Sensus Voters' Manual

• Registrar - The registrar registers voters prior to an election.

• Pollster - The pollster acts as a voters' agent, presenting human readable ballots to a voter, collecting the voter's responses to ballot questions, performing cryptographic functions on the voter's behalf, obtaining necessary validations and receipts, and delivering ballots to the ballot box. The pollster is the only component of the Sensus system that voters must trust completely; voters concerned about the privacy of their ballots may want to install personal copies of the pollster on trusted machines.

• Validator - The validator ensures that only registered voters can vote, and that only one ballot is counted for each registered voter.

• Tallier - The tallier tallies the results of the election or survey.

You may begin the registration process by running the pollster module. This is generally done by invoking the sensus command.

The pollster module will display a menu of options. Select the "register to vote" option.

The pollster will generate a public/private key pair for you and then prompt you for your identification number, token, and the registration address.

The pollster will prepare a registration request on your behalf and submit it to the registrar. If all goes well, the pollster will collect an acknowledgment from the registrar within a few seconds. Then, the pollster will prompt you for a file name for saving your registration information. Select a name you will remember, as you will need to tell the pollster the name of your registration file every time you vote. If you are registered with more than one election authority, make sure you store your registration information in separate files. All Sensus files will be stored in your .sensus directory; if you do not have one, the pollster will create one for you.

Start by running the pollster module as you did when you registered to vote.

If you would like to review the ballot before you mark it, select "view ballot questions and instructions" from the pollster menu.

When you are ready to mark your ballot, select "mark ballot" from the pollster menu.

The pollster will prompt you for the name of the ballot and your registration file name.

The pollster will then display the ballot questions one at a time along with instructions for responding to each question.

If you change your mind or make a mistake marking your ballot, you can remark your ballot. At this time it is not possible to change your response to some ballot questions without remarking your entire ballot.

Public key cryptographic algorithms use a pair of cryptographic keys: a public key and a private key. A message encrypted with a public key can only be decrypted with the corresponding private key and vice versa. In addition to protecting secrets, public key cryptography can also serve as a digital signature to authenticate electronic documents.

Blind signatures, first introduced by David Chaum in 1981, allow a document to be signed without revealing its contents. The effect is similar to placing a document and a sheet of carbon paper inside an envelope. If somebody signs the outside of the envelope, they also sign the document inside. The signature remains attached to the document, even when it is removed from the envelope.

Sensus requires a series of digital signatures and verifications. Here is a summary of what happens when you cast a vote. Note, that all the cryptographic functions are performed on your behalf by your pollster.

• Your pollster encrypts your marked ballot with a special private key that you will only use once.

• Your pollster blinds your encrypted ballot.

• Your pollster signs your blinded ballot with your regular private key.

• Your pollster submits your blinded ballot, signature, and voter ID number to the validator.

• The validator uses your ID number to look up your public key, make sure you have not voted yet, and verify the authenticity of your signature. Note that the list of registered voter IDs and corresponding public keys is provided by the registrar.

• If the validator confirms that you are a registered voter who has not yet voted, it will sign your blinded ballot and return it to you.

• Your pollster uses a blind signature retrieving technique to remove the blinding encryption layer from the ballot, revealing the validator's signature on a ballot encrypted only with your special private key.

• Your pollster sends the signed, encrypted ballot to the tallier.

• The tallier verifies that the validator's signature on your ballot is authentic and places your encrypted ballot on a list of valid ballots to be published later. The tallier then signs your encrypted ballot and returns it to you as a receipt. If you should discover later that your vote does not appear on the published list (and thus was not counted), you can resubmit this receipt to prove that you voted.

• Your pollster sends the special public key that will decrypt your ballot to the tallier.

• The tallier uses the special public key to decrypt your ballot and adds your vote to the tally.

• After the election all encrypted ballots are published along with their corresponding public keys.

One problem with running your pollster on your own machine is that all packets from that machine can be identified as having been sent by you. Thus if the tallier wished to compromise your privacy, it could record the sending host of all packets it receives. This problem could be avoided through the use of anonymous re-mailers, but this has not been implemented. A third party could intercept packets as well, but would only be able to determine the contents of your ballot if it could determine the tallier's private encryption key.