Ask HN: Will online voting require to trust crypto experts?
13 points by speedgoose on June 1, 2022 | hide | past | favorite | 24 comments
I voted online for the first time this morning, mostly out of curiosity.

I got a receipt with 2 huge hex numbers and one large base64 blob. The receipt also had a link to an online website to verify that my vote has been registered, and that it will be counted. The website is relatively easy to use: I copy-paste my base64 blob and I get a green success message. Its source code is also available online, in OCaml.

Now, I have no good understanding of how all of this works. The information page is helpful to get a vague idea of the concepts: https://verifiabilite-legislatives2022.fr/informations.html However, you actually need to be a crypto expert to understand it fully, and I'm not one. "More experienced readers may be confronted with a more technical description in English." https://hal.inria.fr/hal-01576379/file/ZK-securityproof.pdf The paper contains crypto math proofs; it looks fancy and has nice concepts such as homomorphic encryption, zero-knowledge proofs and so on. At my level I can only say that my base64 blob contains a JSON document consisting of a few numbers, one huge hex number with homomorphic properties, a Schnorr signature, and a public key of something.

Moreover, the system has strong limitations because, as they explain, you cannot know that the candidate you selected is the candidate actually registered in your electronic vote, and they cannot ensure that all the registered votes are legitimate.

The traditional voting system for French citizens is a transparent box with paper voting ballots in an envelope. You can count the votes later in a group of random citizens, I did it twice personally, and it's very easy to understand. Most people in my countryside village could trust the process with no prior knowledge.

I find the online voting part convenient, but I'm afraid people will not trust it because they cannot understand it.



Ah yes. That explains how my ballot is well-formed (formatting completely messed up by copy/paste, but probably 99% of all people couldn't tell a difference anyhow):

> $g^{\rho_i}\alpha^{-\sigma_i} = g^{w+r\sigma_i}\alpha^{-\sigma_i} = g^{w}\alpha^{\sigma_i}\alpha^{-\sigma_i} = g^{w} = A_i$ and $h^{\rho_i}(\beta/g^{M_i})^{-\sigma_i} = h^{w+r\sigma_i}\beta^{-\sigma_i}g^{\sigma_i M_i} = h^{w}h^{r\sigma_i}(h^{r}g^{m})^{-\sigma_i}g^{\sigma_i M_i} = h^{w}g^{-m\sigma_i}g^{\sigma_i M_i} = h^{w}$

I'm sure there's some way to implement a somewhat working online voting process, but all those suffer from a major problem you already stated: the majority of people won't be able to understand or verify that their vote was counted. You're expected to fully trust that some machine took your intent and counted it correctly. I wouldn't for important votes.

An important side effect is also that you make the process more scalable, which IMHO isn't something you want in important votes as that makes the system more open to attacks. Compare tampering with the voting machine manufacturer to how difficult it is to manipulate distributed vote counting by random citizens. In Germany everyone can apply as "Wahlhelfer" (person helping with the voting process) and then both make sure the voting process is followed as well as count votes in a peer reviewed process.
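The verification equation quoted in the comment above, worked through in code as an added example (it is not from the thread, the paper, or the Belenios software). It assumes a small constructed group (p = 2^127 - 1 with an order-q subgroup), a SHA-256 Fiat-Shamir challenge, and function names of my own; a real election publishes its own parameters.

```python
"""Toy model of the quoted equation: an ElGamal ballot (alpha, beta) = (g^r, h^r g^m)
with m in {0,1}, plus a disjunctive Chaum-Pedersen proof that m is 0 or 1, which the
verifier checks as A_i = g^rho_i * alpha^-sigma_i, B_i = h^rho_i * (beta/g^M_i)^-sigma_i
and sigma_0 + sigma_1 = H(...). Group parameters are constructed for this example only."""
import hashlib
import secrets

P = 2**127 - 1          # Mersenne prime; p - 1 = 2 * (2^63 - 1) * (2^63 + 1)
Q = 77158673929         # prime factor of 2^63 + 1, hence of p - 1: an order-Q subgroup exists
G = next(pow(b, (P - 1) // Q, P) for b in range(2, 64) if pow(b, (P - 1) // Q, P) != 1)

def inv(x):
    return pow(x, P - 2, P)

def keygen():
    """Trustee key pair: secret x, public h = g^x (assumed single trustee)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def challenge(*vals):
    """Fiat-Shamir challenge over the ciphertext and both commitments, reduced mod q."""
    digest = hashlib.sha256(",".join(map(str, vals)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def commitments(h, alpha, beta, sigma, rho):
    """Recompute (A_i, B_i) from (sigma_i, rho_i): the verifier's side of the equation."""
    A = [pow(G, rho[i], P) * inv(pow(alpha, sigma[i], P)) % P for i in (0, 1)]
    B = [pow(h, rho[i], P) * inv(pow(beta * inv(pow(G, i, P)) % P, sigma[i], P)) % P
         for i in (0, 1)]
    return A, B

def encrypt_with_proof(h, m):
    """Ballot for m in {0,1} and a proof that it encrypts 0 or 1 (not which one)."""
    r = secrets.randbelow(Q - 1) + 1
    alpha, beta = pow(G, r, P), pow(h, r, P) * pow(G, m, P) % P
    j = 1 - m                                   # the branch we did NOT encrypt
    sigma, rho = [0, 0], [0, 0]
    sigma[j], rho[j] = secrets.randbelow(Q), secrets.randbelow(Q)   # simulated branch
    w = secrets.randbelow(Q)
    A, B = commitments(h, alpha, beta, sigma, rho)
    A[m], B[m] = pow(G, w, P), pow(h, w, P)     # real branch: fresh commitment g^w, h^w
    c = challenge(alpha, beta, A[0], B[0], A[1], B[1])
    sigma[m] = (c - sigma[j]) % Q               # forced so that sigma_0 + sigma_1 = c
    rho[m] = (w + r * sigma[m]) % Q             # the rho_i = w + r*sigma_i of the quote
    return (alpha, beta), (sigma, rho)

def verify(h, ct, proof):
    """Anyone holding only the public key can check the ballot is well-formed."""
    sigma, rho = proof
    A, B = commitments(h, *ct, sigma, rho)
    return (sigma[0] + sigma[1]) % Q == challenge(*ct, A[0], B[0], A[1], B[1])

def tally(x, ballots):
    """Homomorphic count: multiply ciphertexts, decrypt once, recover t from g^t."""
    alpha = beta = 1
    for a, b in ballots:
        alpha, beta = alpha * a % P, beta * b % P
    gt = beta * inv(pow(alpha, x, P)) % P
    return next(t for t in range(len(ballots) + 1) if pow(G, t, P) == gt)
```

The proof shows a ballot is well-formed, not which candidate it holds, which is exactly why the receipt in the original post cannot tell the voter what was recorded.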


With most things, trust is established "by proxy" (by trusting someone who trusts whatever you worry about).

In the free software world, we generally trust that free software is well-meaning and contains no backdoors because we assume that someone else has reviewed the code: we don't go reviewing each and every library or app we use.

Sometimes that trust is misplaced, particularly with small, unused apps or libraries, but in a grand scheme of things, it works.

Elections are slightly different in that you want precision and guarantees. I think electronic voting can and should be introduced with a fully open source stack even for important votes, but it should never be mandatory: in theory, for those who understand the process, verifying their vote is much easier electronically. This would enable trust-by-proxy to work as well for the technically inclined.

There is the trouble of verifying that the software any voting system is running matches the source code you are given access to. In that sense, having public access to a full database of votes (or at least electronic ones) would help quell that concern as well — at the very least, each competing political party could run their own system to verify your vote.

Still, I think the easiest way to manipulate votes today, and how it's usually done in democracies, is by media manipulation (by selective reporting or over-reporting to drive a narrative), and no voting system can help with that :)


> but in a grand scheme of things, it works.

In the grand scheme of things, almost no computer system can withstand a focused, persistent attack by a nation-state level attacker. Air-gaps aren't enough [1], being extremely widely-used open-source isn't enough [2], even being formally verified isn't enough, because even a formally verified compiler can have backdoors [3]. And we haven't even touched whether you can trust the silicon it's running on [4].

And even in the absurdly unlikely case where a secure voting system is implemented, voters will connect to it with laughably insecure personal computers, that can alter their votes at will. I don't want to have to trust Microsoft and Intel's [5] benevolence to not abuse their root-or-lower level access to devices to alter votes as they are cast.

> but it should never be mandatory

So the 1% of voters that understand how insecure online voting is vote in person - or, let's be extremely generous and say 60% vote in person, while 40% have their votes altered by a hostile nation state (this includes the nation state that made their voters' operating system or designed or fabbed their CPUs). There's almost no election you can't swing if you control 40% of all votes.

With the prize being clandestine control of a country, someone is bound to make the effort. And then what will you do? Vote to return to paper ballots? They are imperfect, but attacks on them don't stealthily scale to a whole country.

[1] https://en.wikipedia.org/wiki/Stuxnet

[2] https://en.wikipedia.org/wiki/Heartbleed

[3] https://en.wikipedia.org/wiki/Backdoor_(computing)#Compiler_...

[4] https://www.schneier.com/blog/archives/2018/03/adding_backdo...

[5] https://en.wikipedia.org/wiki/Intel_Management_Engine - AMD has an equivalent backdoor


I won't discount the risks associated with electronic voting and electronic machines in general, but 40% of "wrong" votes are almost impossible to miss with the most rudimentary checks. E.g. if 60% of paper ballots have a ratio swinging 4 to 1 one way, and 40% of electronic votes have a ratio swinging 4 to 1 the other way (this is commonly done in any statistical endeavour to detect correlations, and much smaller effects can be noticed), any observer and participant in the elections can notice that when looking at the final tally, as long as there is a breakdown by the type of vote submission as well (which is already done for things like mail-in votes).

And if a vote is swung completely against the actual public vote, you'll only end up with either a quick drop of the electronic system (which all the IT providing companies like MS or Intel would hate to see happen, which is an incentive for them to not interfere), or angry mobs hitting the streets.

Basically, what you are left with is influencing the outcome so that what would have been a 51-49 winning party is now a 49-51 losing party. Yet there are other "unfair" ways to achieve that even today that are not as involved as hacking the entire electronic voting system (as I mentioned, media manipulation being the key one, or providing benefits to vote a particular way or...).

So yes, ultimately, everything can go wrong, but no, it won't because there are safeguards against that happening regardless of the method of voting.


You underestimate how large a manipulation could go undetected. [1] shows an election with a 28-41 win for Patrick, while the poll showed a 37-31 win for Dewhurst. That's a 10% absolute swing, and 25% relative. And the less attention an election gets from pollsters, the bigger the margin for error and manipulation.

Changing too many votes, to make people doubt the legitimacy of the election, is itself a powerful attack to sow division in a country. I'm sure I don't need to cite examples...

And then what is even the point of formal voting, if, when done online, it's a centralized way for an adversary to change results, and is only legitimized by reproducing results of informal polls (conducted by public research firms we trust, of course...) We may as well skip elections and use the polls directly.

I agree there are many other ways to manipulate voters, so let's not expand that list further.

[1] https://www.texastribune.org/2014/03/06/polling-center-poll-...


We seem to be discussing different scenarios.

In my example, a formal vote is partially done electronically, and partially through paper votes: large discrepancies in results between those two groups could be indicative of interference (small variation is to be expected). I am not talking of unofficial polls which can never produce a representative sample of people.

The point of formal voting is to elect a government that the majority of voters prefer. Many countries have a problem with voter turnout, so you rarely get any one party or coalition winning more than 20-30% of the eligible votes, yet they get majority control of the government.

The point of electronic voting should be to increase the turnout without decreasing the trustworthiness. It's not an easy problem to solve, but it's not insurmountable.

Electronic votes can be decentralized as well: final tallying is centralized with any approach, but it can similarly remain open to questioning.


Online voting is a horrible idea, anyone who tells you it's secure has no idea what they're talking about. Even if we were to assume a hypothetical future where it's implemented as an immutable smart contract on a widely used blockchain that's large enough to be too costly even for state actors to attack. Then the attacker just targets the devices citizens use to access the vote. Currently we have two mobile OS and not much more in the PC world. An exploit in just a single one of them would open the door for massive manipulation.

On top of that there's the trust issue, which I find absurd that this isn't more often discussed even with other forms of voting. For example in the US they use those idiotic electronic voting machines with catastrophic consequences for people's trust in the system. All this should be banned and only paper ballots allowed. Then when it comes to counting, citizens need to be allowed to observe the process (without interfering of course). That's the only way to do it and ensure both security and trust. The process must be easy enough that most voters can understand it. Electronic voting is the exact opposite, almost no one understands how it works on a technical level and even fewer people are going to be able to verify the code. Such a system is begging for collusion and fraud.


I don't get it. Why do you have any more faith in a paper based system? At the end of the day the vote is tallied and entered into a spreadsheet and uploaded to a central place. Where it is once again tallied, put into a spreadsheet and uploaded to a more central place. With all kinds of humans, computers etc. in the process. It's fully trust based. No one has any idea that it's actually accurate. It probably is mostly accurate due to the good faith of "most" people. But that ain't a system ya know?

Why not have a fully electronic system but still retain the distributed nature of the paper system. E.g. you have to login to the server in your voting district. It's a separate instance and you have to verify with photo id over video conference. The SAME risk level more or less but does not require a wasteful drive and wait. We have the technology!


> At the end of the day the vote is tallied and entered into a spreadsheet and uploaded to a central place.

There's no inherent need for spreadsheets or computers. It takes much less effort to manually, on paper, sum the vote totals from N districts, than it did to count the votes in each district (given the reasonable assumption that N < number of people per district). From here it's an easy divide-and-conquer to get the sum for the whole country.

> Why do you have any more faith in a paper based system?

Because attacks against paper are much harder to scale and much easier to detect.

> It's fully trust based.

No, each step has multiple observers, independents and competing parties, to make sure there is no cheating. At least it should have. At least it can have them, while a computer system cannot - it's a black box, and no one knows fully how it works, or if it was swapped with a different black box since the last time it was used.

Even the vanishingly few people who understand the formal proof that the program running on it is correct (something no computer voting system has in practice yet had, but let's be generous) can't say for sure the compiler wasn't backdoored, or if silicon trojans were inserted at the factory, or if the CIA asked Intel to make use of their management engine to compromise the machines of the people who implemented the voting algorithm, or if Microsoft or a state-sponsored hacker altered the votes of a significant number of people at time of voting, since they connect to the voting server using their laughably insecure personal computers.

You have made your democracy rely on a massive supply chain, where compromising any link would give an attacker at minimum massive influence on the outcome of your elections. And for what benefit? What is so valuable that is worth this massive risk? Saving one drive per voter, every 2-4 years?


> I find the online voting part convenient, but I'm afraid people will not trust it because they cannot understand it.

Forget about having a trustworthy system: regardless of mathematical proofs or observers or anything else you can come up with, many people will not trust the election system after last time. You need a system that helps take into account this lack of trust.

Regardless of the voting system, one potential big missing ingredient IMO is individual auditability, and I don't mean the ability by a state to perform a "recount" that could be just as flawed or rigged as the original count.

There should arguably be a private method using cryptography where citizens should be able to individually privately verify that their vote was registered, and to see that their votes counted towards their intended candidate. People should be able to do this instantly and repeatedly after any vote cast. If you have 84 people who say their vote was registered wrong after a state election, maybe you chalk it up to user error and somebody choosing the wrong field. But if you have tens of thousands of people for one party come out in a state after an election and sign some legal document that says that they checked and their vote wasn't registered or went to the wrong candidate, you'd at least know there's likely some big flaw somewhere in the system.

Of course, even this doesn't guarantee an accurate election because votes could always be manufactured out of thin air using fake people and that's where things like observers might help, but at least you can largely deal with the issue of votes being changed with an individual audit system.


I hope there will be a push back to paper ballots.

Electronic voting is eroding democracy, because it introduces intransparency via complexity.


>The traditional voting system for French citizen is a transparent box with paper voting ballots in an envelop. You can count the votes later in a group of random citizens, I did it twice personnally, and it's very easy to understand.

That sounds lovely, maybe keep doing it that way.

You shouldn't treat online voting as something inevitable with phrasing like "will online voting require" if you want to continue living in a democratic republic.

"Crypto" (as in cryptography) experts have repeatedly briefed you people on this multiple times in multiple languages.

Stop misunderstanding on purpose, lest folks just do whatever they want (IMHO.)

But I'm not French, so I have no horse in this race... you can do whatever you want OP.


It's a difficult problem because easy proof of who you truly voted for is not desirable (it makes it easier to use money or intimidation on individual voters.)

The old Schneier crypto bible had an interesting introduction to trying to create the right properties to prove things in aggregate without revealing individual votes. It is certainly very interesting but hard to set up in a way where anyone who develops the expertise can independently inspect the properties of an election.


> you cannot know that the candidate you selected is the candidate actually registered in your electronic vote

Does that mean your vote could be altered at time of voting if your computer is compromised? Would that make this voting system, and therefore country, completely defenseless against attackers able to compromise large numbers of computers, such as Microsoft, Apple, Intel[1], AMD[2], and nation states with strong cyber-warfare abilities?

[1] https://en.wikipedia.org/wiki/Intel_Management_Engine

[2] https://en.wikipedia.org/wiki/AMD_Platform_Security_Processo...


Refreshing to see the word crypto used in its original meaning of cryptography!


This also applies in a more general sense: will some aspects of formal verification (thus programmers) turn into tools of legislation and government oversight? In the other crypto field, cryptocurrencies, some have called for formal specifications to be one aspect that projects should include to become available in certain legislations. Although, the problem remains the same as with the OP: only a handful of people are able to review the proofs, which partly renders the usefulness of the proofs obsolete.


I think few understand the math behind these systems, and faulty implementations are indistinguishable from faulty ideas to the non-cryptographer. And ignoring the accidentally faulty case, there is a real chance that a malicious operator could steal an election. You might need more than a few PhDs to prove it.

Back to paper voting.


Traditional voting also relies on "trust"; in the sense that various parties involved have to follow the laws that guide them for things to work.

You could do online voting without cryptography simply by relying on a legal system that enforced secrecy and fairness by threat of legal consequence.


Right. But there are witnesses at each of the different steps, so it is really complicated to hack.


Also way less centralised. You might be able to “hack” a couple of groups counting votes to alter the result but not all at once.


History is full of voting being manipulated and changed. Sure, they didn't call it a hack, but ...

In my opinion the question of online voting should be rephrased something like:

Why don't our professional politicians want to set up an easy, safe and cheap way of direct voting that everyone could participate in?

And it would direct our discussion away from irrelevant technical details and onto the core issue of what kind of democracy is desirable.


We could use a secure end-to-end verifiable e-voting system using zero knowledge based blockchain: https://eprint.iacr.org/2018/466.pdf


I don't think that throwing a blockchain at this problem is helping, because the problem is the complexity and impossibility to understand for non-crypto experts.


Online voting is just handing the election over directly to hackers - not necessarily of the voting system, but the devices people are accessing it from.

