Activities of i-voting and voting on paper compared

I Preparation

Voting on paper I-voting

The voting district committee prepares the polling place.

The voting district committee receives the lists of voters, ballot papers, the seals of the voting district committee, and security seals for ballot boxes. The voting district committee and the State Electoral Office keep account of them.

The State Electoral Office configures the i-voting system. 

The State Electoral Office creates the key pair for encrypting (public key) and opening (private key) votes. The shares of the private key are distributed between members of the National Electoral Committee and representatives of the State Electoral Office.

The voter application and the individual verification application are configured.

The configured system is tested at a test voting. Test votes are cast and the choices of voters are recorded in minutes. The votes cast at the test voting are processed, and the results are counted and compared to the minutes.

 

II Voting in a voting district and voting using electronic means

Voting on paper I-voting

In order to receive a ballot paper, a voter presents an identity document.

A voter identifies themselves in the i-voting system, using their mobile-ID, ID-card or digital identity document.

The ballot paper is in conformity with the standard format established by the National Electoral Committee and carries an impression of the seal of the voting district committee.

The voter can check the authenticity of the application. Control totals and the instructions for checking authenticity are available on the website “valimised.ee”.

The voter signs the list of voters against receipt of the ballot paper.

The voter confirms their choice with their digital signature with the help of the voter application (after encryption of the vote).

The voter receives a ballot paper and completes the ballot paper, by making their choice from the list of candidates.

The voter application displays the list of candidates to the voter for making their choice. The voter makes their choice.

The voter deposits the ballot paper in the ballot box.

The voter application encrypts the voter’s vote with a public key, and the voter confirms their choice with their digital signature. Thereafter the voter application sends the vote to the collector. The collector is a server system that accepts i-votes. The Information System Authority manages the collector at elections.

The ballot paper is stamped with the seal of the voting district committee.

The voting district committee keeps account of the ballot papers issued and the persons who vote.

Every vote accepted by the collector obtains a time stamp from the registration service of a third party. This allows to check the integrity of the i-ballot box transferred to the State Electoral Office at the end of i-voting.

The voter can check their voting by their signature or the notation in the list of voters. The voter cannot check if their ballot paper is being counted.

With the help of the individual verification application on their smartphone, the voter can check if their vote reached the collector, and verify their choice. The voter can also check the fact of voting by i-voting again (a notation saying “You have already voted” is displayed), as well as at a polling place by the notation in the list of voters.

 

III Tallying of ballot papers and i-votes

Voting on paper I-voting

The voting district committee checks if a voter has voted several times (with a ballot paper in the voting district of their residence, outside the voting district of their residence, or using electronic means). 

The voter cannot change their vote cast on a paper ballot. If the voter votes outside the voting district of their residence several times, none of their ballot papers in envelopes are taken into account. If the voter votes by depositing their ballot paper in the ballot box in the voting district of their residence, as well as by placing their ballot paper in an envelope outside the voting district of their residence, the voter’s vote cast in the voting district is taken into account.  

In the case when the voter cannot vote freely and/or in secrecy, or the voter does not trust the computer they are using, the voter can change their vote during the electronic voting period by voting again using electronic means or by paper ballot. 

The vote cast last or, if the voter also votes in a voting district, the ballot paper is taken into account.

The ballot papers in envelopes are packed in security bags and are forwarded to the voting districts of residences. 

After the end of i-voting, the collector transfers to the State Electoral Office the i-ballot box which is written on an external data medium, and the message digest of which is signed by a representative of the collector.

After the end of voting, the voting district committee ascertains the number of ballot papers issued and those not issued, as well as the voter turnout, on the basis of the signatures and notations in the list of voters.

After the end of i-voting, the State Electoral Office checks if the votes saved in the collector correspond to the votes recorded in the registration service, and the integrity of the digital signatures of the votes, as well as if the i-voters are entered in the list of voters.

E-urni tervikluse kontroll
Figure 1: Checking of the integrity of the i-ballot box

Voting on paper I-voting

The voting district committee does not take into account the enveloped ballot papers of the voters who vote several times (the act takes place immediately when the enveloped ballot papers are received).

After the i-voting period, the State Electoral Office annuls repeated votes, and before the counting of i-votes (on the evening of election day), the State Electoral Office annuls the i-votes of the persons who have voted by ballot paper.

E-häälte tühistamine
Figure 2: Annulment of i-votes

 

IV Counting of votes and checking of voting results

Voting on paper I-voting

Ballot papers are already anonymous in the ballot box.

The enveloped ballot papers of the persons who vote outside the place of their residence undergo the following procedure. First, outer envelopes bearing the names and personal identification codes of voters are separated from inner envelopes (anonymisation). Next, inner unnotated envelopes are deposited in the ballot box.

