Direct-recording electronic (DRE) machines have been extensively used for in-person voting at polling stations around the world, particularly in USA, India and Brazil. However, the currently deployed DRE machines are unverifiable, which is commonly regarded as a critical weakness. In an unverifiable e-voting system, the DRE machine works like a black box: if an attacker maliciously changes the votes (or the electronic tally thereof), it is unlikely that the public will notice the change.
Previous solutions for DRE-based elections offer end-to-end (E2E) verifiability to allow voters to verify the integrity of the voting process, but they require a set of trustworthy tallying authorities (TAs). Each TA is responsible for safeguarding a share of the decryption key, and when the voting is finished, a quorum of the TAs will jointly perform the decryption and subsequently the tallying process in a publicly verifiable manner. However, the implementation of such TAs has proved rather difficult due to the complexity in the key management and a very high level of computing and cryptographic expertise required.
One technique developed by researchers at the School of Computing Science, Newcastle University, attempts to achieve E2E verifiability for a DRE-based election without involving any external TAs, by providing a TA-free E2E voting protocol, called Direct Recording Electronic with integrity, or DRE-i. The DRE-i system removes the need for external TAs by pre-computing encrypted ballots in a structured manner such that after the election, multiplication of all the published ciphertexts cancels out random factors that were introduced in the initial encryption progress, and permits anyone to verify the tally.
One problem with DRE-i is that its pre-computation strategy inevitably introduces the requirement of keeping the pre-computing data secret. Leakage of those data may endanger the voter's privacy. While it is possible to use tamper resistant hardware to protect the secrecy of pre-computed data for high security assurance, this may significantly drive up the cost for each DRE machine. In reality, the security of tamper resistant hardware is relative to its cost. In the extreme case that the tamper resistance is compromised, the privacy of all votes will be lost.
Hence, the challenge is to achieve strong assurance on the integrity for a DRE-based election without involving any external TAs, and simultaneously, achieve strong guarantee on the privacy of votes without depending on tamper resistant hardware.
To overcome these limitations we have developed a solution called the Direct Recording Electronic with integrity and privacy, or DRE-ip. Instead of pre-computing encrypted ballots before the election, in DRE-ip each vote is encrypted in real-time during voting. Novel cryptographic algorithms are applied to achieve the same E2E verifiability as DRE-i without requiring any tallying authorities, but with significantly stronger guarantee on the voter secrecy than DRE-i. Since ballot information does not need to be pre-computed in advance, tamper resistant hardware is not required to store the information. In the event of an intrusive attack that fully compromises everything in the DRE machine, only the partial tally at the attack time is revealed, which is the minimum information leakage. The assurance on the integrity of the cast ballots remains unaffected due to the E2E verifiability built in the design of DRE-ip. The key innovation in our research is summarized in Fig 1. DRE-i and DRE-ip are examples of "self-enforcing e-voting" (SEEV) systems: namely E2E e-voting systems that do not rely on any tallying authorities. The pre-computing strategy makes DRE-i particularly suitable for Internet voting. Because the ballots are pre-computed, the server can easily handle many ballot casting requests at the same time. By contrast, DRE-ip is particularly suitable for polling station voting. The ballots are encrypted in real-time when the voters queue to vote. In the case that the DRE machine is completely compromised, only the minimum information is leaked, i.e. the partial tally at the time of compromise.
A prototype of the DRE-ip voting system has been developed using a Google Pixel C tablet as the touch-screen frontend linked with a thermal printer for printing receipts, and a web server in the backend for issuing and publishing receipts. The prototype was successfully tested in a campus e-voting trial in Newcastle University on 22 May, 2017 with very positive user feedback. Further trials are planned in collaboration with the Newcastle/Gateshead councils for the local elections in May/June 2018.
Newcastle University is currently seeking industrial partners to develop the self-enforcing e-voting technologies, particularly the DRE-ip system, for commercial use in large-scale elections.
A GB patent application has been filed for this technology. A US patent is pending.
Title: End-to-end verifiable e-voting system without tallying authorities
Application No: GB1607597.0
Filing Date: 29/04/2016
Mr Graeme Young, Science, Agriculture & Engineering Enterprise Team, Research and Enterprise Services, Devonshire Building, Newcastle University, Newcastle upon Tyne, NE1 7RU, UK