The Italian Academic The Italian Academic Community’sCommunity’sElectronic Voting SystemElectronic Voting System

Pierluigi BonettiPierluigi BonettiLisbon, May 2000Lisbon, May 2000

What is CINECAWhat is CINECA

A Consortium of 15 Italian Universities Mission: to provide the most advanced

computing and networking services to universities and industries

Founded in 1969 About 150 full time

researchers

CINECA resourcesCINECA resources

Cray T3E - 256 nodes IBM SP/2 - 32 nodes IBM SP/3 - 8 nodes SGI Onyx2 SGI Origin 2000 SGI Challenge L-2 Gigabit backbone LAN 10+ Mbps connection to Internet The first and uniqueVirtual Theatre in Italy

How Italian Universities How Italian Universities recruit teaching staffrecruit teaching staff

When a University offers a position, an evaluation committee is needed

Members of the committee have to be elected amongst all the teaching staff in all the Italian Universities belonging to the scientific discipline related to the position offered

Each offered position, therefore, requires a nation-wide election (!)

ComplexityComplexity

Thousands of elections, each with a different list of candidates

and involving many thousands of electors

Achieving this objective with traditional methods is impossible

The Ministry for University and Scientific and Technologic Research

asked us to build an Electronic Voting System

RequirementsRequirements

As in a traditional election: Legitimacy: only those who have the right to vote can

vote and can cast only one vote Secrecy: no one can read the vote until the polling

phase Anonymity: the identity of the voter cannot be traced

from the vote cast Integrity: the vote cannot be modified once

it has been cast In addition:

Acknowledge receipt of each vote cast

The Electronic Voting SystemThe Electronic Voting System

A Central Electoral Office for voting authorizations

A Central Ballot-Box collecting votes Many Polling Stations distributed all over

the country and directly connected to the two central entities

Smart card based asymmetric cryptography

The Polling StationThe Polling Station

Voting operationsVoting operations

He votes using a network terminal The printer prints out a record with the

name of the voter and periodic accountingon the number of voters

The voter is identified at a Polling Station by an electoral committee

He receives a one time use personal secret code

Polling operationsPolling operations

Each Recruitment Procedure Officer, using his smart card, gets the encrypted votes from the Central Ballot-Box and decrypt them

He determines the results, signs them with the smart card and gets them published on the Web in real-time

Polling Station softwarePolling Station software

A specific client in Java

No local data Simple to use

even for non-technical skilled people

Mouse use not required Confirmation required before any critical action

The Certification AuthorityThe Certification Authority

Issues X.509v3 certificates for:

Recruitment Procedure OfficersPolling Stations

Global architectureGlobal architecture

The voting phaseThe voting phase

CentralElectoral

Office

CentralBallot-Box

Voter

Polling Station

Voter identificationVoting Authorization +

List of Candidates +

Public-Key for encryption Votin

g A

utho

rizat

ion

+

Encr

ypte

d Vo

te

Issued Voting Authorization

Used or Expired Voting Authorization

Ack

now

ledg

e of

rece

ipt

Global architecture Global architecture

The poll phaseThe poll phase

IIden

tific

atio

n

CentralElectoral

Office

CentralBallot-Box

Recruitment Procedure Officer

Verifies credentials

Authorizes operation

Ecryp

ted

vote

s

Polling station

HardwareHardware

CENTRALELECTORALOFFICE

CENTRALBALLOT-BOX

CONTROL WORKSTATION

ACCESS ROUTERS

PRINTERISDN ROUTER

Polling station y

PRINTER ISDN ROUTER

Polling station x

STATION 1 STATION 2 STATION 1 STATION 2 STATION 3

CERTIFICATIONAUTHORITY

The NetworkThe Network

Private ISDN network configured as a closed user group

Direct connection from each Polling Station to the central servers

Dial-on-demand with multi-link PPP Caller ID verification Centralized management of

each network device

Security systemsSecurity systems

Votes are protected by: Strong asymmetric

cryptography based on smart card

SSL authentication with X.509v3 certificates

Digital signature of the Polling Station

Votes flowVotes flow

RECRUITMENTPROCEDURE OFFICER

PUBLIC KEY

ENCRYPTEDVOTE

ENCRYPTEDVOTE

POLLING STATIONPRIVATE KEY

CENTRAL BALLOT-BOXPUBLIC KEY

ISDN LINE

CENTRAL BALLOT-BOXRECRUITMENT PROCEDURE OFFICER

PRIVATE KEYPol

ling

phas

e

ISDN LINE

SSL

ENCRYPTEDVOTE

Why is the system secure?Why is the system secure?

Authentication for both client and server All communications are 1024 bit RSA protected The intranet is not connected to the public

Internet Each vote is encrypted with

the Recruitment Procedure Officer public key and signed by the Polling Station

No relation between the vote and the voter

Protectionagainst

the systemmanagers

System certificationSystem certification

This solution has been checked and certified as safe

by a Technical Committee on behalf of the

Ministry for University and Scientific and Technologic Research

The first voting session in 1999The first voting session in 1999Some numbersSome numbers

1969 elections and different candidate lists

42497 electors

79 Polling Stations in 72 Universities

209 Voting Stations

26873 voters (63%)

163645 votes cast

Opening time for Polling Stations: 3 weeks

Average number of votes due by each voter: 6

Average elapsed time for each voter: 5 minutes

Average elapsed time from the beginning of the polling phase and the publishing of the results on the Web: 1 minute

Future extensionsFuture extensions

A personal identity card for each voter instead of the one-time-use secret code

Polling Stations on the public Internet Feasibility of voting from any PC Other kinds of elections...

For any informationFor any information

evote@cineca.it