The authorities will use quantum cryptography—a way to transmit information that detects eavesdroppers and errors almost immediately—to ensure not only that votes are kept secret but also that they are all counted.
I first became aware of this project when a New Scientist reporter sent me a note about it and asked for my opinion. I assumed that it was a joke or that the reporter had heard wrong. After all, protecting electronic transmissions is the one problem I can think of in all of this that is not really hard. Here are some of the problems in electronic voting that are hard:
- Ensuring that the software on the voting machines is the correct software. The proposed solution of having a library of hash values of the correct binaries of voting machine software and checking the voting machines does not work. There is no way to perform the check of the hash of the code that is running in the machines. In fact, any attempt to check that hash value would provide an opportunity for an attacker to change the code then and there.
- Ensuring that the software on the voting machines is not malicious. Even if the "correct" code is running on the voting machine, there is no deterministic way to determine that the code was not designed with a back door in it that could affect the outcome of the election.
- Ensuring that no unknown bugs in the voting machines can affect the outcome. Even if the "correct" code is running on the voting machine and even if there is no intentional malicious code in the machine, there is no way to ensure that the code does not contain inadvertent bugs or unexpected failure modes that could disrupt an election or cause the wrong result to be computed.
Quantum cryptography is a novel and very interesting topic. There are potentially many applications that could benefit from this technology, and I have always been a big fan. But quantum cryptography does not address the problems in electronic voting that are actually difficult to solve. Transmitting the votes from the polls to the central tabulation center can be done with traditional cryptography. Authentication functions can provide tamper resistance and encryption can provide secrecy, assuming that secrecy is actually desirable here. I believe it is not, as every aspect of the process should be transparent, and I see no reason to keep the precinct results secret. Just the opposite is true - it is important for observers to see precinct-level results.
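As an added example (not code from the original post), this is the kind of traditional-cryptography protection the post says is sufficient for the transmission step: precinct tallies are sent in the clear, so observers can read them, with an HMAC tag so the tabulation center detects any change in transit. The key, precinct id and counts are constructed placeholders.

```python
"""Added example: authenticated but transparent precinct tallies.
Keys, precinct ids and counts below are constructed for the demo."""
import hmac
import hashlib
import json

# Assumption: each precinct shares a per-precinct key with the tabulation center.
PRECINCT_KEYS = {"precinct-17": b"constructed-demo-key-precinct-17"}


def canonical(msg: dict) -> bytes:
    # Deterministic encoding so sender and receiver compute the MAC over identical bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign_tally(precinct: str, tally: dict) -> dict:
    """Return the plaintext tally plus an HMAC-SHA256 tag.
    Nothing is encrypted: the precinct-level result stays visible to observers."""
    msg = {"precinct": precinct, "tally": tally}
    tag = hmac.new(PRECINCT_KEYS[precinct], canonical(msg), hashlib.sha256).hexdigest()
    return {"message": msg, "tag": tag}


def verify_tally(record: dict) -> bool:
    """At the tabulation center: recompute the tag and compare in constant time."""
    msg = record["message"]
    key = PRECINCT_KEYS.get(msg.get("precinct"))
    if key is None:
        return False  # unknown precinct, reject
    expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def demo() -> tuple:
    """Show that an intact record verifies and a modified one does not."""
    record = sign_tally("precinct-17", {"A": 120, "B": 98})
    intact_ok = verify_tally(record)
    # Constructed in-transit modification: change one count, keep the original tag.
    tampered = json.loads(json.dumps(record))
    tampered["message"]["tally"]["A"] = 220
    return intact_ok, verify_tally(tampered)


if __name__ == "__main__":
    print(demo())  # (True, False)
```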
I applaud the Swiss for pursuing innovation, but in this case, they are using the wrong tool to solve the wrong problem in an inappropriate way.