Secure Internet Voting Protocol

Voting Option with Mathematically Provable Privacy & Vote Verifiability

A secure election has three requirements:

Authenticated voters

Only legitimately registered voters are allowed to vote, and only once per person.

Private voting

A fair election requires that voters can freely choose without anyone learning how they voted.

Verifiable tallies

For widely accepted results, vote totals must be independently auditable for accuracy.


There have already been digital systems in widespread use that offer each of these properties individually. Yet accomplishing all three at the same time has been unusually challenging.

Here is how SIV meets all three requirements:

Before the Election

Voter Registration

Election administrator collects list of all valid voters, via the same methods as currently used.



Individual voters should opt-in to SIV by registering an email address with their election administrator.

Using email is fast, easy, and highly affordable, but election administrator can also use other methods to contact voters, including traditional postal mail.
NameMailing AddressEmail Address
Barton, Adam......
Green, Elissa......
Hauck, Erik......
Schuster, Brad......
Swift, Savannah......

New

Ballot Finalized

The official ballot is finalized, as with traditional paper elections.

There can be multiple questions, as many as the election requires.

SIV is 100% compatible with — and makes it easier to adopt — voting methods meant to improve upon the Choose-Only-One system, such as Ranked Choice Voting, Approval Voting, and Score Voting.





Privacy Protectors Registration

To give voters additional confidence that the election is run fairly, administrators have the option to add SIV “Privacy Protectors”.

These are like the observers in our existing paper elections, but SIV Privacy Protectors are vastly more powerful, because they use strong cryptography to ensure every vote is private and tamper-free.

After anonymization (Step 4), the Privacy Protectors work together to unlock the votes for tallying (Step 5).

Before the election begins, Privacy Protectors take part in a SIV Threshold Key Generation ceremony to generate private key shares and create the election's public key.
Each Privacy Protector contributes a share of the unlocking key.



The Privacy Protectors ought to have competing interests. A reasonable choice would be one Privacy Protector selected by each candidate's political party, plus the election admin.

Privacy Protectors do not need to trust each other, and cannot possibly tamper with votes.

Voting Begins

Step 1: Invitation to Vote

Election administrator sends individualized invitations to all enrolled voters.

The purpose of this step is to get each voter their Voter Auth Token, highlighted in orange.

Key Properties of Voter Auth Tokens

  • required to vote
  • unique per voter
  • generated by election admin
  • infeasible to guess
  • can only be used once
  • if necessary, election admin can invalidate individual Auth Tokens & generate new ones
  • used Auth Tokens can be audited after the election

Here we use an easy distribution channel — a simple email. But election administrators can offer other options, including 2-factor methods with drawn signatures, SMS, TOTP, or IP address geolocation.

Admins can even send Voter Auth Tokens via traditional postal mail. In other words, SIV can match the Voter Authentication requirements of existing processes, while upgrading the return ballot process to be faster, more accessible, and fully verifiable.

See How does SIV ensure One Vote per Person? for more.

From: elections@local.gov
To: you@email.com
Subject: Your Vote Invitation

Voting for our next Mayor is now open.

Votes are accepted for the next 14 days.

Click here to securely cast your vote:
www.local.gov/vote?auth=13e036e44b

This link is unique for you. Don't share it with anyone, or they'll be able to take your vote. (Help)

Step 2: Mark & Encrypt Your Vote

Voter fills out their ballot, which gets immediately encrypted.





SIV shows voters a simple point-and-click interface to fill out their ballot:


Who should be the next Mayor?

A random Verification # is generated before votes are encrypted.

Verification #:

This Verification # will be publicly shown once votes are unlocked. It allows you to easily verify your vote was counted correctly, while protecting your privacy.

This unique value was generated on your own device. Don't share it with anyone.

This example results in a plaintext vote:

{
}



Then the plaintext vote can be sealed, resulting in an encrypted vote:

{}

Encrypted votes can be safely shared, without revealing the underlying vote.
The encryption acts like sealing it inside a locked safe.




SIV creates an Encryption Receipt for each voter, allowing them or 3rd-party auditors to verify that everything worked as intended.
This is automatically stored in the browser's localstorage, and never leaves the device.

