Privacy Violations

Historically, ensuring both authenticated and private votes has been very hard. SIV was specifically designed to solve this problem, ensuring voters' right to a free and fair election.

SIV offers strong Multi-Party Encryption and Verifiable Cryptographic Shuffles to ensure that no one, including election administrators and SIV infrastructure, can see how anyone else votes. This is a significant improvement over traditional voting systems that may rely on implicit trust and have limited privacy measures in place.

At a high level, SIV ensures vote privacy by:

a. Using strong encryption to seal each vote before it is submitted.

b. Having multiple independent parties ("Privacy Protectors") shuffle the encrypted votes many times for strong anonymization. This design creates multiple fail-safes. Even if some Privacy Protectors' devices are compromised, vote privacy can still be protected. Privacy Protectors do not need to trust each other and, thanks to strong cryptographic proofs, cannot tamper with votes.

c. Only after the votes have been thoroughly anonymized do the Privacy Protectors work together to unlock the encryption and verifiably tally the final results.
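
The three steps above, sketched as an added example (not SIV's own code). It assumes ElGamal with the decryption key split across the Privacy Protectors, uses a toy-sized group, and all function names are hypothetical. The proofs that make each shuffle verifiable are omitted.

```python
import secrets

# Toy group (assumption, far too small for real use): p = 2q + 1, g has order q.
P, Q, G = 1019, 509, 4

def keygen():
    """One Privacy Protector's key share: (secret x, public g^x)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def joint_public_key(pub_shares):
    """Election key is the product of all public shares; nobody holds its secret."""
    h = 1
    for y in pub_shares:
        h = h * y % P
    return h

def encrypt(h, m):
    """ElGamal-encrypt group element m (runs on the voter's device)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(h, r, P) % P

def shuffle(h, board):
    """One protector's pass: re-randomize every ciphertext, then permute."""
    out = []
    for c1, c2 in board:
        s = secrets.randbelow(Q - 1) + 1
        out.append((c1 * pow(G, s, P) % P, c2 * pow(h, s, P) % P))
    secrets.SystemRandom().shuffle(out)
    return out

def joint_decrypt(secret_shares, ciphertext):
    """Every protector removes its own factor c1^x; all shares are needed."""
    c1, c2 = ciphertext
    for x in secret_shares:
        c2 = c2 * pow(c1, Q - x, P) % P  # c1^(-x): c1 lies in the order-q subgroup
    return c2

def run_election(votes, n_protectors=3):
    """Encrypt, shuffle once per protector, then jointly decrypt and tally."""
    keys = [keygen() for _ in range(n_protectors)]
    h = joint_public_key([pub for _, pub in keys])
    options = sorted(set(votes))
    encode = {name: pow(G, i + 1, P) for i, name in enumerate(options)}
    decode = {elem: name for name, elem in encode.items()}
    board = [encrypt(h, encode[v]) for v in votes]
    for _ in keys:
        board = shuffle(h, board)
    return sorted(decode[joint_decrypt([x for x, _ in keys], c)] for c in board)
```

Because every pass re-randomizes as well as reorders, the ciphertexts leaving a shuffle cannot be matched to those entering it, so a single honest Privacy Protector is enough to break the link between voter and vote.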

The technical details are available under Technical Specifications. SIV allows for vote privacy to be verified mathematically: all encryption takes place on the voter's own device. For even stronger confidence that no plaintext information can leak out, all the encryption work (Step 2 of the SIV Protocol) can be performed on an air-gapped device.

A simple version of this can be achieved with an Incognito window: open the Incognito window and turn off the device's internet, prepare the encrypted ciphertexts, copy them out of the Incognito window, close the Incognito window to destroy any private material, and then turn the internet back on before submitting. This protects against the SIV voter software exfiltrating private data, but note that it does not protect against threats from the device itself (e.g. malware).

Improvements Over Current System

The cryptographic privacy offered by SIV is an improvement over the implicit trust required in paper elections, where, for example, a single postal worker could surveil and potentially dispose of votes they dislike. Even ballots given out in person often have unique voter-linked tracking numbers, and voters have little ability to verify for themselves how strongly their privacy is being protected.

Paper elections do have potential mitigation strategies, such as including independent election observers. But at scale, this requires a huge amount of time from many people. SIV offers even higher assurances of privacy and accuracy, at orders of magnitude lower cost.

Further Reading

  1. Technical Specifications
  2. SIV Privacy
  3. Privacy Protectors