Voter verifiability and Public verifiability

A few people have asked about how a voter can be sure that her vote has been counted correctly just because she verifies that her vote has made it correctly into the batch of counted votes when she has no insight into the various stages of decryption and she has not got the expertise to verify those later stages herself.

The key is the combination of Voter verifiability and something called Public verifiability. A system is voter verifiable if an individual voter can verify that her vote has made it correctly into the batch of votes that is subsequently counted. A system is publicly verifiable if the public (in some form that I discuss below) can verify that all the votes (verified by the voters) are decrypted (and thus anonymised) and counted correctly.

Voter verifiability + Public verifiability = End-to-end verifiability

If a voter can verify the correct inclusion of her vote in the batch of votes that the public can then verify is correctly decrypted and then counted, then the system is end-to-end verifiable.

So how does the public verify that votes are decrypted and counted correctly?

If we skip the detail about exactly how the votes are decrypted (and thus anonymised) then we can more easily describe in general terms how the public does this verification. To start with, all the encrypted votes cast by the voters are collected in a database. Then all of those votes are downloaded by the first trusted party who performs a decryption step and a mix. The decryption that this trusted party is only one of many such decryptions that must be done by many different trusted parties before the votes are completely decrypted and thus readable. When the first trusted party is done then the output is published online for all to see. The second trusted party downloads all the data and does the same thing as the first. After a while, all trusted parties have performed their duties and the votes are decrypted and can be counted.

The trusted parties have key shares that together make up a secret key. Because they all have key shares, there is no central point where this key is known and no single organisation which knows the secret key. Only if all of the trusted parties work together can they decrypt the votes and because this decryption is done serially in a distributed fashion, there is no single server where the election secret can be revealed.

The public key is, as its name signals, made public – that is to say, it is published. This means that if I want to verify the work done by the trusted parties, I can download all the data from the decryption and mixing rounds done by the trusted parties and then use the public key to verify it. The work that the trusted parties do is done using the private key shares, but I can verify their work with the public key, which I know. So in order to verify the election data, I do not need to know the private key.

Doing this verification is, as you can imagine, quite tricky. You need to know how to program and you need to understand the technical specifications that you have to follow. Therefore, we envisage that all the various political parties, the government, Non-Government Organisations (NGOs), the United Nations, the ODIHR, government of other countries in the region, newspapers and other media outlets and any interested organisation or individual will nominate one or more experts to perform the public verifiability. This means that if I don’t trust the expert nominated by my political party then perhaps I do trust the expert nominated by the newspaper I subscribe to or the workers’ union I belong to. If I really do not trust any one of the experts available then I can learn a programming language (if I don’t already know one) and read up on the technical specifications that are published and then I can, on my own computer, write a program that verifies the election data.

So to sum up.

Each voter is able to verify that her vote is included correctly in the tally and the public is able to verify that all the votes are counted correctly, thus making the system completely verifiable.