abc
Secure Internet Voting Protocol
Voting Option with Mathematically Provable Privacy & Vote Verifiability
A secure election has three requirements:
Authenticated voters
Only legitimately registered voters are allowed to vote, and only once per person.
Private voting
A fair election requires that voters can freely choose without anyone learning how they voted.
Verifiable tallies
For widely accepted results, vote totals must be independently auditable for accuracy.
There have already been digital systems in widespread use that offer each of these properties individually. Yet accomplishing all three at the same time has been unusually challenging.
Here is how SIV meets all three requirements:
Before the Election
Voter Registration
Election administrator collects list of all valid voters, via the same methods as currently used.
Individual voters should opt-in to SIV by registering an email address with their election administrator.
Using email is fast, easy, and highly affordable, but election administrator can also use other methods to contact voters, including traditional postal mail.
| Name | Mailing Address | Email Address | |||||
|---|---|---|---|---|---|---|---|
| Barton, Adam | ... | ... | |||||
| Green, Elissa | ... | ... | |||||
| Hauck, Erik | ... | ... | |||||
| Schuster, Brad | ... | ... | |||||
| Swift, Savannah | ... | ... | |||||
New
Ballot Finalized
The official ballot is finalized, as with traditional paper elections.
There can be multiple questions, as many as the election requires.
SIV is 100% compatible with — and makes it easier to adopt — voting methods meant to improve upon the Choose-Only-One system, such as Ranked Choice Voting, Approval Voting, and Score Voting.
Observer Registration
To give voters additional confidence that the election is run fairly, administrators have the option to add SIV “Verifying Observers”.
These are like the observers in our existing paper elections, but SIV Verifying Observers are vastly more powerful, because they use strong cryptography to ensure every vote is private and tamper-free.
After anonymization (Step 4), the Verifying Observers work together to unlock the votes for tallying (Step 5).
Before the election begins, Verifying Observers take part in a SIV Threshold Key Generation ceremony to generate private key shares and create the election's public key.
Each Observer contributes a share of the unlocking key.
The Observers ought to have competing interests. A reasonable choice would be one Observer selected by each candidate's political party, plus the election admin.
Verifying Observers do not need to trust each other, and cannot possibly tamper with votes.
Voting Begins
Step 1: Invitation to Vote
Election administrator sends individualized invitations to all enrolled voters.
The purpose of this step is to get each voter their Voter Auth Token, highlighted in orange.
Key Properties of Voter Auth Tokens
- required to vote
- unique per voter
- generated by election admin
- infeasible to guess
- can only be used once
- if necessary, election admin can invalidate individual Auth Tokens & generate new ones
- used Auth Tokens can be audited after the election
Here we use an easy distribution channel — a simple email. But election administrators can offer other options, including 2-factor methods with drawn signatures, SMS, TOTP, or IP address geolocation.
Admins can even send Voter Auth Tokens via traditional postal mail. In other words, SIV can match the Voter Authentication requirements of existing processes, while upgrading the return ballot process to be faster, more accessible, and fully verifiable.
See How does SIV ensure One Vote per Person? for more.
From: elections@local.gov
To: you@email.com
Subject: Your Vote Invitation
Voting for our next Mayor is now open.
Votes are accepted for the next 14 days.
Click here to securely cast your vote:
www.local.gov/vote?auth=137a3a06fa
This link is unique for you. Don't share it with anyone, or they'll be able to take your vote. (Help)
Step 2: Mark & Encrypt Your Vote
Voter fills out their ballot, which gets immediately encrypted.
SIV shows voters a simple point-and-click interface to fill out their ballot:
Who should be the next Mayor?
A random Verification # is generated before votes are encrypted.
Verification #:
This Verification # will be publicly shown once votes are unlocked. It allows you to easily verify your vote was counted correctly, while protecting your privacy.
This unique value was generated on your own device. Don't share it with anyone.
This example results in a plaintext vote:
{
}
}
Then the plaintext vote can be sealed, resulting in an encrypted vote:
{}
Encrypted votes can be safely shared, without revealing the underlying vote.
The encryption acts like sealing it inside a locked safe.
The encryption acts like sealing it inside a locked safe.
SIV creates an Encryption Receipt for each voter, allowing them or 3rd-party auditors to verify that everything worked as intended.
This is automatically stored in the browser's localstorage, and never leaves the device.
This is automatically stored in the browser's localstorage, and never leaves the device.
