WO2002063824A1 - Telecommunications protocol, system and devices for the anonymous and authentic conduct of an electronic election - Google Patents
- Publication number
- WO2002063824A1 (PCT/DE2001/002334)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- electronic
- election
- voting
- voter
- computer
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3255—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/42—Anonymization, e.g. involving pseudonyms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/46—Secure multiparty computation, e.g. millionaire problem
- H04L2209/463—Electronic voting
Definitions
- the present invention relates to a telecommunications protocol, telecommunications system and telecommunications devices for the anonymous and authentic handling of an electronic election.
- the invention presented here is used for voting electronically via data traffic networks, with voting, vote counting and authentication of the persons authorized to vote being carried out by electronic computers.
- the identification and authentication of the voter: The voter enters the polling station with his voting card and identifies himself there, for example by showing his identity card. He proves his eligibility for voting by means of a document (authentication document) sent to him.
- the election supervisor checks the documents, hands over the ballot and marks the voter in a list. He also keeps the election documents (authentication documents) sent to the respective voter, so that the election can only be carried out once.
- the voter identified and authenticated in this way is now allowed to vote.
- the voter carries out his election in a shielded room so that he alone knows his choice and then hands over his ballot to the ballot box.
- the vote count: The ballot box is opened under supervision and the votes are counted. The counted votes of all ballot boxes are added up and the election is evaluated on the basis of this result.
- This procedure makes it almost impossible to assign a cast vote to a specific voter, namely the one who cast the vote, and it excludes, within the framework of democratic procedures, manipulation of the election itself as well as manipulation of the election result by repeated voting.
- This complex procedure, which is repeated for every voter, suggests the use of electronic data processing systems.
- the usual tools such as computers, scanners and graphic processing systems are known, but are only used in the last of the three steps, the final vote count.
- Electronic procedures are already in use for elections with less official character, such as polls and votes.
- the periodically renewed ranking of popular pieces of music by choosing the title and the artist is now possible on the Internet. For the sake of data security, however, authentication of the voter is dispensed with, so that multiple votes are possible.
- an electronic polling station requests an electronic voting card from an electronic returning officer
- the electronic returning officer checks the eligibility of a voter using the electronic voting station to participate in the electronic election and, if the eligibility of the voter using the electronic voting station to participate in the electronic election is determined, sends an electronic voting card to the voting station,
- the electronic polling station provides the electronic voting form received by the electronic election supervisor with an election made electronically by a voter
- the electronic polling station sends the electronic voting slip provided with the election to an electronic voting computer for collection and / or evaluation.
- the last two requirements result in opposing requirements for the voting system to be used.
- the demand for the equality of the election means that the voter is identified and authenticated, but on the other hand, once the voter has been determined, the choice he has made cannot be traced back to him.
- the term "election" in the context of this document is generally understood in the sense of any vote, and therefore also in the sense of citizen decisions or referendums or the like.
- the object of the present invention is therefore to provide an electronic voting system which technically guarantees both anonymity (that is, the secret of the choice) and authenticity (and therefore also the equality of the choice).
- an electronic polling station requests an electronic polling card from an electronic polling officer
- the electronic polling officer checks the authorization of a voter using the electronic polling station to participate in the electronic poll and in the event of determining the eligibility of the voter using the electronic polling station to participate in the electronic election, sends an electronic ballot to the polling station
- the electronic polling station provides the electronic polling card received by the electronic polling officer with an election made electronically by a voter
- the electronic polling station sends the electronic voting slip provided with the election to an electronic election computer for collection and / or evaluation, and which is characterized in that
- the data uniquely assigned to the person of the voter and the electronic choice made by the voter are, in all phases of processing or transmission, either separated or encrypted or separated and encrypted.
- an electronic election manager preferably a server computer system, which, preferably via a telecommunication network, is connected to at least one electronic polling station (pollster), preferably a client computer system, and the electronic election manager is set up in terms of programming so that he checks the authorization of a voter using the electronic voting station to participate in an electronic election, whereby he is also characterized in that the data clearly assigned to the person of the voter and the electronic choice made by the voter in all phases of processing on the electronic returning officer or transmission to or from the electronic returning officer are either separated or encrypted or separated and encrypted.
- an electronic voting computer, preferably a server computer system, which is connected, preferably via a telecommunication network, to at least one electronic polling station (pollster), preferably a client computer system, the electronic voting computer being set up in terms of programming in such a way that it collects and / or evaluates the electronic voting cards sent to it by the electronic polling station, and which is also characterized in that the data clearly assigned to the person of the voter and an electronic choice made by the voter are, in all phases of processing on the electronic voting computer or transmission to or from the electronic election supervisor, either separated or encrypted or separated and encrypted, is used to achieve the above object.
- data packets also called datagrams or telegrams
- data packets either contain no information about the voter identity or contain information about this (namely for the purpose of identification and authentication), but then they are encrypted, which results in a so-called information-based separation of powers and anonymity and ensures authenticity of choice.
- a particularly preferred embodiment of the telecommunication protocol for the anonymous and authentic handling of an electronic election is characterized in that the electronic polling station sends the electronic ballot, with the choice made and with an identifier assigned to the voter, back to the electronic election officer in encrypted form; the electronic election officer signs the encrypted electronic ballot sent back to him and then sends it, signed by him, to the electronic polling station; the electronic polling station decrypts the electronic voting slip provided with the election and signed by the electronic election supervisor, removes the identifier assigned to the voter and, if the voting slip is authentic, sends it without the identifier but with the signature to the electronic election computer for collection and / or evaluation.
- coding and encryption methods are preferably used which encrypt the data generated during the electronic voting, such as personal data and voting data, in such a way that, in the event of unauthorized access, this data is illegible and therefore unusable.
- particularly preferably, coding and encryption methods are used which are known only to the electronic election supervisor (validator), the electronic election computer (psephor) and the electronic polling station (pollster).
- These private coding and encryption methods are therefore only known to the computer which uses them, i.e. it alone can encrypt and then decrypt a data packet using these methods.
- Coding and encryption methods which allow the use, ie also reading, of data only for certain groups and exclude other groups from this use can also be used.
- This measure namely the use of different coding and encryption methods, forms the basis for a transfer method of data packets which can now be sorted, counted and managed by the recipient, but the original information of the data packets is not known to the recipient.
- This means that procedures can be formally controlled and reproduced without the risk of disclosure of information.
- the encryption of the data packets can also be carried out asymmetrically.
- a data packet sent in this way can have the following structure:
- A pub (B priv (message); message)
- A is the receiver and B is the transmitter.
- This data packet contains the same message twice.
- on the one hand this message is encrypted with a private code from the sender B; on the other hand it is unencrypted.
- the entire data packet is encoded again with the public key of the recipient, A pub. Only the recipient can open the data packet and then read the unencrypted message.
- Receiver A cannot decrypt the message encrypted with the sender's private code. This only serves as a possible check by the sender as to whether the data packet was changed during the transmission. If this is the case, i.e. if the two initially identical messages are no longer identical, the message was manipulated without authorization. A possible manipulator would have to obtain two keys held at separate locations in order to be able to change a data packet structured in this way without being noticed.
- the actual electronic voting according to the telecommunications protocol presented here preferably takes place in the following 11 steps: All data packets which are transferred in the context of the electronic voting according to the telecommunications protocol presented here are encoded using at least one encryption method.
- the election process is opened, in which an election registration w of the voter is submitted to the electronic election supervisor, the validator, and checked for the voting rights of the respective voter.
- the electronic polling station the so-called pollster, connects to the validator via the network.
- a data packet which contains the election registration w is now transmitted from the pollster to the validator.
- the validator checks the digital election registration w transmitted by the pollster, namely the digital election registration w contained in the data packet, by comparing it with the digital data, preferably stored in a TrustCenter, and then either confirms the voting authorization for this voter or, in the event of any discrepancies, immediately aborts the voting process. If the right to vote exists, the validator checks whether voting approval can be granted. To do this, he checks the electoral roll for a possible entry. If a ballot of the voter already exists for the present right to vote, the election process is also aborted at this point. This prevents multiple votes. If the voter has not yet submitted a voting slip for this right to vote, voting approval must still be granted.
- For the final approval of the election, the voter must now be properly identified. The voter is also identified online. For this purpose, a data packet is in turn sent from the pollster to the validator. The latter then compares the data transmitted in the data packet with the data present in the electoral register and valid for this election. If there is an entry with the corresponding data, the voter has properly identified himself. The properly identified voter is now entitled to vote. The validator now gives the pollster the voting approval for this properly identified voter. For this purpose, the voting approval is transferred from the validator to the pollster in the form of a data packet. Without the granted voting approval, no further data transmission from the pollster to the validator for the continuation of this already initiated voting process is possible.
- an electronic ballot preferably a datagram, for example particularly preferably also in the form of a website or an e-mail
- the electronic voting form issued by the validator and transmitted to the pollster must be filled in; preferably an electronic pointing device, such as a mouse or an electronic pen, is used for this purpose. This increases the ease of use and reduces the number of invalid ballots.
- the poll string ws generated in this way (the completed website, i.e. the electronic ballot with the vote) is encrypted by the pollster and sent back to the validator.
- the validator is now not able to decrypt this electronic voting form because it does not have the necessary information, i.e. the decryption code.
- the validator signs the ballot, ie it ensures the submission of the ballot up to this step and the formal correctness of the electronic ballot.
- the voting slip signed in this way is then sent back to the pollster.
- the pollster decrypts the electronic voting slip signed by the validator, removes the identifier assigned to the voter (for example, all personal data or an anonymized identifier) and sends a data packet containing the election string to the electronic voting computer (the ballot box), i.e. the psephor. With the receipt of the electronic ballot paper and its storage in the ballot box, the electoral roll is blocked for the corresponding voter.
- a simple electronic note is sufficient for this, such as a change in the status information in the respective field of the electoral roll. It is therefore impossible for a voter to cast his vote more than once; on the other hand, if the election is terminated due to a technical defect, such as a power failure and the resulting interruption of data flow in the electoral network, these voters can carry out the election again. After a complete, properly conducted election, the voter receives a message that expressly confirms this. The electronic election supervisor then no longer sends a polling card to the voter who has already voted; polling cards that may have been submitted multiple times are only taken into account in the form of the first properly signed ballot paper received by the psephor; all others are not taken into account.
- the encrypted votes are transferred from the psephor to electronic buffers and then completely handed over to the validator, who then counts and then calculates the result.
- digital signatures offer the possibility of making the process sequence safe and comfortable.
- Data packets provided with digital signatures can be clearly assigned to the validator, psephor or pollster, depending on who signed the respective data packet from the above-mentioned network participants.
- the digital signature also takes on the function of a clearly identifiable signature, so that the signed data packets are guaranteed to be checked and processed in a certain way.
- the validator signs the ballot paper filled in by the voter and sent by the pollster without being able to find out its contents.
- the signature of the validator then added to the data packet thus guarantees the pollster that the data packet transferred back can be processed properly and can thus participate in the election. In this step, the voter sees that the validator has accepted his own choice, i.e.
- the telecommunications protocol according to the invention thus protects particularly effectively against undesired manipulation of the voting system.
- an electronic election supervisor (validator) who is set up in terms of programming so that he checks the eligibility of a voter using an electronic polling station to participate in an electronic election and, if the entitlement of the voter using the electronic polling station is determined, to participate in the electronic election sends the electronic ballot to the polling station and the electronic election supervisor signs an encrypted electronic voting slip sent back to him from the electronic polling station and then sends it back to the electronic polling station, signed by him, and
- an electronic voting computer (psephor, urn) which is set up in terms of program technology so that it only collects and / or evaluates electronic voting cards which are also signed by an electronic election manager.
- a further embodiment of the telecommunications protocol for the anonymous and authentic handling of an electronic election is characterized in that the identifier assigned to the voter is an identification that identifies the voter.
- the identifier assigned to the voter can also be anonymously assigned to the voter and thus does not represent an identification of the voter. This can preferably be done in that the voter-specific data, for example the personal data, is eliminated in the first steps of the electronic election. The earlier such direct anonymization of the voter is carried out, the safer the voter is from being identified by unauthorized persons.
- a further embodiment of the telecommunication protocol for the anonymous and authentic handling of an electronic election is characterized in that the electronic polling station decrypts the electronic voting slip provided with the election and signed by the electronic election supervisor, removes the identifier assigned to the voter and sends the electronic voting slip without the identifier but with a signature to the electronic voting computer for collection and / or evaluation only if the electronic polling station determines the authenticity of the signed electronic voting slip in such a way that the identifier assigned to the voter, after receipt from the electronic election officer, corresponds to the identifier as it was sent from the electronic polling station to the electronic election officer.
- Another embodiment of the telecommunications protocol for the anonymous and authentic handling of an electronic election is characterized in that the electronic polling station decrypts the electronic voting slip provided with the election and signed by the electronic election supervisor, removes the identifier assigned to the voter and sends the electronic voting slip without the identifier but with a signature to the electronic voting computer for collection / evaluation only if the electronic polling station determines the authenticity of the signed electronic voting slip in such a way that the choice made by the voter corresponds to the choice as it was sent from the electronic polling station to the electronic election officer.
- the aforementioned embodiments relate to a particularly secure way of transmitting an already signed electronic voting form from the electronic polling station to the electronic voting computer, which concerns the type of verification of the content of the electronic voting form by the electronic polling station.
- a further embodiment of the telecommunications protocol according to the invention is characterized in that electronic ballots are only collected on the electronic voting computer, but are not evaluated.
- the electronic voting cards collected by the electronic voting computer are preferably sent to the electronic election manager for evaluation.
- a particularly preferred embodiment of the telecommunication protocol for the anonymous and authentic handling of an electronic election is further characterized in that only those electronic voting cards are evaluated which are also signed by the electronic election supervisor.
- This embodiment is an additional security measure, which preferably enables a further control step at the end of the election, for example at the psephor or the validator.
- a further embodiment of the telecommunications protocol for the anonymous and authentic handling of an electronic election is characterized in that the evaluation of the electronic voting cards takes the form of a count, preferably according to election categories, of the choice made in each case, as is usually done in a political election or vote.
- At least one of the following encryption methods can be used to operate the telecommunications protocol according to the invention:
- a hash function preferably a one-way hash function.
- the data is encrypted using a number known only to the user so that it is available for formal processing, such as counting, archiving and identification with a digital signature, while its content, such as the election string, is known only to the user.
- the data is saved using a hash function.
- the use of a hash function instead of the actual message can also lead to a significant reduction in the data packet size and thus significantly reduce the transmission time.
- the electronic polling station (pollster) used to operate the telecommunications method according to the invention, preferably a client computer system, is connected, preferably via a telecommunications network, to an electronic election supervisor (validator), preferably a first server computer system, and an electronic voting computer (psephor, urn), preferably a second server computer system, and is characterized in that it is set up in terms of programming so that it handles its communication traffic to the electronic election manager and to the electronic election computer according to an embodiment of the telecommunications protocol according to the invention.
- the electronic polling station can have a reading device for reading an electronically readable data carrier, preferably a non-rewritable data carrier, particularly preferably a chip card or a CD-ROM or also a DVD, which serves to authenticate or identify the voter by means of the non-rewritable data carrier.
- Authentication / identification of the voter can be carried out using an electronically readable medium.
- This automation of the authentication means a clear time saving and less personnel, since not every voter has to be identified visually, but rather identifies himself with the help of his chip voting card, which can be created forgery-proof these days.
- the electronic polling station can also have a reading device for carrying out a biometric identification, preferably a retina scanner or a fingerprint reader, particularly preferably a sensor field, which serves to identify the voter.
- the voter is identified using a biometric method, for example by scanning a palm.
- biometric measurement methods allow unambiguous identification, so that this identification method, together with secure authentication, almost excludes manipulation of the polling poll on the voter.
- the electronic polling station can also have an electronic voting panel (1), which preferably also has a reading unit for the electronically readable chip card and thus enables inexperienced voters, with appropriate operator guidance, to use the polling station without outside help, which also serves to ensure anonymity.
- the software modules required to operate the electronic polling station can also be present on non-rewritable data carriers, preferably on CD-ROM or on DVD. This makes manipulation of the pollster, for example by Trojans, more difficult but increases the mobility of the pollster, so that the home PC also comes into question as an electronic polling station.
- a combination of the CD-ROM as a carrier of the operating software modules and as an identification badge for the voter is also possible.
- All - in particular the above-described - embodiments of the telecommunication protocol according to the present invention, as well as the methods for operating the individual system components according to the present invention, that is to say in particular of the validator, pollster and psephor, are each of course suitable as a computer program product which contains a computer-readable medium with computer program.
- Fig. 4 is an electronic voting booth
- FIG. 1 shows schematically the flow of information in an electronic election in the form of a publicly controlled Internet voting booth election. The following transmission protocol could be used for this.
- W pub: public key of the voter
- V priv, V pub: private and public key of the validator
- the electoral office server contains the file "Electoral district constituency XX" with the following fields:
- FV AV WS 10
- ZIP code ZIP code
- a token list (TL) is kept for correspondence selection:
- F_TL_WS election status of the wtoken; 0 - not used
- the urn file WL has the following structure:
- Wtoken: voting card identifier
- E pub (voting form (x)): voter's vote encrypted with the public key of the electoral board
- F_P_Apub public key of the anonymous identity of the voter (A pub )
- F_P_Vpriv: the hash value of the vote signed by the validator, the ballot ID V priv (hash (E pub (ballot (x)), wtoken))
- F_P_Apriv_w Control: election control string signed with the private key of the anonymous identity, A priv (w Control) or A priv (hash (w Control))
- F_P_Wtoken wtoken (voting slip identification)
- F_P_Status 0 - not used; (1 - issued)
- the system run can be varied depending on whether the choice is made from a publicly controlled input station (voting booth, public terminal) or from a private input station (PC or similar). Depending on the reason for the election and the context of the election, the security requirements can be changed and the protocol can be varied.
- the electronic election takes place in 11 phases:
- the transferred data packet message 0 contains information for establishing an SSL connection between pollster and validator
- the validator creates a random election control string, namely w Control.
- the hash value of the election control string is calculated, ie hash (w control).
- the public key of the electoral office V pub, the election control string and the signed hash value are transmitted as message 1 from the validator to the pollster.
- the data packet message 1 contains: (V priv (hash (w Control)); w Control; V pub )
- Phase 2 Transfer of a data packet from Pollster to Validator:
- the pollster checks the identity of the validator.
- the pollster uses the hash function to check the correctness of the transmission.
- the data packet message 2 thus contains: V pub (W priv (w Control); W pub )
- Phase 3 Transfer of a data packet from Validator to Pollster:
- the validator checks the identity and voting rights of the voter.
- the hash value of the voting documents (ballot), the public key of the psephor (P_pub) and the public key of the election committee (E_pub) is formed: hash(ballot, P_pub, E_pub)
- the signed hash value and the election documents are encrypted with the voter's public key and sent as a message from the validator to the pollster.
- the data packet message 3 thus contains: W_pub(V_priv(hash(ballot, P_pub, E_pub)); ballot; P_pub; E_pub)
- Phase 4 Transfer of a data packet from Pollster to Psephor:
- the pollster decrypts the message and checks the correctness.
- the pollster generates a random key pair as an anonymous identity (A_priv, A_pub)
- the signed public key, the election control string and the public key of the anonymous identity are encrypted with the public key of the psephor and sent as a message from the pollster to the psephor.
- the data packet message 4 thus contains: P_pub(A_priv(w_control, A_pub); w_control, A_pub)
- Phase 5 Transfer of a data packet from Psephor to Pollster:
- the psephor decrypts message 4 and checks it for correctness.
- the psephor assigns a unique k-digit voting token (wtoken) for A_pub.
- the following field values are set:
- the data packet message 5 thus contains: A_pub(P_priv(wtoken); wtoken;)
- Phase 6 Transfer of a data packet from Pollster to Validator:
- the pollster decrypts message 5 and checks the correctness of the transmission.
- ballot (x) is the completed ballot.
- the completed ballot(x) is encrypted with the public key of the election board E_pub: E_pub(ballot(x))
- the pollster hashes the encrypted vote together with the wtoken: hash(E_pub(ballot(x)), wtoken)
- the signed, blinded and hashed value of the encrypted vote and the ballot number, together with the blinded value itself, are encrypted with the public encryption key and sent as a message from the pollster to the validator.
- the data packet message 6 thus contains:
- V pub W priv (blind (m, hash (E pub (ballot (x)), wtoken))); blind (m, hash (
- Phase 7 Transfer of a data packet from Validator to Pollster:
- the validator decrypts message 6 and checks the correctness.
- the data packet message 7 thus contains:
- W_pub(V_priv(blind(m, hash(E_pub(ballot(x)), wtoken)), WL); blind(m, hash(E_pub(ballot(x)), wtoken)); WL)
- Phase 8 Transfer of a data packet from Pollster to Psephor:
- the pollster decrypts message 7 and checks the digital signature and correctness.
- the pollster signs the encrypted voting decision, ballot number and polling station number. The values signed by the electoral office and by the anonymous identity are encrypted with the psephor's public key and sent to the psephor.
- the data packet message 8 thus contains: P_pub(V_priv(hash(E_pub(ballot(x)); wtoken), WL); A_priv(E_pub(ballot(x)), wtoken, WL); wtoken)
- Phase 9 Transmission of a data packet from Psephor to Pollster:
- the psephor places E_pub(ballot(x)) and the ballot number in the ballot box WL
- F_P_Apriv: A_priv(E_pub(ballot(x)), wtoken, WL)
- the psephor generates a unique election control number i
- this signed election confirmation is encrypted with the public key of the anonymous identity and sent to the pollster by the psephor.
- the data packet message 9 thus contains: A_pub(P_priv(election confirmation); election confirmation)
- Phase 10 Transfer of a data packet from Pollster to Validator:
- the pollster decrypts and checks the correctness of the message 9.
- the election control number i is issued to the voter.
- the pollster forwards this message, signed and encrypted, to the validator
- the data packet message 10 thus contains: V_pub(W_priv(P_priv(election confirmation); W_pub); election confirmation; W_pub)
- Phase 11 Transfer of a data packet from Validator to Pollster
- the validator decrypts and checks the correctness of the message 10.
- the validator generates an election control number i
- the validator sends the election confirmation with the election control number i
- the data packet message 11 thus contains: W_pub(V_priv(P_priv(election confirmation), i); election confirmation; i)
- the pollster checks the message
- the election confirmation and the election control number i are communicated and/or printed out on the input monitor.
- FIG. 2 schematically shows the information flow of the electronic election in the form of an Internet absentee election. With this form of election, the public voting booths are omitted. The vote can be cast on any PC connected to the Internet.
- before the election, the psephor generates a list of k-digit voting tokens (ballot IDs) and sends them encrypted to the validator. (The list can also be brought to the validator saved on a medium.) Here TL represents the token list (each voting token is also encrypted).
- the data packet contains the following information: V_pub(P_priv(hash(TL)), TL)
- the validator then confirms receipt of the list with the data packet: P_pub(V_priv(hash(TL)), TL)
- the data packet message 0 contains information on establishing an SSL connection between pollster and validator.
- Phase 1 Transfer of a data packet from Validator to Pollster:
- the validator creates a random election control string (w_control)
- the hash value of the election control string is calculated: hash(w_control)
- the data packet message 1 thus contains: (V_priv(hash(w_control)); w_control; V_pub)
- Phase 2 Transfer of a data packet from Pollster to Validator:
- the pollster checks the identity of the validator.
- the pollster uses the hash function to check the correctness of the transmission
- the pollster sends this message to the validator.
- the data packet message 2 thus contains: V_pub(W_priv(w_control); W_pub)
- Phase 3 Transfer of a data packet from Validator to Pollster:
- the validator checks the identity and voting rights of the voter
- the hash value of the election documents (ballot), the public key of the psephor (P_pub) and the public key of the election committee (E_pub) is formed: hash(ballot, P_pub, E_pub)
- this hash value is signed by the electoral office with V_priv: V_priv(hash(ballot, wtoken, P_pub, E_pub))
- the signed hash value and election documents (ballot, wtoken, P_pub, E_pub) are encrypted with the voter's public key and sent as a message from the validator to the pollster.
- the data packet message 3 thus contains: W_pub(V_priv(hash(ballot, wtoken, P_pub, E_pub)); ballot; wtoken, P_pub; E_pub)
- Phase 4 Transfer of a data packet from Pollster to Validator:
- the pollster decrypts the message and checks the correctness of the transmission.
- ballot (x) is the completed ballot.
- the completed ballot(x) is encrypted with the public key of the election board E_pub: E_pub(ballot(x))
- the signed blinded and hashed value of the encrypted vote and the ballot number and the blinded value itself are encrypted with the public key of the electoral office and sent as a message from the pollster to the validator.
- the data packet message 4 thus contains: V_pub(W_priv(blind(n, hash(E_pub(ballot(x)), wtoken))); blind(n, hash(E_pub(ballot(x)), wtoken)))
- Phase 5 Transfer of a data packet from Validator to Pollster:
- the validator decrypts message 4 and checks the correctness.
- the polling station numbers are encrypted with the voter's public key and sent back to the pollster.
- the data packet message 5 thus contains: W_pub(V_priv(blind(m, hash(E_pub(ballot(x)), wtoken)), WL); blind(m, hash(E_pub(ballot(x)), wtoken)); WL)
- Phase 6 Transfer of a data packet from Pollster to Psephor:
- the pollster decrypts the message and checks the digital signature and correctness of the message.
- the pollster signs the encrypted voting decision, ballot number, constituency / polling station number.
- the values V_priv(hash(E_pub(ballot(x)), wtoken), WL) and A_priv(E_pub(ballot(x)), wtoken, WL), signed by the electoral office and by the anonymous identity, are encrypted with the public key of the psephor and sent to the psephor. This message is sent as an e-mail with an anonymized, possibly fictitious sender IP, which the server can control via a firewall.
- the data packet message 6 thus contains: P_pub(V_priv(hash(E_pub(ballot(x)), wtoken), WL); A_priv(E_pub(ballot(x)); wtoken, WL); A_pub)
- Phase 7 Transfer of a data packet from Psephor to Validator
- the psephor decrypts the message.
- the signature of the electoral office is checked with V_pub
- the signature of the anonymous identity is checked with A_pub.
- the psephor places E_pub(ballot(x)) and the ballot number in the ballot box WL.
- F_P_Apriv: A_priv(E_pub(ballot(x)), wtoken, WL)
- the voting status code F_P_WS is set to 9 (ballot in ballot box).
- this message is signed by the psephor, encrypted with the validator's public key and sent to the validator.
- the data packet message 7 thus contains: V_pub(P_priv(wtoken, election confirmation); wtoken; election confirmation)
- Phase 8 Transfer of a data packet from Validator to Pollster
- the validator decrypts and checks the correctness of the message 7.
- the validator forms an election control number i and forwards the election confirmation and the election control number to the pollster:
- the data packet message 8 thus contains: W_pub(V_priv(election confirmation, i); P_priv(election confirmation, i);)
- Phase 9 Transmission of a data packet from Psephor to the validator
- V_pub(P_priv(Urne_XX), Urne_XX)
- the votes are decrypted and counted by the electoral board using E priv .
- FIG. 3 shows an electronic vote input panel 1.
- This is a panel which is preferably set up in the public voting booth and which enables the user to be clearly identified by means of biometric measurement.
- sensor fields 2 are attached to the panel.
- FIG. 4 shows an electronic voting booth 3 with the electronic vote input panel 1. This electronic voting booth 3 is connected directly to the election network and thus enables the direct and simple handling of the election.
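
The blind-signature steps described above (the pollster blinds hash(E_pub(ballot(x)), wtoken), the validator signs the blinded value with V_priv, and the psephor later checks the signature with V_pub) can be illustrated as follows. This is an added example, not code from the patent: the text does not name the blinding scheme, so textbook RSA blinding is assumed, and the toy key, function names and sample values are constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy validator key pair (V_pub, V_priv), constructed for this example from
# two Mersenne primes. Far too small for real use; real keys are >= 2048 bits.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def ballot_digest(enc_ballot: bytes, wtoken: bytes) -> int:
    """hash(E_pub(ballot(x)), wtoken), reduced mod N (toy full-domain hash)."""
    h = hashlib.sha256()
    # Length-prefix both fields so the ballot/token boundary is unambiguous.
    for field in (enc_ballot, wtoken):
        h.update(len(field).to_bytes(4, "big") + field)
    return int.from_bytes(h.digest(), "big") % N


def blind(digest: int) -> tuple:
    """Pollster: hide the digest behind a fresh random factor m."""
    while True:
        m = secrets.randbelow(N - 2) + 2
        if gcd(m, N) == 1:
            return (digest * pow(m, E, N)) % N, m


def validator_sign(blinded: int) -> int:
    """Validator: V_priv(blind(m, ...)); it only ever sees the blinded value."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, m: int) -> int:
    """Pollster: strip m to obtain V_priv(hash(E_pub(ballot(x)), wtoken))."""
    return (blind_sig * pow(m, -1, N)) % N


def psephor_verify(sig: int, enc_ballot: bytes, wtoken: bytes) -> bool:
    """Psephor: check the electoral office signature with V_pub = (N, E)."""
    return pow(sig, E, N) == ballot_digest(enc_ballot, wtoken)


def run_exchange(enc_ballot: bytes, wtoken: bytes) -> dict:
    """Blind, sign and unblind once; return what each party handled."""
    digest = ballot_digest(enc_ballot, wtoken)
    blinded, m = blind(digest)
    sig = unblind(validator_sign(blinded), m)
    return {"digest": digest, "blinded": blinded, "sig": sig}


if __name__ == "__main__":
    # Constructed sample values standing in for E_pub(ballot(x)) and wtoken.
    ct, token = b"\x8f\x02 constructed ciphertext", b"4711-0815"
    out = run_exchange(ct, token)
    print("validator saw the real digest:", out["blinded"] == out["digest"])
    print("psephor accepts:", psephor_verify(out["sig"], ct, token))
    print("accepts with another wtoken:", psephor_verify(out["sig"], ct, b"4711-0816"))
```

Because the signature covers the wtoken together with the encrypted vote, a signature obtained for one voting token does not verify for another, while the validator that issued it never sees the unblinded digest.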
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Time Recorders, Drive Recorders, Access Control (AREA)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP01951428A EP1358734A1 (de) | 2001-02-05 | 2001-06-28 | Telekommunikationsprotokoll, -system und -vorrichtungen zur anonymen und authentischen abwicklung einer elektronischen wahl |
DE10195983T DE10195983D2 (de) | 2001-02-05 | 2001-06-28 | Telekommunikationsprotokoll, -system und -vorrichtungen zur anonymen und authentischen Abwicklung einer elektronischen Wahl |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE10105334 | 2001-02-05 | ||
DE10105334.7 | 2001-02-05 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2002063824A1 true WO2002063824A1 (de) | 2002-08-15 |
Family
ID=7673026
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/DE2001/002334 WO2002063824A1 (de) | 2001-02-05 | 2001-06-28 | Telekommunikationsprotokoll, -system und -vorrichtungen zur anonymen und authentischen abwicklung einer elektronischen wahl |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP1358734A1 (de) |
DE (1) | DE10195983D2 (de) |
WO (1) | WO2002063824A1 (de) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2006000245A1 (en) * | 2004-06-28 | 2006-01-05 | Genactis, Sarl | Transmission of anonymous information through a communication network |
US7925372B2 (en) | 2003-10-17 | 2011-04-12 | Trinary Anlagenbau Gmbh | Neutral data computer control system for a machine tool used to produce workpieces with a threaded surface and associated machine tool |
US8402550B2 (en) | 2003-10-17 | 2013-03-19 | Trinary Anlagenbau Gmbh | Method and device for preventing a control error of a machine tool |
DE102011122031A1 (de) * | 2011-12-22 | 2013-06-27 | Giesecke & Devrient Gmbh | Verfahren zum Absichern eines elektronischen Wahlverfahrens |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6081793A (en) * | 1997-12-30 | 2000-06-27 | International Business Machines Corporation | Method and system for secure computer moderated voting |
-
2001
- 2001-06-28 EP EP01951428A patent/EP1358734A1/de not_active Withdrawn
- 2001-06-28 WO PCT/DE2001/002334 patent/WO2002063824A1/de not_active Application Discontinuation
- 2001-06-28 DE DE10195983T patent/DE10195983D2/de not_active Expired - Fee Related
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6081793A (en) * | 1997-12-30 | 2000-06-27 | International Business Machines Corporation | Method and system for secure computer moderated voting |
Non-Patent Citations (3)
Title |
---|
BONETTI P ET AL: "The Italian academic community's electronic voting system", COMPUTER NETWORKS, ELSEVIER SCIENCE PUBLISHERS B.V., AMSTERDAM, NL, vol. 34, no. 6, December 2000 (2000-12-01), pages 851 - 860, XP004304824, ISSN: 1389-1286 * |
CRANOR L F ET AL: "SENSUS: A SECURITY-CONSCIOUS ELECTRONIC POLLING SYSTEM FOR THE INTERNET", PROCEEDINGS OF THE HAWAII INTERNATIONAL CONFERENCE ON SYSTEM SCIENCES, XX, XX, vol. 3, 7 January 1997 (1997-01-07), pages 561 - 570, XP002929749 * |
MU Y ET AL: "ANONYMOUS SECURE E-VOTING OVER A NETWORK", PROCEEDINGS. ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE, XX, XX, vol. 14, CONF, 1998, pages 293 - 299, XP000869577 * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7925372B2 (en) | 2003-10-17 | 2011-04-12 | Trinary Anlagenbau Gmbh | Neutral data computer control system for a machine tool used to produce workpieces with a threaded surface and associated machine tool |
US7983786B2 (en) | 2003-10-17 | 2011-07-19 | Trinary Anlagenbau Gmbh | Neutral data computer control system for a machine tool used to produce workpieces with a threaded surface and associated machine tool |
US8402550B2 (en) | 2003-10-17 | 2013-03-19 | Trinary Anlagenbau Gmbh | Method and device for preventing a control error of a machine tool |
WO2006000245A1 (en) * | 2004-06-28 | 2006-01-05 | Genactis, Sarl | Transmission of anonymous information through a communication network |
DE102011122031A1 (de) * | 2011-12-22 | 2013-06-27 | Giesecke & Devrient Gmbh | Verfahren zum Absichern eines elektronischen Wahlverfahrens |
Also Published As
Publication number | Publication date |
---|---|
DE10195983D2 (de) | 2004-01-22 |
EP1358734A1 (de) | 2003-11-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE3303846C2 (de) | ||
DE69605627T2 (de) | Anonymes Informationsverwaltungssystem für Statistiken, insbesondere für elektronische Wahlverfahren oder periodische Verbrauchsstücklisten | |
DE3841393C2 (de) | Zuverlässiges System zur Feststellung der Dokumentenechtheit | |
DE69919020T2 (de) | Methode und system zur durchführung von schnellen elektronischen lotterien | |
DE10124111B4 (de) | System und Verfahren für verteilte Gruppenverwaltung | |
DE602004007254T2 (de) | System und verfahren zum authentifizieren von dokumenten | |
DE102006039662B4 (de) | Elektronisches Onlinewahlen-System | |
EP0440914A2 (de) | Verfahren zum Zuordnen von Nutzdaten zu einem bestimmten Absender | |
WO2004114173A2 (de) | Produktschutz-portal und verfahren zur echtheitsprüfung von produkten | |
EP2438707A2 (de) | Pseudonymisierte authentifizierung | |
WO2018065441A1 (de) | Verfahren zur elektronischen dokumentation von lizenzinformationen | |
DE60122349T2 (de) | Verahren zur erzeugung von nachweisen über das senden und empfangen eines elektronischen schreibens und seines inhaltes über ein netzwerk | |
DE102018109825A1 (de) | Wahlverfahren und Stimmabgabegerät | |
DE102008028701A1 (de) | Verfahren und System zum Erzeugen einer abgeleiteten elektronischen Identität aus einer elektronischen Hauptidentität | |
EP1358734A1 (de) | Telekommunikationsprotokoll, -system und -vorrichtungen zur anonymen und authentischen abwicklung einer elektronischen wahl | |
EP3734478A1 (de) | Verfahren zur vergabe von zertifikaten, leitsystem, verwendung eines solchen, technische anlage, anlagenkomponente und verwendung eines identitätsproviders | |
DE102007014175A1 (de) | Kontrollbasiertes elektronisches Wahlsystem | |
EP1625467B1 (de) | Elektronisches übermitteln von dokumenten | |
DE602005000234T2 (de) | Verfahren zur gesicherten Abfrage von Lieferscheinen für Gegenstände | |
DE10325491A1 (de) | Wahlverfahren mit Abgabe und Kontrolle der Stimmzettel von geografisch verteilten Computern aus | |
WO2007003446A1 (de) | Verfahren zur bereitstellung von elektronischen zertifikaten zur verwendung für elektronische signaturen | |
DE102006009725A1 (de) | Verfahren und Vorrichtung zum Authentifizieren eines öffentlichen Schlüssels | |
WO2020144123A1 (de) | Verfahren und system zur informationsübermittlung | |
WO1999057688A1 (de) | Verfahren zum echtheitsnachweis von urkunden | |
DE102018109240A1 (de) | Multi-Chain basiertes Verfahren und System zum dauerhaften, anonymen und manipulationssicheren Verwalten und Nachweisen von Einwilligungen zur Versendung elektronischer Nachrichten |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWE | Wipo information: entry into national phase |
Ref document number: 2001951428 Country of ref document: EP |
|
WWP | Wipo information: published in national office |
Ref document number: 2001951428 Country of ref document: EP |
|
REF | Corresponds to |
Ref document number: 10195983 Country of ref document: DE Date of ref document: 20040122 Kind code of ref document: P |
|
WWE | Wipo information: entry into national phase |
Ref document number: 10195983 Country of ref document: DE |
|
WWW | Wipo information: withdrawn in national office |
Ref document number: 2001951428 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: JP |