News

Cast your vote: making e-voting safer and verifiable

  • Faculty of Humanities, Education and Social Sciences (FHSE)
    Faculty of Science, Technology and Medicine (FSTM)
    IAS Luxembourg
    Interdisciplinary Centre for Security, Reliability and Trust (SnT)
    03 May 2024
  • Category
    Research
  • Topic
    Computer Science & ICT

In a couple of days, millions of citizens will cast their vote in the European elections – on paper ballots, online or with electronic support. Voter verifiability has the potential to improve confidence in, and the legitimacy of, voting procedures.

Sound elections are built on three essential pillars: privacy – each voter has the right to a free and private vote, security – ballots must be protected from outside interference, and traceability – results must be provable.

For many years, modern digital technologies have been proposed, and occasionally trialled or even deployed, for electoral processes, with the goal of either carrying out elections entirely online (i-voting) or supporting in-person voting with electronic recording or counting (e-voting). Since elections naturally attract actors that seek to undermine their integrity or privacy, how robust are current technologies, and how usable and acceptable are they for a larger electoral body? What are the regulatory concerns?

“The challenge for e-voting and i-voting is to achieve a sufficient balance between privacy, security and traceability”, explains Peter Ryan. “Achieving just one pillar is easy enough. If you are not concerned about privacy then a simple show of hands is fine, if you’re not concerned about integrity but concerned mainly with privacy, then a system that delivers a random outcome is fine.”

Online voting has been introduced in Estonia as an additional voting method and in French legislative elections for expatriates, while Switzerland is still experimenting. Yet, internet-based solutions are still vulnerable and raise numerous regulatory questions. “The existing solutions are suitable for elections for which the threat level is deemed to be low: trades union delegations, councils, company boards for instance. But the nature of the internet itself makes it extremely challenging to balance security and integrity to a sufficient level for high-stakes elections.”

Any novel voting method must conform to the core election principles of free, universal, direct, secret, and equal suffrage. I-voting entails three features – computers, the internet, the remoteness of voters – and the combination of these makes it extremely challenging. “I-voting opens a number of questions related to electoral integrity, for instance whether the voter is indeed the one who cast the vote, whether there was undue influence or interference at an unmonitored location, how can we be sure that nobody will be able to find out the content of the ballot”, explains Leo Fel.

“Since 2004, the Council of Europe has established standards on e-voting and i-voting, which are a continuous work-in-progress. These standards are criteria against which any i-voting system should be assessed. However, these standards leave room for the autonomy of each country. Some of the basic election principles, when applied to i-voting, cannot easily and fully be reconciled.”

Finally, a system has to be acceptable and trustworthy for the electoral body. “Some concerns, especially regarding privacy and coercion, differ from country to country, as their cultural specificities affect people’s trust in institutions and the electoral system as an integral part of those institutions”, continues Leo Fel. “In some places, it is accepted to help your grandmother cast her vote or to publicly communicate your vote choice (like ‘stemfies’ – polling station selfies posted on social media in the Netherlands), while other countries may not accept these activities.” These differences influence how voters will perceive, trust, accept and use new voting schemes, hence they must be carefully assessed before and after each use.

A solution to balance the odds: voter verifiability

“What is at stake for technology-supported elections is voter verifiability, the ability of voters to check themselves that their vote has been properly recorded”, says Peter Ryan.

“The conventional process of elections, whether online based, or paper ballot with digital support, is based on trust – trusting the elections officials, the volunteers, the software and the company selling it. Voter verifiability instead enables them to check themselves that their vote is correctly counted.”

The challenge in cryptosecurity is to make this happen while protecting the content from prying eyes. Researchers at the APSIA lab design, analyse and test cryptographic techniques. This calls on many of the gadgets from the cryptographer’s toolbox: threshold encryption, verifiable shuffling, zero-knowledge proofs, etc.

How does it work?

After a vote is cast, an encryption of this vote is created with the voter keeping a copy of the encrypted vote, like a tracking number. This encrypted ballot is posted on a public bulletin board, which voters can visit to verify that their vote has been recorded as it was cast. If the vote has been carefully encrypted, your ballot cannot be decrypted and read, even if your visit to the bulletin board could be traced. “Our solution needs to be sophisticated enough to ensure voter privacy, but easily understandable so that the average voter can really use and accept its features”, explains Peter Ryan.

In a threshold encryption scheme, no single entity or person holds the encryption keys. Instead, they are shared among a number of trustees. “Say the key is shared amongst ten trustees and the threshold is set to six. The decryption can only happen if six trustees cooperate. So the choice of trustees is important.”

“The quality of the cryptography determines how safe these encrypted votes are against outside attacks. Hence, information security researchers spend a considerable time fine-tuning the mathematical tools used to design and implement the protocols.”

One issue that key election players must tackle is trust based on understandability, says Leo Fel. Both i-voting and e-voting systems imply sophisticated technological solutions that only a small fraction of voters comprehends and is therefore more likely to trust. In fact, the safer they are, the more complex they may appear. With voter verifiability, people regain assurance and control the verification. “Regulatory institutions closely followed the trend for verifiability, and in 2004 the Council of Europe recommended experimenting with verifiability techniques. Over time, practical experiences and continuous research have supported verifiability, and it has gradually become a precondition for any form of e-voting. In its update of 2017, the Council of Europe recommended the introduction of verifiability tools.”

Opportunities for the future

For certain types of elections, with lower stakes and little interest from hackers, online voting systems may be safe enough. One of the major security challenges that ought to be dealt with is the threat posed by the emergence of quantum computers. Almost all existing electronic voting schemes depend on cryptography which will be broken by quantum algorithms. The research project “EquiVox – Secure, Quantum-Safe, Practical Voting Technologies” aims to develop and prototype practical e-voting schemes that are secure against attackers capable of performing quantum algorithms that render the supposedly “hard” problems at the heart of most contemporary crypto quite easy.

“In the near future, large-scale quantum computers might be available and used by a variety of agents, including to break encrypted data”, says Peter Ryan. “A threat is the store now and decrypt later strategy. Our research group look at post quantum cryptography, that we believe should stay secure even when more people get hold of quantum computers.”

Research funded by the Institute for Advanced Studies

The project e/i voting: political and legal aspects in the cyber area is fully funded by the Institute for Advanced Research (IAS). The IAS is the University’s funding programme for interdisciplinary, audacious and frontier research projects.

  • Prof Peter Y A RYAN
    FSTM
    Full professor in Computer science and communication – Applied Security
  • Leo FEL
    FHSE
    Doctoral researcher