The QR code next to "You voted for: Alice" links to Tom Scott's e-voting video

Is that a little CGP Grey face on the VOTE-A-TRON?

Do I spot a mighty Nail and Gear there?

If I don't trust the machine to encrypt my vote and ask to see several decryptions first, can't it just always show me what I want to see? You need a separate method of verifying the encrypted vote (and invalidating it, should a vote with that cyphertext appear in the final results).

That vote-a-tron is definitely CGP grey

With homomorphic encryption, couldn't you know what someone (let's say Carole) voted for by taking ten votes including Carole's, do the tally to check how many have voted for Alice, then do the same with only the nine other voters, and that way you deduce if Carole voted for Alice or not?

But how can you verify that when the machine tells you your vote has been properly cast it hasn't been contrived to lie to you?

How would you know that the machine didn't change the key or algorithm when it is being tested? Like with the Volkswagen emissions

Totally thought that said homoerotic.

Great, and how do you confirm that the computer telling you what kind of ballot it is, isn't just regurgitating the value you selected, while your vote itself wouldn't truly decrypt into the opposite vote? You can't separate the machines so that the computer's only information about your vote is your key, because otherwise your receipt, plus an algorithm, is all that's needed to decode it. However, what I'd do, to avoid pretty much any scrutiny save someone deliberately looking at the source code and understanding the whole encryption process - which would be kept secret for safety reasons, is to simply double-encode everything. Instead of 2 possible choices, instead I design the system for 4 possible choices. In this way I can record 4 states in the encrypted reciept. Who they ACTUALLY voted for, and who they're going to be Counted for. So we have: Vote Alice, Count Alice - Candidate 00 Vote Alice, Count Bob, - Candidate 01 Vote Bob, Count Alice, - Candidate 11 Vote Bob, Count Bob - Candidate 10 If anyone requests their vote back in some super-secure way: If (Candidate == 00 || 01) return 'Alice'; If (Candidate == 01 || 10) return 'Bob'; And the part of the code that tallies: Alice.count = Candidate 00 + Candidate 11; Bob.count = Candidate 10 + Candidate 01 The decryption machine will know who it should SAY they voted for, and tell them accordingly. While the final tally will report the results of column 2 by comparing the summed results from state 1 and 3 against 2 and 4. It seems to me that adding this in would be incredibly trivial - the software is going to be modular for the number of candidates, so doubling the number of candidate states wouldn't be a problem. And the part of the Program that decrypts and the part that tallies likewise will need a very sparse modification to pull off the deceit.

*BOB 2016* MAKE NUMBERPHILE GREAT AGAIN

If I know who I voted for, what prevents me from multiplying my vote against anyone else's to then get a count of both of our's, thus revealing the other persons vote?

A CGP Grey voting machine (Vote-a-tron-6000)

Still nothing is better than a traditional paper vote. Count it in front of people after the voting is done, is what make people sure that the counting was not RIGGED

Grey approved this voting machine.

In practice it is harder to ensure correct tallying of votes. For example, the encrypted token could contain 2 bits of information: who you actually voted for and who the machine wants to tally the vote for. If the voter checks the correctness (thereby voiding the ballot), the machine reports the first bit, and when the voter submits the vote the machine tallies the second bit.

This would create a situation where a single person/department/group (whoever created the encryption code) would be able to find out how any person voted - there would be no trust that the voting was confidential!

How do you sell your vote after you've already voted?

about the multiplication thing: what if you multiply together all votes except for one, wouldn't you be able to then know what they voted?

Since there could be social pressure for or against abstaining, I would hope that there's also an encryption scheme for all the non-votes. So the online database would include all eligible voters (whether they went to the polls or not), and those who abstained would have encrypted receipts as well, impossible to differentiate from the others.

Could you do a longer video about how the encrypted vote would be counted through multiplication of the numbers? I'm really confused

So if all the votes are public, and you can check the results by yourself, can't you tell what each person's vote was by checking the full list, and then checking a list that doesn't contain that one person's vote?

2 Numberphile videos a day! You surely know how to satisfy your Numberphiles Brady.

The only problem I can think of is, what would stop someone from adding a bunch of fake receipts to the final tally?

Couldn't you simply tally all the votes but one by multiplying the ciphers and the one choice that's missing a vote when compared with all the votes tallied would be the one you didn't tally in the first place, thus revealing the encrypted vote value? For example, I tally everything and get 6 for Allie. Then I tally everything except for Jubal - if I get 6 for Allie again, he voted for Bob, and if I get 5 for Allie, he voted for Allie?

What key decrypts the summed ciphertext(votes)? Would like a more in-depth video on the homomorphic encryption part. When he briefly explains it sounds like you can figure out everyone's votes by simply summing pairs of votes.

