The ruling of the German Federal Constitutional Court and its technical consequences on eVoting - Presentation Transcript
Alexander Prosser
http://e-voting.at
A real issue:
Finland 2008: ~ 200 evotes “disappeared”,
election had to be repeated on paper
[Diagram: four process steps and three audits]
=> Could indicate failure in audit trail
U.K. 2007: Software support staff manually edited ballots as they would not fit into the counting software. Key processes were performed on vendor-supplied notebook computers by support staff
ibid: Unaccounted data transfers by USB sticks during the ongoing election
=> Loss of control by election authorities?
Austria 2009: Head of election committee at student union elections boarded a fire fighting vehicle accompanied by an armed guard to take computer disks to be erased.
Data could have allowed matching voter to vote.*
ibid: Independent recount was not possible
“We are at the mercy of the technicians”
“I am convinced, I believe them”*
* derstandard.at 24.6.2009, my translation
How can something inherently unobservable be made observable and hence auditable?
Germany: Federal elections 2005, ~2m voters cast votes with election terminals in polling stations. Complaints alleged
- massive lack of auditability,
- that voters were unable to verify that their votes were counted correctly,
- that the public was not able to follow election procedures.
BMI: Public could observe how election staff copied the result computed by the machine into their tally.
Also, machines were certified by PTB, Berlin
Complaints: Neither source code nor certification report were published
The certification report for the Austrian student union pilot was not published.
U.K. typically publishes such reports, recently also the U.S.
Court Ruling:
- Barred the voting terminals used
- Decree enabling their use nullified
- Voter must reliably ascertain that his vote was counted and included in the tally correctly
Court did not pursue the complaints regarding publication of source code and certification report
=> They do “not decisively contribute to achieve the constitutional level of verifiability and reproducibility of the election results”*
Contradicts the mainstream in the e-voting community.
=> The election, not the software, has to be auditable
* my translation
What does this mean for Internet voting?
“Voter must reliably ascertain that his vote was counted and included in the tally correctly”
Individual verification Global verification
Useless Dangerous
Either you can verify how your vote was counted or not.
Voter must reliably ascertain that his vote was counted and included in the tally correctly
Global verification
- Ballot box initially empty?
- Can only authenticated voters vote?
- Can they submit but one vote?
- Only rightfully submitted votes in ballot box?
- Ballot box under control of election committee?
- No votes added to the count?
- All votes counted?
- Does election committee decide on how to count the votes?
- …
Manipulation protection:
Who can manipulate what?
What? (columns): A single vote; The votes of a unit (ward, constituency); The entire election
Who? (rows):
- A single entity [Worst case]
- Coalition involving the voter
- Coalition not involving election committee
- Coalition with committee member/s
- The election committee and resp. voter/s [Best case]
Avoid common pitfalls:
1. Single point of manipulation
[Diagram, built up over several slides: Voter, Mixer, Public key of the mixer, Public key of the ballot box, with numbered steps (1) to (6). Two of the builds carry the captions “The mixer's ‘election result’” and “Suppressed”.]
Avoid common pitfalls:
2. Beware of the paper analogy
[Diagram, built up over three slides, with the numbered steps:
(1) Encryption
(2) Digital signature
(3) Vote cast
(4) Signature verification
(5) Transfer of authority
(6) Decryption and counting
Labels: Encrypted vote, Digital signature, E-votes, Results]
What is required?
- Independent verification of voting right
- Authentication of ballots while maintaining voting secrecy
  => Requires anonymization of the vote before, not after submission
- Control by the election committee
- Independent recounts
Alexander Prosser
Univ. Economics and Business, Vienna
prosser@wu.ac.at