“E-voting systems are amongst the most complex” 28.10.2021
Academics from the University of Lorraine met Swiss Post’s e-voting team at their cryptography headquarters in Neuchâtel. In an interview with Swiss Post, the leading researchers in the development of the key cryptographic principles for e-voting systems explain various aspects of secure electronic voting from a scientific perspective.
At the “Laboratoire lorrain de recherche en informatique et ses applications” (LORIA) of the University of Lorraine as well as at other universities, several teams are conducting research into the development of the cryptographic and symbolic principles of secure IT systems and the algorithmic number theory. The symbolic analysis of a system enables its cryptographic evidence to be automated using verification software. Presenting the solution’s symbolic analysis is a legal requirement of e-voting systems in Switzerland. Swiss Post tasked a team from LORIA with designing its system’s symbolic analysis. An exchange of experiences between the team of academics and Swiss Post’s e-voting specialists was held as part of this collaboration. The two project leaders, Prof. Dr. Véronique Cortier and Prof. Dr. Pierrick Gaudry, discuss current issues in e-voting research with Xavier Monnat, e-voting product manager at Swiss Post.
What insights did you give Swiss Post’s e-voting team yesterday?
Véronique: We provided Swiss Post’s specialists with a better understanding of the derivation of the symbolic evidence on the cryptographic protocol which Swiss Post set us the task of producing. We explained how we use the Proverif tool and specifically developed it for use in the e-voting system. The tool enables specialists – including outside the specialist field of e-voting – to check whether the evidence in the cryptographic protocol is correct using a software-based automated procedure.
Have you learned anything from your visit to Switzerland?
Pierrick: We conduct research at the university, produce hypotheses and then prove them in scientific studies. A key element of our scientific work is the exchange of experiences with industry where we gain insights into the implementation of our academic expertise in a software solution. This dialogue is invaluable in terms of identifying challenges which we can then focus on in our research. Here scientific and industry-relevant knowledge enrich one another. We’re also gaining an understanding of the e-voting landscape beyond France through our collaboration with Swiss Post.
How do the e-voting framework conditions differ between the countries you mentioned?
Véronique: The major difference between Switzerland and France is in the physical casting of votes. While most of the electorate cast their votes physically at the ballot box in France, the preferred method of voting in Switzerland is the postal vote. From a scientific perspective, casting votes at the ballot box – like in France (without electronic voting machines) – is much more secure than postal voting. There’s also a political and cultural difference in terms of assessing the risk of buying votes. While this is regarded as one of the main challenges in postal or online voting in many European countries, Switzerland deems it a negligible risk. This means technical methods for identifying conspicuous identical voting patterns – suggesting that votes have been cast under (financial) pressure – are not relevant in Switzerland.
How does an e-voting system differ from other software?
Véronique: There are several differences when comparing e-voting solutions with other systems which process sensitive data. If your e-banking account gets hacked, it’s immediately obvious because money is missing. In contrast, an attack on an e-voting system is not immediately evident because only the people themselves know how they voted. This has to be the case to ensure voting secrecy. But there is much greater need to identify manipulation of e-voting systems – in view of their relevance to democracy and society – than an attack on an e-banking system. The misconduct of an individual when it comes to voting has consequences for the collective, whereas people who adopt a high-risk approach to e-banking only harm themselves.
Pierrick: E-voting systems are amongst the most complex out there. This is due to the characteristics Véronique has alluded to. The architecture of these systems is also highly complex as they define lots of roles and responsibilities assigned to various organizations. Swiss Post’s e-voting system is much more complex than other solutions.
What does that mean for research into e-voting?
Véronique: E-voting is a specialist field in its own right. The cryptographic methods used are highly specialized and are not applied widely in other electronic services. E-voting system specifications also go well beyond standard as both security and transparency of the data processed are required.
This means e-voting is also a niche area in research. If there were a bigger e-voting market – in other words, if more countries used e-voting systems – this would also lend impetus to research on the topic. This is why pioneering projects, such as those being carried out in Estonia and Switzerland, are of such great interest to researchers.
What are the key requirements for ensuring an e-voting system is secure?
Véronique: The basis for ensuring a secure e-voting system is the cryptographic principles which allow two conflicting requirements to be met – guaranteeing voting secrecy, while also enabling all votes to be verified.
Pierrick: Security is always a question of assessing the risks. To guarantee the security of IT systems, assumptions are made about whether system components and the actors involved are trustworthy. The security requirements are very high for e-voting in Switzerland. There are several components in the system which are not classified as trustworthy, such as the servers of voters.
However, in the Belenios e-voting systemTarget not accessible, which we developed for use in association ballots or at local level, the VotingClient of the voter is classified as trustworthy. The system architecture and cryptographic methods, which guarantee the security of a system, also differ depending on system requirements. As I mentioned before, a cultural difference that exists between Switzerland and other countries is the assessment of the risk of buying votes.
How can you check that votes in the electronic ballot box have not been manipulated without decrypting the individual votes?
Véronique: How this is implemented technically depends on the technology used. Generally speaking, I would say that cryptographic elements guarantee the result of the vote tallies with the total number of votes cast electronically. During the process from the casting of votes to their registration in the electronic ballot box, the system produces cryptographic evidence. This evidence can be checked by independent verification software. Any expert can verify this. If all the evidence is registered correctly, this proves that the electronic voting was not manipulated.
Switzerland is one of the few countries to have conducted e-voting trials and that will continue to do so in future. Do you think democracy will become increasingly digital and that more countries will come to rely on e-voting in future?
Pierrick: We can’t predict which path countries will take. Estonia and Switzerland are two interesting, albeit very different, examples of the use of e-voting. In Estonia, the use of the system is closely linked to the strong government e-ID. Other countries do not have this foundation of an extensive state e-ID. In my view, many countries will firstly focus on establishing this basis to enable them to then digitize other state services, such as voting.
The situation in Switzerland is different. Postal voting is extremely commonplace here. This means e-voting isn’t linked with a state e-ID. Swiss voters receive the e-voting login details by post in the same way as the voting documents.
Véronique: Switzerland is playing a vital role in preparing the terrain for e-voting. It sets high standards for the e-voting trials and makes them legally binding. Swiss Post is playing its part and is developing a system that meets these legal requirements. The level of security and technical implementation represent the state-of-the-art in current research. Switzerland and Swiss Post have set the bar high as far as the launch of e-voting is concerned and may serve as a model for other countries.