Did i miss something or it's very easy to see who someone voted? You just need to do the sum over all the votes and then do it again without bob vote and i can see if bob voted 1 or 0

This was fascinating! I would love to see more videos with Ron!

But how does the voting machine decrypt that "test" vote? That implies that there is an algorithm for decrypting a single vote, which defeats the whole purpose.

This is an improvement on other electronic voting methods, but there's still a lot of ways to attack it. For instance: if you voted for candidate A, the machine could tell you that you voted for candidate A even though it's internal record has you voting for candidate B.

So you can verify that your vote was counted, but how do you verify it was counted correctly after the election is over and the results are published?

I see Ron Rivest at the RSA security conference every year. Cool to see him on Numberphile! I'd might actually start voting again if something like this ever gets implemented.

Re: claim at 1:06 that selfies allow vote selling, here are three ways that taking a selfie doesn't really enable vote selling: 1) You can take a picture of a blank ballot, and in something like MS Paint, you add marks that look like a pen to the oval, or to connect the arrow, or however a completed ballot looks in your jurisdiction. Then you post the altered image. 2) You can take a picture of a completed ballot, then make a stray mark on the ballot. Take your spoiled ballot back to an election judge and request a new one. Then you can fill out the new ballot however you want. 3) In jurisdictions with mail-in voting, you can fill out the ballot at home, take a picture of that ballot, then go vote in person instead of mailing in the home ballot.

Yay!!! Nobody said "first!" :0 Speaks very highly of the numberphile audience.

If you can multiply encrypted votes together to make a tally, can't you use that ability to tell who a questioned vote is for?

I'm curious about one thing: if the multiplication of encryptions is the encryption of the addition of the plaintexts, and the decryption of that multiplication is revealed to the public, wouldn't that mean that you can decrypt the individual votes as well? Since it seems difficult to me that the multiplication of the results of one code happen to coincide with the additions of the plaintexts in another code in every possible scenario. How is that dealt with?

you've moved the problem to the verification machine, as it can hold in memory your true selection and replay it back to you despite encoding the alternative.

well... if I can count them myself... then I can also count just one... and know if it's a 1 or 0 ... or not?

What if you take your vote out of the set, multiply them all together, and then decrypt? In this example, wouldn't the total decrease by one if the vote had been for Alice?

What about this case: After we have all the votes and "multiply and decrypt" them and say it is 16 for Alice. Then i remove my vote and do the same thing. Then the result can be for example 15 for Alice. That way everyone know that i have voted for Alice. How is this case dealt with?

You still cant trust the computer.. Lets say I vote for A, the PC makes it into B and when I double-check my ballot the PC tells me it's A because the computer remebered that it manipulated my ballot?

How do you tally when there's 16 candidates?

instead of getting a code for who you voted for you should get a code for you name or ID. Then all the votes should be listed publicly alongside the encrypted codes of the voters. This allows each person to verify their own vote and anyone can tally all the votes to verify the result and also this keeps each voter anonymous.

How does the voter know the machine isn't just faking decryption? Ie. machine always encrypts Alice, but remembers of which receipts should be for Alice and which for Bob. When you test your receipt, the machine doesn't actually decrypt it, just checks the table and spits out the expected answer so everything looks aboveboard. Also, fact that the receipts *can* be decrypted by the machines seems to pose a privacy threat. Whoever owns the machines can presumably decrypt any receipt. How is voter privacy maintained? Maybe I'm missing something or the video didn't have time to delve into these, but it is not obvious to me. Given modern recording tools selling votes is very hard to prevent, unless we start entering the voting booth nude. Since that is probably not going to fly, I would stick with plaintext receipts that are entered into regular urns for later verification by manual methods.

Eastereggs in the VOTE-A-TRON-6000. Love it

Nice CGP Grey reference on the Vote-a-tron-6000

Just give everyone a micro chipped counter that has a number pad on it ,in the booth you place it on top of the picture of the candidate you wish to select the number pad then flashed for a few seconds allowing you to check is correct you then take it out the booth and place it in the box if votes are all held on the same day and the counters are encrypted with the same encryption algorithm it makes it easier for counting , additionally chips would be harder to spoil .Further more you could make the number pad react to a camera flash making it hard to buy someone's ballot

I don't think you would want the machines to be able to decrypt the votes. I think a simpler method would be to show you the encrypted value you would get by each vote next to the name, if the person is dubious they can remember a distinct features of the vote they want from the others (possibly with the ability to have new encryptions generated using a different pad if they cannot find anything distinctive enough), they can then check their printed vote once it comes out. The only way this could be tampered with is if the machine can predict who you want to vote for before you do in order to swap the displayed values, but in the example given in the video, the machine could just lie about the decryption (assuming that the machine has been tampered with). Obviously, there are other considerations: in particular about the padding that is used to avoid the same vote being encrypted with a different pad for each making them look different. I am sure a cryptographer doing this as a living can work out a reasonable way of achieving a unique pad that must be the same for all of them as its only valid for the session. Removing the ability to re-encrypt is also an option.

