Direct Recording Electronic with integrity

Last updated June 12, 2023

Direct Recording Electronic with Integrity (DRE-i) is an End-to-End (E2E) verifiable e-voting system, first designed by Feng Hao and Matthew Kreeger in 2010 ^[1] and formally published in 2014 with additional authors Brian Randell, Dylan Clarke, Siamak Shahandashti, and Peter Hyun-Jeen Lee. ^[2]

DRE-i is the first E2E verifiable e-voting system without involving any tallying authorities. The authors call such a tallying-authority-free E2E voting system "self-enforcing e-voting".^[2] The removal of tallying authorities is realized in DRE-i by pre-computing encrypted ballots in a structured way such that after the election, multiplying the ciphertexts will cancel out all the random factors, hence allowing any public observer to verify the tallying integrity. An improved version called DRE-i with enhanced privacy (DRE-ip), which adopts a real-time computation strategy instead of a pre-computation strategy, was successfully trialed in a polling station in Gateshead during the 2019 UK local elections.^[3]

Protocol

Let $p$ and $q$ be two large primes, where ${\textstyle q\,|\,p-1}$ . Let $g$ be a generator for the subgroup of $Z_{p}^{*}$ of the prime order $q$ . The parameters $(p,q,g)$ are publicly agreed before the election. All modulo operations are performed with respect to the modulus $p$ . The protocol can also be implemented using an elliptic curve, while the specification remains the same.

In the following example, the protocol is explained in the context of a single-candidate Yes/No election held at supervised polling stations using touch-screen DRE machines. There are standard ways to extend a single candidate election to support multiple candidates, e.g., providing a Yes/No selection for each of the candidates or using encoded values for candidates. The protocol can also be implemented for Internet voting as done for verifiable classroom voting.^[4]

The DRE-i protocol consists of three phases: setup, voting and tallying.

Setup

A DRE-i implementation may include a server and distributed DRE clients that connect to the server through a secure channel. Before the election, the server pre-computes a table as shown below.

Election Setup
Ballot No $i$	Random public key $g^{x_{i}}$	Restructured public key $g^{y_{i}}$	Cryptogram of yes-vote	Cryptogram of no-vote
$1$	$g^{x_{1}}$	$g^{y_{1}}$	$g^{x_{1}y_{1}}$ , 1-out-of-2 ZKP	$g^{x_{1}y_{1}}g$ , 1-out-of-2 ZKP
$2$	$g^{x_{2}}$	$g^{y_{2}}$	$g^{x_{2}y_{2}}$ , 1-out-of-2 ZKP	$g^{x_{2}y_{2}}g$ , 1-out-of-2 ZKP
...	...	...	...	...
$n$	$g^{x_{n}}$	$g^{y_{n}}$	$g^{x_{n}y_{n}}$ , 1-out-of-2 ZKP	$g^{x_{n}y_{n}}g$ , 1-out-of-2 ZKP

The table contains $n$ rows with each row corresponding to a ballot. The number $n$ is larger than the maximum number of the eligible voters to accommodate voter auditing. For each of the $n$ ballots, the server chooses a random secret key $x_{i}\in _{R}[1,q-1]$ and computes the corresponding public key $g^{x_{i}}$ . When this has been done for all ballots, the server computes a restructured public key for every ballot as follows:

g^{y_{i}}=\prod _{j<i}g^{x_{j}}/\prod _{j>i}g^{x_{j}}

The Yes/No value in each ballot is encrypted in the form of $C_{i}=g^{x_{i}y_{i}}\cdot g^{v_{i}}$ where $v_{i}$ = 0 for "No" and 1 for "Yes". In addition, the machine computes a 1-out-of-2 Zero-knowledge proof (ZKP) for each Yes/No value. This is to ensure that the encrypted vote is well-formed. In other words, the value of the vote $v_{i}$ can only be either 0 or 1. When the pre-computation is finished, the server publishes all the random public keys and restructured public keys (first three columns of the setup table) while keeping the Yes and No cryptograms secret (last two columns).

Voting

After authentication at a polling station, a voter obtains a random password or a smart card and logs onto a DRE client in a private voting booth. Casting a vote involves two basic steps.

