What Are the Security Requirements for Online Voting?

And how are they met?

Scytl, Mar 24, 2021

Online voting has to meet a number of requirements in order to achieve the same or higher security than that of traditional paper-based voting. These requirements can be organized into four main groups: authentication, integrity, privacy and verifiability.

Authentication requires voters to be uniquely identified in a way that unmistakably distinguishes them from other people. Authentication can be implemented by several mechanisms, such as: pairs of usernames and passwords securely delivered to the voters before the election; pre-existing citizen authentication credentials, like those used for government web portals; or electronic identification cards, like national IDs.

Also, these mechanisms can be combined with additional authentication factors, such as login confirmation through a secondary device (an SMS code sent to the voter’s mobile phone, for example) or biometric authentication (fingerprints or face scans). Thanks to these authentication mechanisms, the e-voting system can verify a voter’s eligibility and will only grant access to citizens who have the right to vote.

Integrity means that a voter’s intention shall not be affected by the voting system, or by any undue influence. In an online voting system, integrity is protected at different levels and stages throughout the election. At the beginning, during the voting period, each ballot is digitally signed with a key unique to each voter, ensuring that the ballot cannot be altered by anyone other than the voter themselves. Later, during the counting process, when the votes are anonymized and decrypted, digital signatures are used to protect the intermediate data exchanged during these processes and, depending on the type of election, mathematical proofs are also generated to ensure the integrity of the processes themselves. Other sensitive information that is susceptible to manipulation, such as election configuration files, is also digitally signed.

Privacy implies that each vote remains confidential and that the anonymity of the voters is preserved. The electronic voting system must ensure, at every stage of the voting procedure, that the confidentiality of the vote is protected, that the vote remains secret and that its contents are not disclosed. This is achieved by encrypting the votes directly on the voter’s device before transmission, ensuring that the contents are unreadable until the electoral board decrypts the anonymized ballot at the end of the election. The anonymity of the voter is predicated on eliminating any link between an unsealed vote and the voter who cast it. Mechanisms such as mixing, which is equivalent to shuffling a physical ballot box, or homomorphic tallying, which consists of tallying results without decrypting the votes, are used for this purpose.

Verifiability is a property that allows several of the procedures of the online voting system to be checked for correctness. Typically, there are three types of verifiability: cast-as-intended, recorded-as-cast and counted-as-recorded. The first two are individual verifiability mechanisms, because they relate to individual voters and the ballots they cast. The last is known as universal verifiability because anybody with the data generated by the system can verify it.

Cast-as-Intended verifiability enables the voter to verify that their preferred choices are accurately represented in the ballot that was transmitted from their device. Any undue influence that has modified the vote, such as malware on the voter’s computer, can be detected. Recorded-as-Cast verifiability enables the voter to verify that their electronic ballot has been received by the electronic ballot box without being altered. Any undue influence that has modified the vote can be detected.

Counted-as-Recorded verifiability, on the other hand, enables anybody with the data used and produced by the counting process to check that each authentic and authorized vote is accurately included in the respective election results. The evidence should be verifiable by means independent from the system. Usually, mathematical proofs known as zero-knowledge proofs are generated by several of the counting processes and can be externally verified. In this manner it can be proven that the process was correct and that no manipulation of the votes occurred during counting.
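To make homomorphic tallying and counted-as-recorded verification concrete, here is an added example (not Scytl's code or protocol) using exponential ElGamal and a Chaum-Pedersen zero-knowledge proof of correct decryption. The group parameters, function names and sample votes are assumptions constructed for the illustration, and the group is far too small for real use.

```python
import hashlib, secrets

# Toy group (constructed, insecure size): P = 2Q + 1, G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # electoral board's private key
    return x, pow(G, x, P)                    # (private key, public key h)

def encrypt(h, vote):
    """Exponential ElGamal: the vote (0 or 1) sits in the exponent so ciphertexts add."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(h, r, P) % P

def aggregate(ballots):
    """Multiply ciphertexts component-wise; the product encrypts the sum of the votes."""
    a, b = 1, 1
    for c1, c2 in ballots:
        a, b = a * c1 % P, b * c2 % P
    return a, b

def _challenge(*vals):
    """Fiat-Shamir challenge derived from the public values of the proof."""
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest(), "big") % Q

def decrypt_with_proof(x, h, agg, max_votes):
    """Decrypt only the aggregate and prove log_G(h) == log_a(d) without revealing x."""
    a, b = agg
    d = pow(a, x, P)                          # decryption factor a^x
    gm = b * pow(d, -1, P) % P                # equals G^tally
    tally = next(t for t in range(max_votes + 1) if pow(G, t, P) == gm)
    w = secrets.randbelow(Q)
    t1, t2 = pow(G, w, P), pow(a, w, P)
    c = _challenge(h, a, b, d, t1, t2)
    return tally, d, (t1, t2, (w + c * x) % Q)

def verify_tally(h, ballots, tally, d, proof):
    """Anyone holding the published ballots can recompute the aggregate and check the proof."""
    a, b = aggregate(ballots)
    t1, t2, s = proof
    c = _challenge(h, a, b, d, t1, t2)
    return (pow(G, s, P) == t1 * pow(h, c, P) % P
            and pow(a, s, P) == t2 * pow(d, c, P) % P
            and b == pow(G, tally, P) * d % P)

if __name__ == "__main__":
    x, h = keygen()
    ballots = [encrypt(h, v) for v in (1, 0, 1, 1, 0)]   # constructed sample votes
    tally, d, proof = decrypt_with_proof(x, h, aggregate(ballots), len(ballots))
    print(tally, verify_tally(h, ballots, tally, d, proof))
```

No individual ballot is ever decrypted, and a verifier needs only the public key, the ballots, the announced tally and the proof. A real system would also require each voter to prove that their ciphertext encrypts a valid choice, which this sketch omits.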

While many of these security features are indeed complex and sophisticated, this complexity does not carry over to the usability of an online voting system. Any qualified provider should have these measures built in and automatically applied when possible, simplifying the entire process for election organizers and voters alike. They should also offer the necessary support to ensure that the election runs smoothly and securely. To learn more about the different security measures mentioned in this article, you can find in-depth descriptions in our Security Table of Online Voting, available in our resource center.

This article was written by Jordi Cucurull, Cryptography Researcher, and Jake Mahr, Communications and Marketing, at Scytl.

Scytl
EDGE Elections

The global leader in secure online voting and election modernization software solutions. www.scytl.com