- The paper introduces RemoteVote and SAFE Vote, novel E2E-V systems designed to secure vote-by-mail without altering voter experience.
- It leverages public randomness in RemoteVote and scratch-off challenges in SAFE Vote to simplify verification while ensuring ballot secrecy.
- Evaluation against STROBE demonstrates improved usability, scalability, and auditability, paving the way for practical postal voting security.
RemoteVote and SAFE Vote: Towards Usable End-to-End Verification for Vote-by-Mail
Introduction
The rapid increase in postal voting in the U.S. highlights the critical need for secure vote-by-mail (VbM) options. Traditionally, end-to-end verifiable (E2E-V) voting systems enhance election integrity in in-person or online contexts, but adapting these systems to VbM scenarios is challenging. This paper introduces RemoteVote and SAFE Vote, novel systems designed to bring the benefits of E2E-V voting to the postal voting process without altering the traditional voter experience. These systems are evaluated against existing solutions like STROBE, showcasing their potential to advance practical VbM election security.
The STROBE Voting system by Benaloh presents a significant attempt to adapt E2E-V systems for VbM, addressing the critical challenge of high-latency communication between voters and authorities. STROBE's method involves sending multiple encryptions to voters and allowing them to select which to use, with the authority completing the process publicly. Although innovative, STROBE has practical limitations: it requires multiple ballots per voter, which increases costs, and it risks confusing voters who receive multiple ballots and inviting distrust if both ballots in a twin set are processed.
Proposed Systems
RemoteVote
RemoteVote simplifies the voter interaction by eliminating interactivity and relying on a public, non-interactive challenge process, improving over STROBE's dual-ballot requirement. Voters receive paired encrypted ballots, with randomness used to publicly spoil one column from each pair. This public randomness minimizes reliance on the authenticity of private communications, providing collective verifiability and unobservable auditing. Observers can then ensure the spoiled column matches the intended encryptions, with any discrepancies addressed at the ballot level by voters during their custody.

Figure 1: RemoteVote
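The public spoil-and-check step described for RemoteVote can be sketched as follows. This is an added example, not code from the paper or its authors: it uses exponential ElGamal over a toy group, and the function names, the hash-based derivation of the spoil bit, and the beacon value are all assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only (far too small for real use):
# P = 2Q + 1 is a safe prime and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def encrypt(pk, m, r):
    """Exponential ElGamal encryption of option index m with randomness r."""
    return (pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P)

def make_ballot(pk, n_options):
    """Authority: two columns, each encrypting every option with fresh randomness.
    Returns (published ciphertexts, randomness kept secret until the challenge)."""
    rand = [[secrets.randbelow(Q) for _ in range(n_options)] for _ in range(2)]
    cts = [[encrypt(pk, m, r) for m, r in enumerate(col)] for col in rand]
    return cts, rand

def spoil_bit(beacon, ballot_id):
    """Public challenge: which column (0 or 1) of this ballot gets spoiled.
    Assumes the beacon is published only after all ciphertexts are posted."""
    digest = hashlib.sha256(beacon + ballot_id.to_bytes(8, "big")).digest()
    return digest[0] & 1

def audit_column(pk, column, opened):
    """Observer: re-encrypt each option with the opened randomness and compare
    against what was posted. Any mismatch means the column was malformed."""
    return len(column) == len(opened) and all(
        encrypt(pk, m, r) == ct for m, (ct, r) in enumerate(zip(column, opened)))

def audit_election(pk, board, openings, beacon):
    """Return the ids of ballots whose spoiled column fails the check.
    openings[i] is the randomness the authority released for ballot i."""
    return [i for i, cts in enumerate(board)
            if not audit_column(pk, cts[spoil_bit(beacon, i)], openings[i])]

if __name__ == "__main__":
    pk = pow(G, secrets.randbelow(Q), P)          # election public key
    ballots = [make_ballot(pk, 3) for _ in range(5)]
    board = [cts for cts, _ in ballots]
    beacon = b"constructed-beacon-value"          # stand-in for public randomness
    openings = [rand[spoil_bit(beacon, i)] for i, (_, rand) in enumerate(ballots)]
    print("failed ballots:", audit_election(pk, board, openings, beacon))
```

Because the authority cannot predict which column the beacon will spoil, a malformed column on any one ballot is caught with probability 1/2, and the unspoiled column's randomness is never released.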
SAFE Vote
SAFE Vote incorporates a physical challenge element on each ballot, retaining interactivity in the verification process while resolving STROBE's aforementioned issues. It allows for discretionary verification by incorporating scratch-off surfaces that conceal randomness necessary to decrypt and verify the ballot encryptions. Voters independently audit ballots during their custody, ensuring a direct assessment before ballots are cast. This approach enables selection consistency, individual verification, and immediate fraud evidence during the verification phase.
Implementation Considerations
Both systems leverage ElGamal encryption and PPATS within a homomorphic tallying framework, generating commitments that maintain ballot secrecy even if cryptographic assumptions are compromised. SAFE Vote integrates a scratch-off approach allowing voters immediate independent verification, while RemoteVote uses public randomness for equitable auditing. Both systems provide a balance between usability and verifiability, supporting complex tallying methods and maintaining voter privacy and anonymity.
The integration of commitment-consistent encryptions (CCEs) allows the system to achieve everlasting privacy properties, critical in the evolving cryptographic landscape. The systems are designed to scale with the logistical needs of real-world elections, maintaining practical limits on costs and resources while enhancing security.
Comparison and Conclusion
The comparative analysis reveals that RemoteVote and SAFE Vote each extend STROBE by enhancing usability and verification properties without compromising the integrity and privacy of the election process. RemoteVote provides better public transparency and collective auditability, while SAFE Vote prioritizes discretion and individual voter agency in verification. A synthesized system could combine the strengths of both, albeit with increased complexity.
Both RemoteVote and SAFE Vote are promising developments toward universal E2E-V in postal voting. While further testing and refinement are required, they establish a foundation for secure, verifiable mail-in voting, essential for future electoral processes as trends continue toward greater reliance on postal voting. The work herein contributes significantly to the practical realization of secure and accessible election systems for all voting methodologies.