Secure Internet Voting (SIV) Protocol Overview

Fast, Private, Verifiable

Voting Method with mathematically provable privacy & vote verifiability.

Before the Election

Voter Registration

The election administrator collects a list of all valid voters, using the usual methods (in person, DMV, etc.).



Individual voters should opt in to SIV by registering an email address with their election administrator.
Name               Mailing Address    Email Address
Barton, Adam       ...                ...
Green, Elissa      ...                ...
Hauck, Erik        ...                ...
Schuster, Brad     ...                ...
Swift, Savannah    ...                ...


Ballot Finalized

The official ballot is finalized, as with traditional paper elections.

There can be multiple questions, as many as the election requires.

SIV is 100% compatible with — and makes it easier to adopt — voting methods meant to improve upon the Choose-Only-One system, such as Ranked Choice Voting, Approval Voting, and Score Voting.






Observer Registration

Verifying Observers — who protect the privacy of the vote — are enrolled ahead of time.

As long as a single Observer works honestly, the privacy of the vote is ensured. This is shown in detail in Step 4.

No matter what, the accuracy of the vote can still always be verified.

To enroll, each Verifying Observer generates a private key and takes part in a Threshold Key generation process with the election admin to create the corresponding public key for the election.

Their main job is explained in Step 4, but this shared public key is needed ahead of time so that voters can encrypt their votes in Step 2.

Each Observer contributes a share of the unlocking key.



The Observers ought to have competing interests. A reasonable choice would be one Observer selected by each candidate's political party, plus the election admin.

Voting Begins

Step 1: Invitation to Vote

The election administrator sends individualized invitations to all enrolled voters.

The point of this step is to get each voter their Voter Auth Token, highlighted in orange.

Key Properties of Voter Auth Tokens

  • required to vote
  • unique per voter
  • generated by election admin
  • infeasible to guess
  • can only be used once
  • election admin can invalidate individual Auth Tokens, & generate new ones, if necessary
  • after the election, the public can see all Auth Tokens generated, invalidated, or used (but not content of any votes)

Here we use an easy distribution channel — a simple email. But election administrators can offer other options, including 2-factor methods with SMS, TOTP, or IP address geolocation.

Admins can even send Voter Auth Tokens via traditional postal mail. This makes it easy for jurisdictions already offering Vote by Mail to begin accepting returned ballots online, gaining the powerful Speed, Privacy, & Verification features of SIV. See How does SIV ensure One Vote per Person? for more.

From: elections@local.gov
To: you@email.com
Subject: Your Vote Invitation

Voting for our next Mayor is now open.

Votes accepted for the next 14 days.

Click here to securely cast your vote:
www.local.gov/vote?auth=1e1b7bae44

This link is unique for you. Don't share it with anyone, or they'll be able to take your vote. (Help)

Step 2: Mark & Encrypt Your Vote

The voter fills out their ballot, which is immediately encrypted.





SIV shows voters a GUI to fill out their ballot:


Who should be the next Mayor?

SIV adds a unique Verification # before votes are encrypted.

Verification #:

This Verification # will be shown once votes are unlocked. It allows you to easily verify your vote was counted correctly, while protecting your privacy.

This unique value was generated on your own device. Don't share it with anyone.

This example results in a plaintext vote like:

{
  mayor_vote: 'London Breed',
  verification: '',
}



Then the plaintext vote can be sealed, resulting in an encrypted vote that looks like:

{}

Encrypted votes can be safely shared, without revealing the underlying vote.
The encryption acts like sealing it inside a locked safe.




SIV creates an Encryption Receipt for each voter, allowing them or 3rd-party auditors to verify that everything worked as intended.
This is automatically stored in the browser's localStorage, and never leaves the device.

Encrypted @ Mon Oct 25 2021 22:20:37 GMT+0000 (Coordinated Universal Time)

Encryption Formula
  https://en.wikipedia.org/wiki/ElGamal_encryption
  encrypted = encoded * (recipient ^ randomizer) % modulo
  unlock = (generator ^ randomizer) % modulo

Public Key
  generator: 4
  modulo: 281375633683922886658704963872438275379
  recipient: 162567696536869589189269434776144034905

mayor_vote
  plaintext: London Breed
  encoded: 1652572913926889599950
  randomizer: undefined

verification
  plaintext:
  encoded: 0
  randomizer: undefined

Step 3: Submit Encrypted Vote

The voter sends their encrypted vote + Auth Token to the election administrator.

