Electronic Voting Using Identity Domain Separation and Hardware Security Modules


Thomas Rössler (Secure Information Technology Center Austria (A-SIT), Austria)
DOI: 10.4018/978-1-4666-0041-6.ch008


E-voting is gaining increasing interest in e-Democracy and e-Government movements. The technical security of electronic voting systems is of paramount importance, but the need to follow an all-embracing approach is also challenging and has to be addressed. This paper discusses e-voting as being a supreme discipline of e-Government. It introduces an innovative e-voting concept using the Internet as the voting channel. The concept introduced is based on Austrian e-Government elements and the Austrian identity management concept in particular. This paper presents a novel approach of building an e-voting system relying on two core principles: strong end-to-end encryption and stringent identity domain separation.
Chapter Preview


Voting is the most important tool in democratic decision making. Therefore, elections and referenda should be accessible to as many people as possible. It is especially difficult for citizens living abroad to participate in elections.

The word e-voting is a general term that refers to any type of voting in electronic form. This work introduces a remote Internet e-voting concept that suits the needs of international election fundamentals, as formulated by the Venice Commission (Venice Commission, 2002) and the Council of Europe (Council of Europe, 2004a, 2004b), and the needs of Austrian elections (Working-Group “E-Voting”, 2004) in particular.

Today, the e-Government infrastructure is highly developed in many member states of the European Union. Austria in particular has actively pursued its e-Government strategy since the beginning and thus is today one of the leading countries in Europe with respect to e-Government.

E-voting, seen as a special application of e-Government technologies, can be considered as being the supreme discipline of all e-Government applications due to its conflicting priorities of unique identification and perfect anonymity.

The proposed e-voting concept draws upon two principles in order to protect the election secrecy. On the one hand, the proposed e-voting system makes use of strong end-to-end encryption between the voter casting her vote and the electronic device responsible for counting. Thus, the cast vote is immediately encrypted by the voter after she has filled in her decision and is only decrypted for the single moment of counting. On the other hand, the proposed e-voting concept introduces a stringent domain separation model that has to ensure unique identification of voters during registration, but also guarantee perfect anonymity of cast votes. A special feature of the introduced e-voting concept is that, although votes are cast anonymously, it is still possible to determine whether a given voter has already cast her vote or not. This mechanism is available during the election event only. This is important and a big advantage of the proposed scheme, as it enables a voter to cast her vote conventionally at a polling station even though she had decided to vote electronically. This characteristic of the proposed e-voting concept addresses problems in connection with the Internet and the voter’s local infrastructure as raised, for instance, by the SERVE report (Jefferson, Rubin, Simons, & Wagner, 2004).

From a technical perspective, the proposed e-voting concept makes use of Austrian e-Government components such as the Citizen Card (Hollosi, Karlinger, Rössler, & Centner, 2008; Leitold, Hollosi, & Posch, 2002; see also Rössler, Hayat, Posch, & Leitold, 2005). Although the core principles of this e-voting concept are versatile, the resulting e-voting concept is tailored to a certain degree for Austrian elections. Thus, the proposed e-voting concept has been named “EVITA” (Electronic Voting over the Internet - Tailored for Austria). The EVITA voting model aims to follow the process model of conventional postal elections, which has two phases. In phase one, voters have to register, and in phase two the voting process is carried out. From a technical perspective, too, EVITA closely follows the model of postal elections. The EVITA scheme requires the voter's decision to be encrypted without any identifying information and additional voter-related information to be attached to the encrypted vote. This corresponds to postal elections, where the vote is put into an inner envelope which itself is wrapped in an outer envelope that contains additional identifying information about the voter.
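The envelope model and the "has she already voted" check described in the two paragraphs above, as an added example that is not taken from the chapter or from EVITA. It assumes the outer-envelope identifier is derived with a keyed HMAC whose key stands in for one held in a hardware security module; the class, its methods and the sample identifiers are hypothetical, and the chapter's own identifier derivation is the subject of its Sections 3 and 4.

```python
import hashlib
import hmac
import secrets


class ElectionDomain:
    """One election's identity domain; the key is assumed to live in an HSM."""

    def __init__(self, election_id: str):
        self.election_id = election_id.encode()
        self._key = secrets.token_bytes(32)  # assumption: never leaves the HSM
        self._ballot_box = {}                # voting pseudonym -> inner envelope

    def pseudonym(self, registration_id: str) -> str:
        """Derive the election-specific identifier written on the outer envelope."""
        if self._key is None:
            raise RuntimeError("election closed: derivation key destroyed")
        msg = self.election_id + b"|" + registration_id.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def cast(self, registration_id: str, encrypted_vote: bytes) -> bool:
        """Store the envelope pair; refuse a second vote under the same pseudonym."""
        p = self.pseudonym(registration_id)
        if p in self._ballot_box:
            return False
        self._ballot_box[p] = encrypted_vote  # inner envelope stays opaque here
        return True

    def has_voted(self, registration_id: str) -> bool:
        """Answerable only during the election event, e.g. for a polling station."""
        return self.pseudonym(registration_id) in self._ballot_box

    def close_and_release(self) -> list:
        """Destroy the key, strip outer envelopes, release shuffled inner ones."""
        self._key = None
        inner = list(self._ballot_box.values())
        self._ballot_box.clear()
        secrets.SystemRandom().shuffle(inner)
        return inner


if __name__ == "__main__":
    election = ElectionDomain("constructed-election-id")
    # Constructed placeholders for votes already encrypted on the voter's device.
    print(election.cast("reg-0001", b"<ciphertext A>"))
    print(election.cast("reg-0001", b"<ciphertext B>"))
    print(election.has_voted("reg-0002"))
    print(election.close_and_release())
```

Once `close_and_release` has run, the pseudonym for a registration identifier can no longer be recomputed, so the counting side receives only inner envelopes with no path back to the register.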

This paper introduces the core elements of the proposed EVITA voting concept. The rest of this paper is organised as follows. The next section explains the core principles of the EVITA concept and introduces the dual approach of using strong end-to-end encryption and stringent identity domain separation. Sections 3 and 4 elaborate these core aspects in detail in several sub-sections, in particular the creation of the identifiers following the Austrian electronic identity management. Section 5 briefly sketches the counting phase; in Section 6, two additional elements of the EVITA concept are accentuated: the structure of ballots and the principle of indirect voter authentication through cast votes. Finally, conclusions are drawn.
