1. What is “end-to-end-verifiability”?
A voting system is end-to-end verifiable if every voter can verify that his/her vote was recorded and counted correctly. In such a system no one, not even the administrators of the voting system, can alter a vote without being detected.
2. Can a clever hacker (or a foreign country) forge results?
No. In the worst scenario the privacy of the system may be breached but the integrity of the system is always preserved. Let us emphasize this a bit more. Let us consider the unlikely, worst-case scenario where a hacker gets full control of both the software and all the secret keys of the system. Even in this case, the system guarantees that if the hacker tries to change the posted votes or the tallied result, then auditors would detect the attempt and reveal the forgery. Thus, if the elections pass audit and are successfully verified by voters, then voters can be assured that the election results are correct.
3. Can I trust cryptography to protect my privacy?
Cryptography is widely used in many important applications (online banking, financial transactions, electronic signatures, military uses) that often involve billions of dollars. There is a detailed NIST standard concerning these cryptographic primitives, and we follow these standards.
4. Why is ‘voter verifiability’ important?
Preventing electoral fraud has always been a major challenge. Surprisingly, even in the US this has been a major issue. A recent example is the 2004 US presidential elections. The main source of problems with the equipment used in these elections was their lack of transparency: there was simply no way for voters to verify their vote was registered correctly. Robert F. Kennedy Jr., for example, claims in an article titled “Was the 2004 Election Stolen?” that “80,000 votes for Kerry were counted instead for Bush”. We believe the moral of the story is very clear. Even if no fraud took place in the 2004 US elections, the voting process still failed, because it is not sufficient to have a properly working system, it is also mandatory that it can be convincingly demonstrated to be so. In short: modern voting schemes must be verifiable. We strongly believe all modern voting systems should have this property, and we built Wombat Voting to demonstrate this idea.
5. How do I know my vote is counted?
After you make your selection on the touch screen, your vote is encrypted and then printed on paper. The printout contains two parts: clear text that is thrown into the ballot-box and your encrypted vote that appears on the public ballot tracking web page and is given to you as a receipt. You can verify, at any time, that the cipher text given to you as a receipt matches the value appearing on the public ballot tracking web page.
6. How do I know my receipt correctly encodes my vote?
A question that is often asked is “How can I be sure that the value on my receipt (that also appears on the ballot tracking web page) indeed encrypts my vote?” The answer to that lies in the process producing the receipt. After making your choice on the touch screen a ballot is printed. The ballot contains:
The receipt (which is supposed to contain your encrypted vote), and,
Your vote as clear text.
You can (and should) verify that the value appearing in the clear text is indeed your choice. If you wish, you can also press the “audit” button and ask the machine to reveal the randomness used to encrypt your vote, thus verifying that the machine prints consistent ballots where the encryption matches the clear text. Finally, you can verify that the encrypted message (that is also given to you as a receipt) matches the value on the ballot tracking web page.
7. Can the receipt reveal my vote?
To protect your privacy, the receipt contains your vote encrypted with a public key encryption scheme. This means that the voting machine can encrypt your vote, but no one can decrypt it without knowing the secret private key. In our scheme there is a group of trustees (that should include, e.g., representatives from the government, the various political parties, the judiciary system and human rights organizations) that collectively hold the secret key in such a way that no party can decrypt a message without the help of the others. As a result, no one, including you or any proper subset of the trustees, can decipher the receipt and discover what it encodes (see Threshold cryptosystem for more details).
9. I have no mathematical training. How do I know all those encryptions are tallied correctly?
Cryptography is widely used today, e.g., almost all browsers support encryption. Anyone who understands cryptography can write a simple program that checks the validity of the elections. Even if you do not understand cryptography yourself, you can still test the validity of the system by using auditing software obtained from a reliable source.
Frequently Asked Questions
1. What is “end-to-end-verifiability”?
2. Can a clever hacker (or a foreign country) forge results?
3. Can I trust cryptography to protect my privacy?
4. Why is “voter verifiability” important?
5. How do I know my vote is counted?
6. How do I know my receipt correctly encodes my vote?
7. Can the receipt reveal my vote?
8. How does wombat voting prevent ballot stuffing?
9. I have no mathematical training. How do I know all those encryptions are tallied correctly?
10. Are there other voting systems that support “end-to-end verifiability”?
1. What is “end-to-end-verifiability”?
A voting system is end-to-end verifiable if every voter can verify that his/her vote was recorded and counted correctly. In such a system no one, not even the administrators of the voting system, can alter a vote without being detected.