Encrypted @ Thu Jan 25 2024 23:37:45 GMT+0000 (Coordinated Universal Time) Encryption Formula https://en.wikipedia.org/wiki/ElGamal_encryption in Ristretto255 prime-order subgroup of Elliptic Curve25519 Encrypted = Encoded + (Recipient * randomizer) Lock = (Generator * randomizer) Public Key ee8daa85a66d29944060e719c5c0d00f67b2df52bd6c2f5108a814be7c66aa0a --------- Verification #: 2401-8208-4035

Step 3: Submit Encrypted Vote

The voter sends their encrypted vote, with their Auth Token, to the election administrator.

The Voter Auth Token is confirmed to match an eligible voter, and that it hasn't already been used.


{ auth: '13e036e44b', mayor_vote: }



If it passes, the vote is added to a public list of all votes received so far.


{ auth: '89e4222cf1', mayor_vote: { encrypted: 067cc4b17107ac243923225f709c749ea3f7059c4a4c88e928f611a7f42ed375, lock: 28a5db54486f7af875a1ac78edd010b07a92915b41e67728e14a1a5e63fe747d }

{ auth: '51cfc299d6', mayor_vote: { encrypted: 62b77bc240872450c58081a6746a186686f088e5217b702e2bb7b2a00f69100e, lock: 7a9f13d353050d6af6657e9cef55d158870d7ae257129145201ef81c53e27267 }

{ auth: '909e74473c', mayor_vote: { encrypted: aa2d52ab5a847b6a00f25ff5207819c270d45a15b45144e80a23042ed2b16200, lock: 5a5a6f313f379213df175e21611214fbc873590c79715432934aa7a0d3896e6d }

{ auth: '153533ba53', mayor_vote: { encrypted: 203549b3ddae6a2d1a403bedb627556b93f183085662ef2d8f6c09c149c11802, lock: 603c8e89427804b3fe4adc69be6819501b434704e72f0a535879f8fcec78021a }

{ auth: '13e036e44b', mayor_vote: undefined }



The voter is sent a confirmation that their encrypted vote has been received and accepted.

This lets the voter know their job is done. It also alerts them in case someone else somehow gained access to their auth token. And it serves as a written receipt that the vote was accepted, to allow for auditing.



Because of the strong encryption, the election administrator still has no way to know how individual voters choose to vote.

From: elections@local.gov
To: you@email.com
Subject: Vote Confirmation

Your vote for mayor has been received. Thank you.

The final results will be posted at www.local.gov/election-results when the election closes.

Here is the encrypted vote you submitted:

{ auth: '13e036e44b', mayor_vote: }

If you did not submit this ballot, click here to report a problem.

Voting Period Closes

Step 4: Verifiable Shuffle

All the encrypted votes are then anonymized by the Privacy Protectors.

This step de-links voters' identities from the contents of their encrypted votes.




First, the Voter Auth Tokens are removed from the list of all encrypted votes.

{ auth: '89e4222cf1', mayor_vote: { encrypted: 067cc4b17107ac243923225f709c749ea3f7059c4a4c88e928f611a7f42ed375, lock: 28a5db54486f7af875a1ac78edd010b07a92915b41e67728e14a1a5e63fe747d } }

{ auth: '51cfc299d6', mayor_vote: { encrypted: 62b77bc240872450c58081a6746a186686f088e5217b702e2bb7b2a00f69100e, lock: 7a9f13d353050d6af6657e9cef55d158870d7ae257129145201ef81c53e27267 } }

{ auth: '909e74473c', mayor_vote: { encrypted: aa2d52ab5a847b6a00f25ff5207819c270d45a15b45144e80a23042ed2b16200, lock: 5a5a6f313f379213df175e21611214fbc873590c79715432934aa7a0d3896e6d } }

{ auth: '153533ba53', mayor_vote: { encrypted: 203549b3ddae6a2d1a403bedb627556b93f183085662ef2d8f6c09c149c11802, lock: 603c8e89427804b3fe4adc69be6819501b434704e72f0a535879f8fcec78021a } }

{ auth: '13e036e44b', mayor_vote: }










Privacy Protector #1 then shuffles the votes.

{ mayor_vote: { encrypted: 067cc4b17107ac243923225f709c749ea3f7059c4a4c88e928f611a7f42ed375, lock: 28a5db54486f7af875a1ac78edd010b07a92915b41e67728e14a1a5e63fe747d } }

{ mayor_vote: { encrypted: 62b77bc240872450c58081a6746a186686f088e5217b702e2bb7b2a00f69100e, lock: 7a9f13d353050d6af6657e9cef55d158870d7ae257129145201ef81c53e27267 } }

{ mayor_vote: { encrypted: aa2d52ab5a847b6a00f25ff5207819c270d45a15b45144e80a23042ed2b16200, lock: 5a5a6f313f379213df175e21611214fbc873590c79715432934aa7a0d3896e6d } }

{ mayor_vote: { encrypted: 203549b3ddae6a2d1a403bedb627556b93f183085662ef2d8f6c09c149c11802, lock: 603c8e89427804b3fe4adc69be6819501b434704e72f0a535879f8fcec78021a } }

{ mayor_vote: }


This randomizes the order of the votes, like mixing them up in a hat.