Before the beginning of the counting of votes, inner envelopes are opened and the ballot papers are mixed with other ballot papers (mixing).

In the counting of i-votes, it is necessary to preserve the secrecy of the voters’ votes. For that, the personal data (digital signature) of the voter are separated from their i-vote in the course of processing.

Before the opening of i-votes, encrypted i-votes are mixed, in order to make it impossible to match the cryptograms that go to counting with the cryptograms contained in the i-votes of voters.

About the mixing of i-votes 

E-häälte miksimine enne lugemist

Figure 3: mixing of i-votes 

Mixing is carried out in two stages.

1. Re-encryption of votes is carried out. A separate Verificatum mixing application is used for that. 

A new cryptogram is created for every encrypted vote. With that, the link between the initial i-vote and the re-encrypted cryptogram is lost (they have different cryptograms now).

2. The re-encrypted votes are mixed, and the connection between the order of the initial votes and the re-encrypted votes is lost.

Finally, a mixing certificate regarding the correctness of the mixing is issued which can be checked with the audit application. Since the mixed votes are compared against the input, that is, unmixed cryptograms, this is done in a controlled (closed) environment.

After the mixing, it is impossible to prove in the opening of votes that a vote encrypted by the voter application is any of the votes decrypted upon opening, because cryptograms are different, and cryptograms have been mixed. This ensures the preservation of the secrecy of the vote, and the results can be ascertained and the results can be checked in public.

Voting on paper I-voting

A paper vote that is counted is anonymous, but theoretically it is possible for a voter to mark their ballot paper, and in such a case it is possible to identify the ballot paper in the counting.

A choice counted is anonymous and is not retraceable to the voter.

The voting district committee opens the sealed ballot boxes. At least one-half of the members of the voting district committee must be present. The content of the boxes is compared to the tally of the ballot papers and the lists of voters.

Votes are decrypted with a private key, the access to which is divided between members of the National Electoral Committee (7) and representatives of the State Electoral Office (2). At least five keepers of the key shares must be present to open the votes.

The voting district committee counts the votes in the ballot boxes and ascertains the voting result.

The result is checked by a second recounting of the votes. The numbers of the ballot papers issued to the voting district committee, the ballot papers issued to voters and the ballot papers in the ballot box are also compared.

After mixing, the mixed votes are opened and the results are counted.

At the end of the counting of the votes, a counting certificate on the accuracy of counting is issued that confirms the correct opening of the i-votes and can be checked with the audit application. The counting certificate allows to check if an unencrypted vote and a cryptogram are interconnected based on the public key. 

In order to check the proofs, the auditor needs the result, the mixed votes and the public key.

Since the cryptograms of the votes that are the input to the counting of votes have been mixed, and the output (that is, the voting result) is public, the checking can be carried out without restrictions, without fear of loss of privacy. The source code of the audit application is freely downloadable and compilable, so that all observers can check the counting of votes.

E-häälte lugemin
Figure 4: Counting of i-votes

Voting on paper I-voting

The voting district committee prepares a record of the voting results, and the chairman of the voting district committee signs it. 

The Head of the State Electoral Office signs the results of i-votes after the integrity check. It is possible to check the authenticity and integrity of the voting result with the help of the signature file created in the course of the counting of the votes, using the public key.

Observers check the process of the counting of votes and determine if the counting is accurate and the procedures comply with the law and instructions.

Observers and the auditor can follow the course of i-voting procedures with the help of instructions. Auditors record all numbers of the stickers used.

With the help of the audit application and by using the counting certificate, the auditor and the observers, if they so wish, can determine if the votes were counted correctly. The cryptograms used for input have been mixed and the output is public, and therefore this can be carried out without fear of loss of privacy.

The audit application has a public source code and everyone can compile it (or also write their own application).

All activities of a voting district committee, including the activities of counting of votes, are public.

All i-voting activities are public. For security considerations, electronic access to the server system of voting (the collector) is restricted. The provability of the integrity of data is relied on here (the checking of the integrity of the i-ballot box and the integrity of the i-voting).

The voting result obtained by the voting district committee is checked on the following day in the course of the second counting of the votes.

The voting result obtained is checked on the following day in the course of the second check of the integrity of i-votes.

A rural municipality or city secretary preserves ballot papers for one month as of election day. Thereafter, but not before complaints relating to the elections have been settled finally, the rural municipality or city secretary organises the destruction of the ballot papers.

The State Electoral Office preserves i-votes for one month as of election day. Thereafter, but not before complaints relating to the elections have been settled finally, the State Electoral Office destroys the i-votes, the personal data of voters contained in the i-voting system, and the key for opening the i-votes.

 

References

Verificatum Mix-Net