We are delighted to offer a new Distinguished Talks Series for 2024!

Véronique Cortier, CNRS research director at LORIA, will give a talk on Wednesday, 7th of February 2024, on the suject Electronic voting: Design and formal verification.
This interview gives us insight into how e-voting fits into our society, the main difficulties encountered in designing protocols, the use of zero knowledge proofs and the risks involved.

“Even defining something as simple as vote secrecy is difficult, and there is still no academic consensus on how to state mathematically that my vote is secret, for example. Because the value of my vote is not secret. If I vote A or B, they are not secret; they are public. You know A and B, in this case, since they are the political candidates. So what you should not know is what I voted for. This is what is difficult to analyze.”

I started a PhD in formal verification. In summary, the goal is to develop algorithms to automatically prove properties about programs. Since my PhD, I have been focused on security protocols, particularly analyzing protocols for online payment, banking, or authentication. During that time, my primary goal was to design algorithms capable of automatically detecting vulnerabilities, attacks against protocols, or proving their security within a formal model.

This is still what I am doing, but now, I have a broader focus on electronic voting. In this domain, I do not only engage in proofs but also in design, aiming to develop protocols for Internet voting that are as secure as possible.

I authored a book (in French) on this subject titled Le vote électronique : Les défis du secret et de la transparence with Pierrick Gaudry (Odile Jacob Editor).

I really like math, so doing proofs and exploring science were things I wanted to continue. My future PhD advisor, Hubert Comon, offered me to do an internship at the MPI of Saarbrucken, on a very formal subject. It was about deciding “simultaneous Rigid Reachability on words”. I told my supervisor that I enjoyed it from a mathematical point of view, but I would prefer a Ph.D. topic that I could explain to my family.

At that time, in the lab, members were starting a new working group on security protocols. Therefore, my Ph.D. advisor offered me the opportunity to focus on formal verification applied to secure protocols, which was the new topic being explored by the lab at that time.

Actually, I would say that the topic chose me because, at the beginning, it was just another example of security protocols. During my PhD, I was designing algorithms to analyze any kind of protocols; for me, electronic voting was simply another species of protocols that was fun to analyze, just as a test for our tools. Little by little, I started to find this subject quite interesting. It was very hard for our tools, a difficult case. We really had to improve our tools.

And I realized that it was also difficult to just state formally what is a secure e-voting protocol. For authentication and for payments, typically, what you want is that, if I pay, then I get the service, and for the company, if they give the service, then they get the payment. Here, the properties are well understood.

For e-voting, that's not so easy. Even defining something as simple as vote secrecy is difficult, and there is still no academic consensus on how to just state mathematically that my vote is secret, for example. Because the value of my vote is not secret. If I vote A or B, they are not secret, they are public. You know A and B, in this case, since they are the political candidates. So what you should not know is what I voted for. This is what is difficult to analyze.

I moved from analyzing protocols with respect to a given security property, to defining security properties and comparing definitions. And then, gradually, I also started to correct flawed protocols and tried to design my own. We were also pushed for this, actually.

We designed our own protocol, Belenios. It is a voting platform that is used in France and overseas. We have more than 1000 elections each year now with academia and associations, and so on.

This gives us visibility also to enterprises. Thanks to Belenios, we had companies that contacted us to help them improve their own e-voting protocols. That's how I moved from formal verification to formalization of properties and then really to application.

Indeed. For maybe about 10 years now, I have worked with several companies. Some French companies like Docaposte and Voxaly. Some Spanish companies like Scytl, which is a leading company in e-voting. Currently, I am working with Swiss Post, a leading company in Switzerland, which is developing one of the main voting protocols for local and national political elections.

In France, in 2022, for the legislative election, we were approached by the European and Foreign Affairs ministry for French citizens abroad, who selected 11 deputies. They wanted to use Internet voting so voters could either vote in polling stations, by post, or online. And they mostly voted online, actually. It should be noted that the CNIL recommendation requires that voters can verify that their vote has been counted by third-party tools.

So, we were asked to write and run these third-party tools, which we did, to check the results of the election and also to let voters confirm that their votes were indeed counted or not.

Internet voting is already in use. Perhaps you have already used Internet voting, such as in professional elections.

So, in France, the only political election where you can use it is for French citizens living abroad. In France, the position is that electronic voting should not be used in political elections, which I completely agree with. Nonetheless, there are exceptions, such as in some cities where they use voting machines at polling stations. It is only possible for them to vote through those machines, but they have the right to do so. More than 1 million voters actually use voting machines in France.

It is not exactly an exception, but what is really on the edge is that political parties may use Internet voting, and they do it for their primary elections, which means they elect one of the main candidates for the Presidential election with Internet voting.

Many things!
The two main commonly required properties in vote secrecy are, first, that my vote should remain secret. That is the case for most elections. Some are public; you can say I am Véronique Cortier and I vote for A, but in many elections, this should remain secret.

Then, the other key property, which is actually difficult to have with vote secrecy, is what we call verifiability. In a way, it should be the same as in paper voting. It means that you should be able to check that your vote and those from legitimate voters only have been counted. This is much harder to achieve by Internet.

First, because the systems are complex. They are very difficult for voters to understand. And it really is a key challenge that will probably be very difficult to tackle even in several years. But even if voters were perfect algorithms, which they are not, it is already difficult to have a verifiable protocol that is transparent enough and allows voters to check that their vote has been counted, and yet that it has not been compromised.