But this alone isn't enough to properly anonymize them, because the encrypted data — the outsides of our metaphorical locked safes — are still distinguishable. Any computer could quickly reconstruct the original list.






So, Privacy Protector #1 then picks new Randomizer integers for each encrypted field, and Re-encrypts the shuffled votes.

This is like painting over the outside of the safes. The vote content is still safely locked within, and the Privacy Protector still has no ability to see or modify what's inside.

SIV is built upon a homomorphic encryption scheme called ElGamal to enable this re-encryption. The math is equivalent to adding (X * A) + (X * B), or X * (A + B), where A is the Voter's Randomizer and B is the Re-encrypter's. Because the encryption only needs these factors to be randomly chosen integers, there is no impact to the underlying contents.


{mayor_vote: { encrypted: 067cc4b17107ac243923225f709c749ea3f7059c4a4c88e928f611a7f42ed375, lock: 28a5db54486f7af875a1ac78edd010b07a92915b41e67728e14a1a5e63fe747d } }

{mayor_vote: { encrypted: 62b77bc240872450c58081a6746a186686f088e5217b702e2bb7b2a00f69100e, lock: 7a9f13d353050d6af6657e9cef55d158870d7ae257129145201ef81c53e27267 } }

{mayor_vote: { encrypted: aa2d52ab5a847b6a00f25ff5207819c270d45a15b45144e80a23042ed2b16200, lock: 5a5a6f313f379213df175e21611214fbc873590c79715432934aa7a0d3896e6d } }

{mayor_vote: { encrypted: 203549b3ddae6a2d1a403bedb627556b93f183085662ef2d8f6c09c149c11802, lock: 603c8e89427804b3fe4adc69be6819501b434704e72f0a535879f8fcec78021a } }

{mayor_vote: { encrypted: aa2d52ab5a847b6a00f25ff5207819c270d45a15b45144e80a23042ed2b16200, lock: 5a5a6f313f379213df175e21611214fbc873590c79715432934aa7a0d3896e6d } }



Now, the shuffled list is cryptographically mixed, with the original Auth Tokens unlinkable.

Their shuffled + re-encrypted list is now published publicly.


Zero-Knowledge Proofs of a Valid Shuffle are also provided. These proofs verify vote accuracy, even in the face of a dishonest or compromised Privacy Protector.




For strong cryptographic privacy, Privacy Protector #2 then repeats this same shuffle + re-encryption process, starting with the mixed list from Privacy Protector #1.


This way, all of the Privacy Protectors independently shuffle the encrypted votes, like multiple people shuffling a deck of cards, then handing it off to the next person.

This design creates multiple fail-safes. Even if some Privacy Protectors' devices are compromised, vote privacy can still be protected.



abc

Step 5: Votes Unlocked & Tallied

The Privacy Protectors then work together to Unlock the final shuffled list.

This unlocks just the vote contents of the final list, while preserving privacy.


Each Privacy Protector's individual key can partially unlock the final votes.






Any voter can Search (Ctrl+F) to find their individual submission, via their Verification #, and see that their vote was counted correctly.



Anyone can independently tally the vote totals themselves.



Only submissions from authenticated voters were accepted, which can be verified with standard Risk-Limiting Audits after the election.

{ mayor_vote: 'Jane Kim', verification: '4435-0929-9715' }

{ mayor_vote: 'London Breed', verification: '9700-1002-1008' }

{ mayor_vote: 'Jane Kim', verification: '5792-8569-5991' }

{ mayor_vote: 'Jane Kim', verification: '4275-7690-7874' }

{ mayor_vote: 'undefined', verification: '2401-8208-4035' }


Vote Totals:
  1. Jane Kim: 3
  2. London Breed: 1
  3. undefined: 1

Election Completed

We've now succeeded to run an election that's authenticated, private, and completely verifiable.

For more information, see the Frequently Asked Questions page, or reach out to team@siv.org.