Theoretical online voting system

With the election a few days away, I found myself recently looking at the state of voting in America and contemplating that there is still no online based voting system in place. The main arguments against online voting or digital based voting has been that it would be hard to verify, and would require a computer security expert to identify if something has been tampered with.

Now to create a system which is “provably incorruptible” would be very difficult and impracticable to expect  average poll workers to verify the correctness of such a system, however there is probably a widely unexplored range of systems which are better then our current system but still have some easy to verify properties. In this post I attempt to create a voting system which no worse the our current voting system with respect to voter fraud and ensuring the votes are counted.

First, lets consider the state of out current voting system, specifically the voting by mail system. Step 1 is to go online and register your address along with some identifying voter information. At a later point in time, the state will mail a ballot to your address which contains a “voting key” which maps various voting positions (who you would like for some office, or position on a proposition) to some number [1, 200]. To vote, you bubble in your corresponding chosen numbers, wrap your ballot in more paper call a “secrecy sleeve” put this in another envelope and mail it into the ballot counting location. Presumably, once your ballot arrives, someone will check the identifying information on the mailing envelope to prevent duplication and then pass the ballot and secrecy sleeve to someone else who is just going to count the votes. This two level operation would prevent people from knowing who you voted for assuming that the first poll works don’t look at the ballot inside the secrecy sleeve. In terms of ensuring that your vote is counted, we have to then trust the second poll worker to count the votes correctly. We might use more then one person for this second part to prevent errors etc.

Now in making a new system, we have to consider what possible vulnerabilities exist in the current system, as those could still be allowed in the new system:

  1. Trusting the United states postal services (USPS) to properly deliver mail — If your ballot never makes it back to the polling place then it will essentially be lost (there might be some ways to identify that it is lost, but still no real/easy recourse for ensuring that it gets counted)
  2. The USPS needs to get you your ballot to you in the first place — If the ballot was sent to the wrong address, it is possible that someone fills in the ballot in your name, forges your signature and then mails it back in
  3. People are trusted to bubble in their choice correctly — Eg, they are at least able to understand that given some “number” on a “ballot key” that they are suppose to transfer that number correctly to the ballot itself
  4. A malicious poll worker could prevent a vote from getting counted which they didn’t agree with — Given that your vote is easily identifiable on the ballot, it is trivial for someone to reject all ballots which have bubbled in number 10 (ideally there are two or more people to double check that this does not happen)

Given this set of vulnerabilities in our current system, lets now try to design a better system which allows for internet voting:

Our first steps would be very similar to the current voting system where someone goes online and registers with their mailing address. The state would then mail out a “ballot key” to the provided address. The reason that we would still require that something is mailed out is that there is currently no good way to identify a citizen online in a secure way, however like the current vote by mail system, it is acceptable to trust the USPS as a “broker of identities.” Now our vote by internet ballot key will be a bit different from existing ballots where each vote is represented by [1, 200] and instead have a number in [0, 2^{256}], additionally, instead of having a single number (say 10) represent a position on the ballot, each voter would be given a unique number for each position on the ballot. (A sample ballot is at the end of this post) We can then use a simple website to collect the keys which represent a person’s choice. Given that each user has different codes generated for their ballot, we can the use untrusted channels to communicate these codes to the vote counting authority. Additionally, we do not have to worry about “suppressing” the vote that a poll worker disagrees with since the intermediate communication mechanisms don’t even know which vote was cast. All they know is that they are responsible for is communicating some number to the voting authority.  Even if voters computer was infected with a computer virus, it would be unable to change your vote since it only knows the key that was enter representing your choice, while the other keys would only be present on the paper ballot key that was mailed to your address.

Some properties of this system:

  1. We are still trusting the USPS to properly identify people and communicate information with them securely. (Same as before)
  2. Submitting a vote for someone else still depends on your receiving or intercepting their ballot and “forging” a signature (Same as before)
  3. The intermediaries do not know your vote (better than before) — Now your vote is a number that is specific to you, so the only people who will know the vote is the person who generated the “voting key” and whoever has the voting key
    1. The intermediaries can not suppress your vote based off who you voted for — They do not who you voted for so it can not be suppressed based off this reason
    2. Your vote can not be changed after the fact — Changing your vote would require that the malicious intermediary have your “voting key book” which was printed by the state and mailed by the USPS (which is a trusted medium)
    3. Your computer (now technically also an intermediary) can not change your vote even if it was infected with a virus —  your computer does not know the alternate keys you were provided since they were printed and mailed, so it can not switch between them.
  4. The number that you have to enter is a lot longer (worse) — Currently you only enter some number [1, 200], however a 256 bit number is notably longer.  Given how people are already used to entering 16 digit credit card numbers this might not be such a big issue.  We could even include check sums to limit erroneously entering some thing (bitcoin already uses a 32 bit checksum on all addresses)

Some might point out that one could set up false voting websites to try to confuse voters or perform a DOS attack on the voting website. First, with false websites, we could follow the trend of some banking websites where an images is displayed to ensure that you are on the correct website, however we might make it some confirmation code that is sufficiently long that it would be difficult to counterfeit and easy to print on a “ballot key.” For the DOS attack, we already know how to build systems that can deal with DOS attacks. Additionally, if we have a confirmation code system which confirms that a vote has been recorded, then any mechanism which takes a voting key and returns the confirmation code is as good as any other. This means you could have voting via email or even text message which are “more difficult” to perform a DOS attack against or allow for third-party websites to spring up to collect votes as they would have to still be backed by the state vote recording authority.

 

Sample theoretical ballot key:

Politician Office key Confirmation code
T Sandwich President NMosFJizjPgUV2BKEhGErjvUZzKZVAFCyqPy7w3t6dD FuT8VDz3z
Giant D President Tru4oZn9y3RMnxAsb7g5Gqs7Fu13FX4ExaQSer6ykeD bFcCf4MJA
None of the above President LaGeinvoBUduEbovp5zJDQJ6DQEdgSqZWgXzArhiugS xjzEahMdi

(These politician names are based of this current season of south park.)

 

TL;DR: Online voting where you are still mailed your ballot via USPS and your ballot contains keys that we consider “secure” and you only submit one key that corresponds to your vote.

 

 

Update / additional background info / other posts on this topic:

While the mathematical concepts in these schemes are sound, it would be difficult to convince the public at large.  In these cases, people would have to just generally trust that someone has done the correct thing with designing the voting systems.  From an academic point of view, if these systems are implemented correctly, there wouldn’t even be a need for there to be vote checkers since they would “have to be correct.”