User:Fh240/sandbox: Difference between revisions

This is the user sandbox of Fh240. A user sandbox is a subpage of the user's user page. It serves as a testing spot and page development space for the user and is not an encyclopedia article. Create or edit your own sandbox here. Other sandboxes: Main sandbox | Template sandbox Finished writing a draft article? Are you ready to request review of it by an experienced editor for possible inclusion in Wikipedia? Submit your draft for review!

Direct Recording Electronic with Integrity and Enforced Privacy (DRE-ip) is an End-to-End (E2E) verifiable e-voting system without involving any tallying authorities, proposed by Siamak Shahandashti and Feng Hao in 2016.^[1]. A touch-screen based prototype of this system was successfully trialed in the Gateshead Civic Centre polling station on 2 May 2019 during the 2019 United Kingdom local elections. ^[2]

Protocol

The DRE-i protocol can be implemented for either on-site polling station voting or remote Internet voting. In the following specification, the protocol is described for a single-candidate (Yes/No) election held at a polling station using a touch-screen DRE machine. There are standard ways to extend a single candidate election to support multiple candidates, e.g., providing a Yes/No selection for each of the candidates or using encoded values for multiple candidates^[1]. The protocol consists of three phases: setup, voting and tallying.

Setup

The DRE-ip protocol operates in a multiplicative cyclic group, e.g., a DSA-like group (the protocol works the same in an additive cyclic group over an elliptic curve, e.g., using an ECDSA-like group). Let ${\displaystyle p}$ and ${\displaystyle q}$ be two large primes, where ${\textstyle q\,|\,p-1}$. ${\displaystyle G_{q}}$ is a subgroup of ${\displaystyle Z_{p}^{*}}$ of the prime order ${\displaystyle q}$. Let ${\displaystyle g_{1}}$ and ${\displaystyle g_{2}}$ be two random generators of ${\displaystyle G_{q}}$, whose discrete logarithm relationship is unknow. This can be realized by choosing a non-identity element in ${\displaystyle G_{q}}$ as ${\displaystyle g_{1}}$ and computing ${\displaystyle g_{2}}$ using a one-way hash function with the inclusion of election specific information such as the date, election title and questions as the input. All modulo operations are performed with respect to the modulus ${\displaystyle p}$.

Voting

After being authenticated at a polling station, a voter obtains an authentication credential, which can be a random passcode or a smartcard. The authentication credential allows the voter to log onto a DRE machine and cast a vote, but the machine does not know the voter's real identity.

A voter casts a vote on a DRE machine in two steps. First, he is presented with "Yes" and "No" options for the displayed candidate on the screen. Once the voter makes a choice on the touch screen, the DRE prints the first part of the receipt, containing ${\displaystyle i,R_{i}=g_{2}^{r_{i}},Z_{i}=g_{1}^{r_{i}}g_{1}^{v_{i}}}$ where ${\displaystyle i}$ is a unique ballot index number, ${\displaystyle r_{i}}$ is a number chosen uniformly at random from ${\displaystyle [1,q-1]}$, and ${\displaystyle v_{i}}$ is either 1 or 0 (corresponding to "Yes" and "No" respectively). The cipher text also comes with a zero knowledge proof to prove that ${\displaystyle R_{i}}$ and ${\displaystyle Z_{i}}$ are well-formed.

In the second step, the voter has the option to either confirm or cancel the selection. In case of “confirm”, the DRE updates the aggregated values ${\displaystyle t}$ and ${\displaystyle s}$ in memory as below, deletes individual values ${\displaystyle r_{i}}$ and ${\displaystyle v_{i}}$, and marks the ballot as confirmed on the receipt.

${\displaystyle t=\sum v_{i},s=\sum r_{i}}$.

In case of “cancel”, the DRE reveals ${\displaystyle r_{i}}$ and ${\displaystyle v_{i}}$ on the receipt, marks it a cancelled ballot and prompts the voter to choose again. The voter can check if the printed ${\displaystyle v_{i}}$ matches his previous selection and can dispute it if it does not. The voter can cancel as many ballots as he wishes but can only cast one confirmed ballot. Since voting is anonymous, the machine cannot guess if, after having printed the first part of the receipt, the voter is going to choose “confirm” or “cancel”.

After voting, the voter leaves the voting booth with one receipt for the confirmed ballot and zero or more receipts for the canceled ballots. All data printed on the receipts are published on a public election website with a digital signature to prove the data authenticity. To ensure the vote is recorded, the voter just needs to check if the same receipt has been published on the election website.

Tallying

Once the election has finished, the DRE publishes the final values ${\displaystyle t}$ and ${\displaystyle s}$ on the election website, in addition to all the receipts. Anyone will be able to verify the tallying integrity by checking the published audit data, in particular, whether the following two equations hold.

${\displaystyle \prod R_{i}=g_{2}^{s}}$ and ${\displaystyle \prod Z_{i}=g_{1}^{s}g_{1}^{t}}$.

Implementation and real-world trial

A touch-screen based prototype of DRE-ip had been implemented and trialed in a polling station in Gateshead on 2 May 2019 during the 2019 United Kindom local elections. ^[2] As part of the trial, voters were asked to compare their voting experiences of using paper ballots and the new e-voting system, and indicate which system they would prefer. Responses from the participating voters showed a clear preference for the latter as summarized below. ^[3]

References

1. Shahandashti, Siamak F.; Hao, Feng (2016). "DRE-ip: A Verifiable E-Voting Scheme Without Tallying Authorities" (PDF). Computer Security – ESORICS 2016. 9879: 223–240. doi:10.1007/978-3-319-45741-3_12.
2. Wakefield, Jane (2 May 2019). "E-voting trialled in local elections". BBC News.
3. Hao, Feng; Wang, Shen; Bag, Samiran; Procter, Rob; Shahandashti, Siamak F; Mehrnezhad, Maryam; Toreini, Ehsan; Metere, Roberto; Liu, Lana (2020). "End-to-End Verifiable E-Voting Trial for Polling Station Voting" (PDF). IEEE Security & Privacy: 0–0. doi:10.1109/MSEC.2020.3002728.