The election admin confirms the Voter Auth Token matches an eligible voter and hasn't already been used.


{ auth: '1e1b7bae44', mayor_vote: , verification: }



If it passes, the admin adds it to a public list of all votes received so far.


{ auth: '95b116f3e0', mayor_vote: { encrypted: 000271060167390154492082782910089751155, unlock: 121638991167245676449566266625357935461 }, verification: { encrypted: 004207492806974126614777084982049669501, unlock: 038437381520472562970925586983603433508 } }

{ auth: '5fe973806a', mayor_vote: { encrypted: 028585053780644017008543595149854526426, unlock: 018614609968050648689704705714823565351 }, verification: { encrypted: 089224225940029830924499114603604723302, unlock: 000337144828267202492230213459132346020 } }

{ auth: '17f6db2197', mayor_vote: { encrypted: 015214983870764520799383245083236059980, unlock: 158696507768357812946460142419810038722 }, verification: { encrypted: 078706992441682332131523070789733481050, unlock: 000340546754224412134644942384927981932 } }

{ auth: '20342d0fc9', mayor_vote: { encrypted: 267759390829821965916224147611838313315, unlock: 000176421383116260503019959200955656860 }, verification: { encrypted: 000079957363289667782672924044504547872, unlock: 001284102133378466732345445206145293683 } }

{ auth: '1e1b7bae44', mayor_vote: undefined, verification: undefined }



The election administrator has no way to know how a voter voted. Still, they can email voters a confirmation that their encrypted vote has been received and accepted.
This lets the voter know their job is done. It also alerts the voter in case someone else somehow gained access to their auth token. And it serves as a written receipt that the vote was accepted, to allow for auditing.

From: elections@local.gov
To: you@email.com
Subject: Vote Confirmation

Your vote for mayor has been received. Thank you.

The final results will be posted at www.local.gov/election-results when the election closes.

Here is the encrypted vote you submitted:

{ auth: '1e1b7bae44', mayor_vote: , verification: }

If you did not submit this ballot, click here to report a problem.

Voting Period Closes

Step 4: Verifiable Shuffle

All the encrypted votes are then anonymized by the Verifying Observers.

This step de-links voters' identities from the contents of their encrypted votes.




First, the Voter Auth Tokens are removed from the list of all encrypted votes.

{ auth: '95b116f3e0', mayor_vote: { encrypted: 000271060167390154492082782910089751155, unlock: 121638991167245676449566266625357935461 }, verification: { encrypted: 004207492806974126614777084982049669501, unlock: 038437381520472562970925586983603433508 } }

{ auth: '5fe973806a', mayor_vote: { encrypted: 028585053780644017008543595149854526426, unlock: 018614609968050648689704705714823565351 }, verification: { encrypted: 089224225940029830924499114603604723302, unlock: 000337144828267202492230213459132346020 } }

{ auth: '17f6db2197', mayor_vote: { encrypted: 015214983870764520799383245083236059980, unlock: 158696507768357812946460142419810038722 }, verification: { encrypted: 078706992441682332131523070789733481050, unlock: 000340546754224412134644942384927981932 } }

{ auth: '20342d0fc9', mayor_vote: { encrypted: 267759390829821965916224147611838313315, unlock: 000176421383116260503019959200955656860 }, verification: { encrypted: 000079957363289667782672924044504547872, unlock: 001284102133378466732345445206145293683 } }

{ auth: '1e1b7bae44', mayor_vote: , verification: }










Observer #1 then shuffles the votes.

{ mayor_vote: { encrypted: 000271060167390154492082782910089751155, unlock: 121638991167245676449566266625357935461 }, verification: { encrypted: 004207492806974126614777084982049669501, unlock: 038437381520472562970925586983603433508 } }

{ mayor_vote: { encrypted: 028585053780644017008543595149854526426, unlock: 018614609968050648689704705714823565351 }, verification: { encrypted: 089224225940029830924499114603604723302, unlock: 000337144828267202492230213459132346020 } }

{ mayor_vote: { encrypted: 015214983870764520799383245083236059980, unlock: 158696507768357812946460142419810038722 }, verification: { encrypted: 078706992441682332131523070789733481050, unlock: 000340546754224412134644942384927981932 } }

{ mayor_vote: { encrypted: 267759390829821965916224147611838313315, unlock: 000176421383116260503019959200955656860 }, verification: { encrypted: 000079957363289667782672924044504547872, unlock: 001284102133378466732345445206145293683 } }

{ mayor_vote: , verification: }


This randomizes the order of the votes, like mixing them up in a hat.

