Sensus Voters' Manual

Sensus is a security-conscious electronic polling system developed for conducting secure and private elections over the Internet.

Sensus was developed by Lorrie Cranor (

Table of Contents

Sensus Modules

Sensus has four main modules:

Registering to Vote

Before registering to vote, a voter must obtain a voter identification number, token, and registration address from the election administrators.

You may begin the registration process by running the pollster module. This is generally done by invoking the sensus command.

The pollster module will display a menu of options. Select the "register to vote" option.

The pollster will generate a public/private key pair for you and then prompt you for your identification number, token, and the registration address.

The pollster will prepare a registration request on your behalf and submit it to the registrar. If all goes well, the pollster will collect an acknowledgment from the registrar within a few seconds. Then, the pollster will prompt you for a file name for saving your registration information. Select a name you will remember, as you will need to tell the pollster the name of your registration file every time you vote. If you are registered with more than one election authority, make sure you store your registration information in separate files. All Sensus files will be stored in your .sensus directory; if you do not have one, the pollster will create one for you.

Marking Your Ballot

Before you can mark a ballot, you must obtain the unvoted ballot for the election and place it in your .sensus directory. You must also be registered to vote in that election.

Start by running the pollster module as you did when you registered to vote.

If you would like to review the ballot before you mark it, select "view ballot questions and instructions" from the pollster menu.

When you are ready to mark your ballot, select "mark ballot" from the pollster menu.

The pollster will prompt you for the name of the ballot and your registration file name.

The pollster will then display the ballot questions one at a time along with instructions for responding to each question.

If you change your mind or make a mistake marking your ballot, you can remark your ballot. At this time it is not possible to change your response to some ballot questions without remarking your entire ballot.

When you have finished marking your ballot, the pollster will prompt you to continue the voting process. By answering yes at each of the prompts, you can authorize the pollster to complete the entire voting process on your behalf immediately. This process usually takes a few minutes. If you do not want to complete the process right away, you can exit from the pollster program and run it again later to pick up where you left off.

Understanding the Sensus System

Sensus is based on a system proposed by Fujioka, Okamoto, and Ohta in 1992. It uses public key cryptography and blind signatures to provide security and privacy in a digital environment.

Public key cryptographic algorithms use a pair of cryptographic keys: a public key and a private key. A message encrypted with a public key can only be decrypted with the corresponding private key and vice versa. In addition to protecting secrets, public key cryptography can also serve as a digital signature to authenticate electronic documents.

Blind signatures, first introduced by David Chaum in 1981, allow a document to be signed without revealing its contents. The effect is similar to placing a document and a sheet of carbon paper inside an envelope. If somebody signs the outside of the envelope, they also sign the document inside. The signature remains attached to the document, even when it is removed from the envelope.

Sensus requires a series of digital signatures and verifications. Here is a summary of what happens when you cast a vote. Note, that all the cryptographic functions are performed on your behalf by your pollster.

Privacy Issues

How private is your vote? That depends in part on your computer system. The easiest way for the privacy of your vote to be compromised is for someone to look over your shoulder or use root privileges to gain access to your files. You can reduce the chance of the latter happening by using PGP or another encryption program to encrypt all the files in your .sensus directory; Sensus does not do this automatically. If you are running your pollster on a remote system (that includes using a terminal attached via ethernet to a workstation down the hall) then someone could snoop your packets as they travel over the network. It is up to you to determine whether there is anyone in your organization who would care about your vote enough to attempt this. If you are concerned about this, always run your pollster on your own machine.

One problem with running your pollster on your own machine is that all packets from that machine can be identified as having been sent by you. Thus if the tallier wished to compromise your privacy, it could record the sending host of all packets it receives. This problem could be avoided through the use of anonymous re-mailers, but this has not been implemented. A third party could intercept packets as well, but would only be able to determine the contents of your ballot if it could determine the tallier's private encryption key.

A party who had access to the private keys of the tallier and validator could intercept packets and link voter IDs with marked ballots if the tallier and validator receive messages from voters in roughly the same order (that is if the validator receives messages from voter 1, followed by voter 2, followed by voter 3; then the tallier also receives messages in that order). The tallier and validator could record and time stamp all messages they receive from voters and work together to deduce this linkage as well. This problem is avoided if voter populations are large enough that several voters end up voting at approximately the same time. Voters who are worried about this sort of attack may delay in submitting their encrypted ballot to the tallier rather than submitting it immediately after receiving a validation from the validator.

Assuming you are running your pollster on a physically secure system and that the validator and tallier receive messages from voters in different orders, it is quite difficult for your privacy to be compromised. In order for this to happen your voted ballot would have to be traced back to you by breaking the blinding encryption layer on your ballot. (And if the attacker was anyone other than the validator, the validator's private key would have to be compromised as well.) The only known way of doing this is through a brute force attack or by finding a determinable pattern in the random number generator. While it is possible for someone with sufficient compute power to break the blinding encryption layer of one ballot through brute force attack, remember that the task will take a lot longer if all ballots are to be linked back to the voters who cast them.

Additional Information