
Chapter III

Design of Innovative Secure EVM Model

This chapter discusses various voting machines and the limitations that affect their use in the current scenario. Sections 3.1 and 3.2 present EVM functionality and its limitations. Sections 3.3 and 3.4 describe a newly proposed EVM model and its features, which provide a secure voting model by overcoming vulnerabilities in the present model. Sections 3.6 and 3.7 discuss and analyze the proposed S-EVM model against the existing EVM in various dimensions.

3.1. INTRODUCTION

Special-purpose computing devices are designed to be reliable for a specialized class of applications, such as ATMs, EVMs, gaming stations or kiosks. The design specification of these specialized devices should make it possible to offer several services to the end user in a more secure and reliable fashion than is readily feasible with a general-purpose computer. This is in stark contrast to the goals of a general-purpose computer, which is designed to provide a broad spectrum of services without addressing specialized security concerns.

Elections allow the people to choose their representatives and express their

preferences for how they will be governed. Naturally, the integrity of the election

process is fundamental to the integrity of democracy itself. The election system must be

sufficiently robust to withstand a variety of fraudulent behaviors and must be

sufficiently transparent and comprehensible that voters and candidates can accept the

results of an election. Unsurprisingly, history is littered with examples of elections

being manipulated in order to influence their outcome. The design of a “good” voting

system, whether electronic or using traditional paper ballots or mechanical devices,

must satisfy a number of sometimes competing criteria. The anonymity of a voter’s

ballot must be preserved, both to guarantee the voter’s safety when voting against a

malevolent candidate and to guarantee that voters have no evidence that proves which

candidates received their votes. The existence of such evidence would allow votes to be

purchased by a candidate.

The voting system must also be tamper-resistant to thwart a wide range of

attacks, including ballot stuffing by voters and incorrect tallying by insiders. A voting

system must be comprehensible and usable by the entire voting population, regardless

of age, infirmity, or disability. Providing accessibility to such a diverse population is an

important engineering problem and one where, if other security is done well, electronic

voting could be a great improvement over current paper systems. Flaws in any of these

aspects of a voting system, however, can lead to indecisive or incorrect election results.

An electronic election should be more secure, transparent and trustworthy, as common

people have less faith in computers due to hacking threats and system crashes.

Kohno et al. discussed some e-voting system problems such as incorrect use of

cryptography, unauthorized privilege escalation, vulnerabilities to network threats, and

poor software development processes [20].

Security is needed for the votes cast in an EVM because important decisions are based on the result. Ballot design or unintentional mistakes by voters may lead to foul votes, and the scheme can also produce unreliable results. It gives corrupt leaders opportunities for malpractice, which may even change government decisions. The design of the EVM also has some loopholes which threaten the security of the votes. The hardware, provided with PROM for storage of votes, is compact, with few instructions that run directly on the hardware. With this simple design, security is hard to maintain, which may result in malpractice with votes [13].

To avoid the above-mentioned problem, our thesis addresses the security of the votes cast by the public. Our thesis focuses on two points [1]. One is to provide security and the other is to provide backup storage for post-checking, if any problem arises. This facility is provided by using cryptography in which two public keys are used for encryption and one private key for decryption. Backup storage acts as a remote server which preserves the votes. This storage is used for the purpose of rechecking and confirmation. Hence, our thesis provides a solution for the security problems of the votes in the EVM.

3.2. EXISTING EVM MODEL

The Election Commission of India developed EVMs in partnership with two

government-owned companies. The first Indian EVMs were developed in the early

1980s by ECIL. They were not widely used all over the nation because of the

inconvenience of the machine. They proposed the next model including the separate

control and ballot units and the layout of both components [3].

The first-generation EVMs were based on Hitachi 6305 microcontrollers and used firmware stored in external UV-erasable PROMs along with 64kb EEPROMs for storing votes. Second-generation models were introduced in 2000 by both ECIL and BEL. These machines moved the firmware into the CPU and upgraded other components. They were gradually deployed in greater numbers and used nationwide beginning in 2004. In 2006, the manufacturers adopted a third-generation design incorporating additional changes suggested by the Election Commission [3,7].

Fig: 3.1 Electronic Voting Machine

India's EVM has two main components, shown in Fig. 3.1. There is a control unit, used by poll workers, which stores and accumulates votes, and a ballot unit, located in the election booth, which is used by voters. These units are connected by a 5 m cable which has one end permanently fixed to the ballot unit. The system is powered by a battery pack inside the control unit. The EVMs are designed for one- or two-race elections, as are typical in India. The old (or existing) EVM is a real machine used widely all over the nation for voting purposes.

3.2.1 COMPONENTS OF EVM

The EVM has a storage unit, called the memory or control unit, and a ballot unit. The votes cast are saved in the memory, and at counting time the workers remove the seal of the memory, check the votes and declare the results. The ballot unit is used by the voters in the booth. First the ballot unit is set up with the number of candidates and their symbols [3]. The control unit shares the number of votes cast to enable the checking of votes at any time.

3.2.2 FUNCTIONS OF EVM

During election time the machine is checked once beforehand and then used for the purpose. The individual who wants to vote checks for the particular name in the list. Next, the individual presses the ballot button for the selected candidate to cast the vote. The vote cast is stored in the memory or control unit.

At the end of the day, the control unit is checked and sealed for security purposes. On the counting day the control units are checked and the votes are counted. Finally the result is declared based on the total number of votes, which is stored in the EVM.

3.3 CHALLENGES OF SECURITY IN EVM

• Environmental conditions such as rain, pollution, worms and insects may damage votes stored in the memory for a long period of time [6, 9].

• Damage caused by electoral fraud, where party loyalists may attack the booth and seize the ballot box.

• A problem in the internal components of the cable may result in a vote being cast wrongly, which will affect the policy of the election.

• The source code of the EVM is not revealed and its inner workings are not exhibited, so the working process of the EVM is not defined accurately.

• Security is provided by various cryptographic primitives as specified in to data that can also be applied to votes in EVM at storage and in transit.

3.4. PROPOSED SECURE EVM MODEL (S-EVM)

An electronic voting machine should provide a good vote storage mechanism, which should have at least the following seven properties [11, 17]:

1. Simple: Design a voting storage mechanism that is simple to implement, analyze,

and verify.

2. Reliable: The voting storage mechanism should not rely on fragile moving parts or

other components that might fail during use.

3. Durable: The record of votes should survive unexpected crashes of the voting

storage mechanism.

4. Tamper-evident: Anyone with read access to the voting record should be able to detect post-election tampering.

5. History-independent: Assuming a non-malicious voting storage mechanism, the contents of the voting record should not reveal information about the order in which ballots were cast.

6. Subliminal-Free: A malicious voting storage mechanism should not be able to undetectably embed covert information into the voting record.

7. Cost Effective: Election officials may only deploy these solutions if the cost per

voter is not significantly more expensive than alternative technologies.

Durability is important because, even if the vote storage mechanism is reliable,

catastrophic events like power loss and battery failure might cause a machine to crash.

History independence is important since it might otherwise be possible to compromise

voter privacy if one also knows the order in which people voted [23].

The various drawbacks of the existing EVM model and the considerations above lead us to propose a new model with secure storage of votes in the EVM as well as secure backup storage, thus providing a solution for the security issues in the existing EVM model. The proposed model can also avoid fake votes, i.e., votes that a fake voter casts without the original voter being present: a key is sent to the original voter’s mobile, and the voter enters this key at the time of voting in the EVM; the key can be used to encrypt the vote before it is stored in the backup.

Fig: 3.2 Security Model of EVM

In our proposed model, security is provided for the vote at two stages: first when it is stored in the memory of the EVM, and second when it is backed up to the remote server, using the efficient cryptographic technique of the MPPK algorithm, which we discussed in the previous chapter. Security is applied to the storage in the EVM memory, which is used for the accumulation of votes for counting, while the other store, called backup storage, is used to store votes for post-checking purposes in case any problem arises.

3.5 COMPONENTS OF SECURE EVM MODEL

Based on the security issues of the existing EVM model, the architecture of the

proposed model is constructed. The voting system must prevent tampering with the

election, the voting results and the system’s functionality. To overcome the drawbacks

regarding privacy issues the new model is created with additional components. Along

with the components of the existing model, additional features are introduced to

safeguard the votes cast.

The basic components of the proposed model:

a) Control Unit: The control unit contains the main circuit board with the CPU of a microcontroller and an oscillator. The CPU includes ROM, which protects the software against being changed. The CPU is custom manufactured with the election software permanently recorded in an internal mask ROM. This prevents the software from being electronically reprogrammed. The main circuit board also has a connection to the network and to the storage chip that stores votes.

b) Switches: Buttons are connected to switches that are used for casting the votes, for storage, and for retrieving the votes.

c) EVM Storage: The unit used to store the votes cast by individuals. The memory or storage unit holds the votes used for counting in encrypted storage, encrypted with public key-1, which is based on the proposed security algorithm, the MPPK cryptosystem.

d) Backup Storage: The alternate storage used to back up votes. Each vote is stored on a backup storage device at the remote server in encrypted format using public key-2, which is derived from the proposed security algorithm MPPK. The encrypted votes on the remote server can be used by the polling officer if the EVM or its memory is damaged in an accident or the EVM is hacked.

e) Security Module: When creating a secure system, getting the design right is only part of the battle. The design must then be securely implemented. Efficient coding practices and implementation styles are to be used to create the voting system. The design of this module provides cryptographic primitives which secure the EVM vote at the time of storage in the EVM or on the secondary backup storage device. The module is split into two parts, which encrypt votes at the time of storage in the EVM and in the backup storage. The decryption mechanism allows the count of votes to be viewed after the poll booth officer or admin supplies the key. The MPPK algorithm [19] [20] allows votes to be stored in encrypted form in main memory and remote memory with two public keys respectively.

3.6. WORKING OF SECURE EVM MODEL

Fig:3.3 Working of Secure EVM Model

The proposed Secure EVM Model first ensures that the voter is properly authenticated by the polling officer in the election booth; the voter then proceeds to the EVM to give his choice of vote. The authentication mechanism can be a threshold mechanism or the existing way of using voter cards or UID. After that, the voter can cast a vote in the EVM, where the votes are stored securely using the MPPK cryptographic algorithm. The step-by-step mechanism is stated below.

• Voter V obtains his Voter-ID (VID/UID) from the election office; it is used for authentication in the polling office.

• The Polling Officer (PA) verifies the VID/UID.

• PA makes two public keys using the MPPK algorithm, along with a token for the vote.

• On successful verification, Voter (V) casts the vote in the EVM by using the released token.

• Vote Vt is encrypted using key PK1 and stored in the memory of the EVM.

• Vote Vt is also encrypted using key PK2 and sent to the remote server over a secure channel.

• The Remote Server (Rs) accepts the vote Vt and stores the encrypted vote.

• At the time of the result, the vote Vt is decrypted using the private key Prk of the polling officer, retrieved either from the EVM memory or, when there is a failure of the EVM, from the remote server.

The S-EVM model will provide integrity and security for votes in storage, which is lacking in the existing EVM model.
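
The step-by-step flow above, written out as an added example that is not part of the original chapter: a single-use token gates each vote, the vote is encrypted under PK1 into EVM memory and under PK2 into the remote store, and either store can be tallied with the one private key. The MPPK algorithm is not reproduced here; as an assumption, a toy ElGamal-style scheme with one private key and two public keys stands in for it, and the names `SEVM`, `release_token`, `cast` and `tally` are hypothetical.

```python
import secrets
from collections import Counter
# Assumption: toy ElGamal-style stand-in for MPPK, NOT the chapter's algorithm.
P = 2**127 - 1   # prime modulus, far too small for real use
G1, G2 = 3, 5    # two bases give two public keys for one private key

def keygen():
    """Polling officer: private key Prk plus public keys PK1 and PK2."""
    prk = secrets.randbelow(P - 3) + 2
    return prk, (G1, pow(G1, prk, P)), (G2, pow(G2, prk, P))

def encrypt(pk, vote):
    """Randomized encryption of a candidate number (1..n) under one key."""
    g, h = pk
    r = secrets.randbelow(P - 3) + 2
    return pow(g, r, P), (vote * pow(h, r, P)) % P

def decrypt(prk, ct):
    c1, c2 = ct
    return (c2 * pow(pow(c1, prk, P), -1, P)) % P

class SEVM:
    def __init__(self, pk1, pk2):
        self.pk1, self.pk2 = pk1, pk2
        self.tokens = set()                  # released tokens not yet used
        self.memory, self.remote = [], []    # PK1 store (EVM), PK2 store (server)

    def release_token(self):
        token = secrets.token_hex(8)
        self.tokens.add(token)
        return token

    def cast(self, token, vote):
        if token not in self.tokens:
            return False                     # unknown or already used token
        self.tokens.remove(token)
        self.memory.append(encrypt(self.pk1, vote))
        self.remote.append(encrypt(self.pk2, vote))
        return True

def tally(prk, store):
    return Counter(decrypt(prk, ct) for ct in store)

def demo():
    prk, pk1, pk2 = keygen()
    evm = SEVM(pk1, pk2)
    for vote in [1, 2, 2, 3, 2]:             # constructed sample ballots
        evm.cast(evm.release_token(), vote)
    token = evm.release_token()
    first, second = evm.cast(token, 1), evm.cast(token, 1)  # reuse is refused
    from_memory, from_remote = tally(prk, evm.memory), tally(prk, evm.remote)
    evm.memory.clear()                       # simulate failure of the EVM memory
    return first, second, from_memory, from_remote, tally(prk, evm.memory)
```

Comparing the two tallies at counting time is the reconciliation step the backup makes possible: after the simulated memory loss only the remote copy still yields the result.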

3.7. SECURITY ANALYSIS OF PROPOSED SECURE EVM MODEL

Earlier analyses of electronic voting security have recommended avoiding complexity and minimizing the size of the trusted computing base. In addressing the requirements of security, the proposed EVM might superficially appear to be superior to most other deployed DREs or existing EVMs. As we already know, the EVM uses a simple embedded system design, and the software is compact, consisting of a few thousand instructions that run directly on the hardware.

The following are some of the problems that arise in the hardware of the EVM: tampering with software before CPU manufacture, substituting look-alike CPUs, substituting look-alike circuit boards, substituting look-alike units, and tampering with machine state. These should be addressed, or the hardware manufactured, under the supervision of security experts.

In our model we consider our system to be free from the above hardware security threats. The votes polled in the EVM are stored in memory that is part of the machine, which requires suitable precautions to be taken for their preservation before the results of the referendum are viewed. Every EVM is given a unique ID to identify the machine and the polling booth to which it belongs. To view the results, the polling official will officiate for the results if the EVM is secure in its place without physical damage; otherwise all the votes will be lost [8].

So in this proposed S-EVM model, the EVM is connected to a remote server over a network connection via a communication mechanism, and vote storage at the remote server serves as a backup, similar to mirroring the memory of the EVM. If the EVM memory is hacked, all the votes may be modified; to overcome this, the proposed model stores votes not only in the memory of the machine but also on the remote server in encrypted form, using the MPPK cryptographic algorithm [12] with pairs of two keys. In this model a pair of public keys is used for encryption and a private key is used for decryption.

Fig: 3.4 Encrypted Votes in EVM Memory

The vote cast in the EVM is encrypted with one of the pair of public keys, PK1, and stored in the EVM memory as shown in Fig. 3.4, and the same vote is encrypted with public key PK2 and stored in the EVM backup storage at the remote server as shown in Fig. 3.5. At the time of results, the EVM votes are decrypted with the private key of that EVM, given by the polling official, if the voting machine is in normal condition; in case of EVM failure, the votes are retrieved from the remote server using the private key of the poll booth officer.

Fig: 3.5 Encrypted Votes stored in Remote Server

3.8 ANALYSIS OF SECURE EVM MODEL

• The proposed model is better designed to withstand any security attacks on data in the storage.

• Since the EVM is an electronic device, votes stored electronically can be lost due to various problems related to electronic devices and cannot then be recovered; in the proposed EVM model, which provides a backup, the votes can be recovered.

• In the proposed S-EVM model, since the votes are encrypted in the memory of the EVM, they cannot be altered, which provides integrity to the votes polled.

• The proposed S-EVM stores data on the remote server in encrypted format, so it is not visible to and cannot be altered by unauthorized/ordinary users.

• In transit to the remote server, the votes of the proposed EVM are encrypted before being transferred, so in-the-middle attacks can be avoided.

• As in the new EVM model votes are accessed only by the polling officer with his private key, the system is authenticated appropriately.

3.9. CONCLUSION

In this chapter we have discussed the existing EVM's functionality and its limitations and, based upon these observations, proposed a new secure electronic voting machine model, S-EVM, which enhances security for votes in storage as well as against hackers or in case of damage to the EVM. In the proposed S-EVM model a new security model is added to enhance security by using the MPPK cryptographic algorithm. The chapter concludes with the results and analysis of the proposed S-EVM model.
