of the work, with the voter's computer doing very minor calculations, and voters can vote with minimal equipment and skill.
  • An election system generally designated 10 is shown constructed according to an embodiment of the present invention.
  • The election system 10 includes a registrar 12, a plurality of ballots 14 as depicted in Figure 3, a plurality of authentication codes 112, a data reconciler 18, and a tally system 34.
  • The registrar 12 includes a registrar link 20 that permits communication with at least a plurality of voters 22.
  • The registrar link 20 permits a voter 28 of the plurality of voters 22 to obtain a unique voter ID 24 by registering with the registrar 12.
  • The plurality of ballots 14 is for distribution to at least a portion of the plurality of voters 22.
  • Each ballot includes a unique ballot ID 26 and a corresponding list of plain data 30 (sometimes herein referred to as a plain text version).
  • The plurality of authentication codes 112 is generated such that one authentication code 112 is used with a corresponding cast ballot of the plurality of ballots 14.
  • The data reconciler 18 includes a data reconciler link 32 for communication to at least the registrar 12.
  • The tally system 34 includes a tally system link 36 for communication to at least the data reconciler 18.
  • An election system 10 includes a registrar 12, a plurality of ballots 14 and a data reconciler 18.
  • The registrar 12 includes a registrar link 20 that permits communication.
  • The registrar link 20 permits a voter 28 of the plurality of voters 22 to obtain a unique voter ID 24 by registering with the registrar 12.
  • At least a portion of the plurality of ballots 14 is for distribution to at least a portion of the plurality of voters 22.
  • Each ballot includes a unique ballot ID 26 and a corresponding list of plain data 30.
  • The data reconciler 18 includes a data reconciler link 32 for communication to at least the registrar 12.
  • An election system 10 includes a registrar 12, a plurality of ballots 14, a plurality of authentication codes 112 and a data reconciler 18.
  • The registrar 12 includes a registrar link 20 that permits communication.
  • The registrar link 20 permits a voter 28 of the plurality of voters 22 to obtain a unique voter ID 24 by registering with the registrar 12.
  • At least a portion of the plurality of ballots 14 is for distribution to at least a portion of the plurality of voters 22.
  • Each ballot may include a unique ballot ID 26 and a corresponding list of plain data 30.
  • The plurality of authentication codes 112 is generated such that one authentication code 112 is used with a corresponding cast ballot of the plurality of ballots 14.
  • The data reconciler 18 includes a data reconciler link 32 for communication to at least the registrar 12.
  • The election system 10 includes a counter 40.
  • The counter 40 of election system 10 includes a counter link 42, a ballot generator 44, a ballot authenticator 64, a counter database 72, a counter key generator 74, a counter database encryptor 76, and a counter database decryptor 80.
  • The counter link 42 of the counter 40 provides for communication within at least the election system 10.
  • The ballot generator 44 generates the plurality of ballots 14.
  • A secure ballot generator is preferred.
  • The ballot generator 44 includes a matching pair generator 46, a ballot encryption key generator 52, a ballot encryptor 56, and a ballot decryption key generator 60.
  • The matching pair generator 46 generates a matching pair 50 corresponding to each unique ballot ID 26 and each corresponding list of plain data 30 for each ballot of the plurality of ballots 14.
  • The ballot encryption key generator 52 generates a plurality of ballot encryption keys 54 corresponding to each of the plurality of ballots 14.
  • A preferred ballot encryption key generator 52 is a ballot encryption key-decryption key pair generator.
  • The ballot encryptor 56 encrypts the corresponding list of plain data 30 for each of the plurality of ballots 14 using the corresponding plurality of ballot encryption keys 54.
  • The ballot decryption key generator 60 generates a plurality of ballot decryption keys 62 corresponding to the plurality of ballots 14 to facilitate decryption thereof.
  • The ballot encryption key generator 52 may be a ballot encryption key-decryption key pair generator, in which case the ballot decryption key generator 60 may be part of the ballot encryption key generator 52.
  • The ballot authenticator 64 authenticates cast ballots. As depicted in Figure 11, the ballot authenticator 64 includes a tallier 66 and a decryptor 70. The tallier 66 tallies cast ballots, preferably after the cast ballots have been determined to be authentic. The decryptor 70 decrypts cast ballots prior to tallying cast ballots.
  • The counter database 72 includes at least the unique ballot IDs 26 of the plurality of ballots 14. As depicted in Figure 11, the counter database 72 further includes a ballot decryption key 62, the plurality of ballots 14, matching pairs 50, and a ballot encryption key 54. Each ballot decryption key 62, matching pair 50 and ballot encryption key 54 set corresponds to a unique ballot ID 26 of the plurality of ballots 14.
  • The counter key generator 74 is a public key-private key pair generator.
  • The counter database encryptor 76 encrypts data prior to storing the data in the counter database 72.
  • A preferred counter database encryptor 76 is an on-the-fly encryptor.
  • The counter database encryptor 76 preferably uses public keys generated by a plurality of facilities of the election system 10 to encrypt the counter database 72.
  • Decryption of data within the counter database 72 by the counter database decryptor 80 may be necessary before one can access the data.
  • A preferred counter database decryptor 80 is a partial decryptor.
  • The election system 10 includes a matcher 82.
  • The matcher 82 of election system 10 includes a matcher link 84, a matcher database 86, a matcher key generator 90, a matcher database encryptor 92, and a matcher database decryptor 94.
  • The matcher link 84 is for communication at least within the election system 10 and in particular with the plurality of voters 22.
  • The matcher database 86 has at least a matching pair 50 corresponding to each of the unique ballot IDs 26 of the plurality of ballots 14.
  • The matcher key generator 90 is a public key-private key pair generator.
  • The matcher database encryptor 92 encrypts data prior to storing the data in the matcher database 86.
  • A preferred matcher database encryptor 92 is an on-the-fly encryptor.
  • The matcher database encryptor 92 preferably uses public keys generated by a plurality of facilities of the election system 10 to encrypt the matcher database 86.
  • A preferred matcher database decryptor 94 is a partial decryptor.
  • The election system 10 includes a distributor 96.
  • The distributor 96 of election system 10 includes a distributor link 100, a distributor database 102, a distributor key generator 104, a distributor database encryptor 106, and a distributor database decryptor 110.
  • The distributor link 100 is for communication at least within the election system 10 and in particular with the plurality of voters 22.
  • The distributor database 102 has at least the plurality of ballots 14.
  • The distributor key generator 104 is a public key-private key pair generator.
  • The distributor database encryptor 106 encrypts data prior to storing the data in the distributor database 102.
  • A preferred distributor database encryptor 106 is an on-the-fly encryptor.
  • The distributor database encryptor 106 preferably uses public keys generated by a plurality of facilities of the election system 10 to encrypt the distributor database 102.
  • A preferred distributor database decryptor 110 is a partial decryptor.
  • The plurality of ballots 14 includes the list of plain data 30 and an encrypted version 114 thereof.
  • The data reconciler 18 provides the authentication code 112.
  • One alternative for the authentication code 112 is an encrypted version 114 of the list of plain data 30.
  • The encrypted version 114 of the list of plain data 30 is provided to the distributor 96 for providing to the plurality of voters 22.
  • The plurality of matching pairs 50 corresponds to an encrypted version 114 of the list of plain data 30.
  • The data reconciler 18 provides the plurality of matching pairs 50.
  • The plurality of matching pairs 50 is provided to the matcher 82 for distribution to the plurality of voters 22.
  • The election system 10 includes the registrar 12.
  • The registrar 12 of election system 10 includes a registrar link 20, a voter identifier 116, a registrar database 120, a registrar key generator 124, a registrar database encryptor 126, a voter ID generator 134, and a registrar database decryptor 130.
  • The registrar link 20 is for communication at least within the election system 10 and in particular with the plurality of voters 22.
  • A preferred registrar link 20 is bi-directional. To that end, the registrar link 20 may be an Internet link 132.
  • The voter identifier 116 determines the identity of the plurality of voters 22 that have cast a vote.
  • The registrar database 120 includes voter information 122 such as voter names 128 and unique voter IDs 24 of the plurality of voters 22.
  • The registrar key generator 124 is a public key-private key pair generator.
  • The registrar database encryptor 126 encrypts data prior to storing the data in the registrar database 120.
  • A preferred registrar database encryptor 126 is an on-the-fly encryptor.
  • The registrar database encryptor 126 preferably uses public keys generated by a plurality of facilities of the election system 10 to encrypt the registrar database 120.
  • Decryption of data within the registrar database 120 by the registrar database decryptor 130 may be necessary before one can access the data.
  • A preferred registrar database decryptor 130 is a partial decryptor.
  • The unique voter ID 24 facilitates communication between a voter 28 of the plurality of voters 22 and the data reconciler 18. Also, the unique voter ID 24 facilitates communication between a voter 28 of the plurality of voters 22 and the registrar 12. Moreover, the unique voter ID 24 permits a voter 28 of the plurality of voters 22 to obtain a ballot of the plurality of ballots 14. Also, the unique voter ID 24 permits verifying that a voter 28 of the plurality of voters 22 has cast a ballot of the plurality of ballots 14.
  • The unique voter ID generator 134 includes a counter 136 for determining the number of unique IDs generated.
  • The registrar link 20 facilitates providing the unique voter ID 24 from the data reconciler 18 to a voter 28. Moreover, the registrar link 20 facilitates providing a voter private key 140 to a voter 28 of the plurality of voters 22. In a preferred embodiment, the registrar 12 passes the voter private key 140 to the voter 28 of the plurality of voters 22 without keeping a copy of the voter private key 140.
  • The election system 10 includes an authenticator 142.
  • The authenticator 142 of election system 10 includes an authenticator link 144, a voter authenticator 146, an authenticator database 150, a voter key generator 154, a voter authenticator key generator 156, an authenticator database encryptor 160, and an authenticator database decryptor 162.
  • The authenticator link 144 is for communication at least within the election system 10 and in particular with at least the registrar 12.
  • The authenticator database 150 includes a plurality of voter ID-decryption key pairs 152. Preferred voter ID-decryption key pairs 152 are voter ID-voter public key pairs.
  • The voter key generator 154 is a voter decryption key generator.
  • A preferred voter key generator 154 is a voter public key-private key pair generator.
  • The authenticator key generator 156 is a public key-private key pair generator.
  • The authenticator database encryptor 160 encrypts data prior to storing the data in the authenticator database 150.
  • A preferred authenticator database encryptor 160 is an on-the-fly encryptor.
  • The authenticator database encryptor 160 preferably uses public keys generated by a plurality of facilities of the election system 10 to encrypt the authenticator database 150.
  • Decryption of data within the authenticator database 150 by the authenticator database decryptor 162 may be necessary before one can access the data.
  • A preferred authenticator database decryptor 162 is a partial decryptor.
  • The election system 10 includes a verifier 164.
  • The verifier 164 of election system 10 includes a verifier link 166, a vote counter 170, a verifier database 174, a verifier key generator 176, a verifier database encryptor 180, and a verifier database decryptor 182.
  • The verifier link 166 is for communication at least within the election system 10.
  • The vote counter 170 counts cast ballots to verify a vote tally.
  • A preferred vote counter 170 facilitates the independent counting of cast ballots to verify a vote tally.
  • The vote counter 170 includes a ballot decryptor 172 for decrypting cast ballots to permit the counting of the vote tally.
  • The verifier database 174 includes a plurality of ballot ID-decryption key pairs 168.
  • Preferred ballot ID-decryption key pairs 168 are ballot ID-voter public key pairs.
  • The verifier key generator 176 is a public key-private key pair generator.
  • The verifier database encryptor 180 encrypts data prior to storing the data in the verifier database 174.
  • A preferred verifier database encryptor 180 is an on-the-fly encryptor.
  • The verifier database encryptor 180 preferably uses public keys generated by a plurality of facilities of the election system 10 to encrypt the verifier database 174.
  • Decryption of data within the verifier database 174 by the verifier database decryptor 182 may be necessary before one can access the data.
  • A preferred verifier database decryptor 182 is a partial decryptor.
  • A data reconciler link 32 permits communication with a voter 28 of the plurality of voters 22.
  • A preferred communication method with a voter 28 is via an Internet link 132.
  • Alternatively, communication with a voter 28 may be via an Intranet link.
  • Communication with a voter 28 may be direct or indirect.
  • Our invention is a new electronic voting protocol that can be used on large-scale online elections. In particular, our protocol satisfies the following requirements:
  • Verifiability: Voters can be sure that their votes are tabulated correctly, but voters are not required to verify their votes in order to ensure election integrity.
  • The election can be held in a timely manner (i.e., all computations during the election are done in a reasonable amount of time and voters are not required to wait on other voters to complete their ballot).
  • Our protocol uses a secure form of communication (e.g., HTTPS in Netscape) for all transactions over the World Wide Web.
  • HTTPS HyperText Transfer Protocol
  • Our protocol consists of four phases (procedures), which are explained below. The phases are registration, pre-voting, voting, and announcement.
  • Our protocol uses six central facilities. They are the registrar, the authenticator, the distributor, the counter, the matcher, and the verifier. The responsibilities of these facilities will become clear when the protocol phases are described. To reduce costs, in actual implementation it may be possible to combine some facilities, but in doing so one must first ensure that the combined facility will not have access to extra information that would allow the facility to compromise the election process in any way.
  • FIG. 1 shows a visual representation of the communication between the acting facilities. 1. In order to vote, a voter must first register with the registrar to identify himself as an eligible voter.
  • 2. Upon registering, the registrar assigns a unique identification number to the voter, places the voter's name and ID in the registered voter list, and sends the ID without the name to the authenticator. 3. For each ID it receives, the authenticator generates a unique pair of public/private keys (Pub_Key_ID, Priv_Key_ID), stores (ID, Pub_Key_ID) in a list, and sends (ID, Priv_Key_ID) to the registrar.
  • 4. The registrar then sends the pair (ID, Priv_Key_ID) back to the voter. (In so doing, the authenticator will not know to whom the given key Priv_Key_ID belongs without conspiring with the registrar. The voter uses his/her key Priv_Key_ID to sign his/her ballot in the voting phase.)
  • The signature key Priv_Key_ID may be valid for a long time for multiple elections, or could expire after a given time. If the key were to be kept for a long duration, it would probably be best to have the voter encrypt it with a password of his/her choice, so that no one else could use it. The original, unencrypted key would be destroyed and the encrypted key would be stored instead. The voter-encrypted key could be stored on the voter's license or identification card. Even if a license were stolen, a thief would not be able to vote as the voter, since the voter's key is encrypted. In addition, when the individual whose license was lost or stolen goes to get a new license, he/she would also be forced to re-register for a new key, and the old key would be revoked.
  • If a voter does not have a signature key yet, he/she is required to visit the DMV or another such agency to have his/her identity verified and obtain a signature key. After a voter obtains a signature key, he/she is no longer required to visit the DMV for a new signature key, since the existing key can be used to verify his/her identity electronically.
  • the pre-voting phase consists of six steps, with a seventh optional step. See Figure 2 for a visual representation of the facility interaction.
  • the registrar sends the number of eligible registered voters to the counter.
  • the counter generates a larger number of ballots than the number of registered voters.
  • Each ballot consists of three things: each of the choices on the ballot, an encrypted version of each choice, and a ballot ID.
  • the counter keeps record of the decryption key and the ballot ID for each ballot so that the counter can later decrypt the cast votes.
  • the counter keeps a record of the mapping of ballot choices to encrypted ballot choices for each ballot.
  • the counter sends the ballots to the distributor.
  • the counter sends a copy of the decryption table to the verifier.
  • the counter sends the matching pairs (the mapping of each ballot's encrypted choices to its plain-text choices) to the matcher.
  • the registrar sends the authenticator a list of IDs that are eligible for the given election. If desired, the registrar may publish the names of these voters.
  • the verifier can check the ballots and pairings to confirm that they were properly generated.
  • the voting phase consists of nine steps, with the voters, or their browsers, participating in eight of the steps. The majority of these steps are simple Web transactions. The interaction between entities is depicted in Figure 3.
  • the distributor randomly selects a ballot and blindly sends it to the voter.
  • the voter's Web browser requests the matching pair for the received ballot from the matcher.
  • the matcher sends the voter the appropriate matching pair.
  • The voter then signs the encrypted version of the desired vote using his/her signature key Priv_Key_ID and sends it to the authenticator, along with the ballot's ID number and the voter's ID.
  • The voter's Web browser informs the distributor that the ballot with the given ballot ID has been cast. (In so doing, the distributor has a record of how many votes are actually cast, and by which ballots. This prevents any facility from generating votes for unused ballots, solving a major problem in many of the previously discussed protocols.)
  • The voter's Web browser informs the registrar that the voter has cast a vote, but it is not required to tell the registrar which ballot ID it used.
  • the authenticator first checks the signature to authenticate the voter. The authenticator then verifies that the authenticated voter is permitted to vote in the given election. Once authenticated, the authenticator passes only the legitimate encrypted vote and the ballot's ID to the counter. If authentication fails, the authenticator will notify the voter that he/she is not allowed to vote. The authenticator would then notify the registrar and distributor with a cancellation.
  • the voter's browser generates a receipt when the authenticator confirms receiving the ballot packets.
  • The announcement phase requires no interaction between the different facilities. Each facility merely releases certain information to the public. To verify the integrity of the election, the verifier facility compares certain published lists. An individual voter could also compare some of these lists. The integrity of the election does not require a voter to do so, but allowing a voter to perform such checks increases the security, as explained in Lemma 3 of Section 6 of our paper [KW99], which is included as an attachment of this document.
  • The counter decrypts the votes it has received and tallies the votes.
  • The authenticator publishes a list, called List 1, containing each encrypted vote and its ballot ID.
  • the counter publishes a list, called List 2, containing its version of List 1. Both Lists 1 and 2 should be identical.
  • The authenticator publishes a list, called List 3, consisting of all voter IDs that cast ballots (in numerical order).
  • The registrar looks at List 3 and confirms that only valid voters voted. (The registrar could publish a list of all eligible voters if desired.)
  • The verifier confirms that Lists 1 and 2 are identical. (To prevent cover-ups, it may be desirable to have Lists 1 and 2 sent to the verifier before they are published.)
  • The verifier uses List 1 and the decryption table (received from the counter in the pre-voting phase) to confirm the results published by the counter.
  • Voters can look at Lists 1 and 2 to see their votes on both of these lists. They can also check for their ID in List 3.
  • The distributor could also release its list of ballot IDs, but this should be done only after the authenticator and the counter have released their encrypted ballot lists.
  • the counter announces the election results, which can be verified by the verifier.
  • Ballot &amp; Matching Pair Construction: A basic ballot that is generated by the counter consists of three items. The first is a ballot number. Depending upon the implementation of our protocol, the ballot number would contain sections for the district and election numbers. The remaining two items are lists. One list contains a plain-text version of the ballot choices. The other list contains the ballot choices after being encrypted using the encryption key for the ballot. The two lists are permuted independently, making it impossible to pair a plain-text choice with its encrypted choice without the matching pair for that particular ballot.
  • the matching pair contains the ballot number and a list of paired numbers.
  • the first number in the pairing corresponds to the plain-text choice.
  • the second number corresponds to the encrypted choice that matches the plain-text version of the first number.
  • Figure 4 shows a sample ballot and its corresponding matching pair.
  • the ballot number is 134134613.
  • the four possible choices on this ballot are Bush, Dole, Gore, and Ventura.
  • the notation e(Dole) represents Dole after being encrypted with the ballot's key.
  • The matching pair (1,3) designates that the third encrypted choice, e(Bush), corresponds to the first plain-text choice, Bush.
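The ballot construction, the voter's use of the matching pair, and the verifier's announcement-phase checks (Lists 1 and 2 identical, tally recomputed from List 1 with the decryption table) in working form. This is an added example written for this page, not code from the patent or from the inventors. The page does not specify the ballot cipher; the HMAC-SHA256 counter-mode keystream below is an assumed stand-in, and the per-choice nonce and fixed-width padding are the editor's additions so that two ballots never share a ciphertext and the ciphertext length does not reveal the longer candidate name to the authenticator. The 1-based index convention and the sample ballot number are taken from the page.

```python
import hashlib
import hmac
import os
import random
from collections import Counter
from typing import Dict, List, Tuple

CHOICE_LEN = 32   # every choice is padded to this width so ciphertext length
                  # does not distinguish "Ventura" from "Bush"
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into a keystream with HMAC-SHA256 in counter mode (assumed cipher)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_choice(key: bytes, choice: str) -> bytes:
    """e(choice) for one ballot: fresh nonce per choice, padded to CHOICE_LEN."""
    padded = choice.encode("utf-8").ljust(CHOICE_LEN, b"\x00")
    if len(padded) != CHOICE_LEN:
        raise ValueError("choice longer than CHOICE_LEN")
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, CHOICE_LEN)
    return nonce + bytes(p ^ s for p, s in zip(padded, stream))


def decrypt_choice(key: bytes, blob: bytes) -> str:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream)).rstrip(b"\x00").decode("utf-8")


Ballot = Tuple[int, List[str], List[bytes]]        # (ballot id, plain list, encrypted list)
MatchingPair = Tuple[int, List[Tuple[int, int]]]   # (ballot id, [(plain idx, encrypted idx)])


def generate_ballot(ballot_id: int, choices: List[str], rng: random.Random):
    """Counter side: one ballot, its matching pair, and the per-ballot decryption key."""
    key = os.urandom(32)
    plain = list(choices)
    rng.shuffle(plain)
    enc_order = list(choices)
    rng.shuffle(enc_order)                          # second, independent permutation
    encrypted = [encrypt_choice(key, c) for c in enc_order]
    # 1-based as on the page: (1, 3) means plain choice 1 is encrypted choice 3
    pairs = sorted((plain.index(c) + 1, enc_order.index(c) + 1) for c in choices)
    return (ballot_id, plain, encrypted), (ballot_id, pairs), key


def verify_ballot(ballot: Ballot, pair: MatchingPair, key: bytes) -> bool:
    """Verifier side: the pairs must be a bijection and each must decrypt consistently."""
    ballot_id, plain, encrypted = ballot
    pid, pairs = pair
    if pid != ballot_id or len(pairs) != len(plain):
        return False
    if {p for p, _ in pairs} != set(range(1, len(plain) + 1)):
        return False
    if {e for _, e in pairs} != set(range(1, len(encrypted) + 1)):
        return False
    return all(decrypt_choice(key, encrypted[e - 1]) == plain[p - 1] for p, e in pairs)


def cast_vote(ballot: Ballot, pair: MatchingPair, choice: str) -> Tuple[int, bytes]:
    """Voter side: pick the encrypted version of the desired choice via the matching pair.
    The returned pair is what the voter signs and sends to the authenticator."""
    ballot_id, plain, encrypted = ballot
    p = plain.index(choice) + 1
    e = next(e for pp, e in pair[1] if pp == p)
    return ballot_id, encrypted[e - 1]


def verify_announcement(list1, list2, decryption_table: Dict[int, bytes]) -> Dict[str, int]:
    """Verifier side: List 1 (authenticator) and List 2 (counter) must hold the same
    (ballot id, encrypted vote) entries; the tally is then recomputed from List 1."""
    if sorted(list1) != sorted(list2):
        raise ValueError("List 1 and List 2 differ")
    seen = set()
    tally: Counter = Counter()
    for ballot_id, blob in list1:
        if ballot_id in seen:
            raise ValueError(f"ballot {ballot_id} appears more than once")
        seen.add(ballot_id)
        tally[decrypt_choice(decryption_table[ballot_id], blob)] += 1
    return dict(tally)


if __name__ == "__main__":
    rng = random.Random(7)
    ballot, pair, key = generate_ballot(134134613, ["Bush", "Dole", "Gore", "Ventura"], rng)
    print(ballot[1], pair[1], verify_ballot(ballot, pair, key))
```

The verifier check mirrors the page's division of knowledge: the authenticator only ever sees the encrypted choice, the matcher only sees index pairs, and only the holder of the decryption table can turn List 1 into a tally.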
  • Cranor and Cyfron [CC97] recently designed and implemented a security-conscious polling system, called Sensus.
  • Voters may be allowed to change their vote. This could be done in one of two ways. First, the authenticator holds all votes until the end; to change a vote, the voter simply resubmits his/her vote, and the authenticator discards the old vote and keeps the new one. Second, when the authenticator sees that the voter has already cast his/her ballot for the given election, the authenticator asks the counter to remove the ballot from its list. The authenticator then sends the new vote to the counter. As an added benefit of this property, vote selling becomes more difficult, because the buyer now has to lock up the seller until the end of the election to prevent the seller from changing his/her vote.
  • Each facility is required to encrypt its database (list of data) on the fly, i.e., one record at a time, using the public keys of all the facilities. By doing so, the only way to completely decode a piece of data would be to acquire the secret keys of all servers, which, by our assumption, is impossible. Because the database is encrypted piece by piece, a facility can easily extract the portion of the data it needs to see from the database and then send it to the other facilities to decrypt it.
  • Two types of communication occur in the system: the first type is between facilities, and the second type is between a voter and a facility.
  • Facility-facility communication: For communications between facilities, we need to ensure that these communications cannot be intercepted or altered; we also need to ensure that facilities do not collaborate to compromise the integrity or anonymity of the election. We accomplish both of these goals using the following protocol.
  • Suppose facility A wants to transmit data to facility B.
  • facility A sends the encrypted data to a randomly selected third facility C.
  • Facility C decrypts the data with its own secret key, verifies that the size and the structure of the data it received have not been altered, and sends the data to another randomly selected facility D. The process is continued until the data finally reaches facility B, and facility B will be able to read the data after it uses its private key to decrypt the data.
  • the counter should send all of the ballots to the distributor, and the authenticator should send the counter encrypted ballots in a large number of blocks.
  • districts should be designed to share information. Each district would generate the ballots, matching pairs, and ballot decryption keys as previously described. Ballot IDs would contain a district ID, election ID, and the typical ballot ID. This would prevent districts from having duplicate ballot IDs. Voters would register with their district. When it comes time to distribute their information, the districts would divide them into groups. Each of these groups would contain districts that traditionally vote differently. These groups would share ballot decryption keys, matching pairs, and valid voter IDs. To prevent the same ballot from being given out to multiple voters, the individual ballots would not be shared with the other districts.
  • each district would send a chunk of the district's ballots to each of the districts in their group.
  • the voter would be given a ballot from his district's ballot box.
  • Each district would be pulling ballots out of a ballot box containing unique ballots for whichever district the voter belongs to.
  • Buying Votes or Kidnapping Voters: The ability of one party or candidate to buy votes, or simply to force voters to vote a particular way, is increased when an election is held electronically. A candidate could pay potential voters to vote for them and then watch them vote. Likewise, a candidate could kidnap people and force them to vote a particular way.
  • Kidnapping voters would require that all the kidnapped voters be held until after the voting phase has ended. If released earlier, voters could change votes. They would also be required to be kidnapped before the process begins, otherwise they could vote before being kidnapped and then not properly sign their ballot, thus forcing the ballot to be rejected. Kidnapping large enough numbers of voters to affect an election and hold them for the duration of the election would easily be detected, and appropriate action could be taken.
  • voting online provides a reasonable alternative and in the future may replace conventional elections. Voting online would allow voters to participate in an election in any location that provides Internet access. Voters could cast their ballots while at work, at school, or in the comfort of their own home. Many public libraries have computers with Internet access that could also be used in elections. In some places, bookstores and coffee bars are also starting to provide Internet access. For those voters still without Internet access, voting districts would still have designated locations; only computers, instead of voting booths, would be used. There would be no need to restrict voters to a given district.
  • this invention could be used on a smaller scale also. It could be used for stockholder votes, union votes, and school elections. It could also be used for polls or surveys. If survey participants are to receive rewards for participating, they could receive their reward while keeping their opinions anonymous.

Abstract

The election system (10) may include one or more of a registrar (12), a plurality of ballots (14), a plurality of authentication codes (112), a data reconciler (18) and a tally system (34). The registrar (12) may include a registrar link (20) that permits communications with at least a plurality of voters (22). The registrar link (20) may permit a voter (28) to obtain a unique voting ID (24) by registering with the registrar (12). The plurality of ballots (14) is for distribution to at least a portion of the plurality of voters (22). Each ballot may include a unique ballot ID (26) and a corresponding list of plain data (30). One authentication code (112) is used with a corresponding cast ballot (14). The data reconciler (18) may include a link (32) to the registrar (12). The tally system (34) may include a link (36) to the reconciler (18).

Description

ELECTRONIC VOTING SYSTEM
Background of the Invention
(1) Field of the Invention
The present invention relates generally to an electronic voting system and, more particularly, to a system for carrying out elections over a network.
(2) Description of the Prior Art
CHAPTER I: INTRODUCTION
Democratic societies are founded on the principle of elections. However, it is not unusual that many eligible voters in a democratic society do not participate in elections. One of the common reasons for not participating is that voters find it inconvenient to go to the polls. In conventional elections, voters must go to a designated location near their residence. However, for various reasons voters are not always able to make it to these locations. They may be out of town on work or on vacation. Even if they are in town, their daily schedule may not permit them to get to the ballots.
With the rapid growth of the Internet, specifically the World Wide Web, voting online provides a reasonable alternative and in the future may replace conventional elections. Voting online would allow voters to participate in an election in any location that provides Internet access. Voters could cast their ballots while at work, at school, or in the comfort of their own home. Many public libraries have computers with Internet access that could also be used in elections. In some places, bookstores and coffee bars are also starting to provide Internet access. For those voters still without Internet access, voting districts would still have designated locations; only computers, instead of voting booths, would be used. There would be no need to restrict voters to a given district. The idea of electronic elections over computer networks has been studied intensively for over fifteen years. A variety of cryptographic voting protocols have been proposed to minimize election fraud and maximize voter privacy (for example, see [Be87, BT94, Ch88b, Co86, CF85, C+96, CGS, CC97, F+93, IV91, MV98, NS91, NS, N+91, Sal96, Sch96, SK94]). Most of the early protocols deal with only a few specific issues of elections, mostly for theoretical interest. As pointed out in [F+93] and [CC97], such protocols are impractical to implement for a large-scale, geographically distributed voting district. For a survey of several such protocols we refer the reader to Chapter 3.2 in Cranor and Cytron's paper [CC97]. So far there has not been a single government election done over the Internet. Fujioka, Okamoto, and Ohta [F+93] studied how to make online elections practical and proposed a voting protocol using the cryptographic techniques of blind signatures and anonymous communication channels. Their protocol also uses central facilities to administrate elections and count votes. They argued that using central facilities is necessary for a voting scheme to be practical.
Building on this work, Cranor and Cytron [CC97] recently designed and implemented a security-conscious polling system, called Sensus. However, Fujioka et al.'s protocol and the Sensus protocol suffer from several major drawbacks (we will describe these drawbacks in Chapter II). Some of these drawbacks are due to the use of blind signatures at large scale and the impractical assumption of anonymous communication channels (note that CPU identification numbers have been embedded into Intel's new Pentium III chips and can be broadcast over the Internet). These drawbacks hinder Sensus from being used in large-scale elections.
CHAPTER II: EXISTING ELECTRONIC VOTING SCHEMES:
A survey of the existing electronic voting schemes follows. Since there are many variations of a few key concepts, we have grouped the voting schemes into groups based on their key techniques. By doing so, we hope to reveal the key drawbacks, as well as the benefits, of the main techniques without delving deep into specific details. A majority of this chapter will focus around Sensus.
SCHEMES THAT USE NO CENTRAL TABULATING AUTHORITY
[Sch96] presents a model that uses no central tabulating authorities. As a result, voters are required to do all the work, including performing all the checks and declaring a winner. To make matters even worse, the protocol is too complicated for a layman to understand. All of these factors make any scheme that uses no central tabulating authorities unsatisfactory.
SCHEMES THAT USE ALL-OR-NOTHING DISCLOSURE OF SECRETS (ANDOS)
A number of existing protocols, such as [Sch96, N+91], use a technique known as ANDOS to guarantee anonymity. While the rest of the protocol may be feasible, the use of ANDOS for anonymity is not. The ANDOS protocol is extremely complex, making it unsuitable for large-scale elections. Thus, the presence of ANDOS causes these protocols to fail the scalability requirement.
On the other hand, if ANDOS is removed from these protocols, then the election is no longer anonymous. Therefore, the protocols now fail the privacy criterion. Also, in many cases it may not be possible to simply remove the ANDOS protocol, for otherwise other requirements may be violated.
SCHEMES THAT USE MULTI-PART ELECTIONS
[F+93] suggests a protocol that has several non-parallel phases. As a result, voters cannot proceed to the next phase of voting until the current phase is complete. Instead of the five or ten minutes it takes to cast a conventional ballot, in a large-scale election it could take days for a voter to cast a ballot in this model. With the need to still maintain a common polling area (for those without access to computers), this scheme is extremely inefficient, as voters would be required to travel, and wait in lines, multiple times.
SCHEMES THAT USE HOMOMORPHISMS OR SCRAMBLERS
[SK94, CGS, C+96] devise voting schemes that use homomorphisms to protect the anonymity and integrity of the election. The basic idea is to divide a vote into many parts, such that the sum of all its parts is the original vote. There are several problems with using techniques such as this.
First, if all the parties receiving the parts of the election collaborate, then the election could be compromised. Also, since the vote is divided into many parts, and the security of the election is directly proportional to the number of parts, the scalability of such a scheme is hindered.
Large-scale implementation would result in either an insecure implementation, or an extremely costly (in both resources and financial) and time-consuming election. Since our ultimate goal was to devise a scheme that could function in a national, or global, election, the homomorphism approach does not satisfy our requirements.
In addition, these voting protocols are primarily limited to 'yes-no' votes. In the majority of national elections, this is not the case. In addition to having multiple options, many elections also allow a voter to 'write in' a candidate. Even though the ability to have a 'write-in' candidate is not extremely significant, it is extremely important for our protocol to support multiple-candidate elections. This need is evident from the election of the Reform Party's Jesse Ventura as governor of Minnesota.
[Sal96] does not use homomorphisms, but instead uses "scramblers" to protect the anonymity and integrity of the election. Once again, large-scale implementation of this protocol does not seem feasible, as the voter must contact every scrambler. In addition, the voter is required to participate in a pre-election phase before every election. Requiring voters to register before every election could possibly result in fewer participants.
SCHEMES THAT USE BLIND SIGNATURES AND ANONYMOUS COMMUNICATION CHANNELS
Many electronic voting protocols have been proposed during the past fifteen years as we mentioned in Chapter I, but none of them seem to fit our set of requirements as nearly as Sensus. Many of these protocols, while of theoretical interest, are not practical to implement for a large number of geographically distributed voters [CC97]. Sensus, on the other hand, has actually been implemented and used in mock elections. Sensus is based on the voting protocol proposed in [F+93], which uses blind signatures and anonymous communication channels to administrate elections. In this chapter we will first outline these two protocols. We will then show that these two protocols suffer from several major drawbacks.
We begin with Fujioka et al.'s protocol [F+93], which consists of voters and three central facilities called registrar, validator, and tallier. Note that in [F+93], the validator is called the administrator and the tallier is called the counter. The registrar compiles a list of eligible voters, which could be performed before the actual election begins. (We note that the registrar facility is not mentioned explicitly in [F+93].) The protocol consists of seven phases outlined below, where the registration phase, not included in [F+93], is added here for completeness as in the Sensus protocol.
Registration phase. The registrar compiles a list of eligible voters prior to an election. Eligible voters generate public/private key pairs for signing ballots, and register to vote by sending the registrar their voter identifications and the public keys, which are placed in a registered voter list. (See [CC97] for a detailed implementation of this phase.) The registrar then sends the list to the validator.
Preparation phase. The voter V prepares a voted ballot b and encrypts it with a random string k he/she selects, as in the bit-commitment scheme [Na90]. Assume that the committed ballot is x. The voter then blinds x into a new string e, signs e into a new string s, and sends (I, e, s) to the validator, where I is V's ID.
Authorization phase. Using the registered voter list, the validator verifies that the signature s belongs to a registered voter I who has not yet voted, signs the blinded ballot e into a new string d, and returns d to the voter.
Voting phase. The voter V removes the blinding layer from d, revealing the validator's signature y on the committed ballot x, and sends the pair (x, y) to the tallier via an anonymous communication channel as described in [Ch81, Ch88a, Pf84].
Collecting phase. The tallier checks the signature y, using the validator's public key, to make sure that x is from a legitimate voter, and places (x, y) on a list of valid ballots.
Opening phase. At the end of the election, the validator publishes the number of voters who were given the administrator's signature, and publishes a list of all triples (I, e, s) it has received; and the tallier publishes the list of valid ballots. The voter V then checks that the length of the list is equal to the number of voters, and that his/her vote (x, y) appears on the tallier's list, with index n. The voter then sends (n, k) to the tallier via an anonymous communication channel.
Counting phase. The tallier decrypts the corresponding committed ballot x using k and retrieves the ballot b, counts the votes, and announces the voting results.
The Sensus protocol, for a large part, is the same as Fujioka et al.'s protocol. It assumes that all communication between voter and election authorities occurs over an anonymous channel. What is different in Sensus is that it uses one extra central facility called pollster and that the tallier does not wait to the end to process votes. The latter is done by modifying the opening and counting phases. In particular, after the collecting phase, the tallier signs the encrypted ballot x and returns it to the voters as a receipt. Upon receiving the receipt, the voter sends the tallier the ballot decryption key k, and the tallier uses the key to decrypt x to obtain b and add the vote to the tally. Sensus still relies on voters to perform verification as in the opening phase of Fujioka et al.'s protocol. The pollster acts as a voter's agent, performing all cryptographic and data transfer functions on a voter's behalf.
Next, we show that using blind signatures as in these two protocols would allow the tallier to cheat the election without being detected. We note that in the preparation phase, if several voters choose the same random key k and vote in the same manner, then their encrypted ballots x will be exactly the same, and so they will obtain the same y with the validator's signature. The tallier can then replace a few (not all) of these pairs (x, y) with some other legitimate pairs (x', y'). When each of the affected voters checks for his/her vote, he/she will see (x, y) in the published list and hence will not detect anything wrong. To make matters worse, the tallier may generate new votes to replace the duplicated votes. Since voters would use the same pseudo-random number generator provided by the system to generate the secret keys k, and since in a large-scale election many of the votes will be the same, it is likely that many of the pairs (x, y) will be the same. This would make the attack successful, which would violate the accuracy criterion.
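The condition the paragraph above relies on, identical committed ballots x on the tallier's published list, is something a verifier can test for directly, and it disappears when each voter's commitment key k carries enough entropy. The following is an added example written for this page, not code from the patent or from [F+93] or Sensus. It assumes a hash-based commitment x = SHA-256(k || b) as a stand-in for the scheme the page cites as [Na90], and an HMAC under a constructed validator key as a stand-in for the validator's signature y; the yes/no votes and the deliberately short 1-byte keys are constructed to exhibit the collision.

```python
import hashlib
import hmac
import os
import random
from collections import Counter
from typing import Dict, List, Tuple


def commit(ballot: bytes, k: bytes) -> bytes:
    """Committed ballot x = H(k || b); assumed stand-in for the [Na90] bit commitment."""
    return hashlib.sha256(k + ballot).digest()


def validator_sign(validator_key: bytes, x: bytes) -> bytes:
    """Stand-in for the validator's signature y on x (HMAC, constructed for this example)."""
    return hmac.new(validator_key, x, hashlib.sha256).digest()


def build_tallier_list(votes: List[bytes], keys: List[bytes],
                       validator_key: bytes) -> List[Tuple[bytes, bytes]]:
    """The (x, y) pairs the tallier would publish, one per voter."""
    published = []
    for b, k in zip(votes, keys):
        x = commit(b, k)
        published.append((x, validator_sign(validator_key, x)))
    return published


def duplicate_entries(published: List[Tuple[bytes, bytes]]) -> Dict[Tuple[bytes, bytes], int]:
    """Verifier check: every (x, y) that appears more than once, with its multiplicity.
    A non-empty result means individual voters' own checks can no longer tell a
    substituted entry from their own, exactly the situation described on the page."""
    counts = Counter(published)
    return {pair: n for pair, n in counts.items() if n > 1}


def weak_keys(n: int, rng: random.Random) -> List[bytes]:
    """Constructed: 1-byte keys, i.e. a generator with far too little entropy."""
    return [bytes([rng.randrange(256)]) for _ in range(n)]


def strong_keys(n: int) -> List[bytes]:
    """32 bytes from the OS CSPRNG per voter; collisions are then negligible."""
    return [os.urandom(32) for _ in range(n)]


if __name__ == "__main__":
    rng = random.Random(1)
    votes = [rng.choice([b"yes", b"no"]) for _ in range(1000)]
    vk = b"constructed-validator-key"
    print(len(duplicate_entries(build_tallier_list(votes, weak_keys(1000, rng), vk))))
    print(len(duplicate_entries(build_tallier_list(votes, strong_keys(1000), vk))))
```

With 1000 voters, two possible votes and 256 possible keys there are only 512 distinct (b, k) combinations, so duplicates on the weak-key list are guaranteed by the pigeonhole principle, whereas the 32-byte keys yield none.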
Fujioka et al. [F+93] noted that the validator could submit votes for voters who decide to abstain. They then suggested that voters who abstain should submit a blank ballot to avoid this from happening. This is hardly a practical solution, because if voters decide to abstain, they probably would not take the time to submit blank ballots either. Likewise, voters who abstain cannot be relied upon to make sure that no votes were cast for them. To solve this problem, it may be possible to have some sort of time expiration on the ballots. This, however, may generate more problems.
Another drawback of the Sensus protocol and Fujioka et al.'s protocol is that they rely on anonymous communication channels to provide anonymity. But anonymity is hard to guarantee over the Internet. Although there are services that offer the ability to browse the Web anonymously, such as anonymizer.com, the only way to guarantee that all voters use these services is to force them to use certain sites. However, voters cannot know, with any certainty, that these sites do not collaborate with any of the central facilities involved. Cranor and Cytron [CC97] suggest that an anonymous channel could be secured through the use of a chain of World Wide Web facilities. The problem with this solution is that some organization must configure this to occur. It would be difficult to assure the voters that none of the Web facilities in the chain are secretly collaborating with the authority. The task of anonymity on the Web may have been made even more complicated with the recent introduction of embedded CPU identification numbers in Intel's Pentium III chips. These numbers can be broadcast over the Internet, identifying the voter's Internet connection and the machine from which they are casting their votes. This would violate the privacy criterion.
Finally, in these two protocols, voters are relied upon to verify that their votes were counted. This is not practical, especially for voters who do not have convenient Internet access. These voters would have to revisit a polling place to verify their votes after the voting results are announced. Therefore, Sensus violates the simplicity and the verifiability criteria. Thus, there remains a need for a new and improved voting system that is secure while at the same time usable in large-scale elections. The present invention includes a new design for an electronic voting system. The voting system uses central facilities, but it does not use blind signatures or anonymous communication channels.
Summary of the Invention
The present invention is directed to an election system. The election system may include one or more of a registrar, a plurality of ballots, a plurality of authentication codes, a data reconciler, and a tally system. The registrar may include a registrar link that permits communication with at least a plurality of voters. For example, the registrar link may permit a voter of the plurality of voters to obtain a unique voter ID by registering with the registrar. The plurality of ballots may be distributed to at least a portion of the plurality of voters. Each ballot may include a unique ballot ID and a corresponding list of plain data (sometimes herein referred to as a plain text version). The plurality of authentication codes may be generated such that one authentication code may be used with a corresponding cast ballot of the plurality of ballots. The data reconciler may include a data reconciler link for communicating to at least the registrar. Also, the tally system may include a tally system link for communicating with at least the data reconciler.
The election system may include a counter that may include one or more of a counter link, a ballot generator, a ballot authenticator, a counter database, a counter key generator, a counter database encryptor, and a counter database decryptor. The counter link may provide for communicating within at least the election system. The ballot generator may generate the plurality of ballots. A secure ballot generator may be preferred. The ballot generator may include one or more of a matching pair generator, a ballot encryption key generator, a ballot encryptor, and a ballot decryption key generator. The matching pair generator may generate a matching pair corresponding to each unique ballot ID and each corresponding list of plain data for each ballot of the plurality of ballots. The ballot encryption key generator may generate a plurality of ballot encryption keys corresponding to each of the plurality of ballots. A preferred ballot encryption key generator may be a ballot encryption key-decryption key pair generator. The ballot encryptor may encrypt the corresponding list of plain data for each of the plurality of ballots using the corresponding plurality of ballot encryption keys. The ballot decryption key generator may generate a plurality of ballot decryption keys corresponding to the plurality of ballots to facilitate decryption thereof. As noted, the ballot encryption key generator may be a ballot encryption key-decryption key pair generator in which case the ballot decryption key generator may be part of the ballot encryption key generator.
The ballot authenticator may facilitate the authentication of cast ballots. The ballot authenticator may include one or more of a tallier and a decryptor. The tallier may tally cast ballots, preferably after the ballots have been determined to be authentic. The decryptor may decrypt cast ballots prior to the tallying of the cast ballots.
The counter database includes at least the unique ballot IDs of the plurality of ballots. The counter database also may include one or more of a ballot decryption key, the plurality of ballots, matching pairs, and ballot encryption keys. Each ballot decryption key, matching pair and ballot encryption key set may correspond to a unique ballot ID of the plurality of ballots and, in a preferred embodiment, does correspond.
The counter key generator may be a public key-private key pair generator. The counter database encryptor may encrypt data prior to storing the data in the counter database. A preferred counter database encryptor includes an on the fly encryptor. The counter database encryptor preferably uses public keys generated by a plurality of facilities of the election system to encrypt the counter database.
Decryption of data within the counter database by the counter database decryptor may be desirable and might be necessary prior to one having an ability to access the data. A preferred counter database decryptor includes a partial decryptor.
The election system may include a matcher. The matcher may include one or more of a matcher link, a matcher database, a matcher key generator, a matcher database encryptor, and a matcher database decryptor. The matcher link includes communication at least within the election system and in particular with the plurality of voters.
The matcher database has at least a matching pair corresponding to each unique ballot ID of the plurality of ballots.
The matcher key generator may be a public key-private key pair generator. The matcher database encryptor may encrypt data prior to storing the data in the matcher database. A preferred matcher database encryptor includes an on the fly encryptor. The matcher database encryptor preferably uses public keys generated by a plurality of facilities of the election system to encrypt the matcher database.
Decryption of data within the matcher database by the matcher database decryptor may be desirable and might be necessary prior to one having the ability to access the data. A preferred matcher database decryptor includes a partial decryptor.
The election system may include a distributor that may include one or more of a distributor link, a distributor database, a distributor key generator, a distributor database encryptor, and a distributor database decryptor. The distributor link includes communication at least within the election system and in particular with the plurality of voters. The distributor database includes at least the plurality of ballots.
The distributor key generator may be a public key-private key pair generator. The distributor database encryptor may encrypt data prior to storing the data in the distributor database. A preferred distributor database encryptor includes an on the fly encryptor. The distributor database encryptor preferably uses public keys generated by a plurality of facilities of the election system to encrypt the distributor database.
Decryption of data within the distributor database by the distributor database decryptor may be desirable and might be necessary prior to one having the ability to access the data. A preferred distributor database decryptor includes a partial decryptor.
The plurality of ballots may include the list of plain data and an encrypted version thereof.
The data reconciler may provide the authentication code. One alternative for the authentication code includes an encrypted version of the list of plain data. The encrypted version of the list of plain data may be provided to the distributor for providing to the plurality of voters.
The plurality of matching pairs may correspond to an encrypted version of the list of plain data. The data reconciler may provide the plurality of matching pairs. In particular, the plurality of matching pairs may be provided to the matcher for distribution to the plurality of voters.
The election system includes the registrar that may include one or more of a registrar link, a voter identifier, a registrar database, a registrar key generator, a registrar database encryptor, a voter ID generator, and a registrar database decryptor. The registrar link may include communication at least within the election system and in particular with the plurality of voters. A preferred registrar link includes a bi-directional link. To that end, the registrar link may be an Internet link.
The voter identifier may determine the identity of a portion of the plurality of voters that have cast a vote. The registrar database includes voter information and may include voter names and unique voter ID. The registrar key generator may be a public key-private key pair generator. The registrar database encryptor may encrypt data prior to storing the data in the registrar database. A preferred registrar database encryptor may include an on the fly encryptor. The registrar database encryptor preferably uses public keys generated by a plurality of facilities of the election system to encrypt the registrar database. Decryption of data within the registrar database by the registrar database decryptor may be desirable and might be necessary prior to one having the ability to access the data. A preferred registrar database decryptor may include a partial decryptor.
The unique voter ID may include facilitating communication between a voter of the plurality of voters and the data reconciler. Also, the unique voter ID may include facilitating communication between a voter of the plurality of voters and the registrar. Moreover, the unique voter ID may permit a voter of the plurality of voters to obtain a ballot of the plurality of ballots. Also, the unique voter ID may permit verifying that a voter of the plurality of voters has cast a ballot of the plurality of ballots. The unique voter ID generator may include a counter for determining the number of unique IDs generated. The registrar link may include facilitating providing the unique voter ID from the data reconciler to a voter. Moreover, the registrar link may include facilitating providing a voter private key to a voter of the plurality of voters. In a preferred embodiment, the registrar may pass the voter private key to the voter of the plurality of voters without keeping a copy of the voter private key.
The election system may include an authenticator. The authenticator may include one or more of an authenticator link, a voter authenticator, an authenticator database, a voter key generator, a voter authenticator key generator, an authenticator database encryptor, and an authenticator database decryptor. The authenticator link may include communication at least within the election system and in particular with at least the registrar. The authenticator database may include a plurality of voter ID-decryption key pairs. Preferred voter ID-decryption key pairs include voter ID-voter public key pairs.
The voter key generator may be a voter decryption key generator. A preferred voter key generator includes a voter public key-private key pair generator. The voter authenticator key generator may be a public key-private key pair generator. The authenticator database encryptor may encrypt data prior to storing the data in the authenticator database. A preferred authenticator database encryptor includes an on the fly encryptor. The authenticator database encryptor preferably uses public keys generated by a plurality of facilities of the election system to encrypt the authenticator database. Decryption of data within the authenticator database by the authenticator database decryptor may be desirable and might be necessary prior to one having the ability to access the data. A preferred authenticator database decryptor includes a partial decryptor.
The election system may include a verifier that may include one or more of a verifier link, a vote counter, a verifier database, a verifier key generator, a verifier database encryptor, and a verifier database decryptor. The verifier link may include communication at least within the election system. The vote counter may count cast ballots to verify a vote tally. A preferred vote counter may facilitate the independent counting of cast ballots to verify a vote tally. The vote counter may include a ballot decryptor for decrypting cast ballots to permit the vote counting of the vote tally. The verifier database may include a plurality of ballot ID-decryption key pairs. Preferred ballot ID-decryption key pairs may include ballot ID-voter public key pairs.
The verifier key generator may be a public key-private key pair generator. The verifier database encryptor may encrypt data prior to storing the data in the verifier database. A preferred verifier database encryptor may include an on the fly encryptor. The verifier database encryptor preferably uses public keys generated by a plurality of facilities of the election system to encrypt the verifier database.
Decryption of data within the verifier database by the verifier database decryptor may be desirable and might be necessary prior to one having the ability to access the data. A preferred verifier database decryptor includes a partial decryptor.
A data reconciler link includes permitting communication with a voter of the plurality of voters. A preferred communication method with a voter may be via an Internet link. Alternatively, communication with a voter may be via an intranet link. Communication with a voter may be direct; likewise, it may be indirect.

The present invention fulfills needs in the art by providing a method of holding an election including enabling voters to register with a registrar facility by providing encryption keys to registered voters and storing the encryption key with an authenticator facility. The method includes distributing ballots having unique ballot IDs to requesting voters, receiving ballots having voter choices on them and encrypted using the voters' encryption keys, receiving from voters the ballot ID, encrypted vote information and voter ID at an authenticator facility, indications that votes have been cast with ballots having the indicated ballot IDs at a distributor facility, and an indication that the voter has voted at a registrar facility. The method includes authenticating the voter at the authenticator facility and passing authenticated votes and the ballot ID to a counter facility.
In a preferred embodiment the method includes decrypting votes at the counter facility and tallying the number of votes, publishing a list containing encrypted votes and ballot IDs at the authenticator facility, publishing a list containing encrypted votes and ballot IDs at the counter facility, publishing a list containing the voter IDs of cast ballots at the authenticator facility, examining the list containing the voter IDs of cast ballots at the registrar facility to confirm that only registered voters voted, verifying at a verifier facility that the list containing encrypted votes and ballot IDs published at the authenticator facility is identical to the list containing encrypted votes and ballot IDs published at the counter facility, confirming at the verifier facility, from the list containing encrypted votes and ballot IDs published at the authenticator facility and a decryption table, the results published by the counter facility, examining at the distributor facility the list containing encrypted votes and ballot IDs published at the authenticator facility and the list containing encrypted votes and ballot IDs published at the counter facility to ensure that only legitimate ballots appear, and releasing the election results at the counter facility. Typically, at least one of the distributing and receiving steps includes transmitting information over the Internet. Preferably, distributing ballots includes distributing a number of ballots from an inventory of ballots that has more members than there are registered voters. Distributing ballots may include distributing a ballot having a ballot number, and a matching pair made up of plain-text versions of ballot choices and encrypted versions of ballot choices. Preferably, the encrypted version is encrypted using an encryption key unique to the ballot. The ballot choices may include ballot choices in municipal and national elections. Desirably, the acts of publishing include publishing to the general public.
Preferably, passing authenticated votes includes passing data through a firewall.
The invention also provides an election apparatus including a network of data handling devices configured to hold elections, including a data handling device enabling voters to register with a registrar facility, including providing encryption keys to registered voters and storing the encryption key with an authenticator facility; a data handling device distributing ballots having unique ballot IDs to requesting voters; a data handling device receiving ballots having voter choices on them and encrypted using the voters' encryption keys; and data handling devices configured as authenticator, distributor and registrar facilities enabled to receive from voters the ballot ID, encrypted vote information and voter ID at the authenticator facility, indications that votes have been cast with ballots having the indicated ballot IDs at the distributor facility, and an indication that the voter has voted at the registrar facility, to authenticate the voter at the authenticator facility and to pass authenticated votes and the ballot ID to a data handling device configured as a counter facility.
In a preferred embodiment at least two of the data handling devices communicate information to one another over the Internet. The data handling device that distributes ballots typically distributes a number of ballots from an inventory of ballots that has more members than there are registered voters. Desirably, the ballot has a ballot number, and a matching pair made up of plain-text versions of ballot choices and encrypted versions of ballot choices. The encrypted version may be encrypted using an encryption key unique to the ballot. The ballot choices include ballot choices in municipal and national elections.
In a preferred embodiment the authenticator (as well as other facilities) is protected by a firewall.

Accordingly, one aspect of the present invention is to provide an election system including a registrar, a plurality of ballots and a data reconciler. The registrar may include a registrar link that permits communication. For example, the registrar link may permit a voter of the plurality of voters to obtain a unique voter ID by registering with the registrar. At least a portion of the plurality of ballots may be for distribution to at least a portion of the plurality of voters. Each ballot may include a unique ballot ID and a corresponding list of plain data. The data reconciler may include a data reconciler link for communication to at least the registrar.
Another aspect of the present invention is to provide an election system including a registrar, a plurality of ballots, a plurality of authentication codes, and a data reconciler. The registrar may include a registrar link that permits communication. For example, the registrar link may permit a voter of the plurality of voters to obtain a unique voter ID by registering with the registrar. At least a portion of the plurality of ballots may be for distribution to at least a portion of the plurality of voters. Each ballot may include a unique ballot ID and a corresponding list of plain data. The plurality of authentication codes may be generated such that one authentication code may be used with a corresponding cast ballot of the plurality of ballots. The data reconciler may include a data reconciler link for communication to at least the registrar.
Still another aspect of the present invention is to provide an election system that may include one or more of a registrar, a plurality of ballots, a plurality of authentication codes, a data reconciler, and a tally system. A registrar link may permit communication with at least a plurality of voters. For example, the registrar link may permit a voter of the plurality of voters to obtain a unique voter ID by registering with the registrar. The plurality of ballots may be for distribution to at least a portion of the plurality of voters. Each ballot may include a unique ballot ID and a corresponding list of plain data (sometimes herein referred to as a plain-text version). The plurality of authentication codes may be generated such that one authentication code may be used with a corresponding cast ballot of the plurality of ballots. The data reconciler may include a data reconciler link for communication to at least the registrar. Also, the tally system may include a tally system link for communication to at least the data reconciler.
These and other aspects of the present invention will become apparent to those skilled in the art after a reading of the following description of the preferred embodiment when considered with the drawings.
Brief Description of the Drawings
FIGURE 1 is a block diagram illustrating communication between facilities during the registration phase according to an aspect of the present invention;
FIGURE 1A is a flow chart of the communication between facilities of FIGURE 1 during the registration phase according to an aspect of the present invention;
FIGURE 2 is a block diagram illustrating interaction between facilities during the pre- voting phase according to an aspect of the present invention;
FIGURE 2A is a flow chart of the interaction between facilities of FIGURE 2 during the pre-voting phase according to an aspect of the present invention;
FIGURE 3 is a block diagram illustrating interaction between facilities during the voting phase according to an aspect of the present invention;
FIGURE 3A is a flow chart of the interaction between facilities of FIGURE 3 during the voting phase according to an aspect of the present invention;
FIGURE 4 is a sample ballot and a sample matching pair according to an aspect of the present invention;
FIGURE 4A is a flow chart of the interaction between facilities of FIGURE 1 during the announcement phase according to an aspect of the present invention;
FIGURE 5 is a block diagram illustrating an election system according to an aspect of the present invention;
FIGURE 6 is a block diagram illustrating some details of a registrar of FIGURE 5 according to an aspect of the present invention;
FIGURE 7 is a block diagram illustrating some details of an authenticator of FIGURE 5 according to an aspect of the present invention;
FIGURE 8 is a block diagram illustrating some details of a verifier of FIGURE 5 according to an aspect of the present invention;
FIGURE 9 is a block diagram illustrating some details of a tally system of FIGURE 5 according to an aspect of the present invention;
FIGURE 10 is a block diagram illustrating some details of a matcher of FIGURE 9 according to an aspect of the present invention;
FIGURE 11 is a block diagram illustrating some details of a counter of FIGURE 9 according to an aspect of the present invention; and
FIGURE 12 is a block diagram illustrating some details of a distributor of FIGURE 9 according to an aspect of the present invention.
Description of the Preferred Embodiments
In the following description, like reference characters designate like or corresponding parts throughout the several views. Also in the following description, it is to be understood that such terms as "forward," "rearward," "left," "right," "upwardly," "downwardly," and the like are words of convenience and are not to be construed as limiting terms.
CHAPTER III: SYSTEM REQUIREMENTS
A good electronic voting system should not sacrifice voter privacy or introduce opportunities for fraud. For an electronic voting system to be useful and acceptable to voters, it must be at least as secure as conventional voting systems. We use the following set of nine criteria to ensure that an electronic voting system is secure and practical for large-scale elections.
Democracy: Only eligible voters are permitted to vote, and they can do so only once.
Accuracy: A voter's vote cannot be altered, duplicated, or removed without being detected. Invalid votes are not tabulated in the final tally.
Privacy: Votes remain anonymous.
Verifiability: Voters can be sure that their votes are tabulated correctly, but voters are not required to verify their votes in order to ensure election integrity.
Simplicity: Voters can finish voting quickly, with minimal equipment or special skills.
Mobility: Voters are not restricted to a physical location from which they can cast their votes.
Efficiency: The election can be held in a timely manner (i.e., all computations during the election are done in a reasonable amount of time, and voters are not required to wait on other voters to complete their ballots).
Scalability: The size of the election will not drastically affect performance.
Responsibility: Eligible voters who have not voted can be identified. (This is an optional requirement.)

Among these criteria, democracy, accuracy, privacy, verifiability, simplicity, and mobility are directly relevant to the voters and are adapted from [CC97]. The criteria of efficiency, scalability, and responsibility are added in our system.
For the privacy criterion, we may further require that no voter can prove that he or she voted in a particular way, to prevent vote buying and extortion. But as pointed out in [CC97], unless voters are required to cast their votes from inside a solitary voting booth, voters will be able to prove how they voted by allowing buyers to observe them while they are casting their votes. Adding this requirement would compromise mobility, one of the major reasons to hold an online election. The current US government elections do not satisfy the verifiability criterion. If an election booth malfunctions, for example, then some voters' ballots may not be counted correctly and the voters are not able to detect the error. In the past, elections have also been held in which ineligible voters, even the deceased, have been allowed to cast a vote.
Conventional election systems also do not handle mobility easily. Voters who will not be in their home districts during the election and wish to vote must file absentee ballots. But due to time constraints, this may not always be possible, as their absence may not be known until the last minute.
The criteria of simplicity, efficiency, and scalability imply that in such a voting system, voters cannot be required or expected to communicate with other voters; and voters cannot be required to do all the computations of the election. This means that some central facilities must be employed in the system.
The responsibility criterion is not required in US elections, but it is required in Australian elections. By Australian laws, eligible voters are required to participate in government elections; they are subject to punishment if they do not participate without acceptable reasons [MV98]. By adding this criterion, our election scheme could be used around the world and in many different styles of elections. The current US voting system actually allows a list of participating voters to be generated, since voter names are crossed off of a list prior to them actually casting their ballot.
CHAPTER IV. THE PROPOSED PROTOCOL
Our protocol does not use blind signatures or require anonymous communication channels. Instead, our protocol uses a secure form of communication (e.g. HTTPS in Netscape) for all transactions. Our protocol consists of only four phases (procedures), which are explained below. The phases are registration, pre-voting, voting, and announcement. For clarity, our protocol uses six central facilities. They are the registrar, the authenticator, the distributor, the counter, the matcher, and the verifier. The responsibilities of these facilities will become clear when the protocol phases are described. To reduce costs, in actual implementation it may be possible to combine some facilities, but in doing so one must first ensure that the combined facility will not have access to extra information that would allow the facility to compromise the election process in any way.
Registration Phase. There are four steps involved in the registration phase. The voter only participates in two of the steps. Figure 1 shows a visual representation of the communication between the acting facilities. Figure 1A shows a flow chart of the registration phase.
1. In order to vote, a voter must first register with the registrar to identify himself as an eligible voter.
2. Upon registering, the registrar assigns a unique identification number to the voter, places the voter's name and ID in the registered voter list, and sends the ID without the name to the authenticator.
3. The authenticator generates a unique pair of public/private keys for the ID it received, stores them in a list, and sends the key s together with the ID to the registrar.
4. The registrar then sends the pair back to the voter. (In so doing, the authenticator will not know to whom the given key s belongs without conspiring with the registrar.)
Until everyone has their own digital signatures, it would be impossible to register voters without forcing them to go to the DMV or another such agency, so that their identity could be verified. If all parties already had digital signatures, these could be used to electronically verify their identity.
Remark. The key s may be valid for a long time for multiple elections, or could expire after a given time. If the key were to be kept for a long duration, it would probably be best to have the voter encrypt it with a password of his/her choice, so that no one else could use it. The original, unencrypted key would be destroyed and the encrypted key (still denoted by s) would be stored instead. The voter-encrypted key could be stored on the voter's license or identification card. Even if a license were stolen, a thief would not be able to vote as the voter, since the voter's key is encrypted. A thief would not know they had entered the wrong password until they were informed that they could not be authenticated. In addition, when the individual whose license was lost or stolen goes to get a new license, they would also be forced to re-register. They would be awarded a new key, and their old key would be revoked.
Pre-voting Phase.
The pre-voting phase consists of six steps, with a seventh optional step. See Figure 2 for a visual representation of the facility interaction. Figure 2A shows a flow chart of the pre-voting phase.
1. The registrar sends the number of eligible registered voters to the counter.
2. The counter generates a larger number of ballots than the number of registered voters. Each ballot consists of three things: each of the choices on the ballot, an encrypted version of each choice, and a ballot ID. The counter keeps a record of the decryption key and the ballot ID for each ballot so that the counter can later decrypt the cast votes.
3. The counter sends the ballots to the distributor.
4. The counter sends a copy of the decryption table to the verifier.
5. The counter sends the matching pairs (pairs of a ballot's encrypted and decrypted choices) to the matcher.
6. The registrar sends the authenticator a list of IDs that are eligible for the given election. If desired, the registrar may publish the names of these voters.
7. If desired, the verifier can check the ballots and pairings to confirm that they were properly generated.
Voting Phase. The voting phase consists of nine steps, with the voter participating in eight of the steps. The interaction between facilities is depicted in Figure 3. Figure 3A shows a flow chart of the voting phase.
1. When the voter wishes to participate in the election, he/she contacts the distributor and asks for a ballot.
2. The distributor randomly selects a ballot and sends it to the voter.
3. The voter's Web browser requests the matching pair for the received ballot from the matcher.
4. The matcher sends the voter the appropriate matching pair.
5. The voter then signs the encrypted version of the desired vote using his/her signature key and sends it to the authenticator, along with the ballot's ID number and the voter's own ID.
6. The voter's Web browser informs the distributor that the ballot with the given ballot ID has been cast. (In so doing, the distributor has a record of how many votes are actually cast, and by which ballots. This will prevent any facility from generating votes for unused ballots, solving a major problem in many of the previously discussed protocols.)
7. The voter's Web browser informs the registrar that the voter has cast a vote, but it is not required to tell the registrar which ballot ID it used.
8. The authenticator first checks the signature to authenticate the voter. The authenticator then verifies that the authenticated voter is permitted to vote in the given election. Once authenticated, the authenticator passes only the legitimate encrypted vote and the ballot's ID to the counter. If authentication fails, the authenticator will notify the voter that he/she is not allowed to vote. The authenticator would then notify the registrar and distributor with a cancellation.
9. The voter's browser generates a receipt when the authenticator confirms receiving the ballot packets.
Announcement Phase.
The announcement phase requires no interaction between the different facilities. Each facility merely releases certain information to the public. To verify the integrity of the election, the verifier facility compares certain published lists. An individual voter could also compare some of these lists. The integrity of the election does not require a voter to do so, but allowing a voter to perform such checks increases the security, as explained in Lemma 3 of Section 6. Figure 4A shows a flow chart of the announcement phase.
1. The counter decrypts the votes it has received and tallies the vote.
2. The authenticator publishes list #1 containing the encrypted ballots and the ballot IDs.
3. The counter publishes list #2 containing its version of list #1. Lists 1 and 2 should be identical.
4. The authenticator publishes list #3 consisting of all voter IDs that cast ballots (in numerical order).
5. The registrar looks at list #3 and confirms that only valid voters voted. (This list could also be published if desired.)
6. The verifier confirms that lists 1 and 2 are identical. (To prevent cover-ups, it may be desirable to have lists 1 and 2 sent to the verifier before they are published.)
7. The verifier uses list 1 and the decryption table (from the counter in the pre-voting phase) to confirm the results published by the counter.
8. Voters can look at lists 1 and 2 to see their votes on both of these lists.
9. The distributor looks at lists 1 and 2 to ensure that only legitimate ballots appear. Any illegal ballots can then be removed and the results recalculated. The distributor could also release its list of ballot IDs, but this should be done after the authenticator and the counter have released their encrypted ballot lists.
10. The counter announces the election results, which can be verified by the verifier.
Remark. Revealing the source code, much as is done with PGP, could allow laymen to check the validity and honesty of the facilities.
Ballot & Matching Pair Construction.
A basic ballot that is generated by the counter contains three items. The first is a ballot number. Depending upon the implementation of our protocol, the ballot number would contain sections for the district and election numbers. The remaining two items are lists. One list contains a plain-text version of the ballot choices. The other list contains the ballot choices after being encrypted using the encryption key for the ballot. The two lists are independently permuted, making it impossible to pair a plain-text choice with its encrypted choice without the matching pair for that particular ballot.
The matching pair contains the ballot number and a list of paired numbers. The first number in the pairing corresponds to the plain-text choice. The second number corresponds to the encrypted choice that matches the plain-text version of the first number.
Figure 4 shows a sample ballot and its corresponding matching pair. The ballot number is 134134613. The four possible choices on this ballot are Bush, Dole, Gore, and Ventura. The notation e(Dole) represents Dole after being encrypted with the ballot's key. The matching pair (1,3) designates that the third encrypted choice, e(Bush), corresponds to the first plain-text choice, Bush.
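The four phases of Chapter IV and the ballot and matching-pair construction just described, run end to end as an added example. This is illustrative code written for this page, not the patent's or the university's implementation: the six facilities are plain dicts and sets, textbook RSA with toy key sizes and no padding stands in for the voter's signature key s and for the per-ballot encryption key, and the voter names, voter IDs (1000 + i, and 9999 for an impostor), ballot numbers (134134600 + b), random seed and vote list are all constructed here. The run exercises the two rejections the authenticator makes in voting step 8 (a second ballot under an already-used voter ID, and a ballot signed by a key the authenticator never issued) and the four announcement-phase cross-checks: the registrar on list 3, the verifier on lists 1 and 2 and on its own recount from the decryption table, and the distributor on issued and cast ballot IDs.

```python
"""Added example, not the patent's own code: one end-to-end run of the four phases
(registration, pre-voting, voting, announcement) with the six facilities modelled
as plain dicts and sets.  Textbook RSA with toy key sizes and no padding stands in
for the voter's signature key s and for the per-ballot encryption key; voter names,
voter IDs, ballot numbers, the seed and the vote list are constructed for the example."""
import hashlib, math, random
from collections import Counter

random.seed(7)          # reproducible run for the example; real code uses `secrets`
E = 65537
CANDIDATES = ["Bush", "Dole", "Gore", "Ventura"]       # the patent's Figure 4 ballot

def _is_probable_prime(n, rounds=20):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                             # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def rsa_keypair(bits=256):
    """Returns ((n, e), (n, d)); RSA exponents commute, as the patent's scheme requires."""
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))

def rsa_apply(key, m):
    return pow(m, key[1], key[0])

def sign(priv, data):          # hash-then-sign; a deployment would use RSA-PSS or Ed25519
    return rsa_apply(priv, int.from_bytes(hashlib.sha256(data).digest(), "big"))

def verify(pub, data, sig):
    return rsa_apply(pub, sig) == int.from_bytes(hashlib.sha256(data).digest(), "big") % pub[0]

def make_ballot(bid):
    """Pre-voting step 2: permuted plain list, permuted encrypted list, matching pair, decryption key."""
    pub, priv = rsa_keypair()
    plain, cipher_order = random.sample(CANDIDATES, 4), random.sample(CANDIDATES, 4)
    enc = [rsa_apply(pub, int.from_bytes(c.encode(), "big")) for c in cipher_order]
    pairs = sorted((plain.index(c) + 1, cipher_order.index(c) + 1) for c in CANDIDATES)
    return {"id": bid, "plain": plain, "enc": enc}, pairs, priv

def run_election(voter_names, votes, n_ballots):
    # Registration: registrar keeps name -> ID, authenticator keeps ID -> public key only,
    # and the private key goes to the voter (wallet) with neither facility keeping a copy.
    registrar = {name: 1000 + i for i, name in enumerate(voter_names, 1)}
    pubkeys, wallet = {}, {}
    for vid in registrar.values():
        pubkeys[vid], wallet[vid] = rsa_keypair()
    # Pre-voting: more ballots than voters; ballots -> distributor, pairs -> matcher, table -> verifier.
    assert n_ballots > len(registrar)
    inventory, matcher, dec_table = {}, {}, {}
    for b in range(n_ballots):
        ballot, pairs, priv = make_ballot(134134600 + b)
        inventory[ballot["id"]], matcher[ballot["id"]], dec_table[ballot["id"]] = ballot, pairs, priv
    verifier_table = dict(dec_table)
    # Voting
    issued, cast, voted, seen, auth_list, counter_list = set(), set(), set(), set(), [], []
    for name, choice in votes:
        vid = registrar.get(name, 9999)                # 9999: an unregistered impostor's claimed ID
        key = wallet.get(vid) or rsa_keypair()[1]      # the impostor can only sign with a key of his own
        bid = random.choice(sorted(set(inventory) - issued)); issued.add(bid)   # steps 1-2
        ballot, pairs = inventory[bid], dict(matcher[bid])                       # steps 3-4
        ev = ballot["enc"][pairs[ballot["plain"].index(choice) + 1] - 1]        # matching pair lookup
        msg = f"{bid}:{ev}".encode()
        sig = sign(key, msg)                           # step 5
        cast.add(bid); voted.add(vid)                  # steps 6 and 7
        if vid in pubkeys and vid not in seen and verify(pubkeys[vid], msg, sig):   # step 8
            seen.add(vid); auth_list.append((bid, ev)); counter_list.append((bid, ev))
    # Announcement
    def decode(bid, ev, table):
        m = rsa_apply(table[bid], ev)
        return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()
    tally = Counter(decode(b, ev, dec_table) for b, ev in counter_list)      # step 1
    list1, list2, list3 = sorted(auth_list), sorted(counter_list), sorted(seen)
    checks = {
        "registrar: only registered IDs voted": set(list3) <= set(registrar.values()),
        "verifier: lists 1 and 2 identical": list1 == list2,
        "verifier: recount from list 1 and decryption table matches": Counter(decode(b, ev, verifier_table) for b, ev in list1) == tally,
        "distributor: only issued and cast ballot IDs appear": {b for b, _ in list1} <= (issued & cast),
    }
    return dict(tally), checks, list3
```

Calling run_election(["Alice", "Bob", "Carol"], [("Alice", "Gore"), ("Bob", "Bush"), ("Alice", "Dole"), ("Mallory", "Ventura"), ("Carol", "Gore")], 8) returns the tally {"Gore": 2, "Bush": 1}, every check True, and list 3 equal to [1001, 1002, 1003]: Alice's second ballot and Mallory's ballot are dropped in step 8. The separation the protocol relies on is visible in the data flow: the authenticator handles only encrypted votes and voter IDs, the counter handles only ballot IDs and encrypted votes, and the verifier's recount uses nothing but published list 1 and its own copy of the decryption table. Note that both rejected voters still consumed a ballot from the distributor's inventory, which is why the inventory must be larger than the voter roll.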
CHAPTER V: SECURITY MEASURES AND IMPLEMENTATION
To ensure that elections are held fairly, we must develop security measures to prevent individual modules of our voting system from conspiring with each other. We require that each of the facilities generate a pair of public and private keys of its own. These pairs should be replaced from time to time. To keep elections from being delayed, we recommend changing the keys between elections. We assume that not all of the facilities can be compromised at the same time. This is a reasonable assumption, for there is little one can do if all of the facilities are compromised simultaneously. In any conventional voting system, the overall security and integrity rely on humans. This means that the integrity of a traditional election is only as strong as that of the people running it. We will use a public-key encryption/decryption scheme in which keys commute. To prevent facilities from communicating illegally, all facilities will monitor the facility-facility communication channel.
5.1. Data Protection. Each facility is required to encrypt its database (list of data) on the fly, e.g., one record at a time, using the public keys of all the facilities. By doing so, the only way to completely decode a piece of data would be to acquire the secret keys of all servers, which, by our assumption, is impossible. Because the database is encrypted piece by piece, the facility can easily extract the portion of the data it needs to see from the database and then send it to the other facilities to decrypt it.
It is not necessary to encrypt election results, as they will be released at the end of the election. It would also be very easy to see any discrepancy in the results when all of the lists are released. It is necessary to encrypt the database of the distributor to protect the ballots that have not been given out.
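As an added example, not code from the patent, the following Python builds a ballot and its matching pair in the Figure 4 layout and then seals a database record under every facility's key as Section 5.1 describes. The commutative public-key scheme the text assumes is stood in for by SRA-style modular exponentiation; the Mersenne prime modulus, the 15-byte item limit and the number of facilities are assumptions of this demo.

```python
"""Added example (not from the patent): ballot/matching-pair construction
(Figure 4) and layered, commutative record encryption (Section 5.1). The
commutative public-key scheme the text assumes is stood in for by SRA-style
exponentiation, E_k(m) = m^k mod p, whose keys commute."""
import math
import random
from dataclasses import dataclass

P = 2**127 - 1          # Mersenne prime used as the modulus (assumption)
MAX_BYTES = 15          # plaintext items must encode to an integer below P
_rng = random.SystemRandom()

def keygen() -> tuple[int, int]:
    """Return an (encryption, decryption) exponent pair with e*d = 1 mod (P-1)."""
    while True:
        e = _rng.randrange(2, P - 1)
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)

def encode(text: str) -> int:
    """Map a short string to an integer in [1, P); longer items are rejected."""
    data = text.encode()
    if not 0 < len(data) <= MAX_BYTES or data[0] == 0:
        raise ValueError("item must be 1..15 bytes and not start with NUL")
    return int.from_bytes(data, "big")

def decode(m: int) -> str:
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()

def apply_key(m: int, k: int) -> int:
    """Encryption and decryption are the same operation; layers commute."""
    return pow(m, k, P)

@dataclass
class Ballot:
    ballot_id: int
    plain: list[str]       # plain-text choices, permuted
    encrypted: list[int]   # the same choices encrypted, permuted independently

@dataclass
class MatchingPair:
    ballot_id: int
    pairs: list[tuple[int, int]]   # (plain index, encrypted index), 1-based as in Figure 4

def make_ballot(ballot_id: int, choices: list[str], enc_key: int):
    """Counter side: produce the ballot and the matching pair linking its two lists."""
    plain = list(choices)
    _rng.shuffle(plain)
    # enc_pos[i] is the slot in the encrypted list where the encryption of plain[i] lands
    enc_pos = list(range(len(plain)))
    _rng.shuffle(enc_pos)
    encrypted = [0] * len(plain)
    for i, j in enumerate(enc_pos):
        encrypted[j] = apply_key(encode(plain[i]), enc_key)
    pairs = [(i + 1, j + 1) for i, j in enumerate(enc_pos)]
    return Ballot(ballot_id, plain, encrypted), MatchingPair(ballot_id, pairs)

def cast(ballot: Ballot, mp: MatchingPair, choice: str) -> int:
    """Voter side: use the matching pair to find the encrypted item for a plain
    choice; only that encrypted item is submitted."""
    plain_idx = ballot.plain.index(choice) + 1
    enc_idx = dict(mp.pairs)[plain_idx]
    return ballot.encrypted[enc_idx - 1]

def tally_one(cast_item: int, dec_key: int) -> str:
    """Counter side: recover the choice with the ballot's decryption key."""
    return decode(apply_key(cast_item, dec_key))

def seal_record(record: str, facility_enc_keys: list[int]) -> int:
    """Section 5.1: encrypt one record under every facility's public key, one
    record at a time; no single facility can read it on its own."""
    m = encode(record)
    for k in facility_enc_keys:
        m = apply_key(m, k)
    return m

def peel(sealed: int, dec_key: int) -> int:
    """One facility removes only its own layer (partial decryption); because
    the keys commute the facilities can do this in any order."""
    return apply_key(sealed, dec_key)

if __name__ == "__main__":
    enc, dec = keygen()
    ballot, mp = make_ballot(134134613, ["Bush", "Dole", "Gore", "Ventura"], enc)
    assert tally_one(cast(ballot, mp, "Gore"), dec) == "Gore"
    keys = [keygen() for _ in range(5)]           # five facilities (constructed)
    sealed = seal_record("id=134134613", [e for e, _ in keys])
    for _, d in keys[::-1]:                        # peel in the reverse order
        sealed = peel(sealed, d)
    assert decode(sealed) == "id=134134613"
    print("ballot", ballot.ballot_id, "ok; layered record decrypts in any order")
```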
5.2. Security of Communication Channels. We have two types of communication to deal with. The first type is between facilities, and the second type is between a voter and a facility.
Facility-facility communication. For communications between facilities, we need to ensure that these communications cannot be intercepted or altered; we also need to ensure that facilities do not collaborate to compromise the integrity or anonymity of the election. We accomplish both of these goals using the following protocol. When facility A wants to transmit data to facility B, facility A sends the encrypted data to a randomly selected third facility C. Facility C then decrypts the data with its own secret key, verifies that the size and the structure of the data it received have not been altered, and sends the data to another randomly selected facility D. The process is continued until the data finally reaches facility B, and facility B will be able to read the data after it uses its private key to decrypt the data. Since intermediate facilities cannot completely decrypt the data, they will not know what exactly is being sent. The protocol can ensure that the information being sent is of legitimate size and structure. The only way for an intermediate facility to cheat would be to rearrange the information so it matches this size and structure. This would cause some information, such as some of the ballots, to be left off, but the other facilities would be able to notice this when tabulation occurs.
Since facilities could manipulate this process by breaking illegal data into small parts and reporting sizes that make the data appear legitimate, the facilities should each keep a log of the status of the protocol. This way, communication can only occur between two facilities at appropriate times, and the number of communications they are permitted should be limited.
To reduce the amount of traffic, as well as decryption computation, communication between facilities should be done in large blocks. For instance, the counter should send all of the ballots to the distributor at once, and the authenticator should send the encrypted ballots to the counter in large blocks.
Voter-facility communication. Since we are dealing with the Internet, the most logical form of security for the interaction between the voter and the central facility would be to use HTTPS. HTTPS is already considered to be a secure form of communication for the Internet. It is considered to be a de facto standard; as long as it is viewed as such, it would be reasonable to use HTTPS. If circumstances cause a new standard to arise, this new standard should be adopted for this type of communication.
The only complication on top of HTTPS is that whatever is to be sent to the voter is stored in encrypted form, so the facility cannot simply look up the requested information. Therefore, the facility takes the encrypted data from its database and sends it to the other facilities to remove their encryption. The facility gets the information back, decrypts it with its own secret key, and then looks up the requested information.
5.3. Denial of Service Attacks. In order to ensure that a system designed using our protocol will work properly, we must devise a way to protect against someone using a denial of service attack. Otherwise, by preventing access to a certain district's servers, it would be possible to affect the results of an election. Those districts that traditionally vote one way could be targeted to prevent voters in those districts from being able to vote.
To get around these types of attacks, districts should be designed to share information. Each district would generate the ballots, matching pairs, and ballot decryption keys as previously described. Ballot IDs would contain a district ID, an election ID, and the typical ballot ID. This would prevent districts from having duplicate ballot IDs.
Voters would register with their district. When it comes time to distribute their information, the districts would divide them into groups. Each of these groups would contain districts that traditionally vote differently. These groups would share ballot decryption keys, matching pairs, and valid voter IDs. To prevent the same ballot from being given out to multiple voters, the individual ballots would not be shared with the other districts.
When voters attempt to contact their district's server and are unable to retrieve a ballot due to a denial of service attack, they would be forwarded to the next server in the list. If they were denied service when they attempt to submit their vote, they would likewise be forwarded to the next server. Since all the servers know who can vote, and how to decrypt ballots, any facility can tally the vote. Results from the facilities would then be combined as a whole and compared, instead of comparing each district's results individually.
For local elections, where a voter's ballot is specific to their district, each district would send a chunk of the district's ballots to each of the districts in their group. When a voter requests a ballot, the voter would be given a ballot from his district's ballot box. Each district would be pulling ballots out of a ballot box containing unique ballots for whichever district the voter belongs to.
5.4. Buying Votes or Kidnapping Voters. The ability of one party or candidate to buy votes, or simply force voters to vote a particular way, is increased when an election is held electronically. A candidate could pay potential voters to vote for them and then watch them vote. Likewise, a candidate could kidnap people and force them to vote a particular way. To some degree, if we allow voters to change their vote, our protocol protects against these two types of attacks. The candidate attempting to buy votes would have no guarantee that the voter does not go back and alter their vote. If the candidate buying votes does not watch the voter vote, but merely requires the voter to show a receipt, then since the receipt only contains the encrypted ballot, the candidate has no way to guarantee that the voter voted as desired. Kidnapping voters would require that all the kidnapped voters be held until after the voting phase has ended; if released earlier, voters could change their votes. They would also have to be kidnapped before the process begins, since otherwise they could vote before being kidnapped and then not sign their ballot properly, thus forcing the ballot to be rejected. Kidnapping a large enough number of voters to affect an election and holding them for the duration of the election would easily be detected, and appropriate action could be taken.
CHAPTER VI: PROOF OF COMPLIANCE
In this chapter we provide proofs that our protocol satisfies all nine of the criteria defined in Chapter III. Recall that we assume that not all facilities collaborate at the same time. We first prove the following lemma.
Lemma 1. If no facility knows all other facilities' secret keys, then any collaboration among facilities can be detected by a non-collaborating facility.
Proof. We note that each facility's data is stored in an encrypted form with all the other facilities' public keys. The collaborating facilities cannot bypass the other facilities, because without them the data cannot be decrypted. Hence, the only way for two facilities A and B to collaborate is to cheat: the sending facility A does not encrypt the data and sends the data directly to the receiving facility B. Such activities can be detected by a non-collaborating facility C by monitoring the data transactions in the following ways.
Case 1. Facility A specifies that facility B is the destination facility and sends the data directly to B. Then the non-collaborating facility C can find out that A cheats because C must receive the data before B does.
Case 2. Facility A specifies that facility B is not the destination, but picks B to be the first facility to pass the data. Then the non-collaborating facility C can find out that A cheats after a few rounds of transactions because A is supposed to randomly pick a third facility to send the data and C should have a chance to receive it in a few rounds.
A similar proof applies to the case where more than two facilities collaborate. This completes the proof.
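The relay of Section 5.2 and the two detection cases of this proof, as an added simulation that is not part of the patent: every hop is written to the channel log that all facilities monitor, and a monitoring facility checks that log for Case 1 (a direct send) and Case 2 (an originator that never picks the monitor as first hop). The facility names, the constructed traffic and the 20-message threshold for Case 2 are assumptions of this demo.

```python
"""Added example (not from the patent): a simulation of the facility-to-facility
relay of Section 5.2 together with the two detection cases from the proof of
Lemma 1. Facility names and the shared channel log are constructed for the demo."""
import random
from dataclasses import dataclass

@dataclass
class Message:
    msg_id: int
    src: str
    dst: str
    payload: bytes
    declared_size: int   # announced by the originator and re-checked at every hop

@dataclass(frozen=True)
class ChannelEntry:
    """One transmission on the channel that all facilities monitor."""
    msg_id: int
    sender: str
    receiver: str
    src: str
    dst: str

def relay(msg: Message, facilities: list[str], rng: random.Random,
          channel: list[ChannelEntry], cheat_direct: bool = False) -> list[str]:
    """Route msg from msg.src to msg.dst through randomly chosen facilities,
    logging every hop. Each receiving facility checks the declared size against
    the data before passing it on. With cheat_direct the originator breaks the
    protocol and hands the data straight to the destination (Lemma 1, Case 1)."""
    path = [msg.src]
    holder = msg.src
    while holder != msg.dst:
        if holder == msg.src and not cheat_direct:
            # the originator must hand the data to a random third facility
            nxt = rng.choice([f for f in facilities if f not in (msg.src, msg.dst)])
        elif holder == msg.src:
            nxt = msg.dst
        else:
            # an intermediate may pass it to any other facility, the destination included
            nxt = rng.choice([f for f in facilities if f != holder])
        channel.append(ChannelEntry(msg.msg_id, holder, nxt, msg.src, msg.dst))
        if len(msg.payload) != msg.declared_size:
            raise ValueError(f"{nxt} rejects message {msg.msg_id}: size mismatch")
        path.append(nxt)
        holder = nxt
    return path

def first_hops(channel: list[ChannelEntry]) -> dict[int, ChannelEntry]:
    """The first transmission recorded for each message id."""
    firsts: dict[int, ChannelEntry] = {}
    for entry in channel:
        firsts.setdefault(entry.msg_id, entry)
    return firsts

def detect_direct_sends(channel: list[ChannelEntry]) -> list[int]:
    """Lemma 1, Case 1: the originator sent straight to the declared destination,
    so no third facility saw the data before the destination did."""
    return sorted(e.msg_id for e in first_hops(channel).values() if e.receiver == e.dst)

def detect_avoided_monitor(channel: list[ChannelEntry], monitor: str,
                           originator: str, min_messages: int = 20) -> bool:
    """Lemma 1, Case 2: over many messages the originator never chose the monitor
    as first hop, although a random choice should reach it within a few rounds.
    Messages addressed to the monitor itself are excluded, since there the
    monitor legitimately cannot be the first hop."""
    firsts = [e for e in first_hops(channel).values()
              if e.sender == originator and e.dst != monitor]
    if len(firsts) < min_messages:
        return False
    return all(e.receiver != monitor for e in firsts)

if __name__ == "__main__":
    facilities = ["registrar", "authenticator", "distributor", "counter", "verifier"]
    rng = random.Random(7)
    channel: list[ChannelEntry] = []
    for i in range(30):                 # constructed traffic: counter -> distributor
        relay(Message(i, "counter", "distributor", b"ballots", 7), facilities, rng, channel)
    print("honest traffic, direct sends flagged:", detect_direct_sends(channel))
    relay(Message(99, "counter", "distributor", b"ballots", 7), facilities, rng,
          channel, cheat_direct=True)
    print("after one cheating send, flagged:", detect_direct_sends(channel))
```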
Based on Lemma 1, we assume that no facilities collaborate in the rest of the proofs presented below.
Lemma 2. The democracy criterion is satisfied.
Proof. We assume that no cheating occurs in the registration phase; otherwise, there is little we can do no matter what voting protocol is used.
We first show that only eligible voters are allowed to vote. If an ineligible voter tries to vote, the authenticator can notice this and will not allow the vote to be cast. If the authenticator cheats by allowing an ineligible voter to participate in the election, the registrar will notice this when it receives the list of IDs that voted. If the registrar allows an ineligible voter to vote, then either too many voters would be permitted to vote, or an eligible voter would be denied the right to vote by the authenticator. In the first case, since we know the exact number of eligible voters for the given election in the registration phase, the authenticator or the counter would notice that too many people were being allowed to participate. In the second case, the voter will be notified and so the voter can challenge the registrar or the authenticator. The voter could request the registrar to inform the authenticator that he/she is eligible, which may then result in the first case. Next, we show that each eligible voter can only vote once. If a voter tries to vote twice, the authenticator would notice that the signature key and ID had already been used. Depending upon the voting scenario, the new vote would either overwrite the old vote, or it would simply be ignored. If the authenticator tries to pass the new vote on anyway, it would have to place it in place of someone else's vote, because otherwise the lists posted at the end would not match in length. The registrar, however, has its own list of voters and of the IDs that actually voted. Eventually, there would be a conflict with these lists. This completes the proof.
Lemma 3. The accuracy criterion is satisfied.
Proof. Due to the fact that voters are given a receipt, and that they are allowed to view the published lists as described in the Announcement Phase, a voter's vote cannot be altered, duplicated, or removed without being detected. An attempt to alter or remove votes would be futile since the cheating party would not know which voters are going to check for their ballot. If a cheater changes a ballot and the voter who cast the ballot examines the list, it would be evident that fraud had occurred. Appropriate measures could then be taken to remedy the error. In a large-scale election, the cheater would be required to alter many ballots, increasing the likelihood of being caught.
There are three kinds of votes that are considered invalid, namely, votes made by ineligible voters, votes made by eligible voters but in an incorrect format, and votes generated by central facilities for unused ballots. For the first kind of invalid votes, as shown in the proof of Lemma 2, they will be detected before the final result is announced, and so they will not be counted. For the second kind, the counter will not be able to tally them since they are in the wrong format. For the third kind, since many lists are published at the end of the election, no facility can generate votes for unused ballots without being detected. This completes the proof.
Lemma 4. The privacy criterion is satisfied.
Proof. The only facility that can see the voters' names is the registrar. The registrar, however, can only see the encrypted ballot cast by a particular voter's ID. The registrar has no way to decrypt this vote without collaborating with the counter. We have shown in Lemma 1 that this cannot occur.
Lemma 5. The verifiability criterion is satisfied.
Proof. Voters can be sure that their votes were tabulated by verifying that their ID and encrypted key are in the lists posted by the authenticator and the counter. Moreover, the voters are not relied upon to verify their votes because this is the job of the verifier. Although we do not require voters to check their ballots, it can be assumed that some will. Therefore, since the verifier does not know who will check their ballots, the verifier cannot cheat without being detected.
Lemma 6. The simplicity criterion is satisfied.
Proof. The voter is required to do very little, except that he/she needs to register and vote. The facilities do the majority of the work, with the voter's computer doing very minor calculations, and voters can vote with minimal equipment and skill.
Lemma 7. The mobility criterion is satisfied.
Proof. This is straightforward since our protocol is to be used over the World Wide Web. A voter can participate in the election anywhere there is access to the Internet.
Lemma 8. The efficiency criterion is satisfied.
Proof. As we mentioned earlier, in our protocol the facilities do most of the computations. In particular, all the calculations, except the signatures, are done before the voting even occurs. This means that very little time is consumed in the actual voting process. The main delay in voting would be the actual network communication. If the voting population were divided into districts, the network delay would be minimal. Keeping the facilities in close physical proximity, connected via a high-speed network, would also minimize delays. We can run the facilities using powerful computers (or special-purpose computers) to increase efficiency.
Lemma 9. The scalability criterion is satisfied.
Proof. Since our protocol is to be run over the World Wide Web, it is easily scalable and divisible. If districts are desired or needed, our protocol will accommodate that by having each district run its own facilities. Large-scale elections would run more smoothly if they were partitioned, but it is not necessary to do so.
Lemma 10. The responsibility criterion can be satisfied.
Proof. As we mentioned before, the responsibility criterion is an optional requirement; it is not required in US elections, but it is desirable in Australian elections. If this criterion is desired, the registrar can easily make it possible by publishing the names of those who have voted.
CHAPTER VII: ADDITIONAL PROPERTIES
In addition to the properties we proved in Chapter VI, we outline below some additional properties of our voting protocol.
• Our protocol can be easily modified to allow the facilities to hold multiple elections simultaneously. For instance, we can participate in a nationwide election at the same time we vote for local officials or ordinances. This could be achieved by adding an election ID to the ballots. The ID would tell the facilities what election the given ballot is for. Voters would request a set of ballots instead of a single ballot.
• Voters may be allowed to change their vote. This could be done in one of two ways. First, the authenticator holds all votes until the end; to change a vote, the voter simply resubmits it, and the authenticator throws out the old vote and keeps the new one. Second, when the authenticator sees that the voter has already cast his/her ballot for the given election, the authenticator asks the counter to remove the ballot from its list. The authenticator then sends the new vote to the counter. As an added benefit of this property, we can make vote selling more difficult, because the buyer now has to lock up the seller until the end of the election to prevent the seller from changing his/her vote.
• If voters were permitted to change their vote, the threat of organizations buying votes would be eliminated. Organizations could not be guaranteed that the voter would not alter their vote after being paid. Organizations could still kidnap voters and force them to vote a particular way, but this would be much easier to detect than simply paying the poor for their votes.
• Our protocol can handle many types of elections (e.g., several candidates, picking multiple candidates, write-in), with very limited modification.
• Interested parties could have their own facilities designed to check the integrity of the election.
• Using the distributor facility, we are allowing elections to occur on the Internet without worrying about hiding or masking IP addresses. The distributor facility also provides additional assurance of the integrity of the election.
Final remark. If the parties running the individual facilities would not collaborate (e.g., due to conflicting interests) and they are in a secure environment, then some of the security measures, such as encrypting data using the public keys of all facilities, could be removed.
With the rapid spread and availability of the required technology, it is only a matter of time before society turns to the need for electronic elections. Much like an old pair of jeans, society has outgrown the conventional election. However, before this can occur a way of holding elections electronically must be developed and tested. At least, it must be as simple to use, secure, and anonymous as the current system. Ideally, it should be superior to the conventional model, because it should not be limited to location, size, or the influence of those overseeing the election.
We have shown that existing schemes for electronic elections do not satisfy all of the requirements for an electronic election. As a result, we have introduced a new scheme that satisfies all of our requirements. In addition, we have provided logical proofs supporting our claims toward the satisfaction of each of the requirements. We have also suggested several techniques for securing this protocol to fit the needs and environment of the election. While the scheme has not been implemented, we have shown that the techniques supporting the scheme are fundamentally solid.
Referring now to the drawings in general and Figure 5 in particular, it will be understood that the illustrations are for the purpose of describing preferred embodiments of the invention and are not intended to limit the invention thereto. As best seen in Figure 5, an election system, generally designated 10, is shown constructed according to an embodiment of the present invention. In this embodiment, the election system 10 includes a registrar 12, a plurality of ballots 14 as depicted in Figure 3, a plurality of authentication codes 112, a data reconciler 18, and a tally system 34. As seen in Figures 5 and 6, the registrar 12 includes a registrar link 20 that permits communication with at least a plurality of voters 22. For example, the registrar link 20 permits a voter 28 of the plurality of voters 22 to obtain a unique voter ID 24 by registering with the registrar 12. The plurality of ballots 14 is for distribution to at least a portion of the plurality of voters 22. Each ballot includes a unique ballot ID 26 and a corresponding list of plain data 30 (sometimes herein referred to as a plain text version). The plurality of authentication codes 112 is generated such that one authentication code 112 is used with a corresponding cast ballot of the plurality of ballots 14. As seen in Figure 5, the data reconciler 18 includes a data reconciler link 32 for communication to at least the registrar 12. Also, as seen in Figures 5 and 9, the tally system 34 includes a tally system link 36 for communication to at least the data reconciler 18.
In an alternative embodiment according to the present invention, an election system 10 includes a registrar 12, a plurality of ballots 14 and a data reconciler 18. The registrar 12 includes a registrar link 20 that permits communication. For example, the registrar link 20 permits a voter 28 of the plurality of voters 22 to obtain a unique voter ID 24 by registering with the registrar 12. At least a portion of the plurality of ballots 14 is for distribution to at least a portion of the plurality of voters 22. Each ballot includes a unique ballot ID 26 and a corresponding list of plain data 30. The data reconciler 18 includes a data reconciler link 32 for communication to at least the registrar 12.
In still another alternative embodiment of the present invention, an election system 10 includes a registrar 12, a plurality of ballots 14, a plurality of authentication codes 112 and a data reconciler 18. The registrar 12 includes a registrar link 20 that permits communication. For example, the registrar link 20 permits a voter 28 of the plurality of voters 22 to obtain a unique voter ID 24 by registering with the registrar 12. At least a portion of the plurality of ballots 14 is for distribution to at least a portion of the plurality of voters 22. Each ballot may include a unique ballot ID 26 and a corresponding list of plain data 30. The plurality of authentication codes 112 is generated such that one authentication code 112 is used with a corresponding cast ballot of the plurality of ballots 14. The data reconciler 18 includes a data reconciler link 32 for communication to at least the registrar 12.
As seen in Figures 5, 9 and 11, the election system 10 includes a counter 40. As depicted in Figure 11, the counter 40 of election system 10 includes a counter link 42, a ballot generator 44, a ballot authenticator 64, a counter database 72, a counter key generator 74, a counter database encryptor 76, and a counter database decryptor 80. The counter link 42 of the counter 40 provides for communication within at least the election system 10.
The ballot generator 44 generates the plurality of ballots 14. A secure ballot generator is preferred. As depicted in Figure 11, the ballot generator 44 includes a matching pair generator 46, a ballot encryption key generator 52, a ballot encryptor 56, and a ballot decryption key generator 60. The matching pair generator 46 generates a matching pair 50 corresponding to each unique ballot ID 26 and each corresponding list of plain data 30 for each ballot of the plurality of ballots 14. The ballot encryption key generator 52 generates a plurality of ballot encryption keys 54 corresponding to each of the plurality of ballots 14. A preferred ballot encryption key generator 52 is a ballot encryption key-decryption key pair generator. The ballot encryptor 56 encrypts the corresponding list of plain data 30 for each of the plurality of ballots 14 using the corresponding plurality of ballot encryption keys 54. The ballot decryption key generator 60 generates a plurality of ballot decryption keys 62 corresponding to the plurality of ballots 14 to facilitate decryption thereof. As noted, the ballot encryption key generator 52 may be a ballot encryption key-decryption key pair generator, in which case the ballot decryption key generator 60 may be part of the ballot encryption key generator 52.
The ballot authenticator 64 authenticates cast ballots. As depicted in Figure 11, the ballot authenticator 64 includes a tallier 66 and a decryptor 70. The tallier 66 tallies cast ballots, preferably after the cast ballots have been determined to be authentic. The decryptor 70 decrypts cast ballots prior to tallying cast ballots.
The counter database 72 includes at least the unique ballot IDs 26 of the plurality of ballots 14. As depicted in Figure 11, counter database 72 further includes a ballot decryption key 62, the plurality of ballots 14, matching pairs 50, and ballot encryption key 54. Each ballot decryption key 62, matching pair 50 and ballot encryption key 54 set corresponds to a unique ballot ID 26 of the plurality of ballots 14.
As depicted in Figure 11, the counter key generator 74 is a public key-private key pair generator. The counter database encryptor 76 encrypts data prior to storing the data in the counter database 72. A preferred counter database encryptor 76 is an on the fly encryptor. The counter database encryptor 76 preferably uses public keys generated by a plurality of facilities of the election system 10 to encrypt the counter database 72.
As depicted in Figure 11, decryption of data within the counter database 72 by the counter database decryptor 80 may be necessary prior to one having the ability to access the data. A preferred counter database decryptor 80 is a partial decryptor.
As seen in Figures 5, 9 and 10, the election system 10 includes a matcher 82. As depicted in Figure 10, the matcher 82 of election system 10 includes a matcher link 84, a matcher database 86, a matcher key generator 90, a matcher database encryptor 92, and a matcher database decryptor 94. The matcher link 84 is for communication at least within the election system 10 and in particular with the plurality of voters 22.
The matcher database 86 has at least a matching pair 50 corresponding to each of the unique ballot IDs 26 of the plurality of ballots 14.
As depicted in Figure 10, the matcher key generator 90 is a public key-private key pair generator. The matcher database encryptor 92 encrypts data prior to storing the data in the matcher database 86. A preferred matcher database encryptor 92 is an on the fly encryptor. The matcher database encryptor 92 preferably uses public keys generated by a plurality of facilities of the election system 10 to encrypt the matcher database 86.
As depicted in Figure 10, decryption of data within the matcher database 86 by the matcher database decryptor 94 may be necessary prior to one having the ability to access the data. A preferred matcher database decryptor 94 is a partial decryptor.
As seen in Figures 5, 9 and 12, the election system 10 includes a distributor 96. As depicted in Figure 10, the distributor 96 of election system 10 includes a distributor link 100, a distributor database 102, a distributor key generator 104, a distributor database encryptor 106, and a distributor database decryptor 110. The distributor link 100 is for communication at least within the election system 10 and in particular with the plurality of voters 22. The distributor database 102 has at least the plurality of ballots 14.
As depicted in Figure 12, the distributor key generator 104 is a public key-private key pair generator. The distributor database encryptor 106 encrypts data prior to storing the data in the distributor database 102. A preferred distributor database encryptor 106 is an on the fly encryptor. The distributor database encryptor 106 preferably uses public keys generated by a plurality of facilities of the election system 10 to encrypt the distributor database 102.
As depicted in Figure 12, decryption of data within the distributor database 102 by the distributor database decryptor 110 may be necessary prior to one having the ability to access the data. A preferred distributor database decryptor 110 is a partial decryptor.
As depicted in Figure 4, the plurality of ballots 14 includes the list of plain data 30 and an encrypted version 114 thereof.
The data reconciler 18 provides the authentication code 112. One alternative for the authentication code 112 is an encrypted version 114 of the list of plain data 30. The encrypted version 114 of the list of plain data 30 is provided to the distributor 96 for providing to the plurality of voters 22.
As depicted in Figure 4, the plurality of matching pairs 50 corresponds to an encrypted version 114 of the list of plain data 30. The data reconciler 18 provides the plurality of matching pairs 50. In particular, the plurality of matching pairs 50 is provided to the matcher 82 for distribution to the plurality of voters 22.
As seen in Figures 5 and 6, the election system 10 includes the registrar 12. As depicted in Figure 6, the registrar 12 of election system 10 includes a registrar link 20, a voter identifier 116, a registrar database 120, a registrar key generator 124, a registrar database encryptor 126, a voter ID generator 134, and a registrar database decryptor 130. The registrar link 20 is for communication at least within the election system 10 and in particular with the plurality of voters 22. A preferred registrar link 20 is bi-directional. To that end, the registrar link 20 may be an Internet link 132.
The voter identifier 116 is for determining the identity of the plurality of voters 22 that have cast a vote. As depicted in Figure 6, the registrar database 120 includes voter information 122 such as voter names 128 and unique voter ID 24 of the plurality of voters 22.
As depicted in Figure 6, the registrar key generator 124 is a public key-private key pair generator. The registrar database encryptor 126 encrypts data prior to storing the data in the registrar database 120. A preferred registrar database encryptor 126 is an on the fly encryptor. The registrar database encryptor 126 preferably uses public keys generated by a plurality of facilities of the election system 10 to encrypt the registrar database 120.
As depicted in Figure 6, decryption of data within the registrar database 120 by the registrar database decryptor 130 may be necessary prior to one having the ability to access the data. A preferred registrar database decryptor 130 is a partial decryptor. The unique voter ID 24 facilitates communication between a voter 28 of the plurality of voters 22 and the data reconciler 18. Also, the unique voter ID 24 facilitates communication between a voter 28 of the plurality of voters 22 and the registrar 12. Moreover, the unique voter ID 24 permits a voter 28 of the plurality of voters 22 to obtain a ballot of the plurality of ballots 14. Also, the unique voter ID 24 permits verifying that a voter 28 of the plurality of voters 22 has cast a ballot of the plurality of ballots 14.
As depicted in Figure 6, the unique voter ID generator 134 includes a counter 136 for determining the number of unique IDs generated. The registrar link 20 facilitates providing the unique voter ID 24 from the data reconciler 18 to a voter 28. Moreover, the registrar link 20 facilitates providing a voter private key 140 to a voter 28 of the plurality of voters 22. In a preferred embodiment, the registrar 12 passes the voter private key 140 to the voter 28 of the plurality of voters 22 without keeping a copy of the voter private key 140.
As seen in Figures 5 and 7, the election system 10 includes an authenticator 142. As depicted in Figure 7, the authenticator 142 of election system 10 includes an authenticator link 144, a voter authenticator 146, an authenticator database 150, a voter key generator 154, a voter authenticator key generator 156, an authenticator database encryptor 160, and an authenticator database decryptor 162. The authenticator link 144 is for communication at least within the election system 10 and in particular with at least the registrar 12. The authenticator database 150 includes a plurality of voter ID-decryption key pairs 152. Preferred voter ID-decryption key pairs 152 are voter ID-voter public key pairs.
The voter key generator 154 is a voter decryption key generator. A preferred voter key generator 154 is a voter public key-private key pair generator.
As depicted in Figure 7, the authenticator key generator 156 is a public key-private key pair generator. The authenticator database encryptor 160 encrypts data prior to storing the data in the authenticator database 150. A preferred authenticator database encryptor 160 is an on-the-fly encryptor. The authenticator database encryptor 160 preferably uses public keys generated by a plurality of facilities of the election system 10 to encrypt the authenticator database 150.
As depicted in Figure 7, decryption of data within the authenticator database 150 by the authenticator database decryptor 162 may be necessary before the data can be accessed. A preferred authenticator database decryptor 162 is a partial decryptor.
As seen in Figures 5 and 8, the election system 10 includes a verifier 164. As depicted in Figure 8, the verifier 164 of election system 10 includes a verifier link 166, a vote counter 170, a verifier database 174, a verifier key generator 176, a verifier database encryptor 180, and a verifier database decryptor 182. The verifier link 166 is for communication at least within the election system 10. The vote counter 170 counts cast ballots to verify a vote tally. A preferred vote counter 170 facilitates the independent counting of cast ballots to verify a vote tally. The vote counter 170 includes a ballot decryptor 172 for decrypting cast ballots to permit counting of the vote tally.
The verifier database 174 includes a plurality of ballot ID-decryption key pairs 168. Preferred ballot ID-decryption key pairs 168 are ballot ID-voter public key pairs.
As depicted in Figure 8, the verifier key generator 176 is a public key-private key pair generator. The verifier database encryptor 180 encrypts data prior to storing the data in the verifier database 174. A preferred verifier database encryptor 180 is an on-the-fly encryptor. The verifier database encryptor 180 preferably uses public keys generated by a plurality of facilities of the election system 10 to encrypt the verifier database 174.
As depicted in Figure 8, decryption of data within the verifier database 174 by the verifier database decryptor 182 may be necessary before the data can be accessed. A preferred verifier database decryptor 182 is a partial decryptor.
A data reconciler link 32 permits communication with a voter 28 of the plurality of voters 22. A preferred communication method with a voter 28 is via an Internet link 132. Alternatively, communication with a voter 28 is via an Intranet link. Communication with a voter 28 may be direct or indirect.

Our invention is a new electronic voting protocol that can be used for large-scale online elections. In particular, our protocol satisfies the following requirements:
1. Democracy: Only eligible voters are permitted to vote, and they can do so only once.
2. Accuracy: A voter's vote cannot be altered, duplicated, or removed without being detected. Invalid votes are not tabulated in the final tally.
3. Privacy: Votes remain anonymous.
4. Verifiability: Voters can be sure that their votes are tabulated correctly, but voters are not required to verify their votes in order to ensure election integrity.
5. Simplicity: Voters can finish voting quickly, with minimal equipment or special skills.
6. Mobility: Voters are not restricted to a physical location from which they can cast their votes.
7. Efficiency: The election can be held in a timely manner (i.e. all computations during the election are done in a reasonable amount of time and voters are not required to wait on other voters to complete their ballot).
8. Scalability: The size of the election will not drastically affect performance.
9. Responsibility: Eligible voters who have not voted can be identified. (This is an optional requirement.)
Our protocol uses a secure form of communication (e.g. HTTPS in Netscape) for all transactions over the World Wide Web. In particular, our protocol consists of four phases (procedures), which are explained below. The phases are registration, pre-voting, voting, and announcement.
For clarity, our protocol uses six central facilities. They are the registrar, the authenticator, the distributor, the counter, the matcher, and the verifier. The responsibilities of these facilities will become clear when the protocol phases are described. To reduce costs, in actual implementation it may be possible to combine some facilities, but in doing so one must first ensure that the combined facility will not have access to extra information that would allow the facility to compromise the election process in any way.
Registration Phase. Four steps are involved in the registration phase. The voter participates in only two of the steps. Figure 1 shows a visual representation of the communication between the acting facilities.
1. In order to vote, a voter must first register with the registrar to identify himself as an eligible voter.
2. Upon registering, the registrar assigns a unique identification number to the voter, places the voter's name and ID in the registered voter list, and sends the ID without the name to the authenticator.
3. For each ID it receives, the authenticator generates a unique pair of public/private keys (Pub_Key_ID, Priv_Key_ID), stores (ID, Pub_Key_ID) in a list, and sends (ID, Priv_Key_ID) to the registrar.
4. The registrar then sends the pair (ID, Priv_Key_ID) back to the voter. (In so doing, the authenticator will not know whom the given key Priv_Key_ID belongs to without conspiring with the registrar. The voter uses his/her key Priv_Key_ID to sign his/her ballot in the voting phase.)
Remark. The signature key Priv_Key_ID may be valid for a long time for multiple elections, or could expire after a given time. If the key were to be kept for a long duration, it would probably be best to have the voter encrypt it with a password of his/her choice, so that no one else could use it. The original, unencrypted key would be destroyed and the encrypted key would be stored instead. The voter-encrypted key could be stored on the voter's license or identification card. Even if a license were stolen, a thief would not be able to vote as the voter, since the voter's key is encrypted. In addition, when the individual whose license was lost or stolen goes to get a new license, he/she would also be forced to re-register for a new key, and the old key would be revoked.
If a voter does not have a signature key yet, he/she is required to visit the DMV or another such agency to have his/her identity verified and obtain a signature key. After a voter obtains a signature key, he/she is no longer required to visit the DMV for a new signature key, since the existing key can be used to verify his/her identity electronically.
Pre-voting Phase.
The pre-voting phase consists of six steps, with a seventh optional step. See Figure 2 for a visual representation of the facility interaction.
1. The registrar sends the number of eligible registered voters to the counter.
2. The counter generates a larger number of ballots than the number of registered voters. Each ballot consists of three things: each of the choices on the ballot, an encrypted version of each choice, and a ballot ID. The counter keeps a record of the decryption key and the ballot ID for each ballot so that the counter can later decrypt the cast votes. The counter also keeps a record of the mappings of ballot choices to encrypted ballot choices for each ballot.
3. The counter sends the ballots to the distributor.
4. The counter sends a copy of the decryption table to the verifier.
5. The counter sends the match pairings (the mapping of a ballot's encrypted choices to its decrypted choices) to the matcher.
6. The registrar sends the authenticator a list of IDs that are eligible for the given election. If desired, the registrar may publish the names of these voters.
7. If desired, the verifier can check the ballots and pairings to confirm that they were properly generated.
Voting Phase.
The voting phase consists of nine steps, with the voters, or their browsers, participating in eight of the steps. The majority of these steps are simple Web transactions. The interaction between entities is depicted in Figure 3.
1. When the voter wishes to participate in the election, he/she contacts the distributor and asks for a ballot.
2. The distributor randomly selects a ballot and blindly sends it to the voter.
3. The voter's Web browser requests the matching pair for the received ballot from the matcher.
4. The matcher sends the voter the appropriate matching pair.
5. The voter then signs the encrypted version of the desired vote using his/her signature key Priv_Key_ID and sends it to the authenticator, along with the ballot's ID number and the voter's ID.
6. The voter's Web browser informs the distributor that the ballot with the given ballot ID has been cast. (In so doing, the distributor has a record of how many votes are actually cast, and by which ballots. This will prevent any facility from generating votes for unused ballots, solving a major problem in many of the previously discussed protocols.)
7. The voter's Web browser informs the registrar that the voter has cast a vote, but it is not required to tell the registrar which ballot ID it used.
8. The authenticator first checks the signature to authenticate the voter. The authenticator then verifies that the authenticated voter is permitted to vote in the given election. Once authenticated, the authenticator passes only the legitimate encrypted vote and the ballot's ID to the counter. If authentication fails, the authenticator will notify the voter that he/she is not allowed to vote. The authenticator would then notify the registrar and distributor with a cancellation.
9. The voter's browser generates a receipt when the authenticator confirms receiving the ballot packets.
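The ballot selection, matching-pair lookup and choice encoding of steps 2 through 5 above, as an added example that is not part of the patent: it builds the sample ballot the patent describes later under "Ballot & Matching Pair Construction" (ballot number 134134613; choices Bush, Dole, Gore, Ventura) and assumes a SHA-256 keystream XOR as a stand-in cipher, with the per-ballot key kept in the counter's decryption table.

```python
"""Ballot and matching-pair construction as described in the patent, as an
added example (not the patent's code).

Counter side: a per-ballot key encrypts every choice; the plain-text list and
the encrypted list are shuffled independently, so the ballot alone does not
reveal which ciphertext is which candidate.  The matching pair, held by the
matcher, records (plain-text position, encrypted position), 1-based as in
Figure 4.  Voter side: the browser uses the matching pair to pick the
encrypted twin of the chosen candidate and submits only that.

The cipher below is a SHA-256 keystream XOR used purely as a stand-in; it is
not the patent's choice and is not suitable for production.
"""
import hashlib
import random
import secrets
from dataclasses import dataclass

NONCE_LEN = 8


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from SHA-256(key || nonce || block)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def encrypt_choice(key: bytes, choice: str) -> bytes:
    """Stand-in cipher: nonce || (choice XOR keystream)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    data = choice.encode()
    ks = _keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, ks))


def decrypt_choice(key: bytes, blob: bytes) -> str:
    """Counter side: recover the plain-text choice with the ballot's key."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks)).decode()


@dataclass
class Ballot:
    number: int          # ballot number, e.g. 134134613 in Figure 4
    plain: list          # shuffled plain-text choices
    encrypted: list      # independently shuffled encrypted choices


@dataclass
class MatchingPair:
    number: int
    pairs: list          # (plain position, encrypted position), 1-based


def make_ballot(number: int, choices, key: bytes, rng: random.Random):
    """Counter side: build a ballot and its matching pair.

    The counter keeps `key` under `number` in its decryption table; the
    ballot goes to the distributor and the matching pair to the matcher.
    """
    plain = list(choices)
    rng.shuffle(plain)
    enc_order = list(choices)
    rng.shuffle(enc_order)
    encrypted = [encrypt_choice(key, c) for c in enc_order]
    pairs = [(plain.index(c) + 1, enc_order.index(c) + 1) for c in plain]
    return Ballot(number, plain, encrypted), MatchingPair(number, pairs)


def select_encrypted_choice(ballot: Ballot, match: MatchingPair, choice: str) -> bytes:
    """Voter's browser: map the chosen plain-text entry to its encrypted twin."""
    if match.number != ballot.number:
        raise ValueError("matching pair belongs to a different ballot")
    plain_pos = ballot.plain.index(choice) + 1
    enc_pos = dict(match.pairs)[plain_pos]
    return ballot.encrypted[enc_pos - 1]


# Constructed sample using the Figure 4 ballot number and candidate names.
FIGURE4_NUMBER = 134134613
FIGURE4_CHOICES = ["Bush", "Dole", "Gore", "Ventura"]


def build_sample(seed: int = 4):
    """Return (ballot, matching pair, decryption table) for the sample ballot."""
    key = secrets.token_bytes(32)
    ballot, match = make_ballot(FIGURE4_NUMBER, FIGURE4_CHOICES, key, random.Random(seed))
    return ballot, match, {ballot.number: key}   # decryption table: number -> key


def cast_and_count(choice: str, seed: int = 4) -> str:
    """Round trip: the voter picks `choice`, the counter decrypts what was sent."""
    ballot, match, table = build_sample(seed)
    submitted = select_encrypted_choice(ballot, match, choice)
    return decrypt_choice(table[ballot.number], submitted)


if __name__ == "__main__":
    ballot, match, _ = build_sample()
    print(ballot.number, ballot.plain, match.pairs)
    print(cast_and_count("Bush"))   # Bush
```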
Announcement Phase.
The announcement phase requires no interaction between the different facilities. Each facility merely releases certain information to the public. To verify the integrity of the election, the verifier facility compares certain published lists. An individual voter could also compare some of these lists. The integrity of the election does not require a voter to do so, but allowing a voter to perform such checks increases the security, as explained in Lemma 3 of Section 6 of our paper [KW99], which is included as an attachment to this document.
o The counter decrypts the votes it has received and tallies the vote.
o The authenticator publishes a list, called List 1, containing the encrypted vote and the ballot ID.
o The counter publishes a list, called List 2, containing its version of List 1. Both Lists 1 and 2 should be identical.
o The authenticator publishes a list, called List 3, consisting of all voter IDs that cast ballots (in numerical order).
o The registrar looks at List 3 and confirms that only valid voters voted. (The registrar could publish a list of all eligible voters if desired.)
o The verifier confirms that Lists 1 and 2 are identical. (To prevent cover-ups, it may be desirable to have Lists 1 and 2 sent to the verifier before they are published.)
o The verifier uses List 1 and the decryption table (from the counter in the pre-voting phase) to confirm the results published by the counter.
o Voters can look at Lists 1 and 2 to see their votes on both of these lists. They can also check for their ID in List 3.
o The distributor looks at Lists 1 and 2 to ensure that only legitimate ballots appear. Any illegal ballots can then be removed and the results recalculated.
o The distributor could also release its list of ballot IDs, but this should be done after the authenticator and the counter have released their encrypted ballot lists.
o The counter announces the election results, which can be verified by the verifier.
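The cross-checks of the announcement phase (Lists 1 and 2 identical, only eligible voters in List 3, only distributed and cast ballots present, recount against the decryption table), as an added example that is not the patent's code. The lists, eligible-voter set, distributor records and decryption table are constructed sample data, and the decryption table is assumed to be a mapping from (ballot ID, encrypted vote) to the plain-text choice.

```python
"""Announcement-phase consistency checks, as an added example (not the
patent's code).

Published data, following the patent:
  list1   authenticator's (encrypted vote, ballot ID) pairs
  list2   the counter's version of List 1
  list3   voter IDs that cast ballots (authenticator)
Private data held by the checking facilities:
  eligible_voters   registrar's set of eligible voter IDs
  issued_ballots    distributor's set of ballot IDs handed out
  cast_ballots      distributor's set of ballot IDs reported cast (step 6)
  decryption_table  the copy the counter gave the verifier in pre-voting,
                    assumed here as {(ballot ID, encrypted vote): choice}
"""
from collections import Counter


def verify_announcement(list1, list2, list3, eligible_voters, issued_ballots,
                        cast_ballots, decryption_table, announced_tally):
    """Return a list of discrepancy strings; an empty list means consistent."""
    problems = []

    # Verifier: Lists 1 and 2 must be identical (as multisets of pairs).
    if Counter(list1) != Counter(list2):
        only1 = sorted(set(list1) - set(list2))
        only2 = sorted(set(list2) - set(list1))
        problems.append(f"List 1/List 2 differ: only in List 1 {only1}, only in List 2 {only2}")

    # Each ballot ID may be cast at most once.
    for lst, name in ((list1, "List 1"), (list2, "List 2")):
        dup = sorted(b for b, n in Counter(b for _, b in lst).items() if n > 1)
        if dup:
            problems.append(f"ballot IDs repeated in {name}: {dup}")

    # Distributor: only ballots it issued and saw reported as cast may appear
    # in either list; anything else is a vote manufactured for an unused ballot.
    for bid in sorted({b for _, b in list1} | {b for _, b in list2}):
        if bid not in issued_ballots:
            problems.append(f"ballot {bid} was never issued by the distributor")
        elif bid not in cast_ballots:
            problems.append(f"ballot {bid} was issued but never reported cast")

    # Registrar: every ID in List 3 must be eligible and appear once.
    for vid, n in Counter(list3).items():
        if vid not in eligible_voters:
            problems.append(f"voter {vid} is not an eligible voter")
        if n > 1:
            problems.append(f"voter {vid} appears {n} times in List 3")

    # Number of cast ballots must match the number of voters who cast.
    if len(list1) != len(list3):
        problems.append(f"{len(list1)} votes in List 1 but {len(list3)} voters in List 3")

    # Verifier: recount List 1 with the decryption table and compare with the
    # counter's announced result.
    recount = Counter()
    for enc, bid in list1:
        choice = decryption_table.get((bid, enc))
        if choice is None:
            problems.append(f"ballot {bid}: encrypted vote not in decryption table")
        else:
            recount[choice] += 1
    if recount != Counter(announced_tally):
        problems.append(f"recount {dict(recount)} != announced {dict(announced_tally)}")
    return problems


# Constructed sample data; candidate names follow Figure 4 of the patent.
ELIGIBLE = {101, 102, 103, 104}
ISSUED = {"B1", "B2", "B3", "B4", "B5"}
CAST = {"B1", "B2", "B3"}
DECRYPTION_TABLE = {
    ("B1", "k3Zp"): "Gore", ("B1", "q9Lm"): "Bush",
    ("B2", "Vt2x"): "Bush", ("B2", "r8Hd"): "Dole",
    ("B3", "Hh7c"): "Ventura",
    ("B5", "Ww1r"): "Dole",
}
LIST1 = [("k3Zp", "B1"), ("Vt2x", "B2"), ("Hh7c", "B3")]
LIST3 = [101, 102, 103]
HONEST_TALLY = {"Gore": 1, "Bush": 1, "Ventura": 1}


def honest_case():
    """Everything published agrees: no discrepancies."""
    return verify_announcement(LIST1, list(LIST1), LIST3, ELIGIBLE, ISSUED,
                               CAST, DECRYPTION_TABLE, HONEST_TALLY)


def tampered_case():
    """A counter that slips a vote for issued-but-uncast ballot B5 into its
    List 2 and into the announced tally; three independent checks fire."""
    list2 = LIST1 + [("Ww1r", "B5")]
    tally = dict(HONEST_TALLY, Dole=1)
    return verify_announcement(LIST1, list2, LIST3, ELIGIBLE, ISSUED,
                               CAST, DECRYPTION_TABLE, tally)


if __name__ == "__main__":
    print(honest_case())      # []
    for p in tampered_case():
        print("-", p)
```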
Remark. Revealing the source code, much in the same way as with PGP, could allow laymen to check the validity and honesty of the facilities.
Ballot & Matching Pair Construction. A basic ballot that is generated by the counter consists of three items. The first is a ballot number. Depending upon the implementation of our protocol, the ballot number would contain sections for the district and election numbers. The remaining two items are lists. One list contains a plain-text version of the ballot choices. The other list contains the ballot choices after being encrypted using the encryption key for the ballot. The two lists are permuted, making it impossible to pair a plain-text choice with its encrypted choice without the matching pair for that particular ballot.
The matching pair contains the ballot number and a list of paired numbers. The first number in each pair corresponds to a plain-text choice. The second number corresponds to the encrypted choice that matches the plain-text choice given by the first number. Figure 4 shows a sample ballot and its corresponding matching pair. The ballot number is 134134613. The four possible choices on this ballot are Bush, Dole, Gore, and Ventura. The notation e(Dole) represents Dole after being encrypted with the ballot's key. The matching pair (1,3) designates that the third encrypted choice, e(Bush), corresponds to the first plain-text choice, Bush.

Expand on novel and unusual features which distinguish this invention from present technology.
The current US government elections do not satisfy the verifiability criterion. If an election booth has malfunctions, for example, then some voters' ballots may not be counted correctly and the voters are not able to detect the error. In the past, elections have also been held in which ineligible voters, even the deceased, have been allowed to cast a vote.
Conventional election systems also do not handle mobility easily. Voters who will not be in their home districts during the election and wish to vote must file absentee ballots. But due to time constraints, this may not always be possible, as their absence may not be known until the last minute.
The idea of electronic elections over computer networks has been studied intensively over the past fifteen years. A variety of cryptographic voting protocols have been proposed to minimize election fraud and maximize voter privacy (for example, see [Be87, BT94, Ch88, Co86, CF85, C+96, CGS, CC97, F+93, Iv91, MV98, NS91, NS, N+91, Sal96, Sch96, SK94]). Most of the early protocols address only a few specific issues of elections, mostly for theoretical interest. As pointed out in [F+93] and [CC97], such protocols are impractical to implement for a large-scale, geographically distributed voting district. For a survey of these protocols we refer the reader to Section 3.2 in Cranor and Cytron's paper [CC97], Chapter III of Karro's master's thesis [Ka00] and Chapter II above. So far there has not been a single government election held over the Internet.
Fujioka, Okamoto, and Ohta [F+93] studied how to make online elections practical and proposed a voting protocol using the cryptographic techniques of blind signatures and anonymous communication channels. Their protocol also uses central facilities to administer elections and count votes. They argued that using central facilities is necessary for a voting scheme to be practical. Building on this work, Cranor and Cytron [CC97] recently designed and implemented a security-conscious polling system called Sensus. However, Fujioka et al.'s protocol and the Sensus protocol suffer from several major drawbacks. These drawbacks are described in Section 3 of our paper [KW99], and in Chapter III of Karro's master's thesis [Ka00] and Chapter II above; both are attached to this document. Some of these drawbacks are due to the use of blind signatures at large scale and the impractical assumption of anonymous communication channels (note that Intel's new Pentium III chips embed CPU identification numbers that can be broadcast over the Internet). These drawbacks hinder Sensus from being used in large-scale elections.
o Our protocol is superior to all the previous protocols in that it satisfies all nine requirements listed at the beginning of item b. The correctness proof is given in Section 6 of our paper [KW99]. Moreover, our protocol also satisfies the following extra properties.
o Our protocol can be easily modified to allow the facilities to hold multiple elections simultaneously. For instance, we can participate in a nationwide election at the same time we vote for local officials or ordinances. This could be achieved by adding an election ID to the ballots. The ID would tell the facilities which election the given ballot is for. Voters would request a set of ballots instead of a single ballot.
o Voters may be allowed to change their vote. This could be done in one of two ways. First, the authenticator holds all votes until the end; to change a vote, the voter simply resubmits it, and the authenticator throws out the old vote and keeps the new one. Second, when the authenticator sees that the voter has already cast his/her ballot for the given election, the authenticator asks the counter to remove the ballot from its list. The authenticator then sends the new vote to the counter. As an added benefit of this property, we can make vote selling more difficult, because the buyer now has to hold the seller until the end of the election to prevent the seller from changing his/her vote.
o If voters were permitted to change their vote, the threat of organizations buying votes would be eliminated. Organizations could not be guaranteed that the voter would not alter their vote after being paid. Organizations could still kidnap voters and force them to vote a particular way, but this would be much easier to detect than simply paying the poor for their votes. Those being kidnapped would have to be held till the end of the voting process.
o Our protocol can handle many types of elections (e.g., several candidates, picking multiple candidates, write-in), with very limited modification.
o Interested parties could have their own facilities designed to check the integrity of the election. These facilities would only have to monitor the published lists, instead of monitoring the entire process.
o Using the distributor facility, we allow elections to occur on the Internet without worrying about hiding or masking IP addresses. The distributor facility also provides additional assurance of the integrity of the election.

To ensure that elections are held fairly, we require that each of the facilities generate a pair of public and private keys of its own. These keys will be used to prevent individual modules in our voting system from conspiring with each other. These keys should be replaced from time to time. To keep elections from being delayed, we recommend changing the keys between elections. We assume that not all of the facilities can be compromised at the same time. This is a reasonable assumption, for there is little one can do if all of the facilities are compromised simultaneously. In any conventional voting system, the overall security and integrity rely on humans. This means that the integrity of a traditional election is only as strong as that of the people running it. We will use a public-key encryption/decryption scheme where encryption and decryption commute with different keys. To prevent facilities from communicating illegally, all facilities will monitor the facility-facility communication channel.
Data Protection. Each facility is required to encrypt its database (list of data) on the fly, e.g., one record at a time, using the public keys of all the facilities. By doing so, the only way to completely decode a piece of data would be to acquire the secret keys of all servers, which, by our assumption, is impossible. Because the database is encrypted piece by piece, the facility can easily extract from the database the portion of the data it needs to see and then send it to the other facilities to decrypt.
It is not necessary to encrypt election results, as they will be released at the end of the election. It would also be very easy to see any discrepancy in the results when all of the lists are released. It is necessary to encrypt the database of the distributor to protect the ballots that have not been given out.
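The record-by-record, all-facilities encryption described above, with the partial decryption that any single facility can perform (the "partial decryptor" of Figures 6 through 8), as an added example that is not the patent's code. It assumes a Pohlig-Hellman/SRA style commutative exponentiation modulo a fixed prime, which is a secret-exponent scheme rather than the public-key scheme the patent calls for, and is used only to show the layering property.

```python
"""Layered per-record database encryption with partial decryption, as an
added example (not the patent's code).

Every record is encrypted under the key of every facility; any facility can
strip its own layer (partial decryption), but the record only becomes
readable once all of them have.  The patent calls for a commuting public-key
scheme.  Here the layering is illustrated with the SRA / Pohlig-Hellman
construction c = m^e mod P, which commutes across facilities but uses secret
exponents and is deterministic, so it is a teaching stand-in only.
"""
import math
import secrets

P = 2**127 - 1   # Mersenne prime; one record block must encode to an int < P


class Facility:
    """A central facility (registrar, authenticator, ...) holding a secret
    exponent e and its inverse d modulo P-1."""

    def __init__(self, name: str):
        self.name = name
        while True:
            e = secrets.randbelow(P - 1) | 1          # odd, so coprime to the factor 2
            if e > 1 and math.gcd(e, P - 1) == 1:
                break
        self.e = e
        self.d = pow(e, -1, P - 1)                    # modular inverse, Python 3.8+

    def add_layer(self, c: int) -> int:
        return pow(c, self.e, P)

    def remove_layer(self, c: int) -> int:
        """Partial decryption: strips only this facility's layer."""
        return pow(c, self.d, P)


def encode_record(text: str) -> int:
    n = int.from_bytes(text.encode(), "big")
    if n == 0 or n >= P:
        raise ValueError("record must be non-empty and at most 15 bytes")
    return n


def decode_record(n: int) -> str:
    return n.to_bytes((n.bit_length() + 7) // 8, "big").decode()


def store_record(text: str, facilities) -> int:
    """On-the-fly encryption of one record under every facility's key."""
    c = encode_record(text)
    for f in facilities:
        c = f.add_layer(c)
    return c


def partial_open(c: int, subset) -> int:
    """Strip the layers of `subset` only; the result is still encrypted
    under the keys of every facility not in `subset`."""
    for f in subset:
        c = f.remove_layer(c)
    return c


def open_record(c: int, facilities) -> str:
    """Full decryption: every facility must cooperate, in any order."""
    return decode_record(partial_open(c, facilities))


def demo():
    facilities = [Facility(n) for n in ("registrar", "authenticator", "verifier")]
    record = "ID24:eligible"                  # constructed sample record
    c = store_record(record, facilities)
    full = open_record(c, reversed(facilities))   # order does not matter
    # Two of the three facilities together still see only ciphertext.
    partial = partial_open(c, facilities[:2])
    return full, partial != encode_record(record)


if __name__ == "__main__":
    print(demo())   # ('ID24:eligible', True)
```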
Security of Communication Channels. We have two types of communication to deal with. The first type is between facilities, and the second type is between a voter and a facility.
Facility-facility communication. For communications between facilities, we need to ensure that these communications cannot be intercepted or altered; we also need to ensure that facilities do not collaborate to compromise the integrity or anonymity of the election. We accomplish both of these goals using the following protocol. When facility A wants to transmit data to facility B, facility A sends the encrypted data to a randomly selected third facility C. Facility C then decrypts the data with its own secret key, verifies that the size and the structure of the data it received have not been altered, and sends the data to another randomly selected facility D. The process is continued until the data finally reaches facility B, and facility B will be able to read the data after it uses its private key to decrypt the data.
Since intermediate facilities cannot completely decrypt the data, they will not know exactly what is being sent. The protocol can ensure that the information being sent is of legitimate size and structure. The only way for an intermediate facility to cheat would be to rearrange the information so that it matches this size and structure. This would cause some information, such as some of the ballots, to be left off, but the other facilities would be able to notice this when tabulation occurs.
Since facilities could manipulate this process by breaking the illegal data into small parts and reporting sizes that make the data appear legitimate, the facilities should each keep a log of the status of the protocol. This way, communication can only occur between two facilities at appropriate times, and the number of communications they are permitted should be limited.
To reduce the amount of traffic, as well as decryption computation, communication between facilities should be done in large blocks. For instance, the counter should send all of the ballots to the distributor, and the authenticator should send the counter encrypted ballots in a large number of blocks.
Voter-facility communication. Since we are dealing with the Internet, the most logical form of security for the interaction between the voter and the central facility would be to use HTTPS. HTTPS is already considered to be a secure form of communication for the Internet. It is considered to be a de facto standard; as long as it is viewed as such, it would be reasonable to use HTTPS. If circumstances cause a new standard to arise, this new standard should be adopted for this type of communication.
The only alteration to the HTTPS protocol we have to deal with is that when the voter is sent something, it would be encrypted. Of course, the facility also would not be able to look up the requested information. Therefore, the facility encrypts the database and sends it to the other facilities to remove their encryption. The facility gets the information back, decrypts it with its secret key and then looks up the requested information.

Denial of Service Attacks. In order to ensure that a system designed using our protocol will work properly, we must devise a way to protect against a denial of service attack. Otherwise, by preventing access to a certain district's servers, it would be possible to affect the results of an election. Those districts that traditionally vote one way could be targeted to prevent voters in those districts from being able to vote.
To get around these types of attacks, districts should be designed to share information. Each district would generate the ballots, matching pairs, and ballot decryption keys as previously described. Ballot IDs would contain a district ID, an election ID, and the usual ballot ID. This would prevent districts from having duplicate ballot IDs. Voters would register with their district. When it comes time to distribute their information, the districts would be divided into groups. Each of these groups would contain districts that traditionally vote differently. These groups would share ballot decryption keys, matching pairs, and valid voter IDs. To prevent the same ballot from being given out to multiple voters, the individual ballots would not be shared with the other districts. When voters attempt to contact their district's server and are unable to retrieve a ballot due to a denial of service attack, they would be forwarded to the next server in the list. If they were denied service when they attempt to submit their vote, they would be forwarded to the next server. Since all the servers know who can vote, and how to decrypt ballots, any facility can tally the vote. Results from the facilities would then be combined as a whole and compared, instead of comparing each district's results individually.
For local elections, where voters' ballots are specific to their district, each district would send a chunk of the district's ballots to each of the districts in its group. When a voter requests a ballot, the voter would be given a ballot from his district's ballot box. Each district would be pulling ballots out of a ballot box containing unique ballots for whichever district the voter belongs to.
Buying Votes or Kidnapping Voters. The ability of one party or candidate to buy votes, or simply force voters to vote a particular way, is increased when an election is held electronically. A candidate could pay potential voters to vote for them and then watch them vote. Likewise, a candidate could kidnap people and force them to vote a particular way.
To some degree, if we allow voters to change their vote, our protocol protects against these two types of attacks. The candidate attempting to buy votes would have no guarantee that the voter does not go back and alter their vote. If the candidate buying votes does not watch the voter vote, but merely requires the voter to show a receipt, then since the receipt only contains the encrypted ballot, the candidate has no way to guarantee that the voter voted as desired.
Kidnapping voters would require that all the kidnapped voters be held until after the voting phase has ended. If released earlier, voters could change their votes. They would also have to be kidnapped before the process begins; otherwise they could vote before being kidnapped and then not properly sign their ballot, thus forcing the ballot to be rejected. Kidnapping a large enough number of voters to affect an election and holding them for the duration of the election would easily be detected, and appropriate action could be taken.
Comment on possible uses for the invention.
Democratic societies are founded on the principle of elections. However, it is not unusual that many eligible voters in a democratic society do not participate in elections. One of the common reasons for not participating is that voters find it inconvenient to go to the polls. In conventional elections, voters must go to a designated location near their residence. However, for various reasons voters are not always able to make it to these locations. They may be out of town on work or on vacation. Even if they are in town, their daily schedule may not permit them to get to the ballots.
With the rapid growth of the Internet, specifically the World Wide Web, voting online provides a reasonable alternative and in the future may replace conventional elections. Voting online would allow voters to participate in an election in any location that provides Internet access. Voters could cast their ballots while at work, at school, or in the comfort of their own home. Many public libraries have computers with Internet access that could also be used in elections. In some places, bookstores and coffee bars are also starting to provide Internet access. For those voters still without Internet access, voting districts would still have designated locations; only computers, instead of voting booths, would be used. There would be no need to restrict voters to a given district.
We presented an early draft of this work [KW99] at the 15th Annual Computer Security Applications Conference held in Phoenix, Arizona on December 6-10, 1999. At the conference it was suggested that we seek private or government support to implement our protocol. We were also informed that the US government, particularly the Armed Forces, which account for a large quantity of absentee ballots, was attempting to devise a way to hold elections online.
While the intention of this invention is to hold elections electronically, this invention could be used on a smaller scale also. It could be used for stockholder votes, union votes, and school elections. It could also be used for polls or surveys. If survey participants are to receive rewards for participating, they could receive their reward while keeping their opinions anonymous.
BIBLIOGRAPHY
[Be87] J. Benaloh. Verifiable Secret-Ballot Elections. PhD Thesis, Yale University, 1987.
[BT94] J. Benaloh and D. Tuinstra. Receipt-free secret-ballot elections. In Proceedings of the 26th ACM Symposium on Theory of Computing, pages 544-553, ACM Press, 1994.
[Ch82] D. Chaum. Blind signatures for untraceable payments. In Advances in Cryptology: Proceedings of CRYPTO '82, D. Chaum, R. Rivest, and A. Sherman, eds., pages 199-203, Plenum Press, 1982.
[Ch81] D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(1981), pp. 84-88.
[Ch88a] D. Chaum. The dining cryptographers problem: unconditional sender and recipient untraceability. Journal of Cryptology, 1(1988), pp. 65-75.
[Ch88b] D. Chaum. Elections with unconditionally secret ballots and disruption equivalent to breaking RSA. In Proceedings of Advances in Cryptology (EUROCRYPT'88), vol. 330 of Lecture Notes in Computer Science, pages 177-182, Springer-Verlag, 1988.
[Co86] J. Cohen. Improving privacy in cryptographic elections. Yale University Tech. Rep. DCS/TR-454, 1986.
[CF85] J. Cohen and M. Fischer. A robust and verifiable cryptographically secure election scheme. In Proceedings of the 26th IEEE Annual Symposium on Foundations of Computer Science, pages 372-382, IEEE Computer Society Press, 1985.
[C+96] R. Cramer, M. Franklin, B. Schoenmakers, and M. Yung. Multi-authority secret ballot elections with linear work. In Proceedings of Advances in Cryptology (EUROCRYPT'96), vol. 1070 of Lecture Notes in Computer Science, pages 72-83, Springer-Verlag, 1996.
[CGS] R. Cramer, R. Gennaro, and B. Schoenmakers. A secure and optimally efficient multi-authority election scheme. Manuscript acquired from rosario@watson.ibm.com.
[Cr96] L. Cranor. Electronic voting: computerized polls may save money, protect privacy. ACM Crossroads (Electronic Journal), 1996.
[CC97] L. Cranor and R. Cytron. Sensus: A security-conscious electronic polling system for the Internet. In Proceedings of the Hawaii International Conference on System Sciences, Wailea, Hawaii, 1997.
[F+93] A. Fujioka, T. Okamoto, and K. Ohta. A practical secret voting scheme for large scale elections. In Proceedings of Advances in Cryptology (AUSCRYPT'92), vol. 718 of Lecture Notes in Computer Science, pages 244-251, Springer-Verlag, 1993.
[KW99] J. Karro and J. Wang. Towards a Practical, Secure, and Very Large Scale Online Election. In Proceedings of the 15th Annual Computer Security Applications Conference, pages 161-169, IEEE Computer Society, 1999.
[Iv91] K. Iversen. A cryptographic scheme for computerized general elections. In Proceedings of Advances in Cryptology (CRYPTO'91), vol. 576 of Lecture Notes in Computer Science, pages 405-419, Springer-Verlag, 1991.
[MV98] Y. Mu and V. Varadharajan. Anonymous secure e-voting over a network. In Proceedings of the 14th Annual Computer Security Applications Conference, pages 293-299, IEEE Computer Society, 1998.
[Na90] M. Naor. Bit commitment using pseudo-randomness. In Proceedings of Advances in Cryptology (CRYPTO'90), vol. 435 of Lecture Notes in Computer Science, pages 218-229, Springer-Verlag, 1990.
[Ne93] P. Neumann. Security criteria for electronic voting. In Proceedings of the 16th National Computer Security Conference, pages 478-481, 1991.
[NS91] H. Nurmi and A. Salomaa. A cryptographic approach to the secret ballot. Behavioral Science, 36(1991), pp. 34-40.
[NS] H. Nurmi and A. Salomaa. Secret ballot elections and public-key cryptosystems. Manuscript.
[N+91] H. Nurmi, A. Salomaa, and L. Santean. Secret ballot elections in computer networks. Computers & Security, 10(1991), pp. 553-560.
[Pf84] A. Pfitzmann. A switched/broadcast ISDN to decrease user observability. In Proceedings of the International Zurich Seminar on Digital Communication, pages 183-190, IEEE Computer Society Press, 1984.
[Sal96] A. Salomaa. Public-Key Cryptography. 2nd edition. Springer-Verlag, Berlin, 1996.
[Sch96] B. Schneier. Applied Cryptography, 2nd edition. John Wiley & Sons, New York, 1996.
[SK94] K. Sako and J. Kilian. Secure voting using partially compatible homomorphisms. In Proceedings of Advances in Cryptology (CRYPTO'94), vol. 839 of Lecture Notes in Computer Science, pages 411-424, Springer-Verlag, 1994.
U.S. Patent No. 6,021,200 to Fischer
U.S. Patent No. 4,764,120 to Griffin, et al.
U.S. Patent No. 4,774,665 to Webb
U.S. Patent No. 5,218,528 to Wise, et al.
U.S. Patent No. 5,231,668 to Kravitz
U.S. Patent No. 5,400,248 to Chisholm
U.S. Patent No. 5,495,532 to Kilian, et al.
U.S. Patent No. 5,583,329 to Davis III, et al.
U.S. Patent No. 5,875,432 to Sehr
U.S. Patent No. 5,682,430 to Kilian, et al.
U.S. Patent No. 5,878,399 to Peralto
U.S. Patent No. 6,026,163 to Micali
The entire disclosure of each of the above documents is hereby incorporated by reference herein.
Certain modifications and improvements will occur to those skilled in the art upon a reading of the foregoing description. It should be understood that all such modifications and improvements have been deleted herein for the sake of conciseness and readability but are properly within the scope of the following claims.

Claims

What is Claimed:
1. An election system including:
(a) a registrar including a registrar link for communication to at least permit a plurality of voters to obtain a unique voter ID;
(b) a plurality of ballots for distribution to at least a portion of said plurality of voters, each ballot including a unique ballot ID and a list of plain data; and
(c) a data reconciler including a data reconciler link for communication to at least said registrar.
2. The election system according to Claim 1 further including a tally system having a tally system link for communication to at least said data reconciler.
3. The election system according to Claim 2 further including a counter having a counter link for communication at least within said election system.
4. The election system according to Claim 3 further including a ballot generator for generating said plurality of ballots.
5. The election system according to Claim 4 wherein said ballot generator is a secure ballot generator.
6. The election system according to Claim 5 further including a matching pair generator for generating a matching pair corresponding to said unique ballot ID and said corresponding list of plain data for each of said plurality of ballots.
7. The election system according to Claim 5 further including a ballot encryption key generator for generating a plurality of ballot encryption keys corresponding to said plurality of ballots.
8. The election system according to Claim 7 wherein said ballot encryption key generator is a ballot encryption key-decryption key pair generator.
9. The election system according to Claim 7 further including a ballot encryptor for encrypting said corresponding list of plain data for each of said plurality of ballots using said corresponding plurality of ballot encryption keys.
10. The election system according to Claim 5 further including a ballot decryption key generator for generating a plurality of ballot decryption keys corresponding to said plurality of ballots to facilitate decryption thereof.
11. The election system according to Claim 3 further including a ballot authenticator for authenticating cast ballots.
12. The election system according to Claim 11 further including a tallier for tallying cast ballots.
13. The election system according to Claim 12 further including a decryptor for decrypting cast ballots prior to tallying cast ballots.
14. The election system according to Claim 3 further including a counter database having at least said unique ballot IDs of said plurality of ballots.
15. The election system according to Claim 14 said counter database further including a decryption key corresponding to each of said unique ballot IDs of said plurality of ballots.
16. The election system according to Claim 14 said counter database further including at least one of:
(a) said plurality of ballots;
(b) a matching pair corresponding to each of said unique ballot IDs; and
(c) an encryption key corresponding to each of said unique ballot IDs.
17. The election system according to Claim 3 further including a counter key generator.
18. The election system according to Claim 17 wherein said counter key generator is a public key-private key pair generator.
19. The election system according to Claim 14 further including a counter database encryptor.
20. The election system according to Claim 19 wherein said counter database encryptor is an on the fly encryptor.
21. The election system according to Claim 19 wherein said counter database encryptor uses public keys generated by a plurality of facilities of said election system to encrypt said counter database.
22. The election system according to Claim 19 further including a counter database decryptor.
23. The election system according to Claim 22 wherein said counter database decryptor is a partial decryptor.
24. The election system according to Claim 2 further including a matcher having a matcher link for communication at least within said election system.
25. The election system according to Claim 24 wherein said matcher link is for communication with said plurality of voters.
26. The election system according to Claim 24 further including a matcher database having at least a matching pair corresponding to each of said unique ballot IDs of said plurality of ballots.
27. The election system according to Claim 24 further including a matcher key generator.
28. The election system according to Claim 27 wherein said matcher key generator is a public key-private key pair generator.
29. The election system according to Claim 26 further including a matcher database encryptor.
30. The election system according to Claim 29 wherein said matcher database encryptor is an on the fly encryptor.
31. The election system according to Claim 29 wherein said matcher database encryptor uses public keys generated by a plurality of facilities of said election system to encrypt said matcher database.
32. The election system according to Claim 29 further including a matcher database decryptor.
33. The election system according to Claim 32 wherein said matcher database decryptor is a partial decryptor.
34. The election system according to Claim 2 further including a distributor having a distributor link for communication at least within said election system.
35. The election system according to Claim 34 wherein said distributor link is for communication with said plurality of voters.
36. The election system according to Claim 35 further including a distributor database having at least said plurality of ballots.
37. The election system according to Claim 34 further including a distributor key generator.
38. The election system according to Claim 37 wherein said distributor key generator is a public key-private key pair generator.
39. The election system according to Claim 36 further including a distributor database encryptor.
40. The election system according to Claim 39 wherein said distributor database encryptor is an on the fly encryptor.
41. The election system according to Claim 39 wherein said distributor database encryptor uses public keys generated by a plurality of facilities of said election system to encrypt said matcher database.
42. The election system according to Claim 39 further including a distributor database decryptor.
43. The election system according to Claim 42 wherein said distributor database decryptor is a partial decryptor.
44. An election system including:
(a) a registrar including a registrar link for communication to at least permit a plurality of voters to obtain a unique voter ID;
(b) a plurality of ballots for distribution to at least a portion of said plurality of voters, each ballot including a unique ballot ID and a list of plain data;
(c) a plurality of authentication codes, an authentication code for use with a cast ballot of said plurality of ballots; and
(d) a data reconciler including a data reconciler link for communication to at least said registrar.
45. The election system according to Claim 44 wherein said authentication code is provided by said data reconciler.
46. The election system according to Claim 44 said plurality of ballots further including an encrypted version of said list of plain data.
47. The election system according to Claim 44 wherein said authentication code is an encrypted version of said list of plain data.
48. The election system according to Claim 47 wherein said encrypted version of said list of plain data is provided to a distributor for providing to said plurality of voters.
49. The election system according to Claim 47 further including a plurality of matching pairs corresponding to an encrypted version of said list of plain data.
50. The election system according to Claim 49 wherein said plurality of matching pairs is provided by said data reconciler.
51. The election system according to Claim 50 wherein said plurality of matching pairs are provided to a matcher for distribution to said plurality of voters.
52. The election system according to Claim 44 said registrar further including a voter identifier for determining the identity of said plurality of voters that have cast a vote.
53. The election system according to Claim 44 said registrar further including a registrar database of said plurality of voters.
54. The election system according to Claim 53 wherein said registrar database includes voter information.
55. The election system according to Claim 54 wherein said voter information includes voter names.
56. The election system according to Claim 53 said registrar database further including unique voter IDs of said plurality of voters.
57. The election system according to Claim 53 said registrar further including a registrar key generator.
58. The election system according to Claim 57 wherein said registrar key generator is a public key-private key pair generator.
59. The election system according to Claim 53 further including a registrar database encryptor.
60. The election system according to Claim 59 wherein said registrar database encryptor is an on the fly encryptor.
61. The election system according to Claim 59 wherein said registrar database encryptor uses public keys generated by a plurality of facilities of said election system to encrypt said registrar database.
62. The election system according to Claim 59 further including a registrar database decryptor.
63. The election system according to Claim 62 wherein said registrar database decryptor is a partial decryptor.
64. The election system according to Claim 44 wherein said unique voter ID facilitates communication between a voter of said plurality of voters and said data reconciler.
65. The election system according to Claim 44 wherein said unique voter ID facilitates communication between a voter of said plurality of voters and said registrar.
66. The election system according to Claim 44 wherein said unique voter ID permits a voter of said plurality of voters to obtain a ballot of said plurality of ballots.
67. The election system according to Claim 44 wherein said unique voter ID permits verifying that a voter of said plurality of voters cast a ballot of said plurality of ballots.
68. The election system according to Claim 44 wherein said registrar link is bidirectional.
69. The election system according to Claim 44 wherein said registrar link is an Internet link.
70. The election system according to Claim 44 said registrar further including a unique voter ID generator.
71. The election system according to Claim 70 said unique voter ID generator further including a counter for determining the number of unique IDs generated.
72. The election system according to Claim 44 wherein said registrar link facilitates providing said unique voter ID from said data reconciler to a voter.
73. The election system according to Claim 44 wherein said registrar link facilitates providing a voter private key to a voter of said plurality of voters.
74. The election system according to Claim 73 wherein said registrar passes said voter private key to said voter of said plurality of voters without keeping a copy of said voter private key.
75. The election system according to Claim 44 further including an authenticator including an authenticator link for communication to at least said registrar.
76. The election system according to Claim 75 further including a voter authenticator.
77. The election system according to Claim 75 further including an authenticator database.
78. The election system according to Claim 75 wherein said authenticator database includes a plurality of voter ID-decryption key pairs.
79. The election system according to Claim 78 wherein said plurality of voter ID-decryption key pairs is a plurality of voter ID-voter public key pairs.
80. The election system according to Claim 75 further including a voter key generator.
81. The election system according to Claim 80 wherein said voter key generator is a voter decryption key generator.
82. The election system according to Claim 81 wherein said voter decryption key generator is a voter public key-private key pair generator.
83. The election system according to Claim 75 said authenticator further including an authenticator key generator.
84. The election system according to Claim 83 wherein said authenticator key generator is a public key-private key pair generator.
85. The election system according to Claim 77 further including an authenticator database encryptor.
86. The election system according to Claim 85 wherein said authenticator database encryptor is an on the fly encryptor.
87. The election system according to Claim 85 wherein said authenticator database encryptor uses public keys generated by a plurality of facilities of said election system to encrypt said authenticator database.
88. The election system according to Claim 85 further including an authenticator database decryptor.
89. The election system according to Claim 88 wherein said authenticator database decryptor is a partial decryptor.
90. The election system according to Claim 44 further including a verifier including a verifier link for communication at least within said election system.
91. The election system according to Claim 90 further including a vote counter for counting cast ballots to verify a vote tally.
92. The election system according to Claim 91 wherein said vote counter facilitates independently counting cast ballots to verify a vote tally.
93. The election system according to Claim 91 further including a ballot decryptor for decrypting cast ballots to permit said vote counting of said vote tally.
94. The election system according to Claim 90 further including a verifier database.
95. The election system according to Claim 94 wherein said verifier database includes a plurality of ballot ID-decryption key pairs.
96. The election system according to Claim 95 wherein said plurality of ballot ID-decryption key pairs is a plurality of ballot ID-voter public key pairs.
97. The election system according to Claim 90 said verifier further including a verifier key generator.
98. The election system according to Claim 97 wherein said verifier key generator is a public key-private key pair generator.
99. The election system according to Claim 94 further including a verifier database encryptor.
100. The election system according to Claim 99 wherein said verifier database encryptor is an on the fly encryptor.
101. The election system according to Claim 99 wherein said verifier database encryptor uses public keys generated by a plurality of facilities of said election system to encrypt said verifier database.
102. The election system according to Claim 99 further including a verifier database decryptor.
103. The election system according to Claim 102 wherein said verifier database decryptor is a partial decryptor.
104. The election system according to Claim 44 wherein said data reconciler link permits communication with a voter of said plurality of voters.
105. The election system according to Claim 104 wherein said communication with a voter of said plurality of voters is via an Internet link.
106. The election system according to Claim 104 wherein said communication with a voter of said plurality of voters is via an Intranet link.
107. An election system including:
(a) a registrar including a registrar link for communication to at least permit a plurality of voters to obtain a unique voter ID;
(b) a plurality of ballots for distribution to at least a portion of said plurality of voters, each ballot including a unique ballot ID and a list of plain data;
(c) a plurality of authentication codes, an authentication code for use with a cast ballot of said plurality of ballots;
(d) a data reconciler including a data reconciler link for communication to at least said registrar; and
(e) a tally system having a tally system link for communication to at least said data reconciler.
108. The election system according to Claim 107 further including a counter having a counter link for communication at least within said election system.
109. The election system according to Claim 108 further including a ballot generator for generating said plurality of ballots.
110. The election system according to Claim 109 wherein said ballot generator is a secure ballot generator.
111. The election system according to Claim 110 further including a matching pair generator for generating a matching pair corresponding to said unique ballot ID and said corresponding list of plain data for each of said plurality of ballots.
112. The election system according to Claim 110 further including a ballot encryption key generator for generating a plurality of ballot encryption keys corresponding to said plurality of ballots.
113. The election system according to Claim 112 wherein said ballot encryption key generator is a ballot encryption key-decryption key pair generator.
114. The election system according to Claim 112 further including a ballot encryptor for encrypting said corresponding list of plain data for each of said plurality of ballots using said corresponding plurality of ballot encryption keys.
115. The election system according to Claim 110 further including a ballot decryption key generator for generating a plurality of ballot decryption keys corresponding to said plurality of ballots to facilitate decryption thereof.
116. The election system according to Claim 108 further including a ballot authenticator for authenticating cast ballots.
117. The election system according to Claim 116 further including a tallier for tallying cast ballots.
118. The election system according to Claim 117 further including a decryptor for decrypting cast ballots prior to tallying cast ballots.
119. The election system according to Claim 108 further including a counter database having at least said unique ballot IDs of said plurality of ballots.
120. The election system according to Claim 119 said counter database further including a decryption key corresponding to each of said unique ballot IDs of said plurality of ballots.
121. The election system according to Claim 119 said counter database further including at least one of:
(a) said plurality of ballots;
(b) a matching pair corresponding to each of said unique ballot IDs; and
(c) an encryption key corresponding to each of said unique ballot IDs.
122. The election system according to Claim 108 further including a counter key generator.
123. The election system according to Claim 122 wherein said counter key generator is a public key-private key pair generator.
124. The election system according to Claim 119 further including a counter database encryptor.
125. The election system according to Claim 124 wherein said counter database encryptor is an on the fly encryptor.
126. The election system according to Claim 124 wherein said counter database encryptor uses public keys generated by a plurality of facilities of said election system to encrypt said counter database.
127. The election system according to Claim 124 further including a counter database decryptor.
128. The election system according to Claim 127 wherein said counter database decryptor is a partial decryptor.
129. The election system according to Claim 107 further including a matcher having a matcher link for communication at least within said election system.
130. The election system according to Claim 129 wherein said matcher link is for communication with said plurality of voters.
131. The election system according to Claim 129 further including a matcher database having at least a matching pair corresponding to each of said unique ballot IDs of said plurality of ballots.
132. The election system according to Claim 129 further including a matcher key generator.
133. The election system according to Claim 132 wherein said matcher key generator is a public key-private key pair generator.
134. The election system according to Claim 131 further including a matcher database encryptor.
135. The election system according to Claim 134 wherein said matcher database encryptor is an on the fly encryptor.
136. The election system according to Claim 134 wherein said matcher database encryptor uses public keys generated by a plurality of facilities of said election system to encrypt said matcher database.
137. The election system according to Claim 134 further including a matcher database decryptor.
138. The election system according to Claim 137 wherein said matcher database decryptor is a partial decryptor.
139. The election system according to Claim 107 further including a distributor having a distributor link for communication at least within said election system.
140. The election system according to Claim 139 wherein said distributor link is for communication with said plurality of voters.
141. The election system according to Claim 140 further including a distributor database having at least said plurality of ballots.
142. The election system according to Claim 139 further including a distributor key generator.
143. The election system according to Claim 142 wherein said distributor key generator is a public key-private key pair generator.
144. The election system according to Claim 141 further including a distributor database encryptor.
145. The election system according to Claim 144 wherein said distributor database encryptor is an on the fly encryptor.
146. The election system according to Claim 144 wherein said distributor database encryptor uses public keys generated by a plurality of facilities of said election system to encrypt said matcher database.
147. The election system according to Claim 144 further including a distributor database decryptor.
148. The election system according to Claim 147 wherein said distributor database decryptor is a partial decryptor.
149. The election system according to Claim 107 wherein said authentication code is provided by said data reconciler.
150. The election system according to Claim 107 said plurality of ballots further including an encrypted version of said list of plain data.
151. The election system according to Claim 107 wherein said authentication code is an encrypted version of said list of plain data.
152. The election system according to Claim 151 wherein said encrypted version of said list of plain data is provided to a distributor for providing to said plurality of voters.
153. The election system according to Claim 151 further including a plurality of matching pairs corresponding to an encrypted version of said list of plain data.
154. The election system according to Claim 153 wherein said plurality of matching pairs is provided by said data reconciler.
155. The election system according to Claim 154 wherein said plurality of matching pairs are provided to a matcher for distribution to said plurality of voters.
156. The election system according to Claim 107 said registrar further including a voter identifier for determining the identity of said plurality of voters that have cast a vote.
157. The election system according to Claim 107 said registrar further including a registrar database of said plurality of voters.
158. The election system according to Claim 157 wherein said registrar database includes voter information.
159. The election system according to Claim 158 wherein said voter information includes voter names.
160. The election system according to Claim 157 said registrar database further including unique voter IDs of said plurality of voters.
161. The election system according to Claim 157 said registrar further including a registrar key generator.
162. The election system according to Claim 161 wherein said registrar key generator is a public key-private key pair generator.
163. The election system according to Claim 157 further including a registrar database encryptor.
164. The election system according to Claim 163 wherein said registrar database encryptor is an on the fly encryptor.
165. The election system according to Claim 163 wherein said registrar database encryptor uses public keys generated by a plurality of facilities of said election system to encrypt said registrar database.
166. The election system according to Claim 163 further including a registrar database decryptor.
167. The election system according to Claim 166 wherein said registrar database decryptor is a partial decryptor.
168. The election system according to Claim 107 wherein said unique voter ID facilitates communication between a voter of said plurality of voters and said data reconciler.
169. The election system according to Claim 107 wherein said unique voter ID facilitates communication between a voter of said plurality of voters and said registrar.
170. The election system according to Claim 107 wherein said unique voter ID permits a voter of said plurality of voters to obtain a ballot of said plurality of ballots.
171. The election system according to Claim 107 wherein said unique voter ID permits verifying that a voter of said plurality of voters cast a ballot of said plurality of ballots.
172. The election system according to Claim 107 wherein said registrar link is bidirectional.
173. The election system according to Claim 107 wherein said registrar link is an Internet link.
174. The election system according to Claim 107 said registrar further including a unique voter ID generator.
175. The election system according to Claim 174 said unique voter ID generator further including a counter for determining the number of unique IDs generated.
176. The election system according to Claim 107 wherein said registrar link facilitates providing said unique voter ID from said data reconciler to a voter.
177. The election system according to Claim 107 wherein said registrar link facilitates providing a voter private key to a voter of said plurality of voters.
178. The election system according to Claim 177 wherein said registrar passes said voter private key to said voter of said plurality of voters without keeping a copy of said voter private key.
179. The election system according to Claim 107 further including an authenticator including an authenticator link for communication to at least said registrar.
180. The election system according to Claim 179 further including a voter authenticator.
181. The election system according to Claim 179 further including an authenticator database.
182. The election system according to Claim 179 wherein said authenticator database includes a plurality of voter ID-decryption key pairs.
183. The election system according to Claim 182 wherein said plurality of voter ID-decryption key pairs is a plurality of voter ID-voter public key pairs.
184. The election system according to Claim 179 further including a voter key generator.
185. The election system according to Claim 184 wherein said voter key generator is a voter decryption key generator.
186. The election system according to Claim 185 wherein said voter decryption key generator is a voter public key-private key pair generator.
187. The election system according to Claim 179 said authenticator further including an authenticator key generator.
188. The election system according to Claim 187 wherein said authenticator key generator is a public key-private key pair generator.
189. The election system according to Claim 181 further including an authenticator database encryptor.
190. The election system according to Claim 189 wherein said authenticator database encryptor is an on the fly encryptor.
191. The election system according to Claim 189 wherein said authenticator database encryptor uses public keys generated by a plurality of facilities of said election system to encrypt said authenticator database.
192. The election system according to Claim 189 further including an authenticator database decryptor.
193. The election system according to Claim 192 wherein said authenticator database decryptor is a partial decryptor.
194. The election system according to Claim 107 further including a verifier including a verifier link for communication at least within said election system.
195. The election system according to Claim 194 further including a vote counter for counting cast ballots to verify a vote tally.
196. The election system according to Claim 195 wherein said vote counter facilitates independently counting cast ballots to verify a vote tally.
197. The election system according to Claim 195 further including a ballot decryptor for decrypting cast ballots to permit said vote counting of said vote tally.
198. The election system according to Claim 194 further including a verifier database.
199. The election system according to Claim 198 wherein said verifier database includes a plurality of ballot ID-decryption key pairs.
200. The election system according to Claim 199 wherein said plurality of ballot ID-decryption key pairs is a plurality of ballot ID-voter public key pairs.
201. The election system according to Claim 194 said verifier further including a verifier key generator.
202. The election system according to Claim 201 wherein said verifier key generator is a public key-private key pair generator.
203. The election system according to Claim 198 further including a verifier database encryptor.
204. The election system according to Claim 203 wherein said verifier database encryptor is an on the fly encryptor.
205. The election system according to Claim 203 wherein said verifier database encryptor uses public keys generated by a plurality of facilities of said election system to encrypt said verifier database.
206. The election system according to Claim 203 further including a verifier database decryptor.
207. The election system according to Claim 206 wherein said verifier database decryptor is a partial decryptor.
208. The election system according to Claim 107 wherein said data reconciler link permits communication with a voter of said plurality of voters.
209. The election system according to Claim 208 wherein said communication with a voter of said plurality of voters is via an Internet link.
210. The election system according to Claim 208 wherein said communication with a voter of said plurality of voters is via an Intranet link.
211. The election system according to Claim 208 wherein said communication with a voter of said plurality of voters is direct.
212. The election system according to Claim 208 wherein said communication with a voter of said plurality of voters is indirect.
213. The election system according to Claim 104 wherein said communication with a voter of said plurality of voters is direct.
214. The election system according to Claim 104 wherein said communication with a voter of said plurality of voters is indirect.
215. An election method including:
(a) registering a plurality of voters by providing each a unique voter ID;
(b) distributing to at least a portion of said plurality of voters a ballot including a unique ballot ID and a list of plain data; and
(c) reconciling a cast ballot of said plurality of ballots.
216. An election method including:
(a) registering a plurality of voters by providing each a unique voter ID;
(b) distributing to at least a portion of said plurality of voters a ballot including a unique ballot ID and a list of plain data;
(c) authenticating a cast ballot of said plurality of ballots; and
(d) reconciling said cast ballot.
217. An election system including:
(a) registering a plurality of voters by providing each a unique voter ID;
(b) distributing to at least a portion of said plurality of voters a ballot including a unique ballot ID and a list of plain data;
(c) authenticating cast ballots;
(d) reconciling said authenticated cast ballots; and tallying said authenticated cast ballots.
218. A method of holding an election comprising enabling voters to register with a registrar facility including providing encryption keys to registered voters and storing the encryption key with an authenticator facility, distributing ballots having unique ballot ID's to requesting voters, receiving ballots having voter choices on them and encrypted using voters' encryption keys, receiving from voters a) ballot ID, encrypted vote information and voter ID at an authenticator facility, b) indications that votes have been cast with ballots having indicated ballot ID's at a distributor facility, and c) an indication that the voter has voted at a registrar facility, authenticating the voter at the authenticator facility and passing authenticated votes and the ballot ID to a counter facility.
219. A method as claimed in Claim 218 further comprising decrypting votes at the counter facility and tallying a number of votes, publishing a list containing encrypted votes and ballot ID's at the authenticator facility, publishing a list containing encrypted votes and ballot ID's at the counter facility, publishing a list containing voter ID's of cast ballots at the authenticator facility, examining the list containing voter ID's of cast ballots at the registrar facility to confirm that only registered voters voted, verifying at a verifier facility that the list containing encrypted votes and ballot ID's published at the authenticator facility is identical to the list containing encrypted votes and ballot ID's published at the counter facility, confirming at the verifier facility from the list containing encrypted votes and ballot ID's published at the authenticator facility and a decryption table the results published by the counter facility, examining at the distributor facility the list containing encrypted votes and ballot ID's published at the authenticator facility and the list containing encrypted votes and ballot ID's published at the counter facility to ensure that only legitimate ballots appear, and releasing the election results at the counter facility.
220. A method as claimed in Claim 218 wherein at least one of the distributing and receiving steps includes transmitting information over the Internet.
221. A method as claimed in Claim 218 wherein distributing ballots includes distributing a number of ballots from an inventory of ballots that has more members than there are registered voters.
222. A method as claimed in Claim 218 wherein distributing ballots includes distributing a ballot having a ballot number, and a matching pair made up of plain-text versions of ballot choices and encrypted versions of ballot choices.
223. A method as claimed in Claim 222 wherein the encrypted version is encrypted using an encryption key unique to the ballot.
224. A method as claimed in Claim 222 wherein the ballot choices include ballot choices in municipal and national elections.
225. A method as claimed in Claim 219 wherein the acts of publishing include publishing to the general public.
226. A method as claimed in Claim 218 wherein passing authenticated votes includes passing data through a firewall.
227. An election apparatus comprising a network of data handling devices configured to hold an election comprising a data handling device enabling voters to register with a registrar facility including providing encryption keys to registered voters and storing the encryption key with an authenticator facility, a data handling device distributing ballots having unique ballot ID's to requesting voters, a data handling device receiving ballots having voter choices on them and encrypted using voters' encryption keys, data handling devices configured as authenticator, distributor and registrar facilities enabled to receive from voters a) ballot ID, encrypted vote information and voter ID at the authenticator facility, b) indications that votes have been cast with ballots having indicated ballot ID's at the distributor facility, and c) an indication that the voter has voted at the registrar facility, to authenticate the voter at the authenticator facility and passing authenticated votes and the ballot ID to a data handling device configured as a counter facility.
228. An election apparatus as claimed in Claim 227 wherein at least two of the data handling devices communicate information to one another over the Internet.
229. An election apparatus as claimed in Claim 227 wherein the data handling device that distributes ballots distributes a number of ballots from an inventory of ballots that has more members than there are registered voters.
230. An election apparatus as claimed in Claim 227 wherein the data handling device that distributes ballots distributes a ballot having a ballot number, and a matching pair made up of plain-text versions of ballot choices and encrypted versions of ballot choices.
231. An election apparatus as claimed in Claim 229 wherein the encrypted version is encrypted using an encryption key unique to the ballot.
232. An election apparatus as claimed in Claim 229 wherein the ballot choices include ballot choices in municipal and national elections.
233. An election apparatus as claimed in Claim 227 wherein the authenticator is protected by a firewall.
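A minimal runnable simulation of the facilities and cross-checks of Claims 218-226 (and their apparatus counterparts in Claims 227-233), added here as an example; it is not the patent's own code. Facility names follow the claims, while the data layout, the use of HMAC-SHA256 in place of the claims' encryption, and every sample value are assumptions.

```python
"""Added example, not the patent's code: registrar, distributor, authenticator,
counter and verifier facilities from Claims 218-226 simulated in one process.
Assumptions: a keyed hash (HMAC-SHA256) stands in for the claims' encryption,
and all IDs, keys and choices below are constructed sample values."""
import hashlib, hmac, secrets
from collections import Counter

CHOICES = ["Alpha", "Beta", "Gamma"]       # constructed candidate list

def mac(key, *parts):
    """Keyed hash standing in for encryption under a ballot or voter key."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()[:16]

class Registrar:
    """Claim 218: registers voters, handing each a unique voter ID and a key."""
    def __init__(self):
        self.keys, self.voted = {}, set()

    def register(self):
        vid = f"V{len(self.keys) + 1:03d}"
        self.keys[vid] = secrets.token_bytes(16)
        return vid, self.keys[vid]

class Distributor:
    """Claims 221-223: inventory larger than the electorate, one key per ballot."""
    def __init__(self, n_ballots):
        self.keys = {f"B{i:03d}": secrets.token_bytes(16) for i in range(n_ballots)}
        self.issued, self.cast = set(), set()

    def distribute(self):
        bid = next(b for b in self.keys if b not in self.issued)
        self.issued.add(bid)
        # matching pair (Claim 222): plain-text choice -> version under the ballot key
        return bid, {c: mac(self.keys[bid], c) for c in CHOICES}

    def decryption_table(self):
        return {b: {mac(k, c): c for c in CHOICES} for b, k in self.keys.items()}

def run_election(choices, n_ballots):
    """Runs one election over a constructed list of voter choices; returns the
    counter's tally and the Claim 219 cross-checks keyed by the facility doing them."""
    reg, dist = Registrar(), Distributor(n_ballots)
    auth_keys = {}                                   # authenticator's copy of voter keys
    auth_list, auth_voters, counter_list = [], [], []   # lists later published
    for choice in choices:
        vid, vkey = reg.register()
        auth_keys[vid] = vkey
        bid, ballot = dist.distribute()
        enc_vote = ballot[choice]                    # voter submits the encrypted version
        tag = mac(vkey, bid, enc_vote)               # sealed with the voter's key
        # a) authenticator receives ballot ID, encrypted vote and voter ID
        if hmac.compare_digest(tag, mac(auth_keys[vid], bid, enc_vote)):
            auth_list.append((bid, enc_vote))
            auth_voters.append(vid)
            counter_list.append((bid, enc_vote))     # voter ID is not forwarded
        dist.cast.add(bid)                           # b) distributor told ballot was cast
        reg.voted.add(vid)                           # c) registrar told voter has voted
    table = dist.decryption_table()
    tally = Counter(table[b][e] for b, e in counter_list)   # counter decrypts and tallies
    checks = {
        "registrar: only registered voters voted": set(auth_voters) <= set(reg.keys),
        "verifier: authenticator and counter lists identical": sorted(auth_list) == sorted(counter_list),
        "verifier: tally reproduced from published list and table": Counter(table[b][e] for b, e in auth_list) == tally,
        "distributor: only issued, cast ballots appear": {b for b, _ in auth_list} <= dist.cast <= dist.issued,
    }
    return tally, checks
```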
PCT/US2001/048357 2000-12-06 2001-12-05 Electronic voting system WO2002046883A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2002232584A AU2002232584A1 (en) 2000-12-06 2001-12-05 Electronic voting system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/731,035 2000-12-06
US09/731,035 US20020077885A1 (en) 2000-12-06 2000-12-06 Electronic voting system

Publications (2)

Publication Number Publication Date
WO2002046883A2 true WO2002046883A2 (en) 2002-06-13
WO2002046883A3 WO2002046883A3 (en) 2003-01-30

Family

ID=24937772

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/048357 WO2002046883A2 (en) 2000-12-06 2001-12-05 Electronic voting system

Country Status (3)

Country Link
US (1) US20020077885A1 (en)
AU (1) AU2002232584A1 (en)
WO (1) WO2002046883A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
BE1021435B1 (en) * 2014-07-28 2015-11-20 Elegio METHOD FOR MANAGING AN ELECTRONIC VOTE

Families Citing this family (52)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050049082A1 (en) * 1998-03-18 2005-03-03 Callaway Golf Company Golf ball
US6418472B1 (en) * 1999-01-19 2002-07-09 Intel Corporation System and method for using internet based caller ID for controlling access to an object stored in a computer
US20060085647A1 (en) * 2000-03-24 2006-04-20 Neff C A Detecting compromised ballots
US20030028423A1 (en) * 2000-03-24 2003-02-06 Neff C. Andrew Detecting compromised ballots
US7389250B2 (en) * 2000-03-24 2008-06-17 Demoxi, Inc. Coercion-free voting scheme
US7099471B2 (en) * 2000-03-24 2006-08-29 Dategrity Corporation Detecting compromised ballots
KR20000064139A (en) * 2000-08-24 2000-11-06 이재학 Cyber-government system utilizing the internet network
US8554607B2 (en) * 2001-03-13 2013-10-08 Science Applications International Corporation Method and system for securing network-based electronic voting
US7729991B2 (en) * 2001-03-20 2010-06-01 Booz-Allen & Hamilton Inc. Method and system for electronic voter registration and electronic voting over a network
EP1374188A2 (en) * 2001-03-24 2004-01-02 Votehere Inc. Verifiable secret shuffles and their application to electronic voting
US20030014272A1 (en) * 2001-07-12 2003-01-16 Goulet Mary E. E-audition for a musical work
US20030023478A1 (en) * 2001-07-26 2003-01-30 Piccionelli Gregory A. Electronic initiative petition
EP1469429B1 (en) * 2001-12-12 2009-03-04 Scytl Secure Electronic Voting, S.A. Secure electronic voting method and the cryptographic protocols and computer programs used
US7080779B2 (en) * 2002-07-26 2006-07-25 Automark Technical Systems, Llc Ballot marking system and apparatus
US7344071B2 (en) * 2002-07-26 2008-03-18 Automark Technical Systems Llc Voting system and apparatus using voter selection card
US7163147B2 (en) 2002-07-26 2007-01-16 Automark Technical Systems, Llc Ballot marking system and apparatus utilizing dual print heads
US7100828B2 (en) * 2002-07-26 2006-09-05 Automark Technical Systems, Llc Voting system utilizing hand and machine markable ballots
US7222787B2 (en) 2002-07-26 2007-05-29 Automark Technical Systems, Llc Ballot marking system and apparatus utilizing single print head
US7753273B2 (en) 2002-07-26 2010-07-13 Es&S Automark, Llc Ballot marking system and apparatus utilizing multiple key switch voter interface
US7314171B2 (en) * 2002-07-26 2008-01-01 Automark Technical Systems, Llc Ballot marking system and apparatus having ballot alignment compensation
US7801826B2 (en) * 2002-08-08 2010-09-21 Fujitsu Limited Framework and system for purchasing of goods and services
US7822688B2 (en) * 2002-08-08 2010-10-26 Fujitsu Limited Wireless wallet
US7606560B2 (en) * 2002-08-08 2009-10-20 Fujitsu Limited Authentication services using mobile device
US20040107170A1 (en) * 2002-08-08 2004-06-03 Fujitsu Limited Apparatuses for purchasing of goods and services
US7784684B2 (en) 2002-08-08 2010-08-31 Fujitsu Limited Wireless computer wallet for physical point of sale (POS) transactions
FR2845501A1 (en) * 2002-10-02 2004-04-09 Benoit Chenon Online voting system for elections uses voting server accessible to voters returning votes to internal server which is inaccessible to voters
NL1021632C2 (en) * 2002-10-11 2004-04-14 Nedap Nv Electronic voting system, involves removing selected candidate from plus list and sending resulting minus list to computer for identity removal before minus lists are deducted from plus lists
JP2004165976A (en) * 2002-11-13 2004-06-10 Japan Information Technology Co Ltd System, method, and program for timing encryption/decryption
US20040128259A1 (en) * 2002-12-31 2004-07-01 Blakeley Douglas Burnette Method for ensuring privacy in electronic transactions with session key blocks
US7314172B2 (en) * 2003-01-17 2008-01-01 Automark Technical Systems, Llc Ballot marking system and apparatus having periodic ballot alignment compensation
US7430603B2 (en) * 2003-11-10 2008-09-30 Eath Co., Ltd. Aggregation system
US7134606B2 (en) * 2003-12-24 2006-11-14 Kt International, Inc. Identifier for use with digital paper
US7877605B2 (en) * 2004-02-06 2011-01-25 Fujitsu Limited Opinion registering application for a universal pervasive transaction framework
US20050197884A1 (en) * 2004-03-04 2005-09-08 Mullen James G.Jr. System and method for designing and conducting surveys and providing anonymous results
WO2005122049A2 (en) * 2004-06-07 2005-12-22 Dategrity Corporation Cryptographic systems and methods, including practical high certainty intent verification, such as for encrypted votes in an electronic election
ES2326175T3 (en) * 2004-06-30 2009-10-02 France Telecom PROCEDURE AND ELECTRONIC VOTING SYSTEM IN HIGH SECURITY NETWORK.
US7792694B2 (en) * 2004-12-16 2010-09-07 International Business Machines Corporation Method, system, and storage medium for assessing and implementing an organizational transformation
US20070106552A1 (en) * 2005-11-09 2007-05-10 Matos Jeffrey A Government systems in which individuals vote directly and in which representatives are partially or completely replaced
US7597258B2 (en) * 2006-04-21 2009-10-06 Cccomplete, Inc. Confidential electronic election system
US20080164329A1 (en) * 2007-01-04 2008-07-10 Victor Piorun Voting Apparatus and System
FR2934913B1 (en) * 2008-08-07 2012-10-19 Nicolas Marchal METHOD OF AUTHENTICATING AND SECURING AN ELECTRONIC VOTING SYSTEM AND ELECTRONIC VOTING SYSTEM USING SUCH A METHOD
CA2671269A1 (en) * 2009-07-08 2011-01-08 Ky M. Vu An anti-rigging voting system and its software design
GB2474074A (en) * 2009-10-05 2011-04-06 Your View Ltd Electronic voting
US8840022B1 (en) 2013-03-15 2014-09-23 Election Systems & Software, Llc System and method for decoding marks on a response sheet
WO2015120307A1 (en) * 2014-02-06 2015-08-13 Icitizen Corporation Methods and apparatus for voter registration and voting using mobile communication devices
FR3040519B1 (en) * 2015-08-28 2017-09-01 Election-Europe METHOD OF SECURING AND VERIFIABILITY OF AN ELECTRONIC VOTE
CN108494738B (en) * 2018-02-27 2020-10-27 华南理工大学 Verifiable post-quantum electronic voting system and implementation method thereof
CN108416891A (en) * 2018-05-21 2018-08-17 广西九星互联网络有限公司 Based on IP sections of network voting detection method and device of ballot
RU2747450C2 (en) * 2019-09-30 2021-05-05 Акционерное общество "Лаборатория Касперского" System and method of voting in electronic voting system
US11361606B1 (en) 2020-11-29 2022-06-14 Oren Zbeda Tamper resistant public ledger voting system
EP4298764A1 (en) * 2021-02-26 2024-01-03 Dye, Gordon, Robert Voting software system
US20230290208A1 (en) * 2022-01-27 2023-09-14 James McNulty Secure electronic voting method and apparatus

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1996002044A1 (en) * 1994-07-08 1996-01-25 Votation Corporation Remote recording computer voting system
US6081793A (en) * 1997-12-30 2000-06-27 International Business Machines Corporation Method and system for secure computer moderated voting
US6250548B1 (en) * 1997-10-16 2001-06-26 Mcclure Neil Electronic voting system
US20010034640A1 (en) * 2000-01-27 2001-10-25 David Chaum Physical and digital secret ballot systems
US20020019767A1 (en) * 2000-06-15 2002-02-14 Babbitt Victor L. Distributed network voting system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5583329A (en) * 1994-08-01 1996-12-10 Election Products, Inc. Direct recording electronic voting machine and voting process
US6175833B1 (en) * 1998-04-22 2001-01-16 Microsoft Corporation System and method for interactive live online voting with tallies for updating voting results
AU5805099A (en) * 1998-09-02 2000-03-21 Diversified Dynamics, Inc. Direct vote recording system

Also Published As

Publication number Publication date
AU2002232584A1 (en) 2002-06-18
WO2002046883A3 (en) 2003-01-30
US20020077885A1 (en) 2002-06-20

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PH PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP