What five security goals must a secure electronic voting system meet?
Authentication, Confidentiality (anonymity), Integrity, Verifiability (Nachvollziehbarkeit), and Non-repeatability (Unwiederholbarkeit).
| Goal | What it requires |
|---|---|
| Authentication | Only authorised voters may vote (no impersonation, no ineligible voters) |
| Confidentiality / Anonymity | Nobody can see how a specific voter voted — not the election authority, not a network attacker, not a coercer |
| Integrity | Votes cannot be changed or deleted after being cast |
| Verifiability | Anyone can verify the result is correctly tallied, without violating ballot secrecy |
| Non-repeatability | Each authorised voter votes at most once |
The tension that makes e-voting hard: Confidentiality and Verifiability pull in opposite directions. If anyone can verify the tally, they shouldn't be able to link votes to voters. If voters are completely anonymous, how do you prevent stuffing the ballot box?
The answer is clever cryptography — specifically blind signatures (the voting authority signs your ballot without seeing its contents) or homomorphic encryption (sum encrypted votes to a tally without ever decrypting individuals).
Real-world status:
- Switzerland — Swiss Post's e-voting system was repeatedly suspended after security researchers (Lewis et al.) found protocol bugs. Currently in restricted pilot operation as of 2024.
- Estonia — running national online elections since 2005.
- US — most jurisdictions reject internet voting; in-person paper ballots with optical scan are the consensus secure option.
Tip: "Voting on a blockchain" is one of those things that sounds clever but typically gets all five properties wrong simultaneously — public ledgers break anonymity, smart contracts have bugs, and key management for billions of voters is unsolved. Academic e-voting protocols are far more sophisticated.