The challenges of voter secrecy in e-voting

You've heard of Fifty Shades of Grey - now here comes Fifty Shades of Ballot Privacy! Only this wasn't a best-selling novel, but rather a noteworthy scientific paper tackling a concept that is just as multi-faceted: protecting voter secrecy. More specifically, this paper looked into the protection of secret ballots in cases where this is linked to a corrupt or dishonest server (or electronic ballot box).

Retaining secrecy

The publication won a Distinguished Paper Award at the 2020 edition of the CSF conference, which deals with the formal verification of security systems. It presented the results of research into protecting ballot secrecy that had been jointly conducted by Véronique Cortier, director of research at the CNRS and a member of the Pesto project team; Joseph Lallemand, a former PhD student from this same team (currently a postdoctoral researcher at ETH Zürich); and Bogdan Warinschi, a researcher at the Swiss foundation Dfinity, with past experience of working with researchers from the Inria Nancy - Grand-Est research centre. This new research will be of vital importance to both the Pesto project team (which deals with security protocols, particularly for electronic voting) and the Caramba project team (which deals with cryptography and cryptoanalysis), who are behind an open source electronic voting platform called Belenios. What is notable about this tool is that its source code is “open”, enabling it to be scrutinised, if necessary, by third parties. What’s more, it is designed to deliver maximum security for all shared data.

So far, so good. But what happens when the server (i.e. the electronic ballot box) to which ballot papers are sent is found to be “dishonest”? This was the focus of the work carried out by the three researchers, who were keen to stress the difficulty of defining the concept of voter secrecy in the context of electronic voting. But why is this? “There are several reasons”, explains Joseph Lallemand, a specialist in the verification of all types of cryptographic protocols. “Obviously, if everyone were to vote the same way, a potential attacker would know right away who someone had voted for. But it becomes more complicated if it can be shown that the electronic ballot box used to store encrypted votes was dishonest. In such cases, it could be difficult for organisers to ensure that ballot secrecy has been respected.” This explains the need to stop automatically trusting electronic ballot boxes when it comes to analysing ballot secrecy, as has so far been the case owing to a lack of any other options. Instead, it is necessary to begin with the principle that the ballot box may have been corrupted, but that this should not affect ballot secrecy.

Modelling the most dangerous attacks

Given the range of different forms which attacks and intrusions can take, the researchers modelled a whole host of deviant behaviours, providing mathematical descriptions for them. They made a distinction between those that could be dangerous, such as those where voters’ choices could be revealed to third parties, and those which could be tolerated, perhaps owing to a lack of any credible threat or because they would not lead to secrets being divulged.

“The goal of this theoretical work - in keeping with the scientific objectives of the Inria Nancy - Grand-Est research centre when it comes to developing algorithmic intelligence - was to provide a mathematical framework for formally defining what is serious and what isn’t”, explains Joseph Lallemand. “The work should also help us to develop a better understanding of what we can realistically expect from an electronic voting system from a security point of view”.

This will then enable them to present good practices to the authorities in charge of organising electronic votes or bodies responsible for privacy protection. As we have seen with the CNIL (the French data protection authority), it is now increasingly common for these bodies to set forward security guidelines for the organisers of elections.