2. Can a clever hacker (or a foreign country) forge results?
No. In the worst scenario the privacy of the system may be breached but the integrity of the system is always preserved. Let us emphasize this a bit more. Let us consider the unlikely, worst-case scenario where a hacker gets full control of both the software and all the secret keys of the system. Even in this case, the system guarantees that if the hacker tries to change the posted votes or the tallied result, then auditors would detect the attempt and reveal the forgery. Thus, if the elections pass audit and are successfully verified by voters, then voters can be assured that the election results are correct.
3. Can I trust cryptography to protect my privacy?
Cryptography is widely used in many important applications (online banking, financial transactions, electronic signatures, military uses) that often involve billions of dollars. There is a detailed NIST standard concerning these cryptographic primitives, and we follow these standards.
4. Why is ‘voter verifiability’ important?
Preventing electoral fraud has always been a major challenge. Surprisingly, even in the US this has been a major issue. A recent example is the 2004 US presidential elections. The main source of problems with the equipment used in these elections was their lack of transparency: there was simply no way for voters to verify their vote was registered correctly. Robert F. Kennedy Jr., for example, claims in an article titled “Was the 2004 Election Stolen?” that “80,000 votes for Kerry were counted instead for Bush”. We believe the moral of the story is very clear. Even if no fraud took place in the 2004 US elections, the voting process still failed, because it is not sufficient to have a properly working system, it is also mandatory that it can be convincingly demonstrated to be so. In short: modern voting schemes must be verifiable. We strongly believe all modern voting systems should have this property, and we built Wombat Voting to demonstrate this idea.
5. How do I know my vote is counted?
After you make your selection on the touch screen, your vote is encrypted and then printed on paper. The printout contains two parts: clear text that is thrown into the ballot-box and your encrypted vote that appears on the public ballot tracking web page and is given to you as a receipt. You can verify, at any time, that the cipher text given to you as a receipt matches the value appearing on the public ballot tracking web page.
6. How do I know my receipt correctly encodes my vote?
A question that is often asked is “How can I be sure that the value on my receipt (that also appears on the ballot tracking web page) indeed encrypts my vote?” The answer to that lies in the process producing the receipt. After making your choice on the touch screen a ballot is printed. The ballot contains:
You can (and should) verify that the value appearing in the clear text is indeed your choice. If you wish, you can also press the “audit” button and ask the machine to reveal the randomness used to encrypt your vote, thus verifying that the machine prints consistent ballots where the encryption matches the clear text. Finally, you can verify that the encrypted message (that is also given to you as a receipt) matches the value on the ballot tracking web page.
7. Can the receipt reveal my vote?
To protect your privacy, the receipt contains your vote encrypted with a public key encryption scheme. This means that the voting machine can encrypt your vote, but no one can decrypt it without knowing the secret private key. In our scheme there is a group of trustees (that should include, e.g., representatives from the government, the various political parties, the judiciary system and human rights organizations) that collectively hold the secret key in such a way that no party can decrypt a message without the help of the others. As a result, no one, including you or any proper subset of the trustees, can decipher the receipt and discover what it encodes (see Threshold cryptosystem for more details).
8. How does wombat voting prevent ballot stuffing?
We trust the polling station committee members to identify each voter, and let each voter vote only once.
9. I have no mathematical training. How do I know all those encryptions are tallied correctly?
Cryptography is widely used today, e.g., almost all browsers support encryption. Anyone who understands cryptography can write a simple program that checks the validity of the elections. Even if you do not understand cryptography yourself, you can still test the validity of the system by using auditing software obtained from a reliable source.
10. Are there other voting systems that support “end-to-end verifiability”?
Yes. Cryptographic voting is an active area of research, and many end-to-end verifiable protocols have been suggested. Some protocols have been implemented and the Scantegrity II voting system was even used in the Takoma Park, Maryland November, 2009 elections. Our system is a variant on the above systems, with some unique features, like the dual use of electronic and paper ballots.