- Allow individuals to vote using their own digital devices.
- Allow any voter to independently confirm that their vote was entered correctly.
- Allow any third party to independently tabulate the results of the election.
- Don't reveal the position taken by any single voter to anyone else.
- Voter has access to an email address that only they control.
- The voting platform has already determined before the election who should be eligible to vote, and has associated those verified voters with an email address.
- During the election, the voter has access to an internet device that can make secure https connections to the voting platform.
- Voter Registration: A user, identified by an email address [email protected], is verified as an eligible voter in their district.
- Email authentication: The user can log in to the voting platform by identifying themselves through a special link sent to their email.
- The user views an election — 2016-E: Chocolate vs. Vanilla — on the voting platform.
- Voting: The user decides to vote for Chocolate. The user also picks a secret passphrase that allows them to verify their vote: banana. The user could also be given a receipt for their vote[1].
[1] You may not want to provide this receipt, because it makes it easier for a voter to be forced into provably revealing how they voted.
- Unique hash: Based on the unique characteristics of their vote — their email, the election id, their position, and their passphrase — a unique vote identifier is calculated using a one-way hashing function[2].
SHA3-256("<[email protected]>, 2016-E, Chocolate, banana") => 77a14de056bf7ee73629501fd7942c41e59dc857c404b4f6f426a3c2fdbfbab2
[2] This SHA3-256 example was calculated using https://emn178.github.io/online-tools/sha3_256.html
- Publish vote: An entry is added to a public record of all votes to represent their vote:
77a14de056bf7ee73629501fd7942c41e59dc857c404b4f6f426a3c2fdbfbab2 Chocolate
- View results: At the end of the election, the entire public record of votes can be viewed to calculate a winner. This document can be cryptographically signed and use trusted timestamping to ensure it is authentic and has not been tampered with.
- To protect against the possibility that the voting platform has added votes for non-existent voters, the total number of votes should be cross-referenced with expected numbers based on the number of registered voters. Exit polling information from an independent third party can also help inform the expected number of total votes.
Does the proposed procedure meet the stated goals?
- Allow individuals to vote using their own digital devices.
Yes, this goal is met.
In addition to their own devices, a voter can also use a device provided by others, such as a friend's device or one available for public use, for example in a library.
For these other computers, new concerns are introduced: the device may be compromised, such as by a keylogger or screen recorder, or the connection may be subject to a man-in-the-middle attack if it is insecure.
- Allow any voter to independently confirm that their vote was entered correctly.
Yes, this goal is met, assuming the hashing algorithm is open-source and cryptographically secure, and the voter remembers the four pieces that make up their vote: their email, the election id, their position, and their passphrase. They can independently calculate their vote's unique identifier and confirm that it appears in the list of all votes with the correct position.
One concern is that this process is too technical for the everyday voter. Even so, the platform is still kept accountable by the possibility that any voter may independently audit their vote.
- Allow any third party to independently tabulate the results of the election.
Yes, this goal is met, since the record of all votes is published.
- Don't reveal the position taken by any single voter to anyone else.
Yes, this goal is met, but this privacy could be lost.
While all votes are published, only the position and the vote's unique identifier, created from a one-way hashing function, are included in the public record. So by default, the individual voter's position is kept private.
This privacy could be compromised if another party learns the inputs that went into the hashing function: the voter's email, the election id, their position, and their passphrase.
This privacy could be compromised if the voter's device is compromised. A keylogger, screen recorder, or a man-in-the-middle attack could all reveal a voter's position to a third party.
This privacy could be compromised by a brute-force attack on the hash. It is for this reason that the election id was included: it acts like a salt, so that the same rainbow table can't be re-used across elections in case the voter, position (e.g. yea or nay), and secret all remain the same.
Resistance to brute-force attacks can be strengthened by using longer inputs, in particular a passphrase with greater entropy.
Additional strength could also come from a more computationally intensive hashing function, such as scrypt. Since this function is memory-bound, the system can limit the number of hashes that can be calculated within a certain timeframe. This can significantly raise the cost of a successful brute-force attack.
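As an added example (not code from the original proposal), the following Python sketch implements both the procedure's "Unique hash", "Publish vote" and voter-side verification steps above and the scrypt hardening just suggested. The email address, the public-record layout as a list of (identifier, position) pairs, and the scrypt parameters are assumptions, since the page shows none of them.

```python
import hashlib

# Constructed sample values: the page does not show the voter's real address,
# so this placeholder stands in for it.
EMAIL = "voter@example.com"
ELECTION_ID = "2016-E"


def vote_input(email, election_id, position, passphrase):
    """Canonical string the page hashes: '<email>, election id, position, passphrase'."""
    return f"<{email}>, {election_id}, {position}, {passphrase}"


def vote_id_sha3(email, election_id, position, passphrase):
    """Unique vote identifier as the page computes it: SHA3-256 of the canonical string."""
    data = vote_input(email, election_id, position, passphrase).encode("utf-8")
    return hashlib.sha3_256(data).hexdigest()


def vote_id_scrypt(email, election_id, position, passphrase, n=2**14):
    """Hardened variant suggested in the analysis (assumed construction): scrypt over the
    same canonical string, with the election id as the salt so a table precomputed for
    one election cannot be reused for another. n=2**14, r=8, p=1 are assumed parameters."""
    secret = vote_input(email, election_id, position, passphrase).encode("utf-8")
    salt = election_id.encode("utf-8")
    return hashlib.scrypt(secret, salt=salt, n=n, r=8, p=1, dklen=32).hex()


def publish_vote(record, email, election_id, position, passphrase, id_fn=vote_id_sha3):
    """'Publish vote' step: append '<identifier> <position>' to the public record."""
    record.append((id_fn(email, election_id, position, passphrase), position))


def verify_vote(record, email, election_id, position, passphrase, id_fn=vote_id_sha3):
    """Voter-side audit: recompute the identifier from the four remembered inputs and
    confirm it is present in the public record with the position the voter chose."""
    expected = id_fn(email, election_id, position, passphrase)
    return any(vid == expected and pos == position for vid, pos in record)


def tally(record):
    """'View results' step: any third party can count positions from the public record."""
    counts = {}
    for _, pos in record:
        counts[pos] = counts.get(pos, 0) + 1
    return counts
```

Because the record stores only the identifier and the position, a wrong position or a wrong passphrase fails verification, and the same vote in a different election id yields a different identifier.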
One implication of publishing a record of all votes is that although the system may be assumed reasonably secure at the time of the election, this may not hold in the future. Developments in computing hardware, as well as vulnerabilities discovered in the cryptographic functions, could compromise a voter's privacy.
Lastly, the individual voter's position is not private to the voting platform itself.