Article Preview
Top1 Introduction
Electronic, mechanical, or electromechanical voting are nowadays form of voting commonly accepted in various countries worldwide. Despite of this diffusion, these voting techniques have been always criticized for many reasons. Typical critics are related to the possibility, for the voter, to audit his vote or have some kind of control on the underlying mechanism during the polling phase that is when the vote is cast. This kind of frights arise naturally from the intrinsic complexity and/or from the opacity of the mechanism itself and can be amplified by a justified sense of caution. These critics highlight that one of the most important open issues is security and in particular how to achieve or, eventually, increase it with respect to a traditional voting scenario. Electronic voting can, besides, enhance the accessibility to vote even for people living outside the country of origin or for disabled persons. Electronic voting, that is widely exploited, offers mainly two different approaches to solve both security and accessibility issues. The first approach aims to substitute traditional voting form in the polling stations with electronic machines trying to match the requirements for accessibility and security. The second tries to solve the accessibility issue by making people vote through web based or broadcasted applications, not disregarding the security of the communication channel that must be used in this case. Electronic voting machines in polling stations, named DRE (Direct Recording Electronic) voting systems (Federal Election Commision, 2001)(Federal Election Commision, 2001a), have been widely used especially after US presidential elections in 2000 when mechanical punching machines led to a large number of invalid ballots. Actually, despite of the confidence given by citizens to such a solution, DRE machines are very sensitive to various kind of attacks, as detailed in (Fisher & Coleman, 2005)(Kohno et al., 2007). In order to improve the security of DREs in terms of capability of performing an audit by the user, secrecy of vote, and relative independence from technical flaws the receipt approach has been proposed. As explained in (Chaum et al., 2008)(Chaum, 2004)(Essex et al., 2007) (Garera & Rubin, 2007) (Chaum et al., 2008), the central idea is to give the user an encrypted receipt which can be used to audit the vote as an evidence that the vote has been cast and that can be seen like the ballot itself, since the user's choice is encrypted. Typically these systems, implemented as electronic or manual, give as a result of the voting operation two distinct ballots. After the voting phase (this is part of the security mechanism) the user is asked to destroy one of these ballot, chosen by himself, and scan the other one. The scanned ballots are sent to a server that acts like a ballot repository. Since both the ballots are encrypted and only the combination of the two can give some chance of recovering the vote, at the end of the operation the voter owns an encrypted receipt. The actual ballot is readable only with the help of some codes owned by the trusted authority that controls the voting operation (e.g., the Ministry of Internal Affairs). To allow the user to audit his vote, every encrypted ballot is identified by a readable unique number. The number, that is decoupled from the user's identity, can be used to audit the ballot via web with the help of a specific web application.