On the security of (online) voting
Mail is now e-mail. Books are now e-books. Can votes be... e-votes?
Most of today’s infrastructure is transitioning to digital. Humans are more familiar with their devices and can perform many tasks from the comfort of their home. Paying bills, booking flights, sending emails, signing important documents: all of these can now be done from a laptop and/or phone. Voting, however, still requires people to physically go to a booth. Can we do better?
A: Yes (but it’s tricky!)
Voting is very important and has a set of interesting requirements. For example, how people vote should be private.
At this point, I want to highlight something very disappointing: most voting processes in Web3 completely ignore this requirement (so much for trying to fight for the rights of the people…). Not only that, popular platforms have released different “privacy mechanisms” that consist of an easy shortcut: users encrypt their vote first and then decrypt it at the end of the election. This is (somehow) called “partial privacy” or “collusion resistance”. I personally don’t understand where the term partial comes from, as at the end of the election you can see who voted and how they voted. Why is the partial there? That’s zero privacy…
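To make the “encrypt now, open at the end” shortcut concrete, here is an added simulation (example code written for this post, not code from any of the platforms mentioned). It models the scheme as a commit-and-reveal ledger: during the election each voter posts a hash commitment, and at the end each voter posts the vote and nonce so the tally can be verified. The voter identifiers, candidate names and ballots are constructed sample data. The point it demonstrates is the one made above: the public reveal ledger lets any observer rebuild the full voter-to-vote mapping, so the scheme only delays disclosure rather than providing privacy. It also shows a second failure mode worth checking for in such designs: if the commitment omits the random nonce, a two-candidate ballot can be read off the commitment ledger before the reveal phase even starts.

```python
import hashlib
import secrets
from collections import Counter

# Constructed two-candidate ballot used for the sample election.
CANDIDATES = ("alice", "bob")


def commit(vote: str, nonce: bytes) -> str:
    """Hiding commitment H(vote || nonce); this is what gets posted during the election."""
    return hashlib.sha256(vote.encode() + nonce).hexdigest()


def run_election(ballots: dict[str, str]):
    """Simulate both phases of the 'encrypt now, open later' scheme.

    Phase 1 (during the election): each voter posts (voter_id, commitment).
    Phase 2 (after close): each voter posts (voter_id, vote, nonce) so the
    commitment can be checked. Both ledgers are public.
    """
    nonces = {}
    commit_ledger = []
    for voter, vote in ballots.items():
        nonce = secrets.token_bytes(16)  # per-vote randomness keeps the commitment hiding
        nonces[voter] = nonce
        commit_ledger.append((voter, commit(vote, nonce)))
    reveal_ledger = [(voter, ballots[voter], nonces[voter]) for voter in ballots]
    return commit_ledger, reveal_ledger


def tally(commit_ledger, reveal_ledger) -> Counter:
    """Public verification: every reveal must open its commitment, then count votes."""
    commitments = dict(commit_ledger)
    counts = Counter()
    for voter, vote, nonce in reveal_ledger:
        if commit(vote, nonce) != commitments.get(voter):
            raise ValueError(f"reveal for {voter} does not match its commitment")
        counts[vote] += 1
    return counts


def linkable_votes(reveal_ledger) -> dict[str, str]:
    """What any observer learns from the public reveal ledger: exactly who voted how."""
    return {voter: vote for voter, vote, _ in reveal_ledger}


def unsalted_commit_ledger(ballots: dict[str, str]):
    """A flawed variant that 'commits' to the bare vote with no nonce (constructed for contrast)."""
    return [(voter, hashlib.sha256(vote.encode()).hexdigest()) for voter, vote in ballots.items()]


def recover_unsalted(commit_ledger) -> dict[str, str]:
    """With a tiny vote space and no nonce, the commitment ledger alone reveals every ballot."""
    table = {hashlib.sha256(c.encode()).hexdigest(): c for c in CANDIDATES}
    return {voter: table[digest] for voter, digest in commit_ledger if digest in table}


if __name__ == "__main__":
    sample_ballots = {"voter-1": "alice", "voter-2": "bob", "voter-3": "alice"}  # constructed
    commits, reveals = run_election(sample_ballots)
    print("tally:", dict(tally(commits, reveals)))
    print("public mapping after reveal:", linkable_votes(reveals))
    print("recovered from unsalted commitments:", recover_unsalted(unsalted_commit_ledger(sample_ballots)))
```

The tally is correct and verifiable, which is the property these mechanisms advertise, but `linkable_votes` returns the complete ballot of every voter from public data alone, which is why the post calls this zero privacy rather than partial privacy.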
Online voting is hard for many reasons. First, votes have to be private. Second, the election process should (ideally) be auditable. Third, users should see that their vote was cast. Fourth, users should see that their vote was counted correctly. Moreover, in certain countries you cannot have a running tally where votes are posted one at a time. Instead, a full batch of votes is published (and opened) at the end of the election.
At first glance, many of these requirements may sound mutually exclusive. For example, how can you keep ballot privacy AND ensure that the whole election process is auditable AND check that your vote was counted properly? That seems to be contradictory… especially if we publish all of these things on a blockchain!
As if the challenge wasn’t hard enough, some consider the most important (unsolved) problem to be coercion. In other words, what about a malicious entity’s ability to force or bribe someone into casting a specific vote? This becomes much easier if we allow online voting!
Coercion can take many forms: the adversary can offer consumer goods to people in order to get votes. Alternatively, an abusive person can force their partner to vote a specific way. Or even more extreme, in an academic setting, a dean running for re-election can threaten to cancel benefits or promotions from specific professors unless they vote a specific way.
With this in mind, I want to introduce a simple test to see if a voting scheme is secure. The test has two parts:
Part I: Can the scheme be used in a university environment where a candidate can easily communicate with the entity managing the election (e.g., the IT department)?
Part II: If an abusive person forces a partner to vote a specific way, can the partner then (at some point) cancel or rectify the vote?
If the answer to both is not yes, then I have bad news: your voting scheme is NOT secure. You can try to claim whatever you want, but the fact is that the scheme is not suitable for general elections, as it doesn’t hold up in two important real-world environments.