Lecture 9 - Using Technology Wisely


Securing Digital Democracy
Lecture 9 | Using Technology Wisely

J. Alex Halderman
University of Michigan
9.1 Criteria Securing Digital Democracy

Criteria

Transparency

Voters can observe and understand the process.

A fully transparent election system supports accountability as well as public oversight, comprehension and access to the entire process.

Definitions adopted from Joseph Lorenzo Hall
http://josephhall.org/papers/jhall-phd.pdf

Verifiability

Voters have means to convince themselves that the outcome is correct without having to blindly trust the technology or the election authorities.

Auditability

The system can be manually checked after the election to ensure that the votes have been counted properly.

Software Independence

A voting system is software-independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome.

See: Rivest and Wack, “On the Notion of Software Independence in Voting Systems”
http://people.csail.mit.edu/rivest/RivestWack-OnTheNotionOfSoftwareIndependenceInVotingSystems.pdf
9.2 Post‐Election Auditing Securing Digital Democracy

Post‐Election Auditing

Manual Recounts

What? When? Cost?

Full slide photo: by Flickr user immortalpoet, http://www.flickr.com/photos/32628580@N07/3048811142/
Licensed under a Creative Commons Attribution-ShareAlike 2.0 Generic license

Redundant Records

[Diagram: two records of the vote compared by an AUDIT (=?). One record is slow/expensive to tally and verified by the voter; the other is fast/cheap to tally and unverified.]

Redundancy + Different failure modes = Greater security

But… Redundancy only helps if we use both records!

Post-Election Audits

Pick some precincts randomly for paper recount.

If electronic tallies disagree, recount everywhere.

How much to Audit?

Standard practice: Fixed Fraction of Precincts (e.g., 10%)
Recommended practice: Fixed Level of Confidence (e.g., 99%)

Statistical Risk-Limiting Audits

Establish, with high statistical confidence, that hand-counting all of the paper records would yield the same winner as the electronic tally.

Audit Example

Alice: 55%
Bob: 45%

Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper

For 95% confidence, hand-audit 60 precincts
Cost: about $100,000

An Alternative Approach

Precinct-based auditing (standard practice)

Ballot-based auditing

100 marbles, 10% blue
6300 beads, 10% blue

How large a sample do we need to detect an error?

Example due to Andrew Appel. http://www.cs.princeton.edu/~appel/voting/

Audit Example

Alice: 55%
Bob: 45%

Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper

Precinct-based: for 95% confidence, hand-audit 60 precincts. Cost: about $100,000
Ballot-based: for 95% confidence, hand-audit 60 ballots. Cost: about $1,000
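An added example, not part of the lecture slides: it computes how many randomly chosen units must be hand-checked to hit at least one differing unit, for the marble/bead comparison and for the 5% / 95% audit goal above. The function names are hypothetical, and the model (the audit detects a problem as soon as the sample contains one differing unit) is a simplifying assumption.

```python
import math


def min_sample_finite(population, bad, confidence):
    """Smallest number of units to draw at random, without replacement, so that
    the sample contains at least one of the `bad` units with probability
    >= confidence."""
    good = population - bad
    p_miss = 1.0  # probability that every unit drawn so far was good
    for n in range(1, population + 1):
        p_miss *= (good - (n - 1)) / (population - (n - 1))
        if p_miss <= 1.0 - confidence:
            return n
    return population


def min_sample_bound(bad_fraction, confidence):
    """Population-independent bound: treats draws as independent, which
    slightly overestimates the sample needed for a finite population."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - bad_fraction))


if __name__ == "__main__":
    # Appel's comparison from the slide: 10% blue in both containers.
    # The 95% confidence level is borrowed from the audit example (assumption).
    print("100 marbles :", min_sample_finite(100, 10, 0.95))
    print("6300 beads  :", min_sample_finite(6300, 630, 0.95))
    # Audit goal from the slide: >= 5% of units differ, 95% confidence.
    # The bound gives 59, in line with the 60 shown on the slide.
    print("5% / 95%    :", min_sample_bound(0.05, 0.95))
    # Constructed population of 1,000,000 ballots (not a figure from the lecture).
    print("1M ballots  :", min_sample_finite(1_000_000, 50_000, 0.95))
```

The required count depends on the differing fraction and the confidence level and hardly at all on the population size, so the same number of units is needed whether a unit is a whole precinct or a single ballot.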

Why Not Ballot-based?

[Diagram: electronic records listed by serial number (325631 Alice, 218594 Bob, 810581 Alice) beside paper ballots bearing the same serial numbers.]

Need to match up electronic with paper ballots.

Difficult without compromising the secret ballot!

Machine-Assisted Auditing

[Diagram: paper ballots, one numbered 1; a per-ballot list (1 Bob, 2 Alice, ..., 929 Bob); the electronic tally (Alice: 510, Bob: 419); an = sign between the records.]

Step 1. Check electronic records against paper records using a recount machine.


Machine-Assisted Auditing

[Diagram: ballots 321 and 716 are picked from the numbered paper ballots and compared (=) with their entries in the per-ballot list (1 Bob, 2 Alice, ..., 321 Bob, 716 Alice, 929 Bob).]

Step 2. Audit the recount machine by selecting random ballots for human inspection.

Machine-Assisted Auditing

[Diagram: Machine Recount (electronic tally Alice: 510, Bob: 419 against the per-ballot list 1 Bob, 2 Alice, ..., 929 Bob) and Manual Audit (ballots 321 and 716 against the list entries 321 Bob, 716 Alice).]

We can use a machine without having to trust it!

More Efficient Audits

2006 Virginia U.S. Senate race
0.3% margin of victory
We want 99% confidence

              Precinct Based   Machine Assisted
# Ballots     1,141,900        2,339
# Precincts   1,252            1,351

See Calandrino, Halderman, and Felten, “Machine-Assisted Election Auditing.” EVT 2007.
https://jhalderm.com/pub/papers/audit-evt07.pdf

The Gold-Medal Standard

Precinct-Count Optical Scan + Mandatory Risk-Limiting Audits
9.3 End‐to‐End Verifiable Voting Securing Digital Democracy

End‐to‐End Verifiable Voting

This segment adapted from Josh Benaloh, with permission.



Photo by Flickr user Dina Regine, http://www.flickr.com/photos/divadivadina/3954028726/in/photostream/
Licensed under a Creative Commons Attribution-ShareAlike 2.0 Generic license.

End-to-End (E2E) Voter-Verifiability

As a voter, I can be sure that:
• My vote is cast as I intended.
• My vote is counted as cast.
• All votes are counted as cast.

Alice Johnson, 123 Main . . YES
Bob Ramirez, 79 Oak . . . . . NO
Carol Wilson, 821 Market . NO

Not a secret ballot!

End-to-End Voter-Verifiability

As a voter, I can be sure that:
• My vote is cast as I intended.
• My vote is counted as cast.
• All votes are counted as cast.
• No voter can demonstrate how he or she voted to a third party.

A Verifiable Receipt

Alice Johnson, 123 Main . . . YES
Bob Ramirez, 79 Oak . . . . . . NO
Carol Wilson, 821 Market . . NO

Checking the Result

Alice Johnson, 123 Main . . . YES
Bob Ramirez, 79 Oak . . . . . . NO
Carol Wilson, 821 Market . . NO

No: 2
Yes: 1
Mathematical Proof

End-to-End Verifiable Elections

Anyone who cares to do so can:

Alice Johnson, 123 Main .
Bob Ramirez, 79 Oak . . . .
Carol Wilson, 821 Market

No: 2
Yes: 1
Mathematical Proof

• Check that their own encrypted votes are correctly listed.
• Check that other voters are legitimate.
• Check the mathematical proof of the correctness of the tally.

The Voter's Perspective

Voters can …
• Use their receipts to check that their results are properly recorded.
• Throw their receipts in the trash.
• Verify the accuracy of the election with apps they wrote themselves.
• Download apps from sources of their choice to verify the election.
• Believe verifications done by their political parties.
• Accept the results without question.

Lots of Details to Get Right!

How do voters know that their receipt matches their choices?

How are voters convinced that the published encrypted votes correspond to the announced tally?

Voter-Initiated Auditing

19837984723
Encrypted Vote

Voter's choice: Cast or Challenge

Voter-Initiated Auditing

Cast

Voter-Initiated Auditing

Challenge
Vote for Alice
19837984723
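An added example, not from the lecture or from any voting system it names: a sketch of the cast-or-challenge check, showing that a device which has already printed its receipt fails a challenge if it recorded a different choice, whether it opens the receipt truthfully or not. The hash commitment standing in for the encrypted vote, and the names Device, commit, challenge_passes and audit, are assumptions.

```python
import hashlib
import secrets


def commit(choice, nonce):
    """Receipt code: SHA-256 over a random nonce and the choice. A hash
    commitment stands in for the encrypted vote (assumption)."""
    return hashlib.sha256(nonce + b"|" + choice.encode()).hexdigest()


class Device:
    """Hypothetical voting device. flip_to models a device that secretly
    records a different choice from the one the voter selected."""

    def __init__(self, flip_to=None):
        self.flip_to = flip_to

    def prepare(self, intended):
        # The receipt is fixed before the device learns "cast" or "challenge".
        self.recorded = self.flip_to or intended
        self.nonce = secrets.token_bytes(16)
        return commit(self.recorded, self.nonce)

    def open(self, claimed_choice=None):
        # On challenge the device reveals (choice, nonce); a cheating device
        # may claim the voter's choice in place of what it recorded.
        return (claimed_choice or self.recorded), self.nonce


def challenge_passes(receipt, opened_choice, opened_nonce, intended):
    """Voter-side check: the opening must reproduce the printed receipt and
    must show the choice the voter actually made."""
    return commit(opened_choice, opened_nonce) == receipt and opened_choice == intended


def audit(device, intended, lie=False):
    """Run one challenged ballot and return whether the device passed."""
    receipt = device.prepare(intended)
    choice, nonce = device.open(intended if lie else None)
    return challenge_passes(receipt, choice, nonce, intended)


if __name__ == "__main__":
    print("honest device      :", audit(Device(), "Alice"))
    print("cheat, opens truly :", audit(Device(flip_to="Bob"), "Alice"))
    print("cheat, lies on open:", audit(Device(flip_to="Bob"), "Alice", lie=True))
```

Because the device cannot tell in advance which ballots will be challenged, it risks detection on every ballot it alters; a challenged ballot has been opened and is therefore not the one that gets cast.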

Scantegrity

Optical Scan + E2E
http://www.scantegrity.org/

Helios

E2E Internet Voting
http://heliosvoting.org/
9.4 Verifying an E2E Result Securing Digital Democracy

Verifying an E2E Result



Scantegrity

See: Chaum, et al., “Scantegrity II: End‐to‐End Verifiability for Optical Scan
Election Systems using Invisible Ink Confirmation Codes”. EVT 2008.
http://static.usenix.org/event/evt08/tech/full_papers/chaum/chaum.pdf

Verifiable Tallying

Confirmation Code Table
Ballot   A     B
B1       7LC   WTX
B2       J31   TC0
B3       KWA   H7L

Correspondence Table
         VOTE?
B3:A             R2:YES
B1:B             R3:NO
B2:A             R1:YES
B1:A             R2:NO
B2:B             R1:NO
B3:B             R3:YES

Voted Choice Table
Result   YES   NO
R1
R2
R3

Verifiable Tallying

Confirmation Code Table
       Ballot   A     B
Yes    B1       7LC   WTX
No     B2       J31   TC0
No     B3       KWA   H7L

Correspondence Table
         VOTE?
B3:A             R2:YES
B1:B             R3:NO
B2:A             R1:YES
B1:A     X       R2:NO
B2:B     X       R1:NO
B3:B     X       R3:YES

Voted Choice Table
Result   YES   NO
R1       (marked)
R2       (marked)
R3       (marked)

Verifiable Tallying

Confirmation Code Table
Ballot   A     B
B1       7LC   WTX
B2       J31   TC0
B3       KWA   H7L

Correspondence Table
         VOTE?
B3:A             R2:YES
B1:B             R3:NO
B2:A             R1:YES
B1:A     X       R2:NO
B2:B     X       R1:NO
B3:B     X       R3:YES

Voted Choice Table
Result   YES   NO
R1       (marked)
R2       (marked)
R3       (marked)

No: 2
Yes: 1

Verifiable Tallying

Confirmation Code Table
Ballot   A     B
B1       7LC   WTX
B2       J31   TC0
B3       KWA   H7L

Correspondence Table
         VOTE?
B3:A             R2:YES
B1:B             R3:NO
B2:A             R1:YES
B1:A     X       R2:NO
B2:B     X       R1:NO
B3:B     X       R3:YES

Voted Choice Table
Result   YES   NO
R1       (marked)
R2       (marked)
R3       (marked)

Check that revealed codes are marked with an X
Check that voted choices are marked with an X

Questions for E2E?

Complexity? Usability?

Comprehensibility? Security?