The Important Uses of Cryptography in Electronic Voting and Counting
Cryptography offers a number of benefits to electronic voting and counting solutions. It may be used to perform tasks such as encrypting votes and digital ballot boxes, ensuring votes and software are unmodified, verifying the identity of a voter before he or she casts a ballot, and assisting in auditing and tallying the results of an election. Traditionally, cryptography (from the Greek for “hidden writing”) was used to conceal information between two people using a secret key known only to them. Over time, it expanded into the art and science of using mathematics (in the form of algorithms) to hide information, protect privacy, ensure files are not altered and prove the identity of a message’s sender. Considering the paramount importance of ballot secrecy and fraud detection, cryptography has proved a useful tool for countries employing election technologies.
Encryption and Decryption
Encryption and decryption are among the most common uses of cryptography. Encryption is the process of obscuring information, and decryption reverses this process. Keys are the secret pieces of information necessary to encrypt and decrypt data. Encrypted data is unintelligible, and without the correct decryption key it cannot be recovered in its original form. A very simple example of encryption is to increment each letter in a block of text by one letter (i.e., “a” becomes “b,” “b” becomes “c,” etc.), so “Election Day” would become “Fmfdujpo Ebz”; here the key is the size of the shift. Decryption of the text requires that each letter be decremented by one.
Ensuring that a key remains secret is paramount to ensuring encrypted information remains hidden. With the advent of computer-based cryptography, keys are now represented as large, nearly random strings of letters and numbers such as 2b7e151628aed2a6abf7158809cf4f3c (this number would typically be much larger). Different methods of encryption and decryption have different properties; some function more quickly, are more difficult to break, can be transmitted more rapidly or work better on slower computer processors.
For electoral purposes, encryption is often used to obscure the contents of a voter’s ballot selections and the contents of a digital ballot box. The voter’s encrypted ballot selections may be stored on a voting machine or sent over an insecure channel like the Internet or the telephone network. When casting an electronic vote, the value of the vote will be encrypted using an encryption key produced by the EMB and available at all electronic voting locations. However, only the EMB will have the key that is needed to decrypt encrypted data.
Another cryptographic function is the hash (often called a cryptographic hash). A hash function “reads in” a piece of information (e.g., a file) and outputs a fixed-length string of numbers and letters that is, for all practical purposes, unique to that input. Just as with encryption, there are different hashing algorithms with different characteristics. Using the SHA-256 hashing algorithm, the word “election” hashes to: c7a19845b9e9de079260094d79525957. But when using the same algorithm and inputting the word “elections” (notice there is only a one-letter difference), the output is completely different: b9dd4e28c0fe5673909bb6c0615f5f22. This is the point of hashes – detecting changes. A file of any size can be passed through the hashing algorithm, even large and complex computer programs. Hashes can identify a one-character modification to a vote stored on a computer, the software running on a voting machine, or even an entire operating system.
There are many applications of this concept to voting. In the U.S., a public repository known as the National Software Reference Library (NSRL) stores the hashes of voting system source code and the compiled versions of software that are used for voting and counting systems. Some EMBs verify all software before installing it on voting machines by “hashing” the software and checking the result against the hash values in the NSRL. This process helps to identify malicious modifications to the software, but many election officials also state this process helps identify when incorrect versions are about to be installed or when software is corrupted.
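The NSRL-style check described above, as an added example that is not code from the original article or from the NSRL: a reference manifest of trusted image digests is built (the image bytes and names are constructed for this example), each image about to be installed is hashed and compared against it, and a bit count shows how far apart the digests of two nearly identical inputs land.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"math/bits"
)

// Fingerprint returns the hex-encoded SHA-256 digest of a software image
// (or any file): 64 hex characters regardless of the input size.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest records the reference digest of each trusted image, the
// role the NSRL plays for certified voting software.
func BuildManifest(trusted map[string][]byte) map[string]string {
	m := make(map[string]string, len(trusted))
	for name, image := range trusted {
		m[name] = Fingerprint(image)
	}
	return m
}

// VerifyImage hashes the image about to be installed and compares it with
// the manifest entry. An unknown name, a corrupted file, a wrong version or
// a single flipped byte all produce a mismatch.
func VerifyImage(manifest map[string]string, name string, image []byte) bool {
	want, ok := manifest[name]
	if !ok {
		return false
	}
	got := Fingerprint(image)
	return subtle.ConstantTimeCompare([]byte(want), []byte(got)) == 1
}

// DifferingBits counts the output bits that differ between two hex digests;
// for inputs one character apart roughly half of the 256 bits change.
func DifferingBits(hexA, hexB string) int {
	a, _ := hex.DecodeString(hexA)
	b, _ := hex.DecodeString(hexB)
	n := 0
	for i := range a {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}
```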
Digital signatures are mathematical functions that work in a similar manner to cryptographic hashes and also help identify who sent a message or file. Digital signatures are not analogous to physical handwritten signatures, as they provide much stronger proof of who “signed” a message. A digital signature is different for every message, making it much more difficult to forge another person’s signature. In elections, digital signatures are used to “sign” the contents of a digital ballot box or a voter’s ballot selections, thus helping ensure the ballot box or vote was not altered. For tampering to go undetected, the attacker would also have to forge the signature, which requires knowing another person’s, or the EMB’s, secret key.
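Sealing a digital ballot box with a signature, as an added example that is not code from the original article: the box is serialised deterministically, its SHA-256 digest is signed with an Ed25519 key (the `BallotBox` layout and the ballot strings are constructed for this example), and verification fails if any ballot is altered, reordered, or the signature was made with a different key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// BallotBox is the digital ballot box: encrypted ballots in storage order.
// Constructed layout for this example only.
type BallotBox struct {
	Precinct string   `json:"precinct"`
	Ballots  []string `json:"ballots"` // hex ciphertexts, opaque here
}

// NewSigningKey creates the EMB's (or a voting machine's) Ed25519 key pair.
// The private half must never leave the signer.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// canonical serialises the box deterministically and hashes it, so that the
// same contents always produce the same bytes to sign and verify.
func canonical(box BallotBox) []byte {
	b, _ := json.Marshal(box)
	sum := sha256.Sum256(b)
	return sum[:]
}

// SealBox signs the ballot box digest. The signature is specific to these
// contents and this key; changing either invalidates it.
func SealBox(priv ed25519.PrivateKey, box BallotBox) []byte {
	return ed25519.Sign(priv, canonical(box))
}

// VerifyBox reports whether sig was produced over exactly this box by the
// holder of the private key matching pub.
func VerifyBox(pub ed25519.PublicKey, box BallotBox, sig []byte) bool {
	return ed25519.Verify(pub, canonical(box), sig)
}
```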
The order in which data is stored on electronic voting or counting systems can be used to link the identity of the voter to the value of the vote, if the order in which voters cast their ballots is also observed. Cryptographic schemes have been developed to protect the secrecy of stored votes. A mix-net takes encrypted, stored data and then re-encrypts it and mixes the order in which it is stored. Only then are the data decrypted and the values of the votes revealed. As the order of the original vote data has been changed and the encrypted value of the stored vote data has also been changed (it was re-encrypted as it passed through the mix-net), there is no way that decrypted vote values can be linked back to either the original data received or the identity of voters.
Another solution used to protect the secrecy of stored votes is homomorphic cryptography, which allows the votes in the electronic ballot box to be tabulated while still encrypted. As individual votes are never decrypted, there is no possibility of linking voters to the way that they voted. Votes may even be posted to a public bulletin board for independent tabulation by anyone to verify the outcome of the election.
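Both the re-encryption step of a mix-net (previous paragraph) and the encrypted tally of a homomorphic scheme (this paragraph) can be shown with exponential ElGamal, as an added example that is not code from the original article. The 10-bit group parameters are constructed for illustration only, each ballot is assumed to be a 0 or 1 answer to a yes/no question, and the shuffle itself (reordering the re-encrypted ballots) is left to the caller.

```go
package main

import (
	"crypto/rand"
	"math/big"
)

// Toy group, constructed for illustration only (a real election would use a
// 2048-bit or larger group): p = 2q+1 is a safe prime and g = 4 has order q.
var p, q, g = big.NewInt(1019), big.NewInt(509), big.NewInt(4)

type Ciphertext struct{ C1, C2 *big.Int } // exponential ElGamal: (g^r, g^v * h^r)

// KeyGen returns the EMB's secret key x and public key h = g^x mod p.
func KeyGen() (x, h *big.Int) {
	x, _ = rand.Int(rand.Reader, q)
	return x, new(big.Int).Exp(g, x, p)
}

// Encrypt puts the vote in the exponent, so multiplying ciphertexts adds votes.
func Encrypt(h *big.Int, v int64) Ciphertext {
	r, _ := rand.Int(rand.Reader, q)
	c2 := new(big.Int).Exp(g, big.NewInt(v), p)
	c2.Mul(c2, new(big.Int).Exp(h, r, p)).Mod(c2, p)
	return Ciphertext{C1: new(big.Int).Exp(g, r, p), C2: c2}
}

// Add homomorphically combines two ciphertexts into an encryption of v1+v2.
func Add(a, b Ciphertext) Ciphertext {
	c1 := new(big.Int).Mul(a.C1, b.C1)
	c2 := new(big.Int).Mul(a.C2, b.C2)
	return Ciphertext{C1: c1.Mod(c1, p), C2: c2.Mod(c2, p)}
}

// ReEncrypt multiplies in a fresh encryption of zero: the stored bytes change
// but the vote does not. A mix-net does this to every ballot before shuffling.
func ReEncrypt(h *big.Int, c Ciphertext) Ciphertext { return Add(c, Encrypt(h, 0)) }

// Decrypt recovers g^v and searches v in [0, maxVotes]; run only on the tally.
func Decrypt(x *big.Int, c Ciphertext, maxVotes int64) (int64, bool) {
	s := new(big.Int).Exp(c.C1, x, p)
	gv := new(big.Int).ModInverse(s, p)
	gv.Mul(gv, c.C2).Mod(gv, p)
	for v := int64(0); v <= maxVotes; v++ {
		if new(big.Int).Exp(g, big.NewInt(v), p).Cmp(gv) == 0 {
			return v, true
		}
	}
	return 0, false
}
```

Because only the product of all ciphertexts is ever decrypted, the EMB learns the total without ever seeing an individual ballot in the clear.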