Love the Hello Internet logo on the ballot machine

Cool, CGP Grey and the Nail and Gear of the Hello Internet podcast both appear on the voting machine. Is "Vote-A-Tron-6000" a nod to "Fit-A-Tron-5000" from Hello Internet?

How would this system handle write-in votes? It seems to me that you'd need each candidate to have an encryption key issued in advance for it to work. Even if the system issued encryption keys to new write-in candidates on the fly, you'd have no way as a voter to know that your vote for Alice counted together with someone else's vote for Alice Smith, and another person's vote for Alice Smith/John Brown (a running-mate) etc.

The only trouble with this system is that it doesn't grant you provable anonymity: anyone in charge of the voting machine can potentially decrypt every vote and check who voted what. And that's a massive no-no. With paper ballots anonymity is granted by the assumption that the papers are identical and that once cast, they mix around in the box, making it impossible to trace back any single vote to any single voter. While at the same time the physical arrangement of the polling station, and voter identification before you enter the booth guarantees that you can list the name of every person who voted. These seemingly conflicting requirements make it incredibly tricky to make an electronic voting system that can be trusted to the same level as the paper ballot. (Which of course itself is far from perfect.)

Thank you for such a simple explanation 😁😁

But if you need the decryption key to verify the product as well, you still have no way of knowing whoever done the tallying wasn't making the results up.... So you still have to trust the system with no proof.

x² = (x-n)(x+n)+n² just thought i'd let this formula down to help you calculate square numbers ex. 49² = 50x48+1 = 2401 ex. 55² = 50x60+25 = 3025

What did I miss here: - You have access to all encrypted votes so you can do the homomorphic sum yourself and see the sum of votes - You get your own encrypted vote Can you then not - take the sum of N votes and do the tally, then take that N votes plus your vote and do the tally and compare, and thus check if yours is voting for the right candidate? - in fact, do this with every vote that you have in encrypted form and check what it voted for? I don't quite know how that encryption would work, but I imainge one for each candidate might be enough to check another encrypted vote by the difference of the sum. How is this prevented? I mean, it should be,shouldn't it?

I think the current hybrid system of a computer that prints a piece of paper that you have to put in a box is better. - The voter can very easily verify if his vote is registered correctly because it's written on the piece of paper - It's anonymous because no name is registered by the computer, nor on the paper - Votes can't be sold because you have to deposit the piece of paper The only downside is that there need to be random checks to see if the computer votes match the paper votes.

I like the nail and gear on the ballot machine!!

Now this is an excelent idea. Is it feasible? Think it would be great if countries that currently use e-voting would switch to something like this.

I'd like to see an explanation of whether (and how) this sort of scheme could be applied to Condorcet voting systems.

I think you need to preface the video with the computerphile video on public keys. I see a lot of comments around the safety of public key encryption systems which are already explained in the video with R. Miles.

The timing of this video is fitting.

G point on elliptic curve x=0,1 vote for one of two candidates r true randon number at least 200 bits output = (x + r)*G X sum of x (result of election), R sum of r X*G is calculated as (X+R)*G - R*G X is found comparing X*G with G, 2G, 3G, ... N*G, N number of votes Server publishes R, and R*G (only possible if R is calculated correct) From R'*G the value of R' cannot be calculated, so the server cannot publish a wrong value of (R'*G) and R' corresponding to a false value of X.

This is fantastic. I've recently become interested in secure Governance.

#AliceForPrison2016

we have a bit more to tackle before we do wonderful things like this

Numberphile and E2E verifiable voting? I'm in heaven!

Can we please talk about the Condorcet criterion? I think showing the mathematics of voting and alternative voting methods would be a great subject for Numberphile. I know CGP Grey has some great videos on voting systems, but he doesn't go into the math in the way that Numberphile might.

I love the sound effects.

I like how the QR Code takes you to the numberphile website!

1:19 but you could take the picture then change it and sell your ballot to all the candidates and vote for who you like, they cant verify that was the actual ballot submitted

Oh snap, that's Ron Rivest!

Comparing a computer that can have code that handles certain scenarios is completely different from a matchbox where the match cannot change once it has left the warehouse. I don't see it being outside the realm of possibilities that a machine could 'know' that the cypher decrypts to Alice and this is what it spits out when checked, but when multiplied with other votes, comes out as a vote for Bob.

Anyone else notice that Grey is the vote-o-tron?

