CyberVote devrait faciliter la procédure de vote de tous les électeurs
 

Frequently Asked Questions

 
 

Security and cryptology

1. Will my vote in any case remain anonymous?

2. How will CyberVote avoid "double voting"?

3. Will the voter have the possibility to use his/her right to leave a blank ballot or to cast an invalid ballot?

4. How will you guarantee that the system will remain under the control of citizens and not computer scientists? 

5. What is "universal verifiability"?

6. What level of verifiability is legally required for public elections? 

7. Can a virus or Trojan horse attack CyberVote?

8. To what extent CyberVote will ensure the secrecy of the vote?

9. How will CyberVote authenticate the voter?

10. How will you prevent attacks on the CyberVotecomputers?

11. How will CyberVote ensure software integrity on the server side and on the client side?

12. How will you ensure that my vote will be protected and not controlled?

13. How will CyberVote ensure voter anonymity?

14. Will CyberVote use blind signature algorithms?

15. What is "homomorphic encryption"?

16. How will I be sure that my vote will be taken into account?

17. What is a "trusted server approach"?

18. How will you solve the problem of priorities between e-voting, voting by mail and traditional voting?

19. What will happen if during the casting of my vote the ballot server crashes?

20. How will CyberVote transport my vote?

21. Will CyberVote support recounts?

22. How CyberVote will prevent form the hacking of the votes and the decryption of these votes 10 or 20 years later?

 

 

See also the frequently asked questions on :

Legal aspects

Use of mobile phones

Use of the system

Commercial and marketing

 

How will CyberVote avoid "double voting"?

The system will register the successful voting of the voter. After that, no more ballots from that voter will be accepted.

If the voter will also cast his vote in paper form, that vote will be counted and the electronic vote will be discarded.

[Back to top]

Will the voter have the possibility to use his/her right to leave a blank ballot or to cast an invalid ballot?

A blank ballot will be among the choices to make when casting a vote, but it will be impossible to cast an invalid ballot. If desired, it is possible for voters to express non-anonymously that they refuse to vote.

[Back to top]

How will you guarantee that the system will remain under the control of citizens and not computer scientists? 

As usual, trust in the system by the general audience will be achieved indirectly. An Internet-based voting system needs to be certified in a similar way as electronic voting machines get certified these days: the general audience does not need to inspect the voting machines or even try to understand the inner workings of these machines.

[Back to top]

What is "universal verifiability"?

"Universal verifiability" means that it is possible for anybody to check that the final tally is correctly computed from the valid ballots displayed on the bulletin board.

This is stronger than "local verifiability" where correctness of the final tally follows only if one assumes that each voter will check whether its vote has been counted.

[Back to top]

What level of verifiability is legally required for public elections? 

Current practice is that observers and scrutineers will check the proceedings of the elections and the operation of the voting machines. For the CyberVote system, providing universal verifiability, these observers and scrutineers may check the contents of the bulletin boardand see if the tally is computed correctly. (For a system with local verifiability, this cannot be done at the same level as it depends ultimately on the voters checking their votes after the election finished.)

[Back to top]

Can a virus or Trojan horse attack CyberVote?

Yes, like any other client software in an insecure PC environment.

Anti-virus software should be used and strict security guidelines followed to limit the risk of a virus or Trojan horse attack.

Secure user interface techniques can be applied to the CyberVote client to prevent Trojan horses.

[Back to top]

How will CyberVote authenticate the voter?

The preferred authentication mechanism is a smart card containing a private key for issuing digital signatures. Weaker authentication mechanisms such as PIN codes can be used if smart cards cannot be used; of course, this affects the overall security of the system.

[Back to top]

How will you prevent attacks on the CyberVote computers?

As a measure of precaution against Denial of Service attacks,routers should have secure routing protocols implemented.

Further, filters, or "sniffers'', can be used as well as any other generally available countermeasures.

[Back to top]

How will CyberVote ensure software integrity on the server side and on the client side?

