VoteHere protocol
This is a description of a protocol which was developed at VoteHere about 2002.
There are enhancements to the protocol not documented here which ensure voters
can trust their votes have been properly recorded.
Ballot design
- Ballot forms are generated based on GIS and district boundaries.
- Election officials review and sign each ballot form.
- Voters use only signed [1] ballot forms.
Voting
- Voters are authenticated and their keys signed
(certificates generated) by election workers,
preventing anonymous bad actors.
Provisional ballots can be trivially generated
because they only require special bits in the certificate.
- Ballot form is displayed, based on precinct assignment.
- Voter makes selections,
which are monitored by the vote client software
to prevent overvoting and warn of undervoting.
This system includes final confirmation of selections.
- Voted ballot is encrypted and signed. [2]
- Voter signature and certificate attached to signed, encrypted, voted ballot.
- The SEVB (signed, encrypted, voted ballot) is sent to the pollsite or county facility by almost any method. [3]
Ballot collection
- Election officials validate signatures on voted ballots
- Ballots only (no signatures) are put in a "Ballot Box"
- Ballot box is shuffled by several election officials.
The shuffle involves a re-encryption and re-ordering of
the ballots.
Each official presents a zero-knowledge proof that the
shuffle was done correctly before the next official
shuffles the ballot box.
Ballot tabulation
- Election officials perform partial decryptions on ballots
- Results are combined and decryption is completed
- Tabulation is performed
- Transcript is published showing everything but decryption keys.
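As an added worked example (not VoteHere's code, parameters or full protocol), the following Python toy models the ballot collection and tabulation steps above: ballots are ElGamal-encrypted under a key whose private exponent is split among several officials, each official re-encrypts and permutes the ballot box in turn, and decryption is completed only by combining every official's partial decryption before the votes are counted. The group (a 10-bit safe prime), the candidate names and the votes are constructed for illustration only, and the zero-knowledge proofs that each shuffle was done correctly are not modeled.

```python
import math
import secrets
# Toy parameters (constructed for illustration, not VoteHere's): safe prime p = 2q+1,
# g generates the order-q subgroup. A real deployment needs a 2048-bit or larger group.
P, Q, G = 1019, 509, 4
CANDIDATES = ["Alice", "Bob", "Carol"]
# Candidate index c is encoded as the subgroup element g^(c+1) and decoded by lookup.
ENCODE = {c: pow(G, c + 1, P) for c in range(len(CANDIDATES))}
DECODE = {m: c for c, m in ENCODE.items()}
def rand_exp():
    return secrets.randbelow(Q - 1) + 1              # uniform in [1, q-1]
def keygen(n_officials):
    """Each official keeps a private share x_i; the joint public key is g^(sum x_i)."""
    shares = [rand_exp() for _ in range(n_officials)]
    return shares, pow(G, sum(shares) % Q, P)
def encrypt(y, candidate):
    """ElGamal ciphertext (a, b) = (g^r, m * y^r) of the voter's choice."""
    r = rand_exp()
    return pow(G, r, P), ENCODE[candidate] * pow(y, r, P) % P
def reencrypt(y, ct):
    """Multiply in an encryption of 1: same plaintext, unlinkable ciphertext."""
    s = rand_exp()
    return ct[0] * pow(G, s, P) % P, ct[1] * pow(y, s, P) % P

def shuffle(y, box):
    """One official's pass: re-encrypt every ballot and apply a secret permutation.
    The zero-knowledge proof of correctness the protocol requires is not modeled."""
    mixed = [reencrypt(y, ct) for ct in box]
    for i in range(len(mixed) - 1, 0, -1):            # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        mixed[i], mixed[j] = mixed[j], mixed[i]
    return mixed

def partial_decrypt(share, ct):
    """Official i contributes a^x_i; the share x_i itself is never revealed."""
    return pow(ct[0], share, P)

def combine(ct, partials):
    """m = b / prod(a^x_i): no single official can decrypt alone."""
    return ct[1] * pow(math.prod(partials) % P, -1, P) % P

def run_election(votes, n_officials=3):
    shares, y = keygen(n_officials)
    box = [encrypt(y, v) for v in votes]              # signatures already stripped
    for _ in range(n_officials):                      # each official shuffles in turn
        box = shuffle(y, box)
    tally = {name: 0 for name in CANDIDATES}
    for ct in box:
        m = combine(ct, [partial_decrypt(x, ct) for x in shares])
        tally[CANDIDATES[DECODE[m]]] += 1
    return tally
```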
Footnotes:
[1]
One advantage of the VoteHere protocol is that documents are signed by
authenticated individuals whose signature key has a certification chain
to the top. This allows one to validate the authorship of all kinds of
data (ballot forms; signed, encrypted voted ballots; tabulation reports).
[2]
This discussion completely skips one of VoteHere's most significant
(and recent) contributions: a method which
(1) guarantees the voting machine isn't corrupt, and
(2) allows the voter to confirm that his/her ballot got to the ballot box.
(I wasn't ready to describe this in any detail,
especially given the time constraints.)
[3]
RFC1149 Standard for the transmission of IP datagrams on avian carriers
RFC2549 IP over Avian Carriers with Quality of Service
ElectronicVoting/vhproto.html was last edited by Randolph Bentson on 2005/03/03T17:20:28-08:00