A Survey of Current Secret-Ballot Systems
David Chaum
WOTE

Outline
- ANALYSIS
  - Models, Taxonomy of Tools, Key Technologies, Paradigms, Composition, etc.
- SYSTEMS
  - Mainstream US deployed (with comparison)
  - New/proposed systems (partial, sketch)
- SUBORDINATE ASPECTS
  - Interfaces, Privacy v. Integrity, Aggregation, Ballot Styles, Write-in, Standardization, etc.

Issues Considered
- Secrecy (focused on)
- Integrity (focused on)
- Robustness [omitted]
- Effectiveness (touched on)
- Non-restrictiveness (subordinate)

ANALYSIS

System Secrecy Model: Integrity & Secrecy Mechanisms
[Diagram: labels of the integrity and secrecy mechanisms taxonomy]
- Public proof of information
- Multiparty computation (info or computational)
- Voter-proveable (before & during)
- Auditability (before & routine)
- Unproveable Voter- (before & during)
- Unproveable Voter- (after)
- Monitoring
- Trusted devices (centralized)
- Voter-proveable (after)
- Physical shuffle of documents
- Trusted devices (distributed)
- Voter Verifiable
- Closed Group Verifiable
- Publicly On TV
- Privacy Capable
- Open Group (before/during) Verifiable
- Public-Expert + Open-Group Verifiable
- Simple Open Source Device
- Auditability (exceptional)
- Open Group (after maybe) Verifiable

Audit as a Tool
- Only for integrity; limited use for privacy/secrecy [as shown in diagram]
- If after the fact:
  - harder to prove anything
  - usually subject to manipulation/change
  - could be disrupted
  - often not invoked (even when useful)
- If it reveals secret information, inappropriate!!!

Two kinds of unlinkability
- Voter to Vote Capture (fools privacy)
  - Often easily achieved
  - Not generally adequate
- Vote Capture to Ballot Image (true unlinkability)
  - A few known ways to achieve
  - Generally sufficient

System Secrecy Model: Unlinkability Technology [diagram only]
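An added illustration of the two kinds of unlinkability (example code written for this page, not part of Chaum's slides): the vote captures carry no voter name, yet ballot images published in capture order still let anyone who observed the sign-in order recover every vote, and only a secret permutation of the images (a physical shuffle, for instance) reduces that observer to chance. The poll-book, captures and permutation are constructed sample data.

```python
"""Models the two kinds of unlinkability (added example; constructed data)."""
from itertools import permutations
from math import factorial

# Constructed sign-in order at the booth and the machine's capture order.
# Captures hold the choice only: voter-to-capture linkage is already broken.
POLL_BOOK = ["alice", "bob", "carol", "dave", "erin"]
CAPTURES = ["yes", "yes", "no", "yes", "no"]


def publish_images(captures, permutation=None):
    """Ballot images as released for audit or tally.
    permutation=None keeps capture order (capture-to-image still linkable);
    a secret permutation models a physical shuffle or mix."""
    if permutation is None:
        return list(captures)
    return [captures[i] for i in permutation]


def votes_recovered(poll_book, captures, images):
    """How many voters' true choices an observer gets right by pairing
    sign-in order with image order (the 'fools privacy' situation)."""
    truth = dict(zip(poll_book, captures))
    guess = dict(zip(poll_book, images))
    return sum(1 for v in poll_book if guess[v] == truth[v])


def expected_recovered_after_shuffle(poll_book, captures):
    """Average over every secret permutation: the chance level an observer
    is reduced to once capture-to-image linkage is truly broken.  The
    tally itself (3 yes, 2 no here) stays public, so this is not zero."""
    n = len(captures)
    total = sum(votes_recovered(poll_book, captures, publish_images(captures, p))
                for p in permutations(range(n)))
    return total / factorial(n)


if __name__ == "__main__":
    ordered = publish_images(CAPTURES)
    print("images in capture order: votes recovered =",
          votes_recovered(POLL_BOOK, CAPTURES, ordered), "of", len(POLL_BOOK))
    print("after a secret shuffle, expected recovered =",
          expected_recovered_after_shuffle(POLL_BOOK, CAPTURES))
```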
Voting Technology Paradigms
- Object into container
- Mechanical machine
- Electronic machines (so called DRE)
- Electronic counting of objects (hybrid)
- Computers voting as agents [omitted]
- Electronic printing (& counting) (hybrids) [covered later]
- Code voting [omitted]

Object into Container
- Bring your own or it is given you
- Modify it or submit it as is
- One object per ballot or combinations

Mechanical Machine
- Verification of Secrecy and Integrity pretty straightforward!
- It's a beautiful thing

Electronic Machines
- Tamper-resistant box everyone must trust, except for:
  - Logic and Accuracy tests (no joke!)
  - Audit data stored and output
- Does not address secrecy [mentioned]
- Save all but order of votes
- Generates readable record (e.g. tape)
- Electronic memory

Electronic Counting of Objects
- Types of objects
  - Punch Card
  - Optical Scan
- Precinct v. Central counting
  - Overvote rejection at precinct
  - Smaller investment for central

Hybrid Composition
- Parallel (e.g., object and electronic machine)
  - Secrecy vulnerabilities compounded
    - Sufficient to break easiest
    - May be even easier in combination
  - Integrity improved
    - If both required, must defeat both
    - If one is audit, then only audit advantage
- Serial (e.g., in aggregation hierarchy)
  - Both integrity vulnerabilities
  - Both privacy vulnerabilities

VOTING SYSTEMS IN PRACTICE TODAY

Hierarchical Flows (general)
- Configuration/ballot flow downward
- At poll closing flow upward
  - Tally
    - Burst modem
    - Media taken to collection point
    - Phoned-in by poll worker
  - Ballots for central counting
  - Logs and ballots for potential audit

Aggregation Hierarchy [diagram only; label: Integrity Feature]
Comparison of Dominant US Schemes

| System | Unlinking Technology | Integrity Technology | Capture of Voter Intent | Tally Speed | Cost (Tally & Investment) |
|---|---|---|---|---|---|
| Paper ballot | Ballot Box ●●●○ | Multiple Poll Workers ●●●○ | Good ●●○○ | Slow ○○○○ | High Operation; Low Investment ●○○○ |
| Mechanical Voting Machines | Mechanical Counter ●●○○ | Multiple Poll Workers ●●●○ | Good ●●○○ | Instant per booth ●●○○ | Both Very High ○○○○ |
| Punch Card | Ballot Box ●●●○ | Central Electronic Counter ●○○○ | Not so Good ○○○○ | Slow but Automated ●○○○ | Both Very Low ●●●● |
| Optical Scan | Electronic Counter ●○○○ | Black Box; Paper Audit ●●○○ | Not so Good; but no Overvote ●○○○ | Instant per Precinct ●●●○ | Both Medium ●●○○ |
| Direct Recording Electronic | Electronic Counter ●○○○ | Black Box ●○○○ | Good and with feedback ●●●● | Instant per Booth ●●●○ | Low Operation; High Investment ●○○○ |

(Ratings are on a four-point scale; ● marks a point in the scheme's favour.)

Machine-Printed/Read Ballot Systems (hybrid)
- WebTools & VCB: Vote sent in electronically by machine; voter puts audit ballot in box
- Rebecca Mercuri: Voter can see but not touch; certified votes read from ballots, machine output preliminary only
- Ernie Hawkins: Voter can see but not touch, audit goes into box
- Belgian National: Ballot scanned on way into box; voter can check on multiple machines

Schemes to be Presented Separately in this Session
- Touchscreen DRE
- Full-face DRE
- VoteHere
- TrueVote
- Karin's system

SUBORDINATE ASPECTS

Communication Between Voter and Machine
- Authentication of voter to machine
  - Emphasized today, but not enough
- Assurance of accuracy of vote message
- Authentication of machine to voter
- Confirmation of receipt of vote message

Integrity v. Untraceability
- Priority differs by jurisdiction
  - England & Arkansas, e.g., give priority to Integrity
- Traceability-enabled options
  - Permissive enfranchisement: provisional voting and/or contested ballots
  - Surgical implementation of court rulings on eligibility
- Forward Untraceability
  - Cannot go back once data destroyed

Tally Information
[Already Touched On]
- Abstain vote allowed in some countries (would help understand residual votes)
- Straight-party voting (sometimes with crossover) may or may not be distinguished
- Pinkas et al. proposed techniques that hide counts and only reveal the winner

Ballot-Image Visibility
- DRE audit reveals ballot images
- Non-geographic and early-voting secrecy compromised
- Are ballot images known to auditors (and/or elected officials) and not made public?

Multiple Ballot Styles
- Mechanical Machine, Full-Face DRE & Punch Card
  - Few ballot styles per precinct
- Ballot on Paper
  - Medium number of styles per precinct
- DRE and Electronic-Printing using screens
  - Potentially large number of styles

Aggregation Unlinkability
- Non-geographic voting requires it
  - Early voting and vote anywhere
- Ballot on paper with central count
  - Full unlinkable precinct aggregation
- Mechanical, DRE or Machine printing (with machine audit)
  - Linkable at least to precinct

Ballot-style Security
[Partly Covered earlier]
- Layout unbiased
- Rotations correct
- Swaps
- Disruption

Write-In
- Rules differ, e.g.:
  - Only from approved list
  - Not allowed
  - Count only if could decide election
- Object in box, best with envelopes
- Sorting at scanning box
- Mechanical machines and some DRE use a paper ribbon
- Some DRE allow Type-In

Vote Selling and Influencing
[already discussed]
- For attendance voting: hard, but done
  - Technical: pass-back, copying, etc.
- For remote voting: easy
  - Countermeasure: re-vote priority
- Stopping certain people from voting
  - Can be harder for remote

Standardization & Certification
- County decisions need the best input they can get to guide choice
- Voting systems standards in US
  - Called optional but mandatory
  - Called performance but design

Conclusion
- Tamper-resistant boxes requiring universal trust and audit are the primary means of securing elections in this country today.
- The opportunity for, and pote