I built the Online Election Manager in my first year, as a part of the project track for the course ESC101A. The project was highly appreciated. Various people have starred the GitHub repo (some of whom I highly respect, some I don’t even know). Prof. Swaprava Nath mentioned in his comments that it was arguably the best project, and I was given a full score for the project.
But having a good project to showcase is one thing. Having it deployed and used in the real life in quite another. Today, my application was used, in the 1st Meeting of the Students’ Senate, 2020-21 for the elections for the student members for the various committees and councils of the Students’ Senate of IIT Kanpur.
Though (surprisingly) none of the voters questioned the reliability of the application, I believe a proof should be provided nonetheless. The process used during the elections has been detailed in the report, so I recommend you to read that first. The only thing that isn’t obvious in the report is the defense against the various tactics that the server admin can use to try to change the results of the elections. In this blog post, I’ll mention a few things that server admin can do, and explain why that won’t work. Most importantly, you may think that the server admin can run arbitrary code on the server, instead of the claimed code. Well true, but I’ll prove that it still maintains the anonymity of the ballots and the veracity of the results.
First, it is important to understand that I do not claim that the server admin cannot disrupt the elections. Obviously, they can just delete the database, and then we’ll not be able to calculate the results. But note that this is an issue in offline elections as well. Paper ballots? Well, someone responsible for transporting the ballots can just burn down all the ballots. EVMs? Someone responsible for transporting them can just destroy the EVMs. Obviously, if something like that happens in the real life, re-elections would be called. The key point, however, is that if something like this happens (destruction of ballots or EVMs), it must be brought to notice. I’ll prove below that the server admin cannot modify the database without being caught.
What happens if the server admin tries to modify/add/delete some votes?
This issue deals with the veracity of the results.
Since the server admin has complete control over the database, they can try to do this. Further, a vote is not tied to any voter, but to a ballot ID. So for our context here, modification is equivalent to deleting N real votes and then adding back N fake votes.
When a voter submits a vote, they are displayed the ballot IDs that were used for their votes. The voters can save these ballot IDs. When the results are published, the list of people who had voted is also published, along with all the ballot IDs and the corresponding choices (i.e. candidates).
The people who had voted can verify that they are on this list, and the non-voters can verify that they are not on this list. Also, the voters can verify that the ballot IDs they had been displayed after submitting their vote is on this list, and that the choices on this list match the choices they had submitted.
Now we have 3 situations:
- The server admin adds fake votes into the database
In this case, the number of ballot IDs for a post will be more than the number of voters who had voted.
- The server admin deletes some votes from the database
In this case, the number of ballot IDs for a post will be less than the number of voters who had voted.
- The server admin deletes N real votes and adds N fake votes In this case, the people whose votes were deleted will not be able to find their ballot IDs in the published list (since the server never gets to know the ballot IDs of an encrypted vote, the server admin cannot add fake votes using the same ballot IDs).
Thus, in all 3 cases, the discrepancies will help detect that the server admin has been involved in some fishy activites.
What happens if the server admin changes the code of the server or peeps into the database?
This issue deals with the anonymity of the votes.
Let us say that the server admin rewrites the application and we can assume that any data that is sent over to the server can be read and analysed by the admin. But the interesting part is that the server only serves as a communication medium, and no actual cryptography takes place on the server.
- The server admin can access the ballot IDs for all the voters
Yes, but the ballot IDs are encrypted using the passwords of all the users as the keys. The server never gets to know the plaintext password of any user (it only receives a hash for registration/login). Therefore, the server admin does not know the password of any voter, and hence they cannot decrypt the encrypted ballot IDs.
- The server admin can log all the votes and voters
Yes, and then they will be able to create a map between voters and the votes that they submitted. However, note that in the last step, the votes are encrypted with the public key of the CEO. The server admin does not know the private key of the CEO and hence they can not decrypt the votes on their own. So even if they are successful in mapping each voter to a vote, they will never be able to decrypt that vote.
The key point is that the frontend is responsible for all the encryption - the backend just stores and transfers it. So even if the server admin controls the backend, they can do nothing with the data.
So is this a zero trust system?
Not really. If the CEO and Server Admin collude and actively try to break the anonymity guarantee, they can. However, the CEO is a position of great responsibility, and in most cases it is okay to trust the CEO. I mean, after all, it is the job of the CEO to ensure that the elections are held in a fair manner. However, I believe there must exist some way so that we can fix this one issue. This is something that can be pursued as future work on this project.
For some reason, earlier I too used to think that I needed to prove the integrity of the code running on the server in order to prove that the elections have not been meddled with. And so I started to look up research papers on that topic. I couldn’t find any, and instead, I found this answer, which says that it is not possible. :( I find this a rather interesting problem, something that I’d definitely like to work on.