Network intrusion detection and integrity checking tools can be used. In particular, it must be checked that the client software is authentic, e.g., by verifying a digital signature issued by CyberVote authorities. As part of the certification process of the system, the client software (source code and executable code)must be checked for processing the selected votes correctly. For instance, if a voter types 'yes' it must be ensured that the vote cast by the client software indeed represents 'yes' vote and nothing else.

[Back to top]

How will you ensure that my vote will be protected and not controlled?

The vote is stored on the bulletin board in encrypted form, so it cannot be read by non-authorized parties.

A threshold scheme will be applied for decryption. This means a minimum number of talliers need to cooperate in order to be able to decrypt a vote.

Furthermore, if homomorphic encryption is used, the talliers do not need to decrypt single votes at all, but only the final tally.

[Back to top]

How will CyberVote ensure voter anonymity?

See  "homomorphic encryption" and "threshold cryptography".

[Back to top]

Will CyberVote use blind signature algorithms?

Blind signatures are needed with schemes using anonymous channels.

CyberVote will not need (and hence not assume the availability of) anonymous channels.

[Back to top]

What is "homomorphic encryption"?

Essentially it means that the product of all the encrypted ballots is the encryption of the final tally.

So we only need to decrypt the product of all the encrypted ballots.

[Back to top]

How will I be sure that my vote will be taken into account?

See "universal verifiability" (*, **).

[Back to top]

What is a "trusted server approach"?

An approach where the voters must essentially trust the server to (i) maintain ballot secrecy for their votes and (ii) to tally the votes correctly. All trust is thus put in a single entity.

The alternative is that these properties are achieved through a cryptographic protocol, which ensures that these security properties hold unless a large number of parties is corrupted. This way, trust is distributed among a large number of parties.

[Back to top]

How will you solve the problem of priorities between e-voting, voting by mail and traditional voting?

The encrypted ballots are stored together with the names of the voter. So the digital ballot can be removed if the voter has also voted by mail or traditional voting.

[Back to top]

What will happen if during the casting of my vote the ballot server crashes?

Cybervote will make sure that there is only a small probability that the voting server will not be available during the election. However, there is always the possibility to vote (additionally) in the traditional way (with paper ballots). The paper ballot is the one which is counted then, and the digital ballot of the voter is discarded.

[Back to top]

What will happen if during the casting of my vote my client software crashes?

See also Legal Aspects.

The software will be tested to run correctly on the most common platforms. Some minimum requirements on hardware and software will be stated in the installation guide of the software. However Cybervote can not guarantee proper functioning in all cases.

If you are unable to restart the client again, you will have to look for a public voting client in your neighbourhood.

On your second attempt, you will have to find out whether your first vote has appeared on the bulletin board or not and possibly cast your vote again.

[Back to top]

Will somebody else than me be able to vote using my authentication material?

If the voting takes place at a polling station you will have to identify yourself there (as with traditional voting)before you are allowed to enter the voting booth.

If your presence at a polling station is not required,identification schemes will be used. During the registration phase you will commit yourself to some secret information that enables you (and only you) to prove your identity.

The holder of this information (or hardware token) will be able to cast his vote on Election day. Therefore you should keep this information strictly to yourself.

[Back to top]

How will CyberVote transport my vote?

The encrypted ballot will be transmitted over the Internet.

The CyberVote protocols are designed to be secure. Nevertheless, as an additional layer of security SSL/TLS can be used.

[Back to top]

How will CyberVote store my vote?

The encrypted ballots will be stored by the voting server in a database.

[Back to top]

Will CyberVote support recounts?

Recounts in the traditional sense will not be needed. The"universal verifiability'' property of the voting scheme makes it possible for scrutineers (maybe even for ordinary voters and others) to verify that the published tally matches the encrypted ballots.

[Back to top]

How CyberVote will prevent form the hacking of the votes and the decryption of these votes 10 or 20 years later?

CyberVote will pick key lenght to keep the encryption secure for 10 years considering some assumptions (eg the growth of computers efficiency will be the same as now).

 

See also the frequently asked questions on :

Legal aspects

Use of mobile phones

Use of the system

Commercial and marketing

 

 

Back to top