6

I want to implement an internet-based e-voting system. Voters shall be able to cast their vote for one out of n possible candidates. Each candidate has his own ballot-box kept by and at a trustworthy third party. This third party is absolutely trustworthy insofar as it can be trusted to attend to its duties of supervising the cast diligently. However, it is not without bias and hence must under no circumstances be able to see which voter voted for which candidate.

This problem can be approached using homomorphic encryption. Votes are homomorphically encrypted and homomorphically added to the ballot-boxes. In order to prevent the third party from gaining any knowledge of any vote cast, every voter puts one vote into every ballot-box. n-1 times this vote will be "0" for "no vote for this candidate" and only one time it will be "1" for "vote for this candidate".

One unpleasant side effect of this approach is that the third party apparently is not able to check the correctness of every single vote. A voter may try to give a "1" to more than one candidate or a "2" to a single one. Of course the third party could hand out pre-signed voting coins in advance that the voters would use for casting their votes. However, the third party would recognize these coins, i.e. their values, and hence still know who voted for whom.

Do you have any idea how to solve this problem relying on as few other (trusted) third parties as possible?

Thomas Lieven

5 Answers

10

Using exponential Elgamal as the encryption function,

  1. Define the list of candidates: e.g., Alice, Bob, Carol
  2. Voters submit an encryption of their vote: e.g., to vote for Alice: $v=\langle\mathsf{Enc}(1),\mathsf{Enc}(0),\mathsf{Enc}(0)\rangle$
  3. Use an OR-proof (Fig 2) to show each ciphertext encrypts a 0 or a 1: e.g., $\langle \pi_1, \pi_2, \pi_3 \rangle$
  4. Under encryption, add up the ciphertexts in the vote: e.g., $v_t=\mathsf{Enc}(1)\cdot\mathsf{Enc}(0)\cdot\mathsf{Enc}(0)=\mathsf{Enc}(1+0+0)=\mathsf{Enc}(1)$
  5. Use the same OR-proof to show $v_t$ encrypts a 0 or a 1 (a 0 means the voter abstained)
  6. Submit $\langle v, \pi_1, \pi_2, \pi_3, v_t, \pi_t \rangle$

Anyone can check the validity of $\pi_1, \pi_2, \pi_3$. Anyone can add up $v$ to see it is $v_t$. Anyone can check $\pi_t$.

The election officials take $v$ from everyone, add them up element-wise. Then the results are decrypted (usually with a shared key) using a protocol that proves it was decrypted correctly (see same paper for how to do this).

PulpSpy
7

Yes. There has been extensive research on this question: there is even a community of cryptographers who work on building voting schemes of this sort (see end-to-end auditable voting system). I'll give you some advice based upon the experience from that field.

Don't design your own. Don't try to design your own. There has been extensive research into this subject, and if you try to reinvent the wheel it is likely you will end up with something that is either insecure or inferior.

Instead, if you are not using this for a public election, I recommend you use Helios. It is a state-of-the-art system, with among the best security that anyone knows how to achieve for Internet voting -- and it has a high-quality implementation that you can just use, with almost no effort on your part. It has been vetted more thoroughly than anything you will be able to design on your own.

Internet voting is not safe enough for public elections. If you are planning to use this for a public election for public office, my recommendation is: don't. Just don't. The security risks are too grave. To learn more about this topic, I recommend reading the following: Online Government Elections System - Is it possible? and Secure Internet Polling and this and this and this.

D.W.
3

You can use blind signatures: "Blind signatures can also be used to provide unlinkability, which prevents the signer from linking the blinded message it signs to a later un-blinded version that it may be called upon to verify. In this case, the signer's response is first "un-blinded" prior to verification in such a way that the signature remains valid for the un-blinded message."

A trusted party gives each voter one valid blind signature. That party has no idea what it's signing, but it does know that each voter gets only one.

Each voter encrypts his vote and sends it to the trusted signing party to get it signed. The trusted signing party signs exactly one ballot for each voter. The voter can then decrypt the signed vote and hand it to the ballot boxes. The ballot box checks the signature and counts one vote for each unique signature. Neither the ballot box nor the signer has any way to know which voter gave which vote.

David Schwartz
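As an added example (not David Schwartz's code), the flow described in this answer in Python using Chaum's RSA blinding: the signer issues exactly one signature per registered voter without ever seeing the ballot, the voter unblinds it, and the ballot box counts one vote per valid, previously unseen signature. The toy RSA key built from two Mersenne primes, the `candidate:nonce` ballot format (the nonce matters: two identical choices would otherwise hash to the same value, get the same signature, and be deduplicated as one vote) and all class and function names are my assumptions.

```python
import hashlib, secrets
from math import gcd

# Toy RSA key: two Mersenne primes so the demo is deterministic and offline; real keys use random 2048-bit+ primes.
P_, Q_ = 2**61 - 1, 2**89 - 1
N, E = P_ * Q_, 65537
D = pow(E, -1, (P_ - 1) * (Q_ - 1))

def h(ballot):  # hash-then-sign: the signer only ever sees a blinded hash, never the ballot itself
    return int.from_bytes(hashlib.sha256(ballot.encode()).digest(), "big") % N

class Signer:  # the trusted party: issues exactly one signature per registered voter
    def __init__(self, roll):
        self.remaining = set(roll)
    def sign_blinded(self, voter_id, blinded):
        if voter_id not in self.remaining:
            raise PermissionError(f"{voter_id} is not eligible or already received a token")
        self.remaining.remove(voter_id)
        return pow(blinded, D, N)

def blind(ballot):  # voter side: m * r^e hides m from the signer; r must be invertible mod N
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return h(ballot) * pow(r, E, N) % N, r

def unblind(blinded_sig, r):  # (m * r^e)^d = m^d * r, so dividing by r leaves a plain signature on m
    return blinded_sig * pow(r, -1, N) % N

def verify(ballot, sig):
    return pow(sig, E, N) == h(ballot)

class BallotBox:  # counts one vote per valid, previously unseen signature
    def __init__(self, candidates):
        self.tally, self.seen = {c: 0 for c in candidates}, set()
    def cast(self, ballot, sig):
        cand = ballot.split(":", 1)[0]
        if cand not in self.tally or not verify(ballot, sig) or sig in self.seen:
            return False
        self.seen.add(sig); self.tally[cand] += 1
        return True

def make_ballot(candidate):  # random nonce keeps two identical choices from producing identical signatures
    return f"{candidate}:{secrets.token_hex(16)}"

def vote(signer, voter_id, candidate, box):  # full flow for one voter: blind, get signed, unblind, cast
    ballot = make_ballot(candidate)
    blinded, r = blind(ballot)
    sig = unblind(signer.sign_blinded(voter_id, blinded), r)
    return box.cast(ballot, sig)
```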
3

Encryption-based voting will always suffer for a different reason.

As a human, I cannot look at a numeric token to know if the value is "Yes" or "No". I have to 100% trust that the voting system is telling me this number is a vote for my candidate or not.

It doesn't matter if there's a solidly convincing mathematical proof. As an ordinary voter, I cannot perform the math that would convince me, Joe Failed-Algebra, of the validity of the system. It doesn't matter if the tokens arrive in the form of paper slips handed to me by an election judge, barcodes, buttons on a little black box, or anything.

The encryption-based systems are impressive, they are fascinating, they are mental challenges. But they are not acceptable to humans.

Something we've lost in the rush to automate our lives is that the world actually functioned prior to the arrival of digital computers and 24-hour news. Our election system provides an entire month for votes to be tallied and carried to the nation's capital. In order for democracy to function, we do not need instant election results, despite the strong desires of the news networks to deliver them. Our only valid requirements are for a simple, fair system.

John Deters
2

Something along these lines could be accomplished with zero-knowledge proofs. The voter proves that each one of the ballots is in the set $\{0,1\}$ and that the sum of the ballots is $1$.

Prove this to each of the $n$ trusted third parties. Each of the third parties signs the ballots once the proof is done. Then the voter casts the ballots. Signatures can then be checked to make sure a vote hasn't changed after the proofs.

mikeazo
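As an added worked example serving both PulpSpy's six steps and the $\{0,1\}$-membership and sum proofs mikeazo describes (this is my code, not from either answer or the paper PulpSpy cites), the following Python runs the scheme over a toy safe-prime group: exponential ElGamal, the Cramer-Damgård-Schoenmakers OR-proof that a ciphertext encrypts 0 or 1, the voter's proof that the product $v_t$ is itself a bit, the public ballot check, and the officials' element-wise tally. The group size, single-key decryption in place of the threshold decryption with a correctness proof the answer mentions, and all function names are assumptions.

```python
import functools, hashlib, secrets

P, Q, G = 1019, 509, 4  # toy safe-prime group p = 2q+1; G generates the order-q subgroup (demo sizes only)
add = lambda c1, c2: (c1[0] * c2[0] % P, c1[1] * c2[1] % P)  # homomorphic addition = element-wise multiply

def encrypt(pk, m):  # exponential ElGamal: (g^r, g^m * pk^r); the randomness r is returned for the proofs
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P), r

def _chal(*vals):  # Fiat-Shamir challenge bound to the ciphertext and both commitments
    return int.from_bytes(hashlib.sha256(",".join(map(str, vals)).encode()).digest(), "big") % Q

def prove_bit(pk, c, m, r):
    """CDS OR-proof that c = (a, b) encrypts 0 or 1: Chaum-Pedersen on the true branch, simulated other branch."""
    a, b = c
    j = 1 - m  # the value we did NOT encrypt: pick its challenge/response first and back out the commitments
    cj, zj = secrets.randbelow(Q), secrets.randbelow(Q)
    bj = b * pow(pow(G, j, P), -1, P) % P  # b / g^j, which equals pk^r only if m == j
    sim = [pow(G, zj, P) * pow(pow(a, cj, P), -1, P) % P, pow(pk, zj, P) * pow(pow(bj, cj, P), -1, P) % P, cj, zj]
    w = secrets.randbelow(Q)
    real = [pow(G, w, P), pow(pk, w, P)]  # honest commitments; challenge and response filled in below
    proof = [real, sim] if m == 0 else [sim, real]
    cm = (_chal(a, b, *proof[0][:2], *proof[1][:2]) - cj) % Q  # the two challenges must sum to the hash
    real += [cm, (w + cm * r) % Q]
    return proof  # [(A0, B0, c0, z0), (A1, B1, c1, z1)]

def verify_bit(pk, c, proof):  # anyone can run this: no secret key needed
    a, b = c
    (A0, B0, c0, z0), (A1, B1, c1, z1) = proof
    return (c0 + c1) % Q == _chal(a, b, A0, B0, A1, B1) and all(
        pow(G, z, P) == A * pow(a, ch, P) % P
        and pow(pk, z, P) == B * pow(b * pow(pow(G, j, P), -1, P) % P, ch, P) % P
        for j, (A, B, ch, z) in enumerate(proof))

def cast_ballot(pk, choice, n):  # one-hot ballot over n candidates (choice=None abstains), steps 2 to 6
    cts, proofs, r_tot = [], [], 0
    for i in range(n):
        c, r = encrypt(pk, int(i == choice))
        cts.append(c); proofs.append(prove_bit(pk, c, int(i == choice), r)); r_tot = (r_tot + r) % Q
    v_t = functools.reduce(add, cts)  # the product's randomness is the sum of the r's, so the voter can prove it
    return cts, proofs, v_t, prove_bit(pk, v_t, int(choice is not None), r_tot)

def check_ballot(pk, cts, proofs, v_t, pi_t):  # each slot is 0/1, v_t really is the product, and v_t is 0/1
    return (all(verify_bit(pk, c, pi) for c, pi in zip(cts, proofs))
            and v_t == functools.reduce(add, cts) and verify_bit(pk, v_t, pi_t))

def tally(sk, ballots, n):  # officials add everyone's v element-wise, then recover g^total by small search
    sums = [functools.reduce(add, [b[0][i] for b in ballots]) for i in range(n)]
    gms = [s[1] * pow(pow(s[0], sk, P), -1, P) % P for s in sums]  # g^m = b / a^sk
    return [next(m for m in range(len(ballots) + 1) if pow(G, m, P) == gm) for gm in gms]
```

With the toy q a forged proof slips through with probability 1/q per attempt, which is why the group must be large in practice.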