Well-established forms of voting, such as direct democracy, rely upon the principle of "one voter - one vote". The voter is entrusted to make an informed decision by choosing a candidate or a voting option that she wants to support in the election, and to vote via casting her ballot directly during the election. As an alternative to such direct voting, the concept of proxy voting has been introduced. Proxy voting is a voting form where voters can delegate their right to vote to a trusted third party. The process of transferring the right to vote is called delegation. The voter receiving the right to vote is called delegate. The reason for delegation could be that voters do not consider themselves informed enough or might not be present at the time of the election. Hence, proxy voting might be especially useful for frequent elections, where voter fatigue due to the need to inform oneself on every issue that is being voted on could prevent the voters from participating in the election.
Providing the possibility of conducting Internet voting elections based on proxy voting can make the voting process even more efficient, reducing the burden for the voter. Developing solutions for Internet-based proxy voting furthermore requires considering the security requirements of both direct voting (e.g. vote integrity, ensuring that the cast votes are correctly included in the tally result) and also the requirements specific to the proxy voting (e.g. delegation integrity, ensuring that the proxy can cast a vote on someone’s behalf only when explicitly authorised by the voter).
After researching the security requirements that are specifically relevant for proxy voting (in addition to the requirements for direct votes as described here), following requirements emerged:
- Delegation eligibility: The proxy should only be able to cast delegated ballots on behalf of eligible voters.
- Delegation integrity: A proxy should only be able to cast a delegated ballot on behalf of the voter, if this voter has authorized the proxy to do so. Furthermore, if the voter delegates, the proxy cannot alter the priority assigned to her.
- Vote integrity for proxies: The valid votes cast by proxies are correctly included in the final tally.
- Delegation privacy: The voting system should not provide any information to establish a link between the delegating voter and the voter's chosen proxy. Furthermore, the proxy herself should not be able to tell which voter has delegated to her.
- Delegation power privacy: The voting system should not provide any information about the delegating power of a proxy, i.e. the number of eligible voters who delegated to this proxy.
- Vote privacy for proxies: The voting system should not provide any information to establish a link between the honest proxy and her vote, aside from what is available from the election result.
The research group has proposed several cryptographic schemes for secure proxy voting by extending existing schemes for electronic voting to enable to proxy voting scenario. All of the proposed schemes aim to ensure the requirements outlined above. However, the resulting schemes differ in their security model, e.g. relying on different assumptions for the adversarial capabilities or ensuring additional requirements not mentioned above. This makes it possible to select an appropriate solution for a particular election setting.
Currently, following schemes have been proposed:
- An extension of the well-known Helios voting scheme towards proxy voting. The scheme relies on the security of Helios, preserving the security requirements for the voters who cast a direct vote, and ensuring such requirements for the voters who delegate their votes as delegation privacy (e.g. keeping it a secret, which voter delegated to which proxy) and delegation integrity. The scheme introduces the so-called delegation credentials, that the voters use to construct delegation tokens sent to their chosen proxy, thus authorising the proxy to cast a vote on voter’s behalf. More information about the scheme can be found here.
- An extension of a modified Helios scheme with privacy improvements (see here). As such, in addition to ensuring the security requirements of Helios, the extension ensures the requirements of participation privacy and receipt-freeness. Participation privacy means, that the information, whether a given voter has cast a direct ballot, delegated her vote or abstained from the election, remains secret. Receipt-freeness furthermore prevents the voters from creating receipts that prove that the voter has voted for a particular candidate or delegated to a particular proxy, thus preventing vote buying. Same as in previous extension, the scheme relies on delegation credentials and delegation tokens for enabling the delegation. It furthermore uses the concept of dummy ballots, cast by the voting system in order to obfuscate the presence of both direct and delegated ballots. More information about the scheme can be found here.
- An extension of the JCJ/Civitas scheme. This extension ensures an even higher level of protection against voter coercion and vote buying, protecting not just against a remote coercer, but against over the shoulder coercion as well. The scheme relies on the existence of delegation credentials distributed to the voters. These delegations are used by the voters to delegate to their chosen proxy. In case the voter is coerced to delegate to the adversary, the voter has the possibility of using a fake delegation credential instead without the adversary noticing, so that the vote subsequently cast by the adversary will not be included in the tally. More information about the scheme can be found here.
- An extension of the boardroom voting scheme (see here). The extension enables proxy voting in a decentralised manner, relying on secret sharing of the delegation credentials. In addition to the security requirements listed above, the scheme ensures a variant of receipt-freeness, making it impossible for the voter to prove that she delegated to a specific proxy. More information about the scheme can be found here.
Introducing Proxy Voting to Helios: Kulyk, O.; Marky, K.; Neumann, S.; Volkamer, M. 2016. Availability, reliability, and security in information systems: IFIP WG 8.4, 8.9, TC 5 International Cross-Domain conference, CD-ARES 2016, and Workshop on Privacy Aware Machine Learning for Health Data Science, PAML 2016, Salzburg, Austria, August 31 - September 2, 2016, 98 - 106, IEEE, Piscataway, NJ. doi:10.1109/ARES.2016.38
A Proxy Voting Scheme Ensuring Participation Privacy and Receipt-Freeness: Kulyk, O.; Volkamer, M. 2019. 52. Hawaii International Conference on System Sciences (HICSS-52), Grand Wailea, Maui, Hawaii, 8 - 11 Januar 2019
Coercion-resistant Proxy Voting: Kulyk, O.; Neumann, S.; Marky, K.; Budurushi, J.; Volkamer, M. 2016. ICT Systems Security and Privacy Protection : 31st IFIP TC 11 International Conference, SEC 2016, Ghent, Belgium, May 30 - June 1, 2016, proceedings. Ed. by Jaap-Henk Hoepman, Stefan Katzenbeisser, 3-16, Springer, Cham
Enabling Vote Delegation for Boardroom Voting: Kulyk, O.; Neumann, S.; Marky, K.; Volkamer, M. 2017. International Conference on Financial Cryptography and Data Security (FC), Sliema, Malta, 7. April 2017, 419-433, Springer, Cham