In step one, the voter selects a choice, "Yes" or "No", for the candidate shown on the touch screen. Upon the selection, the DRE machine prints the following data on the paper receipt: the ballot serial number $i$ , and the cryptogram of the selected choice, along with a digital signature for proving the data authenticity.

In step two, the voter has the option to either confirm or cancel the previous selection. If the confirm option is chosen, the machine prints a “finish” on the paper receipt with a digital signature to indicate that a valid ballot has been cast. On the other hand, if the cancel option is selected, the machine prints the canceled candidate choice in plain text and the other cryptogram, along with a digital signature. In this case, a dummy vote has been cast. The voter should check if the canceled candidate choice printed on the receipt matches their selection; if not, a dispute should be raised to the election staff at the polling station. This "confirm/cancel" option enables a voter to verify that the vote is "cast as intended". The voter can cast as many dummy votes as they wish (subject to a reasonable limit), but is allowed to cast only one valid vote.

All receipts are published on a public bulletin board (i.e., a mirrored public website), together with digital signatures to prove the data authenticity. After voting, the voter leaves the voting booth with a receipt (or more than one receipt if the voter chooses to cancel ballots). The voter checks if the same content of the receipt is published on the bulletin board. This ensures their vote is "recorded as cast".

Tallying

When the election is finished, the server announces the tally of the "Yes" votes. In addition, it publishes the "Yes" and "No" cryptograms for all the unused ballots on the bulletin board, as if they were canceled by voters. An example of the bulletin board after the election is shown below.

An example of bulletin board after the election
Ballot No $i$	Random public key $g^{x_{i}}$	Restructured public key $g^{y_{i}}$	Published Votes $V_{i}$	ZKPs
$1$	$g^{x_{1}}$	$g^{y_{1}}$	Valid: $g^{x_{1}y_{1}}$	a 1-out-of-2 ZKP
$2$	$g^{x_{2}}$	$g^{y_{2}}$	valid: $g^{x_{2}y_{2}}$	a 1-out-of-2 ZKP
$3$	$g^{x_{3}}$	$g^{y_{3}}$	Cancelled: $g^{x_{3}y_{3}}$ , $g^{x_{3}y_{3}}\cdot g$	two 1-out-of-2 ZKPs
...	...	...	...	...
$n$	$g^{x_{n}}$	$g^{y_{n}}$	Unused: $g^{x_{n}y_{n}}$ , $g^{x_{n}y_{n}}\cdot g$	two 1-out-of-2 ZKPs

To verify the tally announced by the server, one simply multiplies all the published votes $V_{i}$ . For canceled (dummy) and unused votes, only the no-votes are included in the multiplication.

\prod _{i}V_{i}=\prod _{i}g^{x_{i}y_{i}}g^{v_{i}}=\prod _{i}g^{v_{i}}=g^{\sum _{i}v_{i}}

In the above computation, all random factors are cancelled out on the exponent because ${\textstyle \sum _{i}{x_{i}y_{i}}=0}$ based on a cancellation technique used in Anonymous veto network. This leaves only ${\textstyle \sum _{i}v_{i}}$ on the exponent. To verify the tally $t$ announced by the server, one just needs to check if the following equation holds. This ensures all votes are "tallied as recorded", which together with the earlier assurance on "cast as intended" and "recorded as cast" ensures the entire voting process is end-to-end verifiable.

\prod _{i}V_{i}\;{\overset {?}{=}}\;g^{t}

Implementation and practical applications

A prototype of a verifiable classroom voting system, based on the DRE-i protocol, has been implemented for pedagogical purposes and used for classroom voting and student prize competitions.^[4]

Limitation

The DRE-i protocol works by pre-computing the encrypted ballots. However, the pre-computed ballots need to be stored securely. If the pre-computed ballots are revealed, the secrecy of the votes will be compromised (however, the tallying integrity remains intact as guaranteed by the end-to-end verifiability). This limitation is addressed by using a different real-time computation strategy which leads to an improved protocol called DRE-i with enhanced privacy (DRE-ip). Both the DRE-i and DRE-ip protocols are end-to-end verifiable without tallying authorities, in contrast to other E2E verifiable e-voting schemes that involve tallying authorities for performing decryption and tallying operations.