Interesting idea, but that system would be giving out a massive list of plaintexts and ciphertexts to potentially everyone. How do you prevent the encryption key being worked out by fraudsters?

See the second video with Ron Rivest about how to check an election result: kzbin.info/www/bejne/kH6QmmuqadWAgZI

If you can multiply two ciphers together to add the votes together, you could check each of a set of votes by multiplying them together in various combinations.

But i don`t want to vote for Alice nor for Bob! I want to vote for Ed.

How do you manage a valid public decryption of the total tally without giving away how a given single vote can be decrypted?

I think public verifiability is more important than preventing vote buying. I think that the voting receipt hash should also hash with something like one's SSN, such that you could decrypt your individual receipt with your SSN, essentially using the voting receipt as a public key, and the SSN as a private key. That way all of the voting receipts can be published, and everyone could verify that their vote was cast the way the wanted it to be cast. Once everyone has verified their vote, all of the votes are published, but with a new hash attached to them - at this point, it becomes anonymous, except for area demographics.. So every vote is now made completely public to see, except that you can't see who made that vote. The new hash can also be verified with the SSN,, so that you can look up the anonymous hashes for your voting precinct, and find your hash to verify that it says what it should say. Then, once the anonymous vote is verified, the anonymous, publicly available votes are tallied together and the winners are announced.

Very cool :-) We've done some work with an FHE implementation in my work (cloud security, cybersecurity). This is a fun intro to what quickly gets to be a nasty subject.

Great idea but I don't think it would gain much support as I suspect many people would find it too complex.

I especially like that this system has no need for a unique ID being issued to voters which they then have to keep secret. Of course, we would have to start a new country for such a system to be adopted. We've known that First Past the Post voting is fundamentally flawed for ages, but we can't change it because those who benefit the most from it are the ones who would have to be responsible for dismantling it.

I see Nail and Gear

Now lets have a debate with the "Electronic voting is a bad idea" video from computerphile!

Isn’t anybody going to mention that at 19:00, the Vote-a-tron 6000 has the image of CGP Grey?

I see some comments on here questioning the validity of the approach. I don't want to insult people, but if a guy like Ron Rivest and others in the encryption community says something is secure, then it's secure. Having said that, the meaning of "secure" usually is shorthand for "reasonably secure". Encryption can often be theoretically broken with hardware from the future. For example, it might be possible to find out who Alice voted for 40 years from now. Is that important? Well, certainly not as important as ensuring an trustworthy vote in the present.

Can you please make a second RSA video? Dr. Grimes begins the explanation, but doesn't really explain the whole equation, or explain why the 3 was chosen.

The problem is that the user interface can be programed to display any kind of behavior you want.

I have got a question for you guys. Why (1*1)+(1*4)=5 and (1*2) +(1*3) =5. If you keep going you will get the same answer for other numbers. Let's take (1*4) + (1*7) = 11 and (1*5)+(1*6)= 11. It works for all numbers. Could you please explain what does it work this way?

The only problem I see is the decryption of the tally. Sure, you can check that all the encryptions add up correctly, but Since you don't have the algorythm for the decryption in the end you have to trust that the sum of all encryptions decrypts to what officials say.

desde la Rep. Dominicana. increible, att. bohane rosario

Very timely video, good job.

What is the derivative of the absolute value of X to the power of X?

Wait a minute. If I know my vote and its encryption could I not build the sum of every pair of myvote-anothervote and determine the value of the other vote from it? That would decode everyones vote once one is known. What am I getting wrong?

The "multiply and decrypt" method would not be possible in hiding votes.....because a system would have to be created to allow any number of votes to be made, making it a variable constraint. This means that if only one person votes, then you should be able to reliably come up with how many votes toward a candidate....which reveals that person's vote, and if you can reliably do this with each individual along with the total mass of population, then you have revealed EVERYONE's vote. There may be a possibility to put votes within "blocks" where each block is considered separately and only if the entire block is filled will the tally work....however, with encryption techniques, this creates a flaw in the system where an individual can decipher the block because you've had to add information to determine the block itself. It's similar to having a one-time pad key, only to use it on multiple messages, defeating the purpose.

Interesting but could this work with rank choice voting?

I'm a little confused about the "testing your vote" method. If we don't trust the computer or its programming, how do we trust the "check" button operates exactly the same as the "submit" button? The check button might always give you what you punched in, while submit sends in something else. There must be if-then logic to eradicate the check result and that if-then logic could be manipulated to change the submission upon "submit" but not "check".

What prevents someone from doing the multiply and decrypt thing to your vote and just one other? If you know who you voted for you can easily deduce what the other person voted for, which defeats the whole purpose of this system.

Dude, he got Ron Rivest on here lol, that's like a celebrity man lol