Encrypted @ Thu Apr 20 2023 16:50:17 GMT+0000 (Coordinated Universal Time)
Encryption Formula
https://en.wikipedia.org/wiki/ElGamal_encryption
in Ristretto255 prime-order subgroup of Elliptic Curve25519
Encrypted = Encoded + (Recipient * randomizer)
Lock = (Generator * randomizer)
Public Key
36535d7cc956b4f64c4b97e313510619f402e7718066d8daa3c4e497332f5b5f
---------
Verification #: 0518-4353-0983
Step 3: Submit Encrypted Vote
The voter sends their encrypted vote, with their Auth Token, to the election administrator.
The Voter Auth Token is confirmed to match an eligible voter, and that it hasn't already been used.
{ auth: '137a3a06fa', mayor_vote: }If it passes, the vote is added to a public list of all votes received so far.
{ auth: '165ce01fb3', mayor_vote: { encrypted: 645dc4638740ba83ec8178c50434ae8fe3395fb0802960899d568f5e3363ab5e, lock: ba321a93b9bbeedb58d85662388136258f41509734bd8a04a0ebdca7ae633514 }
{ auth: '63207e5c56', mayor_vote: { encrypted: de08a055a8d82e613a088779bb043b3b958621af856c0dff4055667620b4763e, lock: beb2c4bd5180213c056c9171af99e29ca53160dec758e34c5e66e51f4b8f8733 }
{ auth: 'b883a5d813', mayor_vote: { encrypted: 46ffd9f9edf51cb35a2071db7684cfbfc562fc46c85cff9c712bf75ca53e9315, lock: b4f94d1d7e9c07d83b93c9dd329f7b03a56370433ca42ff900fd47d3b8f59020 }
{ auth: '70e0cc8542', mayor_vote: { encrypted: 325aca80c2585a328d58616fabc3bd6f2bbfb32a25048ff093bc7285be50624f, lock: 04dcf0f2da3f497cd35f93a83b3e4d08a9d27b83a709ca2a6a91138232bbc864 }
{ auth: '137a3a06fa', mayor_vote: undefined }
The voter is sent a confirmation that their encrypted vote has been received and accepted.
This lets the voter know their job is done. It also alerts them in case someone else somehow gained access to their auth token. And it serves as a written receipt that the vote was accepted, to allow for auditing.
Because of the strong encryption, the election administrator still has no way to know how individual voters choose to vote.
From: elections@local.gov
To: you@email.com
Subject: Vote Confirmation
Your vote for mayor has been received. Thank you.
The final results will be posted at www.local.gov/election-results when the election closes.
Here is the encrypted vote you submitted:
{ auth: '137a3a06fa', mayor_vote: }If you did not submit this ballot, click here to report a problem.
Voting Period Closes
Step 4: Verifiable Shuffle
All the encrypted votes are then anonymized by the Verifying Observers.
This step de-links voters' identities from the contents of their encrypted votes.
First, the Voter Auth Tokens are removed from the list of all encrypted votes.
{ auth: '165ce01fb3', mayor_vote: { encrypted: 645dc4638740ba83ec8178c50434ae8fe3395fb0802960899d568f5e3363ab5e, lock: ba321a93b9bbeedb58d85662388136258f41509734bd8a04a0ebdca7ae633514 } }
{ auth: '63207e5c56', mayor_vote: { encrypted: de08a055a8d82e613a088779bb043b3b958621af856c0dff4055667620b4763e, lock: beb2c4bd5180213c056c9171af99e29ca53160dec758e34c5e66e51f4b8f8733 } }
{ auth: 'b883a5d813', mayor_vote: { encrypted: 46ffd9f9edf51cb35a2071db7684cfbfc562fc46c85cff9c712bf75ca53e9315, lock: b4f94d1d7e9c07d83b93c9dd329f7b03a56370433ca42ff900fd47d3b8f59020 } }
{ auth: '70e0cc8542', mayor_vote: { encrypted: 325aca80c2585a328d58616fabc3bd6f2bbfb32a25048ff093bc7285be50624f, lock: 04dcf0f2da3f497cd35f93a83b3e4d08a9d27b83a709ca2a6a91138232bbc864 } }
{ auth: '137a3a06fa', mayor_vote: }
Observer #1 then shuffles the votes.