Related Research Articles

A voting machine is a machine used to record votes in an election without paper. The first voting machines were mechanical but it is increasingly more common to use electronic voting machines. Traditionally, a voting machine has been defined by its mechanism, and whether the system tallies votes at each voting location, or centrally. Voting machines should not be confused with tabulating machines, which count votes done by paper ballot.

Electronic voting is voting that uses electronic means to either aid or take care of casting and counting ballots.

<span class="mw-page-title-main">Blind signature</span> Form of digital signature

In cryptography a blind signature, as introduced by David Chaum, is a form of digital signature in which the content of a message is disguised (blinded) before it is signed. The resulting blind signature can be publicly verified against the original, unblinded message in the manner of a regular digital signature. Blind signatures are typically employed in privacy-related protocols where the signer and message author are different parties. Examples include cryptographic election systems and digital cash schemes.

A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.

In combinatorics, Bertrand's ballot problem is the question: "In an election where candidate A receives p votes and candidate B receives q votes with p > q, what is the probability that A will be strictly ahead of B throughout the count?" The answer is

Voter verifiable paper audit trail (VVPAT) or verified paper record (VPR) is a method of providing feedback to voters using a ballotless voting system. A VVPAT is intended as an independent verification system for voting machines designed to allow voters to verify that their vote was cast correctly, to detect possible election fraud or malfunction, and to provide a means to audit the stored electronic results. It contains the name of the candidate and symbol of the party/individual candidate. While it has gained in use in the United States compared with ballotless voting systems without it, it looks unlikely to overtake hand-marked ballots.

A voting system is consistent if, whenever the electorate is divided (arbitrarily) into several parts and elections in those parts garner the same result, then an election of the entire electorate also garners that result. Smith calls this property separability and Woodall calls it convexity.

The single transferable vote (STV) is a voting system that elects multiple winners based on proportional representation and ranked voting. Under STV, an elector's vote is initially allocated to his or her most-preferred candidate. After candidates have been either elected (winners) by reaching quota or eliminated (losers), surplus votes are transferred from winners to remaining candidates (hopefuls) according to the surplus ballots' ordered preferences.

In cryptography, a secret sharing scheme is verifiable if auxiliary information is included that allows players to verify their shares as consistent. More formally, verifiable secret sharing ensures that even if the dealer is malicious there is a well-defined secret that the players can later reconstruct. The concept of verifiable secret sharing (VSS) was first introduced in 1985 by Benny Chor, Shafi Goldwasser, Silvio Micali and Baruch Awerbuch.

Electronic voting in Estonia gained popularity in 2001 with the "e-minded" coalition government. In 2005, it became the first nation to hold legally binding general elections over the Internet with their pilot project for municipal elections. Estonian election officials declared the electronic voting system a success and found that it withstood the test of real-world use.

<span class="mw-page-title-main">ThreeBallot</span> End-to-end auditable anonymous voting system

ThreeBallot is a voting protocol invented by Ron Rivest in 2006. ThreeBallot is an end-to-end (E2E) auditable voting system that can in principle be implemented on paper. The goal in its design was to provide some of the benefits of a cryptographic voting system without using cryptographic keys.

Punchscan is an optical scan vote counting system invented by cryptographer David Chaum. Punchscan is designed to offer integrity, privacy, and transparency. The system is voter-verifiable, provides an end-to-end (E2E) audit mechanism, and issues a ballot receipt to each voter. The system won grand prize at the 2007 University Voting Systems Competition.

End-to-end auditable or end-to-end voter verifiable (E2E) systems are voting systems with stringent integrity properties and strong tamper resistance. E2E systems often employ cryptographic methods to craft receipts that allow voters to verify that their votes were counted as cast, without revealing which candidates were voted for. As such, these systems are sometimes referred to as receipt-based systems.

Prêt à Voter is an E2E voting system devised by Peter Ryan of the University of Luxembourg. It aims to provide guarantees of accuracy of the count and ballot privacy that are independent of software, hardware etc. Assurance of accuracy flows from maximal transparency of the process, consistent with maintaining ballot privacy. In particular, Prêt à Voter enables voters to confirm that their vote is accurately included in the count whilst avoiding dangers of coercion or vote buying.

