TPM Meets DRE: Reducing the Trust Base for Electronic Voting Using Trusted Platform Modules

R. A. Fink, A. T. Sherman, R. Carback

IEEE Transactions on Information Forensics and Security, vol. 4, no. 4, pp. 628–637 (2009)

Securing Our Votes: How Trusted Hardware Can Fix Electronic Voting

Electronic voting machines promised to modernize elections with accessibility and accuracy, but their security flaws have eroded public trust. A 2009 research paper titled “TPM Meets DRE” offers a solution: using specialized hardware chips called Trusted Platform Modules (TPMs) to create a more secure voting system. Here’s a breakdown of why this matters and how it works.

The Problem with Current Voting Machines

Direct Recording Electronic (DRE) machines—touchscreen devices that record votes digitally—offer significant benefits: they eliminate overvotes (accidentally voting for too many candidates), support multilingual ballots, and help disabled voters. However, their security relies heavily on software, creating a large “trusted computing base” (TCB). If malicious software is installed, votes can be altered or deleted without detection. Previous attacks have shown that compromised machines can change election outcomes, making voters and officials rightly skeptical.

Why TPMs Change the Game

TPMs are tamper-resistant chips embedded in computers that provide cryptographic services and securely store keys. Because the keys and the checks on them live in hardware rather than in software, an attacker who controls the machine’s software still cannot extract or rewrite them. The paper proposes using the TPM to hold a “Platform Vote Ballot” (PVB) signing key—a key whose private half never leaves the chip and whose signatures bind three critical elements:

  1. The software running on the machine
  2. The ballot presented to the voter
  3. The voter’s choices

This binding ensures that any tampering—like altering the ballot or vote data—will break the cryptographic chain, making fraud detectable.

Key Innovations

The protocol introduces several breakthroughs:

  • Hardware-Protected Keys: The private PVB key never leaves the TPM, preventing theft or misuse.
  • Election-Day Authorization: The key is only usable when an election-day password is entered, blocking “day-before” attacks where machines are compromised before voting starts.
  • Software Attestation: The TPM verifies the machine’s software is unmodified before allowing votes to be recorded.
  • Privacy via Randomization: Votes are stored in pseudorandom locations, preventing observers from linking vote order to voter identity.

How It Works: A Step-by-Step

  1. Pre-Election Setup: A trusted authority creates the PVB key and binds it to the machine’s software “fingerprint” (stored in the TPM’s Platform Configuration Registers, or PCRs).
  2. Election Day: A precinct judge enters a password to unlock the PVB key. The machine verifies its software matches the approved fingerprint.
  3. Voting: When a voter casts a ballot, the TPM signs the vote and ballot data together. Votes are written to pseudorandom storage locations to protect privacy.
  4. Tallying: After voting ends, the signed data is sent to officials. They verify signatures to confirm no tampering occurred.

Security Benefits

This approach detects tampering early:

  • Ballot Modification: Changing the ballot breaks the signature, alerting officials.
  • Vote Alteration: Any change to stored votes invalidates the storage signature.
  • Fake Machines: Substituted machines can’t sign votes correctly, so their results are rejected.
  • Unauthorized Access: The TPM’s tamper resistance and password protection block unauthorized use.
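The step-by-step flow above and the four detection cases in this list can be exercised in one toy model. The following Python block is an added example written for this page; it is not code from the paper or from any TPM library, and all class and function names are illustrative assumptions. Its one cryptographic shortcut is explicit: HMAC-SHA256 stands in for the TPM’s asymmetric PVB key, so the verifier here holds a copy of the key, whereas in the real protocol only the public half leaves the chip. PCR values, ballot contents and passwords are constructed sample data.

```python
"""Toy model of the PVB-key flow: key bound to software measurements (PCRs),
unlocked only by the election-day password, signing ballot + choices together.
Added example, not the paper's code. HMAC stands in for the TPM's signature
primitive, so the verifier shares the key; a real TPM exports only a public key."""
import hashlib
import hmac
import json
import secrets


def measure(*components: bytes) -> bytes:
    """Chain measurements the way PCR extension does: h = H(h_prev || H(component))."""
    h = b"\x00" * 32
    for c in components:
        h = hashlib.sha256(h + hashlib.sha256(c).digest()).digest()
    return h


class ToyTPM:
    """Holds the PVB key and signs only when software and password both check out."""

    def __init__(self, software_pcr: bytes):
        self.pcr = software_pcr          # measurement of the software booted on this machine
        self._pvb_key = None             # private key material; the TPM never hands it out
        self._bound_pcr = None
        self._election_auth = None
        self._unlocked = False

    def create_pvb_key(self, election_password: str) -> bytes:
        """Pre-election setup: the key is bound to the current PCR value and a password."""
        self._pvb_key = secrets.token_bytes(32)
        self._bound_pcr = self.pcr
        self._election_auth = hashlib.sha256(election_password.encode()).digest()
        self._unlocked = False
        # Returned only because this toy uses a symmetric MAC; a real TPM exports a public key.
        return self._pvb_key

    def unlock(self, election_password: str) -> bool:
        """Election day: the judge's password only works if the software still matches."""
        if self._pvb_key is None:
            return False
        given = hashlib.sha256(election_password.encode()).digest()
        pw_ok = hmac.compare_digest(given, self._election_auth)
        pcr_ok = hmac.compare_digest(self.pcr, self._bound_pcr)
        self._unlocked = pw_ok and pcr_ok
        return self._unlocked

    def sign(self, message: bytes) -> bytes:
        if not self._unlocked:
            raise PermissionError("PVB key is locked: no election-day authorization")
        return hmac.new(self._pvb_key, message, hashlib.sha256).digest()


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def cast_vote(tpm: ToyTPM, ballot: dict, choices: dict) -> dict:
    """Voting: ballot and choices are signed as one record, so neither can change alone."""
    record = {"ballot": ballot, "choices": choices}
    return {"record": record, "sig": tpm.sign(canonical(record)).hex()}


def store_votes(records: list) -> list:
    """Shuffle records into random slots so storage order says nothing about casting order."""
    slots = list(records)
    secrets.SystemRandom().shuffle(slots)
    return slots


def verify_record(key: bytes, signed: dict) -> bool:
    expected = hmac.new(key, canonical(signed["record"]), hashlib.sha256).digest()
    return hmac.compare_digest(expected, bytes.fromhex(signed["sig"]))


def tally(key: bytes, stored: list) -> tuple:
    """Count only records whose signature verifies; return (counts, number rejected)."""
    counts, rejected = {}, 0
    for s in stored:
        if not verify_record(key, s):
            rejected += 1
            continue
        for contest, choice in s["record"]["choices"].items():
            counts.setdefault(contest, {})
            counts[contest][choice] = counts[contest].get(choice, 0) + 1
    return counts, rejected


def demo() -> dict:
    """Run the honest flow plus the tampering cases the protocol is meant to catch."""
    approved_sw = measure(b"bootloader v1", b"vote-app v3.2")     # constructed measurements
    ballot = {"contests": {"mayor": ["Alice", "Bob"]}}             # constructed ballot
    tpm = ToyTPM(approved_sw)
    verify_key = tpm.create_pvb_key("election-day-secret")
    out = {}
    try:                                    # day-before attack: key not yet authorized
        tpm.sign(b"anything")
        out["locked_before_election"] = False
    except PermissionError:
        out["locked_before_election"] = True
    out["unlocked"] = tpm.unlock("election-day-secret")
    stored = store_votes([cast_vote(tpm, ballot, {"mayor": c}) for c in ("Alice", "Alice", "Bob")])
    out["honest"] = tally(verify_key, stored)
    altered = json.loads(json.dumps(stored))      # vote alteration in storage, bypassing the TPM
    victim = next(v for v in altered if v["record"]["choices"]["mayor"] == "Alice")
    victim["record"]["choices"]["mayor"] = "Bob"
    out["altered"] = tally(verify_key, altered)
    fake = ToyTPM(approved_sw)                    # substituted machine with its own key
    fake.unlock("whatever") if fake.create_pvb_key("whatever") else None
    out["fake_machine"] = tally(verify_key, [cast_vote(fake, ballot, {"mayor": "Bob"})])
    tpm2 = ToyTPM(approved_sw)                    # same machine rebooted into modified software
    tpm2.create_pvb_key("election-day-secret")
    tpm2.pcr = measure(b"bootloader v1", b"vote-app v3.2-modified")
    out["unlock_with_modified_software"] = tpm2.unlock("election-day-secret")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The altered record and the fake machine’s record are both rejected at tally time rather than silently counted, and the modified-software case never gets as far as signing because the PCR check inside `unlock` fails. The shuffle in `store_votes` is what makes the honest tally independent of the order in which votes were cast.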

Limitations and Future Work

The system isn’t foolproof:

  • Hardware Trust: It relies on the TPM being secure, which some critics question.
  • Voter Verification: Voters can’t confirm their vote was recorded correctly in real time (though this could be added).
  • Insider Threats: Corrupt officials could still misuse their access.

Future improvements might include voter verification tools or splitting votes across multiple storage areas for redundancy.

Why This Matters

By reducing the trusted computing base from sprawling software to a single hardware chip, this protocol makes electronic voting more secure without sacrificing its benefits. It represents a critical step toward restoring faith in digital elections, ensuring that the technology serving our democracy is as trustworthy as the process itself. While not a silver bullet, it offers a pragmatic path forward—proving that with careful engineering, we can harness technology to strengthen, rather than weaken, democratic integrity.