Ask HN: How would you implement a secure online voting system?

(item?id=19137493)

6 points | by CM30 69 days ago

7 comments

  • jakobov 68 days ago

    I came up with a design many years ago that is both verifiable, mostly anonymous and does not require a trusted authority.

    The basic idea is as follows:

    1. The server maintains a public DB of valid registered voters.
    2. When users are ready to vote, the server groups voters into small groups of size n (n ≈ 10-20 voters).
    3. The server shares IP information of group members so the group members can connect to one another directly.
    4. Voters vote and create a random anonymous identifier to tag their vote with.
    5. Votes + tags (no voter id) are passed back and forth between all the voters in the group until every voter has the vote of every other group member. (Now there are n copies of all the votes.)
    6. Each voter sends all the votes back to the server.
    7. The server verifies that all sets of votes agree and then publishes the votes along with tags to the public. If the votes don't agree (i.e. one of the group members was naughty) then the server breaks up the group, creates new groups and tries again.
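
Simulation of the group-exchange protocol sketched in the comment above. This is an added example, not the commenter's code: the voter names, their choices, the one misbehaving voter and the `run_election` driver are all constructed, and the peer-to-peer exchange of step 5 is modelled as in-process function calls rather than real network traffic. One precaution not in the comment is that the server refuses to publish from a group too small to cross-check.

```python
"""Simulation of the group-exchange voting protocol (added example).

Voter names, choices and the misbehaving voter are constructed; the
peer-to-peer exchange is modelled as in-process calls, not network I/O.
"""
import secrets
from typing import Dict, List, Set, Tuple

Ballot = Tuple[str, str]  # (random anonymous tag, choice); no voter id inside


class Voter:
    def __init__(self, voter_id: str, choice: str, dishonest: bool = False) -> None:
        self.voter_id = voter_id
        self.choice = choice
        self.dishonest = dishonest
        self.tag = secrets.token_hex(16)  # step 4: anonymous tag for the vote
        self.seen: Set[Ballot] = set()

    def ballot(self) -> Ballot:
        return (self.tag, self.choice)

    def receive(self, ballots: Set[Ballot]) -> None:
        self.seen |= ballots  # step 5: merge whatever a peer forwarded

    def report(self) -> Set[Ballot]:
        """Step 6: send the complete set to the server.

        The constructed dishonest voter drops one peer's ballot and injects
        a fake one; honest voters report exactly what they collected."""
        if not self.dishonest:
            return set(self.seen)
        tampered = set(sorted(self.seen)[1:])
        tampered.add((secrets.token_hex(16), "stuffed"))
        return tampered


def exchange(group: List[Voter]) -> None:
    """Steps 3-5: one broadcast round suffices when every member can reach
    every other member directly."""
    for v in group:
        v.seen = {v.ballot()}
    for sender in group:
        for receiver in group:
            if receiver is not sender:
                receiver.receive(sender.seen)


def server_check(group: List[Voter]) -> Tuple[bool, Set[Ballot]]:
    """Step 7: accept the n copies only if they all agree.

    A group of one cannot be cross-checked at all, so it is refused here
    (an added precaution; the comment does not say this)."""
    if len(group) < 2:
        return False, set()
    reports = [v.report() for v in group]
    if all(r == reports[0] for r in reports[1:]):
        return True, reports[0]
    return False, set()


def run_election(voters: List[Voter], group_size: int,
                 max_rounds: int = 5) -> Tuple[Dict[str, int], Set[str]]:
    """Group, exchange, publish agreeing groups, regroup the rest and retry.

    Returns the public tally and the ids of voters whose ballots were never
    published because every group they landed in disagreed."""
    published: Set[Ballot] = set()
    pending = list(voters)
    for _ in range(max_rounds):
        if not pending:
            break
        groups = [pending[i:i + group_size] for i in range(0, len(pending), group_size)]
        pending = []
        for g in groups:
            exchange(g)
            ok, ballots = server_check(g)
            if ok:
                published |= ballots
            else:
                pending.extend(g)  # break the group up and try again
        secrets.SystemRandom().shuffle(pending)
    tally: Dict[str, int] = {}
    for _tag, choice in published:
        tally[choice] = tally.get(choice, 0) + 1
    return tally, {v.voter_id for v in pending}


if __name__ == "__main__":
    # Constructed electorate: five honest voters and one who tampers in step 6.
    electorate = [Voter("A", "yes"), Voter("B", "no"), Voter("C", "yes"),
                  Voter("D", "yes"), Voter("E", "no"), Voter("M", "yes", dishonest=True)]
    print(run_election(electorate, group_size=3))
```

Running the constructed electorate above publishes the first group's three ballots and leaves the second group unpublished: disagreement alone does not tell the server which of the n copies is the forged one, so a persistent misbehaver keeps every group they are regrouped into from ever being published. The tags also show where the "mostly anonymous" caveat comes from: a published tag is unlinkable to a voter id only within the group that the server itself chose and introduced by IP address.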

    • dovetailcode 68 days ago

      Why is online voting needed? As technologists we are sometimes suggesting and using technology to solve problems where technology creates more problems than it solves. If voting systems are online, they can be corrupted/hacked en masse. If it is paper, the corruption/hacking is much harder to accomplish logistically.

      Take the US presidential election as an example. Voting happens on the first Tuesday in November and the winner takes office on Jan 20th. That is over 2 months elapsed time. We don't need to know the winner on election night. Even if it takes 3 weeks to get accurate counts in a close race, there is still plenty of time for transition.

      • chefkoch 68 days ago

        > We don't need to know the winner on election night.

        Other countries count the paper votes in one night; why shouldn't the US manage to?

        /edit: I don't really see the need for online voting if you only vote every other year.

        • CM30 66 days ago

          There's no real need here, this is just for fun. It's just a hypothetical question about how you would make online voting secure if you had to build it.

          • maceurt 68 days ago

            The voter turnout for the average presidential election is < 50%. A lot of that is because people do not have ways to get to the polling stations.

            • dovetailcode 67 days ago

              It really should just be a national holiday. I think I read one of the states decided to get rid of Columbus Day and have a holiday on election day.

              • chefkoch 68 days ago

                This can be fixed with early voting and absentee ballots.

                No need for online voting.

                • maceurt 68 days ago

                  It hasn't been fixed though, and we have early voting and absentee ballots. I mean, if we really wanted to fix it we could without using online voting, but higher voter turnout is just one upside of online voting.

            • Chyzwar 69 days ago

              It can be done. Every voting machine gets a key. Voting machines send results inside a secure VPN network. The votes themselves can be duplicated on paper inside the voting machine. The voting machine might not need to be connected to the internet, as you can have a separate terminal operated by a staff member.

              We have had ATMs working securely for decades. It is a largely solved problem. The problem is that the government is not willing to pay for a secure solution.

              • rezahandzalah 68 days ago

                How similar are the requirements of ATM and voting systems?

              • tmaly 69 days ago

                I would think this might actually be a good application for the blockchain with smart contracts

                • itamarst 68 days ago

                  There's a lot of academic research about electronic voting. A quick search on scholar.google.com brings up https://pdfs.semanticscholar.org/9cb3/cd86b699b124348b21e936..., and I'm sure there's much more out there.

                  • rolph 69 days ago

                    My first principle would be to remember that network security and online security are oxymorons, e.g. [fresh frozen, jumbo shrimp, military intelligence].

                    Network connectivity degrades security, and security is a limitation of connectivity.

                    • gtsteve 68 days ago

                      Blockchain is of course an interesting idea but what I don't really like about it is that someone with more than 50% control can take over the blockchain. While you could see that unfriendly action happening, an adversary could probably create enough chaos to throw doubt on the system. I have been considering an alternative.

                      In the UK, we have a postal voting system, which can be used by those unable or unwilling to travel to a polling station. You receive a ballot paper and two envelopes to put that ballot paper in. Perhaps other countries have something similar.

                      You put the ballot paper in envelope A, which is a plain envelope. You then put envelope A in envelope B, which has some sort of barcode on it to ensure that there are only a limited number of B envelopes. I assume there is therefore a register of those who have voted (just as we have at physical polling stations to prevent double voting).

                      The B envelopes are torn open and then the A envelopes are gathered. Then the A envelopes are torn open and the votes mixed in with the rest of the votes at polling day.

                      So another idea might be to double encrypt your voting message. The first message is signed against the key of the verification authority and contains a verification code. The second is signed against the counting authority. The verification system verifies that the vote is valid and hasn't been sent twice and then this is passed to the counting authority which is able to open just the vote message itself without more information.

                      Drawbacks:

                      1. We trust the verification authority to not send more votes than it receives

                      2. We trust the verification certificate and counting certificates are never in the same place. Hardware security modules can help with this.

                      3. We trust the client-side encryption is correctly implemented

                      4. We trust that the two authorities have the best interests of democracy at heart

                      5. We trust that the proposed system isn't just a total lie

                      So in other words, we trust the same things that we trust with postal votes - that there is a sufficiently decentralised organisation with enough checks and balances and eyes on what is going on to correctly blow the whistle if anything fraudulent is seen.

                      TL;DR: You need to trust somebody.
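
The double-encrypted version of the two-envelope scheme from the comment above, as an added example (not the commenter's code). Python's standard library has no public-key encryption, so a symmetric authenticated cipher (HMAC-SHA256 keystream, encrypt-then-MAC under derived subkeys) stands in for "encrypted to the authority's key": in this toy, only the holder of an authority's key can open an envelope addressed to it, which is the property the scheme relies on. The keys, the register of verification codes, the ballots and the `reconcile` cross-check are all constructed; the toy cipher is for the demo only.

```python
"""Two-envelope electronic ballot (added example, toy cipher stands in for
public-key encryption). Keys, codes and ballots are constructed."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Set

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, purpose: bytes) -> bytes:
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC, separate enc/mac subkeys)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_envelope(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError for the wrong key or a modified envelope."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered envelope")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def can_open(key: bytes, blob: bytes) -> bool:
    try:
        open_envelope(key, blob)
        return True
    except ValueError:
        return False


def cast_vote(verification_key: bytes, counting_key: bytes, code: str, choice: str) -> bytes:
    """Client side: envelope A (ballot only) sealed to the counting authority,
    then placed with the verification code inside envelope B, sealed to the
    verification authority."""
    envelope_a = seal(counting_key, json.dumps({"choice": choice}).encode())
    return seal(verification_key, json.dumps({"code": code, "a": envelope_a.hex()}).encode())


class VerificationAuthority:
    """Opens B, checks the code is registered and unused, forwards A unopened.
    It never holds the counting key, so it cannot read the choice."""

    def __init__(self, key: bytes, registered_codes: Set[str]) -> None:
        self.key = key
        self.registered = set(registered_codes)
        self.used: Set[str] = set()
        self.forwarded: List[bytes] = []
        self.rejected: List[str] = []

    def process(self, envelope_b: bytes) -> bool:
        try:
            outer = json.loads(open_envelope(self.key, envelope_b))
        except ValueError as exc:
            self.rejected.append(str(exc))
            return False
        code = outer["code"]
        if code not in self.registered:
            self.rejected.append(f"unregistered code {code}")
            return False
        if code in self.used:
            self.rejected.append(f"duplicate code {code}")
            return False
        self.used.add(code)
        self.forwarded.append(bytes.fromhex(outer["a"]))
        return True

    def hand_over(self) -> List[bytes]:
        """Mix the A envelopes (the postal 'mixed in with the rest') so their
        order cannot be matched back to the order codes were verified in."""
        mixed = list(self.forwarded)
        secrets.SystemRandom().shuffle(mixed)
        return mixed


class CountingAuthority:
    """Opens A only; it never sees a verification code."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def count(self, envelopes_a: List[bytes]) -> Dict[str, int]:
        tally: Dict[str, int] = {}
        for env in envelopes_a:
            choice = json.loads(open_envelope(self.key, env))["choice"]
            tally[choice] = tally.get(choice, 0) + 1
        return tally


def reconcile(accepted_codes: int, tally: Dict[str, int]) -> bool:
    """Public cross-check aimed at drawback 1: ballots counted must equal
    codes accepted. Added here; it only helps if both numbers are published."""
    return accepted_codes == sum(tally.values())
```

The demo enforces the key separation only by construction: both keys exist in the same process, which is exactly drawback 2. In a deployment the verification key and the counting key would live in separate HSMs operated by separate organisations, and the `reconcile` count is published by both sides so that an authority forwarding more A envelopes than it accepted codes (drawback 1) shows up as a mismatch rather than silently inflating the tally.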