
Online Voting Primer

By Jim Adler
President & CEO
VoteHere.net

Voting is a complex process, which involves an interaction of data security, privacy and trust.
Any successful voting system requires complete voter privacy, strict audit trails, and an easily
used and administered process.

Online voting systems are difficult to design because verification and privacy requirements present conflicting goals.
The most private systems allow anonymous votes to be cast over the Internet, potentially opening the virtual ballot box to
stuffing from third parties or corrupt authorities. The most verifiable systems maintain an audit trail between the ballot and
the voter, essentially eliminating any privacy of how a voter actually voted.

This paper outlines the requirements of an effective, public-sector online voting system and briefly discusses voting systems
commonly found on the Internet. A discussion of the VoteHere™ Platinum Election System will follow in the context of
these systems.

Requirements of an Internet Voting System


Voting systems must protect both the privacy of the voter and the integrity of the election. Traditional voting systems are protected using physical security and paper audit trails. Party observers countercheck all election procedures to assure they are followed. For example, before a ballot counting machine can begin counting, observers must verify and testify that the machine has a zero initial count.

An online voting system should at minimum meet all requirements of a traditional election system. However, additional requirements must be met in the case of remote online voting. In fact, the requirements for these systems are closely aligned with those of mail-in voting, now common in many U.S. states. Typical requirements of an online voting system [Cra96, Sch95] include:

- Eligibility — Only authenticated voters can vote.
- Uniqueness — Ensures one person, one vote.
- Privacy — Guarantees ballot secrecy.
- Soundness — No one can change, add, or delete votes without being discovered.
- Verifiability — Anyone can independently verify that all votes have been counted correctly. Systems that are universally verifiable allow anyone to verify the entire election, including election officials, observers and voters. Furthermore, all voters can make sure their vote has been taken into account in the final tabulation.
- Non-coercibility — No voter can prove that they voted in a particular way. This property is important for the prevention of vote buying and extortion. Voters can only sell their votes if they are able to prove to the buyer that they actually voted a certain way. Benaloh and Tuinstra [BT94] discuss the use of extortion to force people to vote in a particular way in some small Italian villages.
- Revisability — A voter can change their vote within a given period of time. This is typically not allowed in civic elections.
- Convenience — Voters may cast their votes quickly, in one session, and with minimal equipment or special skills.
- Flexibility — Allows a variety of ballot question formats, including open-ended questions. Flexibility is important for write-in candidates and some survey questions. Some voting protocols are inflexible because they only allow for single-bit (yes/no) votes.
- Mobility — No restrictions, other than logistical, on the location from which a voter can cast a vote.
- Efficiency — The election can be administered with a reasonable amount of resources.

Online Voting Primer Copyright © 2000 VoteHere, Inc.


Online Voting Systems

Since the early 1980’s, considerable work has been done to develop secure and efficient Internet voting methods. However, most online voting systems do not use this prior work. Typically, online voting systems fall into the following categories:

- E-commerce — Election systems of this type provide essentially no security except possibly the use of encrypted channels (e.g., Secure Sockets Layer, SSL). SSL is typically used to protect credit card numbers over the Internet. In this environment, ballot box stuffing is tolerated, the voter's privacy is not maintained, and vote tampering is not prevented. Essentially, this voting system implements no more security than that found at a common Internet polling site.
- Trusted Authority — Election systems of this type may protect a voter's privacy from other voters and protect against tampering with the Internet ballot box. In this case, the election officials are trusted to maintain the integrity of the election. Because the trust is not distributed or shared, this system is open to inside attacks by disgruntled employees, hackers or otherwise compromised election officials.
- Individually Verifiable — Election systems of this type support secure, efficient and private elections. However, their most significant disadvantage is that the voter is responsible for ensuring that his vote has been accounted for in the final election tally. This process is highly impractical for civic elections, because no independent observer can verify the election.
- Universally Verifiable — Election systems of this type support secure, efficient, and private elections. In addition, anyone can verify that the election was conducted fairly, without compromising voters’ privacy. This is a key feature for meeting the requirements of a civic election.

Table 1 outlines how each of these voting systems meets the requirements of a good Internet voting system outlined above. Since neither the E-commerce nor the Trusted Authority systems offer any real security, we will focus on the last two.
Table 1  Online Voting Systems

Requirement       Poll Voting  Mail Voting  E-commerce  Trusted Authority  Individually Verifiable  Universally Verifiable
Eligibility       Yes          Yes          No          Yes                Yes                      Yes
Uniqueness        Yes          Yes          No          Yes                Yes                      Yes
Privacy           Yes          No           No          No                 Yes                      Yes
Soundness         Yes          Yes          No          No                 Yes                      Yes
Verifiability     Yes          Yes          No          No                 Individual               Universal
Non-coercibility  Yes          No           No          No                 No                       No
Revisability      No           No           No          No                 No                       Yes
Convenience       No           Yes          Yes         Yes                Yes                      Yes
Flexibility       Yes          Yes          Yes         Yes                Yes                      No
Mobility          No           Yes          Yes         Yes                Yes                      Yes
Efficiency        No           No           Yes         Yes                Yes                      No

Individually Verifiable Election Systems


Current individually verifiable systems are efficient and flexible. They support arbitrary ballot types (yes/no, d-of-N options, write-ins). However, these systems require due diligence solely from the voter to ensure that his or her ballot has been cast correctly. This individual verifiability property is highly impractical for civic elections — no independent observer can verify the election.

The privacy of individually verifiable election systems [FOO92, PIK93, Cra96, Sch95] is ensured through blind signatures. Blind signatures [Cha81] are a class of digital signatures that allow a document to be signed without revealing its contents. This is analogous to placing a document and a sheet of carbon paper inside an envelope and having somebody sign the outside of the envelope. The carbon paper transfers the signature to the document inside the envelope, and the signature remains on the document when it is removed from the envelope.

Typically, a voter blinds and digitally signs his voted ballot and submits it to a verifying authority. The voted ballot contains a unique serial number generated by the voter. Once the voter submits the blinded vote to the verifier, the verifier checks the voter’s digital signature and voter eligibility. If all criteria are met, the verifier checks the voter off the voter rolls, countersigns the blinded ballot and sends the blinded, countersigned ballot back to the voter.

The voter removes the blinding layer, revealing the verifying authority’s signature. Now that all voter-specific information is removed from the ballot, the voter submits it to the tallying authority through an anonymous channel. An anonymous communications channel (e.g., onion routing) protects the message with multiple layers of encryption using randomly selected intermediate points (see [SGR] for a discussion of onion routing). The tallying authority authenticates the verifying authority’s digital signature and adds the results to the tally.

In one serious attack, the authority keeps the number of ballot requests and the number of ballots identical while deleting ballots and substituting new ones. This is possible because the protocol deliberately severs the connection between the ballot request and the submitted ballot. As such, there is no way for an independent observer to detect that the counted ballots are the same as those that were submitted, or even that all submitted ballots are still present.

A possible counter to these attacks is a bit commitment (i.e., a ballot serial number) on the authority-signed ballot returned to the voter [FOO92, PIK93]. The voter can then detect attacks where the voted ballot or ballot serial number has been modified by checking that his ballot number is present among the published ballots and that it contains the correct vote. Note that the voter must also make sure that his signed ballot request is present; otherwise, the authority could have deleted it to offset the deletion of someone else's ballot. If something is amiss, the voter can dispute the election results. Again, this is weak protection because a significant number of voters must perform the verification.
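The blind-signature flow described above, as an added toy illustration (not VoteHere's code nor that of any cited paper): an RSA blind signature with constructed, far-too-small key values; a verifying authority that holds the voter roll and signs what it cannot read; and a tallying authority that accepts only authority-signed ballots and publishes them so each voter can look for their own serial number. The anonymous channel is assumed and not modelled; run_election hands the signed ballots straight to the tallier.

```python
from collections import Counter
import hashlib
import math
import secrets

P, Q, E = 1000000007, 998244353, 65537       # constructed toy primes; real keys are 2048+ bits
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))             # verifying authority's private signing exponent

def ballot_hash(ballot):
    return int.from_bytes(hashlib.sha256(ballot).digest(), "big") % N

def blind(ballot):
    """Voter: multiply H(ballot) by r^E so the signer learns nothing about the ballot."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (ballot_hash(ballot) * pow(r, E, N)) % N, r

def authority_sign(blinded, voter_id, roll):
    """Verifying authority: check eligibility, tick the voter off the roll, sign blindly."""
    if roll.get(voter_id) != "eligible":
        raise PermissionError(f"{voter_id} is not eligible or has already voted")
    roll[voter_id] = "voted"
    return pow(blinded, D, N)

def unblind(blinded_sig, r):
    return (blinded_sig * pow(r, -1, N)) % N  # removes r, leaving H(ballot)^D mod N

def tally(submissions):
    """Tallying authority: accept only authority-signed ballots and publish them."""
    counts, published = Counter(), []
    for ballot, sig in submissions:
        if pow(sig, E, N) != ballot_hash(ballot):
            continue                          # forged or altered ballot is rejected
        counts[ballot.split(b";vote=")[1].decode()] += 1
        published.append(ballot)
    return dict(counts), published

def run_election(votes):
    """votes: {voter_id: choice}. Returns (tally, published ballots, ballots as cast)."""
    roll = {voter_id: "eligible" for voter_id in votes}
    submissions = []
    for voter_id, choice in votes.items():
        # Voter-chosen serial number lets the voter find this ballot once it is published.
        ballot = f"serial={secrets.token_hex(8)};vote={choice}".encode()
        blinded, r = blind(ballot)
        sig = unblind(authority_sign(blinded, voter_id, roll), r)
        submissions.append((ballot, sig))     # in practice sent over an anonymous channel
    return (*tally(submissions), [b for b, _ in submissions])
```

The final assertion a voter would run is simply membership of their own ballot in the published list, which is exactly the per-voter diligence the text calls impractical at civic scale.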

Universally Verifiable Election Systems


Universally verifiable methods are based on the seminal work of Josh Benaloh and Moti Yung [Ben86, BY86, Ben87]. Voter privacy is obtained from special properties of the encryption algorithms used to protect voted ballots. Essentially, the voted ballots are combined without being decrypted, such that the combined encrypted ballots form an encrypted tally. The verifying authorities then decrypt the encrypted tally to obtain the election results.

The most compelling feature is that anyone can verify that the election was conducted fairly, without compromising voters’ privacy. However, the biggest disadvantage of these systems has been their inflexibility toward ballot types other than yes/no answer choices.
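The combine-then-decrypt idea above, as an added toy illustration (not VoteHere's system nor Benaloh and Yung's construction): it uses the additively homomorphic Paillier scheme with constructed key values, so that multiplying the encrypted yes/no ballots yields an encryption of the number of yes votes, which anyone can recompute, while only the tallying authority can decrypt, and only that combined value.

```python
import math
import secrets

P, Q = 1000000007, 998244353   # constructed toy primes; real keys are 2048+ bits
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)        # tallying authority's private key
MU = pow(PHI, -1, N)

def encrypt(vote):
    """Voter: E(v) = (1+N)^v * r^N mod N^2; a fresh r makes equal votes look different."""
    if vote not in (0, 1):
        # Real schemes make the voter prove this in zero knowledge; the toy just checks it.
        raise ValueError("yes/no ballots only")
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return (pow(1 + N, vote, N2) * pow(r, N, N2)) % N2

def combine(ciphertexts):
    """Anyone (observer or voter) can recompute this: the product of the ciphertexts
    encrypts the sum of the votes, so no individual ballot is ever opened."""
    tally = 1
    for c in ciphertexts:
        tally = (tally * c) % N2
    return tally

def decrypt(ciphertext):
    """Tallying authority: decrypt only the combined tally, never a single ballot."""
    u = pow(ciphertext, PHI, N2)          # equals 1 + ((sum * PHI) mod N) * N
    return ((u - 1) // N * MU) % N

def run_election(votes):
    """votes: list of 0/1. Returns (encrypted ballots, encrypted tally, yes count)."""
    ballots = [encrypt(v) for v in votes]
    encrypted_tally = combine(ballots)
    return ballots, encrypted_tally, decrypt(encrypted_tally)
```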

Summary

Online voting systems have been under consideration in the cryptographic literature since the early 1980’s. From the literature, two main secure methods have emerged: individually verifiable elections and universally verifiable elections. Although both meet privacy requirements, individually verifiable election systems require voters to verify their own votes, which they are often unlikely to do. Universally verifiable elections allow any observer to verify the integrity of the election without violating voter privacy.

References

[Ben86] J. Benaloh. Secret Sharing Homomorphisms: Keeping Shares of a Secret Secret. Advances in Cryptology – CRYPTO ’86, Lecture Notes in Computer Science, pp. 251-260, Springer-Verlag, Berlin, 1987.
[BY86] J. Benaloh, M. Yung. Distributing the power of a government to enhance the privacy of voters. ACM Symposium on Principles of Distributed Computing, pp. 52-62, 1986.
[Ben87] J. Benaloh. Verifiable Secret-Ballot Elections. Yale University Department of Computer Science Technical Report, number 561, 1987.
[BT94] J. Benaloh, D. Tuinstra. Receipt-free secret-ballot elections. Proceedings of the Twenty-sixth Annual ACM Symposium on the Theory of Computing, pp. 544-553, 1994.
[Cha81] D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84-88, http://www.eskimo.com/~weidai/mix-net.txt, 1981.
[Cra96] L. Cranor. Electronic Voting. ACM Crossroads, Issue 2.4, http://www.acm.org/crossroads/xrds2-4/voting.html, 1996.
[FOO92] A. Fujioka, T. Okamoto, K. Ohta. A practical secret voting scheme for large scale elections. Advances in Cryptology – AUSCRYPT ’92, Lecture Notes in Computer Science, pp. 244-251, Springer-Verlag, 1992.
[PIK93] C. Park, K. Itoh, K. Kurosawa. Efficient anonymous channel and all/nothing election scheme. Advances in Cryptology – EUROCRYPT ’93, Lecture Notes in Computer Science, pp. 248-259, Springer-Verlag, 1993.
[Sch95] B. Schneier. Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd edition, John Wiley & Sons, 1995.
[SGR] P. Syverson, D. Goldschlag, M. Reed. Onion Routing, http://www.onion-router.net/Publications.html, 1996-1999.

