Voter verifiability and Public verifiability

A few people have asked how a voter can be sure that her vote has been counted correctly just because she has verified that it made it correctly into the batch of counted votes, when she has no insight into the various stages of decryption and does not have the expertise to verify those later stages herself.

The key is the combination of Voter verifiability and something called Public verifiability. A system is voter verifiable if an individual voter can verify that her vote has made it correctly into the batch of votes that is subsequently counted. A system is publicly verifiable if the public (in some form that I discuss below) can verify that all the votes (verified by the voters) are decrypted (and thus anonymised) and counted correctly.

Voter verifiability + Public verifiability = End-to-end verifiability

If a voter can verify the correct inclusion of her vote in the batch of votes that the public can then verify is correctly decrypted and then counted, then the system is end-to-end verifiable.

So how does the public verify that votes are decrypted and counted correctly?

If we skip the detail about exactly how the votes are decrypted (and thus anonymised) then we can more easily describe in general terms how the public does this verification. To start with, all the encrypted votes cast by the voters are collected in a database. Then all of those votes are downloaded by the first trusted party, who performs a decryption step and a mix. The decryption that this trusted party performs is only one of many such decryptions that must be done by many different trusted parties before the votes are completely decrypted and thus readable. When the first trusted party is done, the output is published online for all to see. The second trusted party downloads all the data and does the same thing as the first. After a while, all trusted parties have performed their duties and the votes are decrypted and can be counted.

The trusted parties have key shares that together make up a secret key. Because they all have key shares, there is no central point where this key is known and no single organisation which knows the secret key. Only if all of the trusted parties work together can they decrypt the votes and because this decryption is done serially in a distributed fashion, there is no single server where the election secret can be revealed.

The public key is, as its name signals, made public – that is to say, it is published. This means that if I want to verify the work done by the trusted parties, I can download all the data from the decryption and mixing rounds done by the trusted parties and then use the public key to verify it. The work that the trusted parties do is done using the private key shares, but I can verify their work with the public key, which I know. So in order to verify the election data, I do not need to know the private key.
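The following sketch is an added example, not code from the voting system described here. It assumes ElGamal encryption with one key share per trusted party and a Chaum-Pedersen proof published with each serial decryption step, and it leaves out the mixing. The group parameters, function names and record fields are constructed for illustration. The verifier uses only the published public key shares, whose product is the election public key.

```python
import hashlib, math, secrets

# Toy group, constructed for this example and far too small for real use:
# P = 2Q + 1 with P, Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def challenge(*vals):
    digest = hashlib.sha256("|".join(map(str, vals)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                  # (private share, public share)

def encrypt(m, h):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(h, r, P) % P

def trustee_step(x, h_i, a, b):
    """A trustee strips its layer and publishes a Chaum-Pedersen proof."""
    d = pow(a, x, P)                        # needs the private share x
    w = secrets.randbelow(Q)
    t1, t2 = pow(G, w, P), pow(a, w, P)
    s = (w + challenge(G, h_i, a, d, t1, t2) * x) % Q
    return {"a": a, "b_in": b, "b_out": b * pow(d, -1, P) % P,
            "d": d, "t1": t1, "t2": t2, "s": s}

def verify_step(h_i, rec):
    """Public check: only published values, never a private share."""
    a, d, s = rec["a"], rec["d"], rec["s"]
    c = challenge(G, h_i, a, d, rec["t1"], rec["t2"])
    return (pow(G, s, P) == rec["t1"] * pow(h_i, c, P) % P      # same x as in h_i
            and pow(a, s, P) == rec["t2"] * pow(d, c, P) % P    # d really is a^x
            and rec["b_out"] * d % P == rec["b_in"])            # layer removed

def run_audit(m, n_trustees=3, cheat_at=None):
    """Returns (final plaintext, per-trustee verification results)."""
    keys = [keygen() for _ in range(n_trustees)]
    a, b = encrypt(m, math.prod(h_i for _, h_i in keys) % P)
    results = []
    for i, (x, h_i) in enumerate(keys):
        rec = trustee_step(x, h_i, a, b)
        if i == cheat_at:                   # simulated tampering with the output
            rec["b_out"] = rec["b_out"] * G % P
        results.append(verify_step(h_i, rec))
        b = rec["b_out"]
    return b, results
```

With `cheat_at` set, the audit pinpoints which trusted party published an output that does not match its proof, even though the later parties processed the altered data correctly.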

Doing this verification is, as you can imagine, quite tricky. You need to know how to program and you need to understand the technical specifications that you have to follow. Therefore, we envisage that all the various political parties, the government, Non-Government Organisations (NGOs), the United Nations, the ODIHR, governments of other countries in the region, newspapers and other media outlets and any interested organisation or individual will nominate one or more experts to perform the public verification. This means that if I don’t trust the expert nominated by my political party then perhaps I do trust the expert nominated by the newspaper I subscribe to or the workers’ union I belong to. If I really do not trust any one of the experts available then I can learn a programming language (if I don’t already know one) and read up on the technical specifications that are published and then I can, on my own computer, write a program that verifies the election data.

So to sum up.

Each voter is able to verify that her vote is included correctly in the tally and the public is able to verify that all the votes are counted correctly, thus making the system completely verifiable.


My TED Global talk

David Bismark speaking about Verifiable Electronic Voting at TED Global in Oxford, UK 2010

At TED Global 2010 I got a wonderful six minutes to talk about four years of research. I thought I would use that opportunity not only to give people a taste of the interesting results that the verifiable electronic voting research community has had in recent years, but also to end with a strong call to action. The ideas I wanted to convey were:

  • Elections should be transparent and verifiable.
  • Elections are fundamental to our democracy.
  • Elections are by the people, for the people.

The response from the TED community who attended the conference has been absolutely fantastic. I could not have guessed or asked for anything similar and I am hoping to follow up on all the threads shortly.

I do believe that we need to talk about elections in a new way; we need to talk about transparency and verifiability. We live our lives dependent on the democracy of our respective countries so elections, the fundamental underpinning of democracy, have to be correct. Many of us live in countries with universal suffrage so now we need to take a step further. My vision is of election systems that are transparent (so that the people can see that the outcome is based on their will) and verifiable (so that the people can check that the announced result is the correct one). These systems should not only be impossible to cheat (because they are not run by God, they are run by humans so they have to be immune to human intervention) but they should tally the election correctly and prove that the tally is correct.

There is a plethora of Verifiable Electronic Voting systems in the research community and now I want to connect those interested in implementing these notions in real elections with the relevant science and scientists. Please do contact me and I will do everything I can to provide access to not only my own knowledge on the subject but also that of other researchers. (I have a PhD in Verifiable Electronic Voting.)

As far as I am aware, my talk is due to be published on in November, as there are US midterm elections then.