But this alone isn't enough to properly anonymize them, because the encrypted data — the outsides of our metaphorical locked safes — are still distinguishable. Any computer could quickly reconstruct the original list.






So Observer #1 then picks a new Randomizer integer for each encrypted field and re-encrypts the shuffled votes.

This is like painting over the outside of the safes. The vote content is still safely locked within, and the Observer still has no ability to see or modify what's inside.

SIV is built on modular exponentiation ("modPow"), the operation underlying ElGamal encryption, to enable this re-encryption. The math is equivalent to multiplying X^A * X^B, which equals X^(A+B), where A is the Voter's Randomizer and B is the Re-encrypter's. Because the encryption only needs these exponents to be randomly chosen integers, the underlying contents are unaffected.


{ mayor_vote: { encrypted: 000271060167390154492082782910089751155, unlock: 121638991167245676449566266625357935461 }, verification: { encrypted: 004207492806974126614777084982049669501, unlock: 038437381520472562970925586983603433508 } }

{ mayor_vote: { encrypted: 028585053780644017008543595149854526426, unlock: 018614609968050648689704705714823565351 }, verification: { encrypted: 089224225940029830924499114603604723302, unlock: 000337144828267202492230213459132346020 } }

{ mayor_vote: { encrypted: 015214983870764520799383245083236059980, unlock: 158696507768357812946460142419810038722 }, verification: { encrypted: 078706992441682332131523070789733481050, unlock: 000340546754224412134644942384927981932 } }

{ mayor_vote: { encrypted: 267759390829821965916224147611838313315, unlock: 000176421383116260503019959200955656860 }, verification: { encrypted: 000079957363289667782672924044504547872, unlock: 001284102133378466732345445206145293683 } }

{ mayor_vote: { encrypted: 015214983870764520799383245083236059980, unlock: 158696507768357812946460142419810038722 }, verification: { encrypted: 078706992441682332131523070789733481050, unlock: 000340546754224412134644942384927981932 } }



Now the shuffled list is cryptographically mixed, and its entries can no longer be linked to the original Auth Tokens.

Only Observer #1 can possibly know the exact way they shuffled.

Their shuffled + re-encrypted list is now published publicly.


Each Observer also provides a Zero-Knowledge Proof of a Valid Shuffle. The SIV Shuffling software generates this for them automatically. This proof allows anyone to verify vote accuracy, even if an Observer is dishonest or compromised.




For strong cryptographic privacy, Observer #2 then repeats this same shuffle + re-encryption process, starting with the mixed list from Observer #1.


This way, all of the Observers independently shuffle the encrypted votes, like multiple people shuffling a deck of cards, then handing it off to the next person.

Total privacy is ensured as long as at least a single Observer refuses to share their record of how they shuffled.



Step 5: Votes Unlocked & Tallied

A quorum of Verifying Observers then works together to Unlock the final shuffled list.

This unlocks just the vote contents of the final list, while preserving privacy.


Each Observer's individual key can partially unlock the final votes.






Any voter can Search (Ctrl+F) to find their individual vote, via their Verification #, and see that their vote was counted correctly.



Anyone can tally the final vote count themselves.



Only submissions from authenticated voters were accepted, which can be verified with standard Risk-Limiting Audits after the election.

{ mayor_vote: 'London Breed', verification: '8419-0324-2711' }

{ mayor_vote: 'Angela Alioto', verification: '3479-9440-7990' }

{ mayor_vote: 'Jane Kim', verification: '3112-3899-2801' }

{ mayor_vote: 'Mark Leno', verification: '9309-9012-5171' }

{ mayor_vote: 'London Breed', verification: '' }


Final results:
  1. London Breed: 2
  2. Angela Alioto: 1
  3. Jane Kim: 1
  4. Mark Leno: 1