{ mayor_vote: { encrypted: 645dc4638740ba83ec8178c50434ae8fe3395fb0802960899d568f5e3363ab5e, lock: ba321a93b9bbeedb58d85662388136258f41509734bd8a04a0ebdca7ae633514 } }
{ mayor_vote: { encrypted: de08a055a8d82e613a088779bb043b3b958621af856c0dff4055667620b4763e, lock: beb2c4bd5180213c056c9171af99e29ca53160dec758e34c5e66e51f4b8f8733 } }
{ mayor_vote: { encrypted: 46ffd9f9edf51cb35a2071db7684cfbfc562fc46c85cff9c712bf75ca53e9315, lock: b4f94d1d7e9c07d83b93c9dd329f7b03a56370433ca42ff900fd47d3b8f59020 } }
{ mayor_vote: { encrypted: 325aca80c2585a328d58616fabc3bd6f2bbfb32a25048ff093bc7285be50624f, lock: 04dcf0f2da3f497cd35f93a83b3e4d08a9d27b83a709ca2a6a91138232bbc864 } }
{ mayor_vote: }
This randomizes the order of the votes, like mixing them up in a hat.
But this alone isn't enough to properly anonymize them, because the encrypted data — the outsides of our metaphorical locked safes — are still distinguishable. Any computer could quickly reconstruct the original list.
So, Observer #1 then picks new Randomizer integers for each encrypted field, and Re-encrypts the shuffled votes.
This is like painting over the outside of the safes. The vote content is still safely locked within, and the Observer still has no ability to see or modify what's inside.
SIV is built upon a homomorphic encryption scheme called ElGamal to enable this re-encryption. The math is equivalent to adding (X * A) + (X * B), or X * (A + B), where A is the Voter's Randomizer and B is the Re-encrypter's. Because the encryption only needs these factors to be randomly chosen integers, there is no impact to the underlying contents.
{mayor_vote: { encrypted: 645dc4638740ba83ec8178c50434ae8fe3395fb0802960899d568f5e3363ab5e, lock: ba321a93b9bbeedb58d85662388136258f41509734bd8a04a0ebdca7ae633514 } }
{mayor_vote: { encrypted: de08a055a8d82e613a088779bb043b3b958621af856c0dff4055667620b4763e, lock: beb2c4bd5180213c056c9171af99e29ca53160dec758e34c5e66e51f4b8f8733 } }
{mayor_vote: { encrypted: 46ffd9f9edf51cb35a2071db7684cfbfc562fc46c85cff9c712bf75ca53e9315, lock: b4f94d1d7e9c07d83b93c9dd329f7b03a56370433ca42ff900fd47d3b8f59020 } }
{mayor_vote: { encrypted: 325aca80c2585a328d58616fabc3bd6f2bbfb32a25048ff093bc7285be50624f, lock: 04dcf0f2da3f497cd35f93a83b3e4d08a9d27b83a709ca2a6a91138232bbc864 } }
{mayor_vote: { encrypted: 46ffd9f9edf51cb35a2071db7684cfbfc562fc46c85cff9c712bf75ca53e9315, lock: b4f94d1d7e9c07d83b93c9dd329f7b03a56370433ca42ff900fd47d3b8f59020 } }
Now, the shuffled list is cryptographically mixed, with the original Auth Tokens unlinkable.
Their shuffled + re-encrypted list is now published publicly.
Zero-Knowledge Proofs of a Valid Shuffle are also provided. These proofs verify vote accuracy, even in the face of a dishonest or compromised Observer.
For strong cryptographic privacy, Observer #2 then repeats this same shuffle + re-encryption process, starting with the mixed list from Observer #1.
This way, all of the Observers independently shuffle the encrypted votes, like multiple people shuffling a deck of cards, then handing it off to the next person.
This design creates multiple fail-safes. Even if some Observers' devices are compromised, vote privacy can still be protected.
Step 5: Votes Unlocked & Tallied
The Verifying Observers then work together to Unlock the final shuffled list.
This unlocks just the vote contents of the final list, while preserving privacy.
Each Observer's individual key can partially unlock the final votes.
Any voter can Search (Ctrl+F) to find their individual submission, via their Verification #, and see that their vote was counted correctly.
Anyone can independently tally the vote totals themselves.
Only submissions from authenticated voters were accepted, which can be verified with standard Risk-Limiting Audits after the election.
{ mayor_vote: 'Jane Kim', verification: '5540-3796-2107' }
{ mayor_vote: 'Mark Leno', verification: '1053-9568-9905' }
{ mayor_vote: 'London Breed', verification: '1885-6886-1916' }
{ mayor_vote: 'London Breed', verification: '4498-3614-6811' }
{ mayor_vote: 'undefined', verification: '0518-4353-0983' }
Vote Totals:
- London Breed: 2
- Jane Kim: 1
- Mark Leno: 1
- undefined: 1
Election Completed
We've now succeeded to run an election that's authenticated, private, and completely verifiable.
For more information, see the Frequently Asked Questions page, or reach out to team@siv.org.