And it is maybe even harder if you want stronger properties like resistance to vote buying because it might be easier to sell your vote on the Internet, typically. So, designing systems that are resistant against vote buying is even harder.

In my point of view, it should not be used as soon as ballot papers at physical polling stations with traditional ballot papers can be used because they are highly secure. There might be some flaws, but always on a low scale. It's well understood by users; they understand why it's verifiable, and they conduct the checks. Since the security offered by ballot papers is very good, there is no reason to use Internet voting if you can use traditional methods.

Concerning French citizens living abroad, sometimes, it can be difficult for people to go to polling stations because they have to travel a lot. They are using postal voting, which is with paper; it is the same material, but it's definitely not as secure as voting at polling stations because you don't know if your vote reaches the ballot box. They might be modified before reaching the ballot box. Also, with traditional voting, you sign on the envelope when you vote. So you should trust that no one will open it while checking your signature.

For example, I was told by a candidate who was already in place (he was a candidate for his reelection) that he was the one carrying the set of envelopes to the ballot box. So the level of security is not that good.

It really depends. Currently, for example, in France, the way Internet voting is implemented is that you receive some authentication material like login and password by mail, post, or SMS. That's why it is very easy to sell. I mean, you can just sell your credentials.

Scientifically, with cryptography, I can do nothing about it. But we can design protocols where you can lie about your credentials. That is really the idea: if I want to buy your vote, then you can actually sell me fake credentials. I will be able to vote with those, so I will not notice that they are fake during the tally, when the votes are counted and tallied. The ballots with fake credentials will disappear. But I won't know, as an attacker, which one has been destroyed. I will see that some ballots are destroyed, but I don't know if it is due to the fact that you sold me fake credentials, or because just other people use fake credentials.

So, if you can lie about your credentials, then we could say it is resistant against vote buying.

I guess it could; it is not my research area, but yes, indeed. The difficulty with Internet voting is how to authenticate voters. And now, you might have credentials, but is it really you, or is it just someone with your credentials? So a first solution that is not exactly related to what you said is to be able, at least, to vote with your identity card. This is the case in Estonia, for example. But, indeed, I also heard that there were some research for authentication procedures where you would be parallelly authenticated with your face.

In electronic voting, we use zero knowledge proofs a lot. The key usage is during the tally because votes are encrypted with some public key of the election. Trustees have a share of the decryption keys, like in a bank where you have one of the 3 keys. The key is split into 3 pieces, and you have one of the third of the key. So election authorities can decrypt the final result, and then they prove in zero knowledge that they correctly decrypted it. This way, anyone can check that the result is correct without knowing the secret keys, just checking the zero knowledge proof. It is one of the key usages of zero knowledge proofs in electronic voting.

For anonymity, we need zero knowledge proof to prove that the votes have been correctly counted without revealing any information about the votes. That is one key ingredient in e-voting. But it is not sufficient. We need other cryptographic ingredients. In particular, the votes are encrypted and we don't want to decrypt them line by line because otherwise, we would learn how voters voted. Instead, we can use for example homomorphic encryption, that allows to combine votes before decryption. Intuitively, you can just sum up your pile of envelopes (i.e. your encrypted votes), and you get one big envelope that contains all the votes in clear. You do not need to decrypt each envelope individually. You just need to decrypt this big final encrypted envelope.

There are other means here to protect vote privacy. If you cannot use homomorphic encryption because the election rules are complex, you can remix the envelopes but re-randomizing them so that you cannot follow the link between the initial encrypted vote and the re-randomized one.

So, my hope is that we won't use Internet voting as soon as it's possible to use traditional ballot papers for elections.

The same risk analysis should be conducted for any election system we are considering to use. Compared to ballot papers, I am not confident that Internet voting would be as secure and trustworthy as the traditional way. It needs to be secure, and people need to trust the system. These are two different things. I mean, you might have a secure system that people don't trust because they don't understand it. And you might also have insecure systems that people trust. It really is two different concepts.

And I think Internet voting won't be easy to trust. My hope is it won't be used. But now there are situations where it's not possible to use standard ballot paper systems, especially in some countries where they have much more complex election rules, or when it's difficult to travel, or for example in Switzerland, where they ask their population to vote very often. Indeed, 3 or 4 times a year, they are asked between 5 or even 20 questions. That's why they are using Internet voting because the Swiss population wouldn't go to polling stations 4 times a year.

It is actually unclear whether it is cheaper to use Internet voting because developing an internet voting system is usually very expensive. Yet, it might be the case that one day a politician decides to use Internet voting because it will be cheaper or more politically advantageous, or to increase voter turnout. All these reasons are debatable. But if they decide that it is more interesting or more trendy, then it may happen indeed. In fact, that is one of my motivations to work on e-voting. If, in case, we must use Internet voting because we are forced to, then we have to try to have the least insecure system as possible.

That's a difficult question. It is not my area of expertise, so I don't really know. Therefore, a related question is, does it improve the turnout, the number of people that do participate in the election? And the answer seems to be no, or very, very little. It doesn't seem to have any influence on the number of people who participate in an election.

The question you ask is slightly different. Would people vote more often? I don't know. I haven't seen studies related to this.