What do we mean by secure voting?

The expression is overloaded and ambiguous. Part of the ambiguity stems from the different contexts where the term is used. On one hand, we can speak about secure voting in the general context of cybersecurity and the internet. On the other, secure voting has more specific definitions in the academic research literature into voting systems. In this post we try to clarify the meaning of secure voting, starting from general intuitions leading to more precise technical definitions.

In a general context, secure voting is understood to be about methods, software and systems that aim to protect an election from fraud and disruption. It a question of correctness and integrity. A voting system is secure in the sense that we can trust that the results of an election are fair and correct. The main threats faced by a secure voting system are those typical of any computer security problem: hacking, intrusion, manipulation, disruption. If we restricted our discussion to this general context, secure voting would simply be another problem in cybersecurity.

However, election integrity is not the whole story. Although the concept of cybersecurity includes concerns about data theft and privacy, the emphasis on privacy in the case of voting is critical. It’s what separates secure voting from more general problems in cybersecurity. This emphasis stems from voting’s nature as a political activity, where the crucial importance of the secret ballot is well established. The importance of the secret ballot has been recognized since roman times, and is even enshrined in the declaration of human rights[4].

Article 21.3 of the Universal Declaration of Human Rights states, “The will of the people…shall be expressed in periodic and genuine elections which…shall be held by secret vote or by equivalent free voting procedures.”

Accounting for this, the goal of secure voting is then protecting voter privacy as well as election integrity. It turns out that these two objectives are fundamentally opposed. For this reason, secure voting as a technical discipline is about finding methods that allow achieving both objectives simultaneously. It is in this domain (the academic literature on secure voting) where we find more precise definitions that factor in the core tension that general considerations about cybersecurity fail to address. And it is in this technical domain where voting-specific cryptography is employed to solve the unique problems that arise. Thus, the term “cryptographically secure voting” seems a reasonable choice to refer to this refined, more specific meaning.

At a high level[3], the goals of cryptographically secure voting are described by[1]

One of the most challenging aspects in computer-supported voting is to combine the apparently conflicting requirements of privacy and verifiability. On the one hand, privacy requires that a vote cannot be traced back from the result to a voter, while on the other hand, verifiability states that a voter can trace the effect of her vote on the result. This can be addressed using various privacy-enabling cryptographic primitives which also offer verifiability.

We stress that the use of cryptography is a means to an end, not the end in itself. A voting system that includes cryptographic techniques is not necessarily a cryptographically secure voting system.

This mistake is commonly made when assessing blockchain systems: these systems use cryptography, but this cryptography has no bearing on privacy[5]. Cryptography is there to satisfy certain requirements, not the other way around.

Let’s now pin down exactly what these requirements entail.

Privacy

Starting with privacy[2]

Privacy: In a secret ballot, a vote must not identify a voter and any traceability between the voter and its vote must be removed.

An alternative statement is[1]

Ballot-privacy: no outside observer can determine for whom a voter voted

Note that the expression “no outside observer” refers to anybody that is not the voter. The important implication is that not even the administrators of the voting system or anyone with privileged access to hardware/software can violate this privacy. If this condition is not met, a system does not support privacy and is therefore not a secure voting system. Solutions that simply “forget” data, or merely store data at different locations, do not satisfy privacy. It is not enough for the system to voluntarily disregard privacy-compromising information; said information must not be available at all. Relaxing this privacy requirement makes a building voting system trivial, typically reducing to the use of SSL for communication.

Verifiability

The literature presents several variants[1]:

Individual verifiability (IV): a voter can verify that the ballot containing her vote is in the published set of “all” (as claimed by the system) votes.

Universal verifiability (UV): anyone can verify that the result corresponds with the published set of “all” votes.

These two requirements appeared first in the literature, and were later augmented with[1]

End-to-end verifiability: a voter can verify that:
– cast-as-intended: her choice was correctly denoted on the ballot by the
system,
– recorded-as-cast: her ballot was received the way she cast it,
– tallied-as-recorded: her ballot counts as received.

The notion of verifiability of a voting system is directly related to integrity, and is in fact a strictly stronger property. Not only must the system operate correctly and election results must be fair, but it must be possible for participants and external observers to certify this unequivocally. Verifiability is one of the areas in which electronic voting systems may offer better guarantees than traditional voting. This is accomplished through cryptographic proofs and publicly available bulletin boards that collect election data.

End-to-end verifiable voting systems

With these defintions in hand we can suggest:

A cryptographically secure voting system is one that supports privacy and end-to-end verifiability.

For brevity, these systems are referred to simply as end-to-end verifiable. End-to-end verifiable systems are considered the goal standard for electronic voting. When these characteristics are further combined with general computer security techniques the result is a generally secure voting system.

Summary

We have seen that

  • The term “secure voting” is generally thought to refer to cybersecurity and resistance to cyberattacks.
  • However, cybersecurity is a general property of hardware/software that does not reflect the specific requirements of voting as a political process. The secret ballot is an established and indispensable requirement for voting.
  • Secure voting systems must support privacy as well as integrity; these two requirements stand in opposition.
  • In a system supporting privacy, no one, not even system administrators or other privileged observers can violate the secret ballot.
  • In a system supporting end-to-end verifiability, voters can ensure that their vote was cast, recorded, and counted correctly.
  • Cryptographically secure voting systems employ cryptographic technology to satisfy these two properties simultaneously. The gold standard are end-to-end verifiable voting systems.
  • A secure voting system is an end-to-end verifiable voting system that also employs general computer security principles.

This last point expresses our view of what it means for a voting system to be secure. Although this definition is very demanding, we believe it is appropriate to be conservative in an area that overlaps with political decision making. Unfortunately this approach implies that many systems that are labelled secure voting systems do not in fact belong to that category.


References

[1] Privacy and Verifiability in Voting Systems: Methods, Developments and Trends [https://eprint.iacr.org/2013/615.pdf]

[2] A framework and taxonomy for comparison of electronic voting schemes [https://www2.ee.washington.edu/research/nsl/papers/JCS-05.pdf]

[3] The literature includes many other properties relevant to secure voting, we concentrate on the essential ones. Please refer to [2] for further info.

[4] Secret ballot [https://en.wikipedia.org/wiki/Secret_ballot#International_law]

[5] Unless you include specific cryptographic techniques such as zk-snarks (zcash) or linkable ring signatures in addition to the blockchain. One of our proposals is related to the first case, found here. Another proposal related to blockchain’s distributed nature is here.