A Survey of Current Secret-Ballot Systems
David Chaum
WOTE
Outline
ANALYSIS
- Models, Taxonomy of Tools, Key Technologies, Paradigms, Composition, etc.
SYSTEMS
- Mainstream US deployed (with comparison)
- New/proposed systems (partial, sketch)
SUBORDINATE ASPECTS
- Interfaces, Privacy v. Integrity, Aggregation, Ballot Styles, Write-in, Standardization, etc.
Issues Considered
- Secrecy (focused on)
- Integrity (focused on)
- Robustness [omitted]
- Effectiveness (touched on)
- Non-restrictiveness (subordinate)
ANALYSIS
System Secrecy Model
Integrity & Secrecy Mechanisms (diagram; labels recovered in reading order)
- Public proof of information
- Voter-proveable (before & during)
- Voter-proveable (after)
- Publicly On TV
- Physical shuffle of documents
- Multiparty computation (info or computational)
- Auditability (before & routine)
- Simple Open Source Device
- Public-Expert + Open-Group Verifiable
- Trusted devices (distributed)
- Unproveable Voter- (before & during)
- Monitoring
- Open Group (before/during) Verifiable
- Trusted devices (centralized)
- Closed Group Verifiable
- Unproveable Voter- (after)
- Voter Verifiable
- Auditability (exceptional)
- Open Group (after maybe) Verifiable
- Privacy Capable
Audit as a Tool
- Only for integrity; limited use for privacy/secrecy [as shown in diagram]
- If after the fact:
  - harder to prove anything
  - usually subject to manipulation/change
  - could be disrupted
  - often not invoked (even when useful)
- If it reveals secret information, inappropriate!!!
Two kinds of unlinkability
- Voter to Vote Capture ("fools privacy")
  - Often easily achieved
  - Not generally adequate
- Vote Capture to Ballot Image ("true unlinkability")
  - A few known ways to achieve
  - Generally sufficient
System Secrecy Model
Unlinkability Technology
Voting Technology Paradigms
- Object into container
- Mechanical machine
- Electronic machines (so called "DRE")
- Electronic counting of objects (hybrid)
- Computers voting as agents [omitted]
- Electronic printing (& counting) (hybrids) [covered later]
- Code voting [omitted]
Object into Container
- Bring your own or it is given you
- Modify it or submit it as is
- One object per ballot or combinations
Mechanical Machine
- Verification of Secrecy and Integrity pretty straightforward!
- It's a beautiful thing
Electronic Machines
- Tamper-resistant box everyone must trust, except for:
  - Logic and Accuracy tests (no joke!)
  - Audit data stored and output
    - Does not address secrecy [mentioned]
    - Save all but order of votes
    - Generates readable record (e.g. tape)
    - Electronic memory
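The "fools privacy" point from the unlinkability slide and the "save all but order of votes" point above, worked through as an added example (Python, not from the talk): a DRE that stores no voter identity but keeps ballot images in cast order can still be linked to the poll book by position, whereas a store whose record depends only on the multiset of images carries no order. The poll book, ballot images and function names are constructed for this example.

```python
import itertools
import json
from collections import Counter

# Constructed sample data (not from the talk): the poll book lists check-ins
# in order; the DRE records each ballot image at the moment it is cast.
POLL_BOOK = ["voter-1", "voter-2", "voter-3", "voter-4"]
CAST_ORDER = [
    {"mayor": "Alice", "measure_1": "yes"},
    {"mayor": "Bob", "measure_1": "no"},
    {"mayor": "Alice", "measure_1": "no"},
    {"mayor": "Bob", "measure_1": "yes"},
]


def link_by_position(poll_book, stored_images):
    """What an auditor holding both records can do when the DRE keeps cast
    order: the i-th check-in is paired with the i-th image, rebuilding the
    voter-to-ballot-image link although no voter ID was ever stored."""
    return dict(zip(poll_book, stored_images))


def canonical(image):
    """Stable text form of one ballot image, used only as a sort key."""
    return json.dumps(image, sort_keys=True)


def store_all_but_order(images):
    """Keep every ballot image, but in canonical order, so the stored record
    is a function of the multiset of images alone and not of cast order."""
    return sorted((dict(img) for img in images), key=canonical)


def tally(images):
    """Per-contest counts; the same for the ordered and order-free records."""
    counts = {}
    for img in images:
        for contest, choice in img.items():
            counts.setdefault(contest, Counter())[choice] += 1
    return {contest: dict(c) for contest, c in counts.items()}


def order_independent(store_fn, images):
    """Privacy check for a storage routine: the record it produces must be
    identical for every possible cast order of the same images."""
    reference = store_fn(list(images))
    return all(store_fn(list(p)) == reference
               for p in itertools.permutations(images))
```

Storing images with plain `list` (cast order preserved) fails `order_independent`; `store_all_but_order` passes it while yielding the same tally.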
Electronic Counting of Objects
- Types of objects
  - Punch Card
  - Optical Scan
- Precinct v. Central counting
  - Overvote rejection at precinct
  - Smaller investment for central
Hybrid Composition
- Parallel (e.g., object and electronic machine)
  - Secrecy vulnerabilities compounded
    - Sufficient to break easiest
    - May be even easier in combination
  - Integrity improved
    - If both required, must defeat both
    - If one is audit, then only audit advantage
- Serial (e.g., in aggregation hierarchy)
  - Both integrity vulnerabilities
  - Both privacy vulnerabilities
VOTING SYSTEMS IN PRACTICE TODAY
Hierarchical Flows (general)
- Configuration/ballot flow downward
- At poll closing flow upward
  - Tally
    - Burst modem
    - Media taken to collection point
    - Phoned-in by poll worker
  - Ballots for central counting
  - Logs and ballots for potential audit
Aggregation Hierarchy Integrity
Comparison of Dominant US Schemes (the slide marks each cell with a 0-4 rating, given here as n/4)

System | Unlinking Technology | Integrity Technology | Capture of Voter Intent | Tally Speed | Cost (Tally & Investment)
Paper ballot | Ballot Box (3/4) | Multiple Poll Workers (3/4) | Good (2/4) | Slow (0/4) | High Operation; Low Investment (1/4)
Mechanical Voting Machines | Mechanical Counter (2/4) | Multiple Poll Workers (3/4) | Good (2/4) | Instant per booth (2/4) | Both Very High (0/4)
Punch Card | Ballot Box (3/4) | Central Electronic Counter (1/4) | Not so Good (0/4) | Slow but Automated (1/4) | Both Very Low (4/4)
Optical Scan | Electronic Counter (1/4) | Black Box; Paper Audit (2/4) | Not so Good; but no Overvote (1/4) | Instant per Precinct (3/4) | Both Medium (2/4)
Direct Recording Electronic | Electronic Counter (1/4) | Black Box (1/4) | Good and with feedback (4/4) | Instant per Booth (3/4) | Low Operation; High Investment (1/4)
Machine-Printed/Read Ballot Systems (hybrid)
- WebTools & VCB: Vote sent in electronically by machine; voter puts audit ballot in box
- Rebecca Mercuri: Voter can see but not touch; certified votes read from ballots, machine output preliminary only
- Ernie Hawkins: Voter can see but not touch, audit goes into box
- Belgian National: Ballot scanned on way into box; voter can check on multiple machines
Schemes to be Presented Separately in this Session
- Touchscreen DRE
- Full-face DRE
- VoteHere
- TrueVote
- Karin's system
SUBORDINATE ASPECTS
Communication Between Voter and Machine
- Authentication of voter to machine
  - Emphasized today, but not enough
- Assurance of accuracy of vote message
- Authentication of machine to voter
- Confirmation of receipt of vote message
Integrity v. Untraceability
- Priority differs by jurisdiction
  - England & Arkansas, e.g., give priority to Integrity
- Traceability-enabled options
  - Permissive enfranchisement: provisional voting and/or contested ballots
  - Surgical implementation of court rulings on eligibility
- Forward Untraceability
  - Cannot go back once data destroyed
Tally Information [Already Touched On]
- Abstain vote allowed in some countries (would help understand "residual votes")
- Straight-party voting (sometimes with "crossover") may or may not be distinguished
- Pinkas et al proposed techniques that hide counts and only reveal the winner
Ballot-Image Visibility
- DRE audit reveals ballot images
- Non-geographic and early-voting secrecy compromised
- Are ballot images known to auditors (and/or elected officials) and not made public?
Multiple Ballot Styles
- Mechanical Machine, Full-Face DRE & Punch Card: Few ballot styles per precinct
- Ballot on Paper: Medium number of styles per precinct
- DRE and Electronic-Printing using screens: Potentially large number of styles
Aggregation Unlinkability
- Non-geographic voting requires it
  - Early voting and vote anywhere
- Ballot on paper with central count
  - Full unlinkable precinct aggregation
- Mechanical, DRE or Machine printing (with machine audit)
  - Linkable at least to precinct
Ballot-style Security [Partly Covered earlier]
- Layout unbiased
- Rotations correct
- Swaps
- Disruption
Write-In
- Rules differ, e.g.:
  - Only from approved list
  - Not allowed
  - Count only if could decide election
- Object in box, best with envelopes
- Sorting at scanning box
- Mechanical machines and some DRE use a paper ribbon
- Some DRE allow Type-In
Vote Selling and Influencing [already discussed]
- For attendance voting hard, but done
  - Technical: pass-back, copying, etc.
- For remote voting easy
  - Countermeasure: re-vote priority
- Stopping certain people from voting
  - Can be harder for remote
Standardization & Certification
- County decisions need the best input they can get to guide choice
- Voting systems standards in US
  - Called optional but mandatory
  - Called performance but design
Conclusion
Tamper-resistant boxes requiring universal trust and audit are the primary means of securing elections in this country today. The opportunity for and potential significance of new approaches to security, confidence, and enfranchisement are huge.