“Computers have been involved in elections for decades,” explains Prof. Peter Ryan from the University of Luxembourg’s Interdisciplinary Centre for Security, Reliability and Trust (SnT). As head of the Applied Security and Information Assurance (APSIA) research group, Prof. Ryan has over 30 years of experience in cryptography, information assurance and formal verification. Since the 1990s in the US, touch screen devices have been common at polling sites. In Brazil, the 1996 introduction of an electronic voting system helped resolve an ongoing struggle with fraudulent election tabulation. And over the past twenty years, a number of countries around the world, such as Estonia and Switzerland, have begun implementing internet voting systems for elections at a range of levels.

“But there are serious concerns,” Ryan continued, “as to whether these systems are actually secure and privacy-preserving.” And while networked solutions are most vulnerable because they are most accessible, all voting done with the help of digital technology – regardless of connectivity – is vulnerable. The problem, however, is not digital technology per se. Voting is intrinsically untraceable and opaque – it’s these (well-intended) design flaws that create the conditions for fraud to happen.

“What if, however, citizens could have a way of verifying that their vote gets into the tally without being altered?” said Prof. Ryan. “On the one hand, using distributed ledger technology – an idea that has been proposed by many – would allow them to verify that the vote has correctly been transmitted to the authorities without being tampered with, effectively building traceability into digital voting. But the biggest problem we need to address is preserving the privacy of voters, yet still allow them to verify that their vote was correctly tallied. In a way, we need to introduce secure transparency into the voting process. My idea is to provide each voter with an encrypted tracking number that would allow them to verify that their vote has correctly been tallied,” added Prof. Ryan.

“If done naively this would open the door to coercion threats, but as long as the notification of the trackers is secret and anonimised, it would give voters a very intuitive and transparent way to monitor the integrity of the election.” It is an approach that could put the power of cryptography into the hands of election officials and afford voters the protective shield of convincing denials when faced with coercion. In fact, the relation between the tracking number and the voter would be secret, but as the tracking numbers would all be public and anonymous, anyone could, in the face of coercion, pick any number. “Deniability is a really particular flavour of security that can be very hard to achieve,” said Ryan. “Our solution needs to be sophisticated enough to ensure voter privacy, but easily understandable so that the average voter can really use and appreciate its features.”

The system would allow the ability for people to cast their votes freely without fear, and then to personally confirm that their votes were registered and tallied correctly. Prof. Ryan calls his idea Selene, and he hopes that someday, it could be implemented either as a complete front-and-backend software solution or an add-on to existing voting software. Over the last decade, his team has been exploring the application of this, and similar, concepts in their ongoing research on secure voting.

But vote privacy in the present is far from the only challenge researchers need to address when working with computer voting. There’s also the looming threat of quantum computers, which could lay bare all data encrypted by most of today’s popular – and even cutting-edge – privacy schemes. Within the APSIA group, Dr. Johannes Mueller and his team have recently begun an FNR-funded research project, called ‘FP2: Future-Proofing Privacy in Secure Electronic Voting’, in which they will investigate approaches for secure voting to ensure votes remain private “No matter how much computational power or approaches might change in the next ten, twenty, or even hundred years,” says Mueller.

Mueller’s project pursues an implementation for electronic voting that ensures everlasting privacy – privacy that cannot be broken by quantum computers or any other yet unknown future technologies. “We prioritise this durable, permanent privacy over everything else,” says Mueller. “Essentially, our system is designed like a safe. You put your vote into the digital safe that obfuscates which vote was submitted by which voter. The election authorities would secretly open this safe, calculate and publish the vote totals. They would also use zero-knowledge proofs to demonstrate the honesty of their operations.” Zero-knowledge proofs are a cryptographic technique that allows someone to verify the veracity of information without actually accessing important secrets. The result could be a system with even stronger privacy. “We’ve begun to identify ways to build deniability into these systems, similar to Selene, but every system strikes its own balance,” explains Mueller. 

The significant advantage of Mueller’s approach is that even in a post-quantum world, ballot secrecy can be preserved. As more and more elections move into digital spaces, ensuring the enduring privacy of citizens’ votes will become more and more important. “There is no one ‘right’ solution”, says Mueller. What matters now is that we’re exploring all the tools available to us to meet today’s – and tomorrow’s – challenges.”

This article was originally published on 9 February 2023.