In cryptography, homomorphic secret sharing is a type of secret sharing algorithm in which the secret is encrypted via homomorphic encryption. A homomorphism is a transformation from one algebraic structure into another of the same type so that the structure is preserved. Importantly, this means that for every kind of manipulation of the original data, there is a corresponding manipulation of the transformed data.

In cryptography, the anonymous veto network is a multi-party secure computation protocol to compute the boolean-OR function. It was first proposed by Feng Hao and Piotr Zieliński in 2006. This protocol presents an efficient solution to the Dining cryptographers problem.

Bingo voting is an electronic voting scheme for transparent, secure, end-to-end auditable elections. It was introduced in 2007 by Jens-Matthias Bohli, Jörn Müller-Quade, and Stefan Röhrich at the Institute of Cryptography and Security (IKS) of the Karlsruhe Institute of Technology (KIT).

In cryptography, the open vote network is a secure multi-party computation protocol to compute the boolean-count function: namely, given a set of binary values 0/1 in the input, compute the total count of ones without revealing each individual value. This protocol was proposed by Feng Hao, Peter Ryan, and Piotr Zieliński in 2010. It extends Hao and Zieliński's anonymous veto network protocol by allowing each participant to count the number of veto votes while preserving the anonymity of those who have voted. The protocol can be generalized to support a wider range of inputs beyond just the binary values 0 and 1.

Helios Voting is an open-source, web-based electronic voting system. Users can vote in elections and users can create elections. Anyone can cast a ballot; however, for the final vote to be counted, the voter's identification must be verified. Helios uses homomorphic encryption to ensure ballot secrecy.

Direct Recording Electronic with Integrity and Enforced Privacy (DRE-ip) is an End-to-End (E2E) verifiable e-voting system without involving any tallying authorities, proposed by Siamak Shahandashti and Feng Hao in 2016. It improves a previous DRE-i system by using a real-time computation strategy and providing enhanced privacy. A touch-screen based prototype of the system was trialed in the Gateshead Civic Centre polling station on 2 May 2019 during the 2019 United Kingdom local elections with positive voter feedback. A proposal that includes DRE-ip as a solution for large-scale elections was ranked 3rd place in the 2016 Economist Cybersecurity Challenge jointly organized by The Economist and Kaspersky Lab.

References

↑ Hao, Feng; Kreeger, Matthew Nicolas (2010). "Every Vote Counts: Ensuring Integrity in Large-Scale DRE-based Electronic Voting" (PDF).
1 2 Feng Hao, Matthew N. Kreeger, Brian Randell, Dylan Clarke, Siamak F. Shahandashti, and Peter Hyun-Jeen Lee. "Every Vote Counts: Ensuring Integrity in Large-Scale Electronic Voting". USENIX Journal of Election Technology and Systems (JETS) Volume 2, Number 3, July 2014
↑ "E-voting by touch-screen trialled in local elections". BBC News. 2 May 2019.
1 2 Hao, Feng; Clarke, Dylan; Randell, Brian; Shahandashti, Siamak F. (January 2018). "Verifiable Classroom Voting in Practice" (PDF). IEEE Security & Privacy. 16 (1): 72–81. doi:10.1109/MSP.2018.1331032.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[dre-10-1] Hao, Feng; Kreeger, Matthew Nicolas (2010). "Every Vote Counts: Ensuring Integrity in Large-Scale DRE-based Electronic Voting" (PDF).

[DRE-i-2] 1 2 Feng Hao, Matthew N. Kreeger, Brian Randell, Dylan Clarke, Siamak F. Shahandashti, and Peter Hyun-Jeen Lee. "Every Vote Counts: Ensuring Integrity in Large-Scale Electronic Voting". USENIX Journal of Election Technology and Systems (JETS) Volume 2, Number 3, July 2014

[3] "E-voting by touch-screen trialled in local elections". BBC News. 2 May 2019.

[classroomvoting-4] 1 2 Hao, Feng; Clarke, Dylan; Randell, Brian; Shahandashti, Siamak F. (January 2018). "Verifiable Classroom Voting in Practice" (PDF). IEEE Security & Privacy. 16 (1): 72–81. doi:10.1109/MSP.2018.1331032.

[1]

[2]

[3]

[4]